US Banks Must Report Cybersecurity Incidents

From April 1, 2022, banking entities supervising by the FDIC, OCC and Federal Reserve will be required to notify their regulator within 36 hours of discovering security incidents that may have cause or have already caused material, harmful impacts to their services. Bank service providers will also be required to notify their entity customers of security incidents that materially impact their services to the bank for over 4 hours.

This new Rule has been jointly issued by The Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board and Office of the Comptroller of the Currency (OCC). The Computer-Security Incident Notification Final Rule is effective from April 1, 2022, with full compliance needed by May 1, 2022. It applies to all Banks including:

  • National banks
  • Federal savings associations
  • Federal branches and agencies of foreign banks
  • Bank service providers
  • US bank holding companies
  • Savings and loan holding companies
  • Insured state nonmember banks
  • State member banks
  • Insured state licensed branches of foreign banks
  • US operations of foreign banks, and;
  • Insured state savings associations

Computer-Security Incident Notification Final Rule

A “computer-security” incident is anything that results in actual harm to an information system’s confidentiality, integrity or availability. A “notification incident” means any of the previously mentioned incidents that has been or is likely to be materially disruptive or degrading to any of the following:

  • A Bank’s ability to carry out business activities and services to a material portion of it’s customers
  • Business lines including associated operations, services or support, which if impacted would result in material loss of revenue or value
  • Operations, including associated services, functions and support which if impacted would threaten the financial stability of the United States.


Banks must notify all notification incidents to the applicable authority through email, phone or similar methods. The notification must be received no later than 36 hours after the Bank discovers the occurrence. Depending on the regulation authority for the Bank entity the applicable authority to notify would be either:

  • OCC supervisory office or point of contact
  • Board designated point of contact, or;
  • FDIC supervisory office or point of contact

Where the breach occurs to a vendor working for the Bank then they are required to notify the Bank themselves. The Bank must be notified about any incident that would materially disrupt or degrade covered service to the Bank for over 4 hours. The vendor should contact their designated point of contact at the Bank or if there isn’t one then either the Bank’s Chief Information Officer, the Chief Executive Officer or two individuals of comparable responsibility.

Value Privacy are here to make your privacy policies and procedures simpler. Rules and regulations are being introduced all the time to make data safer and more secure but it’s easy to lose track. Value Privacy can manage your privacy responsibilities for you so you can focus on whatever you do best. Contact us today to find out how we can help you.

Previous Post

Norwegian Body Fined for Negligent Security Measures

Next Post

Missouri Complaint Alleges Concealment of a Data Breach

Related Posts