Computer-Security Incident Notification Requirements

This blog was authored by my colleague Bonnie Newsome, NCCO, CUCE, BSACS, Regulatory Compliance Director, Financial Institutions.

In fall 2021, the banking agencies, namely the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC), issued a final rule regarding computer-security incident notifications.

Effective April 1, 2022, the OCC, Board, and FDIC will require a banking organization to notify its primary Federal regulator, and a bank service provider to notify each affected banking organization customer, of any “computer-security incident” that rises to the level of a “notification incident.”

To understand this ruling, it is important to understand certain definitions.

  • A banking organization includes all depository institutions, holding companies, and certain other financial entities that are supervised by one or more of the agencies.
  • A bank service provider means a bank service company or other person that performs covered services.
  • Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
  • Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s ability to carry out banking functions for its customer base in the ordinary course of business; that affects operations whose failure would result in a material loss of revenue, profit, or franchise value; or that affects operations whose failure or discontinuance would pose a threat to the financial stability of the United States.

Beginning May 1, 2022, a banking organization is required to notify its primary regulator upon the occurrence of a “notification incident,” and no later than 36 hours after it determines that a notification incident has occurred. Bank service providers will be required to notify at least one bank-designated point of contact at each affected banking organization as soon as possible once they have determined that they have experienced a computer-security incident.

Notification can be done through email, telephone, or other similar methods as prescribed by your appropriate agency. The final rule can be accessed here.

How Can We Help?

CLA continues to provide seamless, integrated services to our clients. Whether you need help navigating new regulatory rules, require risk management services, or need a trusted advisor, we are here to know you and to help you. Contact Us to learn more.

  • Managing Principal Financial Services
  • Charlotte, NC
  • 704-816-8452

Susan is a CPA with more than 20 years of combined experience in public accounting and the financial institution industry, including experience with Fortune 500 financial services companies. Susan serves as the managing principal of CLA’s financial services group. Her responsibilities include providing engagement oversight in the areas of assurance and internal audit. In addition, Susan provides board advisory and management consulting services in the areas of strategic planning and mergers and acquisitions. Susan has been involved in multiple mergers and acquisitions of sizes ranging from $150 million to $500 billion with engagement at all stages of the process.
