Office of the Comptroller of the Currency November 23, 2021 – Federal Register Recent Federal Regulation Documents

Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
Document Number: 2021-25510
Type: Rule
Date: 2021-11-23
Agency: Federal Deposit Insurance Corporation, Agencies and Commissions, Federal Reserve System, Office of the Comptroller of the Currency, Department of Treasury, Department of the Treasury
The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary Federal regulator of any "computer-security incident" that rises to the level of a "notification incident," as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.