Summary:

On November 23, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (collectively, the agencies) issued a joint final rule to establish computer-security incident notification requirements (Final Rule) for banking organizations and their bank service providers. Banks and their service providers must comply with the Final Rule starting May 1, 2022.

FDIC-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as the primary FDIC contact for all supervisory-related matters, or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: incident@fdic.gov .

Bank service providers must notify any affected FDIC-supervised banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, services provided to such banking organization for four or more hours.

A copy of the Final Rule is available on the FDIC’s website.

Statement of Applicability: The contents of, and material referenced in, this FIL apply to all FDIC-insured financial institutions

Highlights:

• FDIC-supervised banks can comply with the rule by notifying their case manager of an incident.
• FDIC-supervised banks can comply with the rule by notifying any member of an FDIC examination team if the event occurs during an examination.
• If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: incident@fdic.gov .