OCC Bulletin 2022-8 | March 29, 2022
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
Effective May 1, 2022, banks1 must use the designated points of contact listed in this bulletin to satisfy the incident notification requirements established in the interagency final rule for banks and their bank service providers dated November 23, 2021. The Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published the final rule to help promote early awareness of emerging threats to banks, their bank service providers, and the broader financial system and to help the agencies react to these threats before they become systemic.2
Banks and their bank service providers must comply with the final rule starting May 1, 2022. Under the final rule, a notification incident generally includes a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the bank’s operations; results in customers being unable to access their deposit and other accounts; or impacts the stability of the financial sector. Incidents may include a major computer-system failure; a cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.
This bulletin applies to community banks.
Starting on May 1, 2022, banks may satisfy the notification requirement of the final rule by contacting their supervisory office or by using one of the following to communicate a notification incident:
If a bank is unsure whether it is experiencing a notification incident for purposes of the final rule, the bank should contact its supervisory office.3
Please contact Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519; or Carl Kaminski, Assistant Director, or Priscilla Benner, Counsel, Chief Counsel’s Office, (202) 649-5490.
Grovetta Gardineer, Senior Deputy Comptroller for Bank Supervision Policy
1 "Banks" refers collectively to national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations.
2 Refer to 86 Fed. Reg. 66424 (November 23, 2021).
3 The final rule also defines the notification requirements for bank service providers that experience certain incidents. If a bank service provider is unsure whether it has experienced a computer-security incident that meets this threshold, the OCC encourages the bank service provider to contact the affected banking organization customer(s) or the service provider’s own legal counsel.