A regulation passed by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (OCC) in November 2021 has gone into effect as of May 1st, requiring all banks to report data breaches within 36 hours. This is a change from previous reporting regulations, such as the New York Department of Financial Services rule that requires incident notification within 72 hours. According to the 80-page draft regulation, banks are required to report within 36 hours of determining that a breach is serious and has a material adverse impact on operations. According to the guidance posted by the agencies, banks can seek clarification from the appropriate agency as to whether an incident should be reported.
FDIC Incident Reporting Information
FDIC-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as a primary FDIC contact for supervisory-related matters, or to any member of an FDIC examination team if the incident occurs during an examination. If a bank is unable to access these supervisory team contacts, the bank may notify the FDIC by email at [email protected].
Federal Reserve Incident Reporting Information
A banking organization whose primary federal regulator is the Board of Governors of the Federal Reserve System must inform the board about a notification incident by sending an email to [email protected] or by calling 866-364-0096.
OCC Incident Reporting Information
A bank is required to notify the OCC after it determines that the notification incident has occurred. To satisfy this requirement, the bank may email/call its supervisory office, submit a notification via the BankNet website or contact the BankNet Help Desk at [email protected] or by phone at 800-641-5925.
Cybersecurity has become a regulatory and legislative focus in the United States. Organizations, especially those considered to be contributing to essential infrastructure, should continue to monitor the swiftly changing regulatory landscape and expect sanctions and fines levied from the regulatory agencies due to the political prioritization of these issues. Swift incident reporting provides a substantive community benefit as it limits the effectiveness of new techniques, tactics, and procedures (TTP) in use by threat groups by allowing the publication of advisories that organizations can use to mitigate the risks of similar attacks during a campaign initiated by a threat group.