OCC Bulletin 2022-8| March 29, 2022
Information Technology: OCC Points of Contact for Banks’ Computer-Security Incident Notifications
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
Effective May 1, 2022, banks1 must use the designated points of contact listed in this bulletin to satisfy the incident notification requirements established in the interagency final rule for banks and their bank service providers dated November 23, 2021. The Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published the final rule to help promote early awareness of emerging threats to banks, their bank service providers, and the broader financial system and to help the agencies react to these threats before they become systemic.2
Banks and their bank service providers must comply with the final rule starting May 1, 2022. Under the final rule, a notification incident generally includes a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the bank’s operations; results in customers being unable to access their deposit and other accounts; or impacts the stability of the financial sector. Incidents may include a major computer-system failure; a cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.
Note for Community Banks
This bulletin applies to community banks.
- A bank must notify the OCC after the bank determines that a notification incident has occurred, and the OCC must receive this notice as soon as possible and no later than 36 hours after the bank’s determination.
- To satisfy the notification requirement, the bank may email or call its supervisory office, submit a notification via the BankNet website, or contact the BankNet Help Desk starting on May 1, 2022. Refer to the “OCC Points of Contact for Banks” section of this bulletin.
OCC Points of Contact for Banks
Starting on May 1, 2022, banks may satisfy the notification requirement of the final rule by contacting their supervisory office or by using one of the following to communicate a notification incident:
- BankNet Help Desk
- Email: BankNet@occ.treas.gov
- Phone: (800) 641-5925
If a bank is unsure whether it is experiencing a notification incident for purposes of the final rule, the bank should contact its supervisory office.3
Please contact Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519; or Carl Kaminski, Assistant Director, or Priscilla Benner, Counsel, Chief Counsel’s Office, (202) 649-5490.
Senior Deputy Comptroller for Bank Supervision Policy
2 Refer to 86 Fed. Reg. 66424 (November 23, 2021).
3 The final rule also defines the notifications requirements for bank service providers that experience certain incidents. If a bank service provider is unsure whether it has experienced a computer-security incident that meets this threshold, the OCC encourages the bank service provider to contact the affected banking organization customer(s) or the service provider’s own legal counsel.