www.occ.gov
199.83.40.54
Public Scan
URL:
https://www.occ.gov/news-issuances/bulletins/2021/bulletin-2021-55.html
Submission: On May 10 via manual from US — Scanned from DE
Form analysis
3 forms found in the DOM
<form class="gsc-search-box gsc-search-box-tools" accept-charset="utf-8">
<table cellspacing="0" cellpadding="0" class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<div class="gsc-input-box" id="gsc-iw-id1">
<table cellspacing="0" cellpadding="0" id="gs_id50" class="gstl_50 gsc-input" style="width: 100%; padding: 0px;">
<tbody>
<tr>
<td id="gs_tti50" class="gsib_a"><input autocomplete="off" type="text" size="10" class="gsc-input" name="search" title="Search Field" id="gsc-i-id1" dir="ltr" spellcheck="false" placeholder="What are you looking for?"
aria-label="What are you looking for?"
style="width: 100%; padding: 0px; border: none; margin: 0px; height: auto; background-position: left center; background-size: initial; background-repeat: no-repeat; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(255, 255, 255); outline: none;">
</td>
<td class="gsib_b">
<div class="gsst_b" id="gs_st50" dir="ltr"><a class="gsst_a" href="javascript:void(0)" title="Clear search box" role="button" style="display: none;"><span class="gscb_a" id="gs_cb50" aria-hidden="true">×</span></a></div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
<td class="gsc-search-button"><button class="gsc-search-button gsc-search-button-v2"><svg width="13" height="13" viewBox="0 0 13 13" focusable="false">
<title>search</title>
<path
d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z">
</path>
</svg></button></td>
<td class="gsc-clear-button">
<div class="gsc-clear-button" title="clear results"> </div>
</td>
</tr>
</tbody>
</table>
</form>
Name: MainSearch — javascript:void(0)
<form action="javascript:void(0)" id="MainSearch" name="MainSearch"><!-- RL 09272018
<label class="hide" for="q">Search OCC Website</label>
<input type="text" class="input-box-stay" size="25" name="q" id="q" placeholder="Search" tabindex="-1" />
<input type="submit" class="sitewide" value="Go" name="Submit" tabindex="-1" onclick="submitSearch('q','')" />
-->
<p> </p>
<!-- BEGIN AUTOCOMPLETE -->
<div class="mobile-search-bar">
<div id="___gcse_1">
<div class="gsc-control-searchbox-only gsc-control-searchbox-only-en" dir="ltr">
<table cellspacing="0" cellpadding="0" class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<div class="gsc-input-box" id="gsc-iw-id2">
<table cellspacing="0" cellpadding="0" id="gs_id51" class="gstl_51 gsc-input" style="width: 100%; padding: 0px;">
<tbody>
<tr>
<td id="gs_tti51" class="gsib_a"><input autocomplete="off" type="text" size="10" class="gsc-input" name="search" title="Search Field" id="gsc-i-id2" dir="ltr" spellcheck="false"
style="width: 100%; padding: 0px; border: none; margin: 0px; height: auto; background-position: left center; background-size: initial; background-repeat: no-repeat; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgb(255, 255, 255); outline: none;"
placeholder="What are you looking for?" aria-label="What are you looking for?"></td>
<td class="gsib_b">
<div class="gsst_b" id="gs_st51" dir="ltr"><a class="gsst_a" href="javascript:void(0)" title="Clear search box" role="button" style="display: none;"><span class="gscb_a" id="gs_cb51" aria-hidden="true">×</span></a></div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
<td class="gsc-search-button"><button class="gsc-search-button gsc-search-button-v2"><svg width="13" height="13" viewBox="0 0 13 13" focusable="false">
<title>search</title>
<path
d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z">
</path>
</svg></button></td>
<td class="gsc-clear-button">
<div class="gsc-clear-button" title="clear results"> </div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</form>
POST https://public.govdelivery.com/accounts/USTREASOCC/subscribers/qualify
<form id="GD-snippet-form" action="https://public.govdelivery.com/accounts/USTREASOCC/subscribers/qualify" accept-charset="UTF-8" method="post"><input name="utf8" type="hidden" value="✓"><input type="hidden" name="category_id" id="category_id"
value="USTREASOCC_C1">
<fieldset>
<h4 data-content="Get updates">Get updates</h4>
<label for="email" class="hide">Email Address</label> <input type="text" name="email" placeholder="Enter your email" id="email"><input type="submit" name="commit" value="Subscribe" data-disable-with="Submit">
</fieldset>
</form>
Text Content
OCC Bulletin 2021-55 | November 23, 2021

COMPUTER-SECURITY INCIDENT NOTIFICATION: FINAL RULE

TO
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties

SUMMARY
On November 23, 2021, the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published a final rule to establish computer-security incident notification requirements for banking organizations and their bank service providers.

NOTE FOR COMMUNITY BANKS
This final rule applies to community banks.[1]

HIGHLIGHTS
* The rule requires a bank to notify the OCC as soon as possible and no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred. The bank must provide this notification to the appropriate OCC supervisory office, or OCC-designated point of contact, through email, telephone, or other similar methods that the OCC may prescribe.
* The rule defines computer-security incident as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
* A notification incident generally would include a significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. This may include a major computer-system failure; cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.
* The rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected customer bank as soon as possible when it determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the bank for four or more hours. If the bank has not previously provided a designated point of contact, the notification must be made to the bank’s chief executive officer and chief information officer or to two individuals of comparable responsibilities.

BACKGROUND
Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as nonmalicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. These cyberattacks can adversely affect a bank’s networks, data, and systems and, ultimately, its ability to resume normal operations. In addition, banks have become increasingly reliant on bank service providers to provide essential services. Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their bank customers or have other significant impact on a customer bank.

This rule will help ensure that the OCC knows about and can respond in a timely manner to material and adverse computer-security incidents affecting banks.

FURTHER INFORMATION
Please contact Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519; or Carl Kaminski, Assistant Director, or Priscilla Benner, Senior Attorney, Chief Counsel’s Office, (202) 649-5490.

Benjamin W. McDonough
Senior Deputy Comptroller and Chief Counsel

RELATED LINK
* “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers: Final Rule” (PDF)

[1] “Banks” refers to national banks, federal savings associations, and federal branches and agencies of foreign banking organizations.

Topic(s):
* Bank Information Technology (BIT)
* Bank Operations
* Information & Cyber Security - BIT