Third Party Risk Management

How Does the OCC Computer-Security Incident Notification Bulletin Impact Your Institution?

You probably are already aware of an OCC mandate passed in November 2021, demanding notification of any cybersecurity breach or failure of systems.

Effective date of the final rule, May 1, 2022. Points of contact identified in this bulletin. OCC must be notified no later than 36 hours after a computer-security incident has occurred.

What institutions are in-scope?
Banks and their bank service providers must comply.

Incidents May Include
Major Computer-System Failure Cyber-Related Interruption Distributed Denial of Service
Any type of significant operational interruption Ransomware Attack

The rule defines computer-security incident as an occurrence that results in actual harm to:

  • Confidentiality
  • Integrity
  • Availability of an information system
  • Information that the system processes, stores, or transmits.

Bank service provider is to notify each affected customer bank as soon as possible when it determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the bank for four or more hours.

What can/should my institution do next?
Establish lines of communication (internal and external) now. Know who to inform should you receive notification from a service provider or are reporting an internal security incident. Your service providers ought to be informed of this regulatory demand. Many contracts have notice provisions in them already, know that regardless of existing contract language, all parties must comply with this regulation.

Please let us know if you have questions and how we can help you continue to have an effective and efficient third party risk management program. Fortrex is here to assist.

Know that this communication is the opinion of Fortrex Technologies and should not replace guidance from your institution’s legal counsel.


Leave a Reply