The FDIC issued guidance on how banks it supervises can comply with recently established interagency incident notification requirements, effective May 1.
FDIC Guidance: The agency said institutions can comply by reporting incidents to case managers who serve as their primary FDIC contact for all supervisory-related matters or to any member of an FDIC examination team if the event occurs during an exam. Banks unable to access supervisory team contacts may notify the FDIC by email at [email protected].
Background: The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after it determines a cyber incident has occurred.
OCC: The FDIC release came a day after the OCC issued a bulletin with the designated points of contact for OCC-supervised banks. The OCC said banks may satisfy notification requirements by contacting their supervisory office or by using BankNet contact information.
ICBA Position: In a comment letter last year, ICBA expressed opposition to the rule, noting that community banks are already required to report incidents under the Gramm-Leach-Bliley Act.