The May 1 change to banks’ cyber-notification process is fast approaching. As we wrote previously the OCC, FDIC, and Federal Reserve Board implemented a final rule under which banks and their service providers must notify their primary federal regulators within 36 hours of certain incidents. A notification incident that triggers this requirement is defined as a computer security incident that materially disrupts a banking organization’s operations or lines of business. Thus not all incidents will meet these levels. For those that do, banks will need to be prepared. Part of that is having the right points of contact, which include:

• OCC: BankNet home page; BankNet Help Desk: Email: BankNet@occ.treas.gov; Phone: (800) 641-5925.
• FDIC: FDIC case managers of FDIC-supervised banks or if unavailable, by email at incident@fdic.gov.
• Federal Reserve: Contact by email incident@frb.gov or telephone (866) 364-0096.

Putting it Into Practice: Before May 1, banks will want to make sure they have processes in place to identify and address “notification incidents.” Part of the process updates can be adding the correct points of contact to their standing incident plans.