On March 29, 2022, the US federal banking regulators released instructions on how financial institutions should comply with recently adopted computer-security incident notification requirements.[1] These instructions will assist financial institutions in satisfying their obligations under the new requirements once compliance is required on May 1, 2022.

Background

On November 18, 2021, the Board of Governors of the Federal Reserve System ("Federal Reserve"), Office of the Comptroller of the Currency ("OCC") and Federal Deposit Insurance Corporation ("FDIC") finalized new cyber incident notification requirements for the financial institutions that they regulate and service providers to those institutions. In relevant part, a financial institution is now required to notify its appropriate federal regulator of a "notification incident" as soon as possible and no later than 36 hours after the institution determines that a reportable event occurred. (Please see our earlier Legal Update for a more detailed discussion of the new requirements for financial institutions and their service providers.)

March Instructions

The instructions explain how a financial institution will be expected to notify its federal regulator of a notification incident. The procedure is different for each regulator:

  • Federal Reserve: A US bank holding company, US savings and loan holding company, state member bank, US operations of a foreign banking organization, Edge corporation or agreement corporation must notify the Board about a notification incident by (i) email to incident@frb.gov or (ii) telephone at (866) 364-0096.[2]
  • OCC: A national bank, federal savings association, or federal branch or agency of a foreign bank must notify the OCC about a notification incident by (i) contacting their OCC supervisory office, (ii) submitting an incident through BankNet, (iii) emailing BankNet@occ.treas.gov or (iv) calling (800) 641-5925.
  • FDIC: An insured state nonmember bank, insured state savings association or insured state-licensed branch of a foreign bank must notify the FDIC about a notification incident by (i) contacting their FDIC case manager, (ii) contacting any member of an FDIC examination team if the institution is undergoing an examination or (iii) emailing incident@fdic.gov.

The Federal Reserve and OCC instructions note that an institution should contact its primary supervisory contact if the institution is unsure whether it is experiencing a reportable incident. Additionally, the OCC instructions state that a service provider should contact the affected financial institution customers or the service provider's own legal counsel if the service provider is unsure whether a computer-security incident has occurred that would require reporting to the institution.[3]

Takeaway

The instructions provided by the federal regulators are relatively clear and should be easy for most financial institutions to incorporate into their incident response plans and regulatory affairs procedures. However, the instructions do not shed further light on the required content of an incident notification. Notwithstanding regulator statements that there is "no specific content or format" for notifications and that the notifications are intended only to "alert the agencies to such incidents," we expect many financial institutions will grapple with difficult decisions about what information to include in a notification. This is particularly true in the early stages of an incident, when the information known to an institution may change rapidly.

Footnotes

1. Federal Reserve, SR 22-4 (Mar. 29, 2022), https://www.federalreserve.gov/supervisionreg/srletters/SR2204.htm; OCC, Bull. 2022-8 (Mar. 29, 2022), https://occ.gov/news-issuances/bulletins/2022/bulletin-2022-8.html; FDIC, FIL-12-2022 (Mar. 29, 2022), https://www.fdic.gov/news/financial-institution-letters/2022/fil22012.html.

2. While not addressed in the instructions, the Federal Reserve's guidance regarding the content of notifications of unauthorized access to customer information presumably remains in effect until and unless rescinded. See Federal Reserve, SR 05-23 (Dec. 1, 2005).

3. Service providers do not have an obligation to report incidents directly to the federal banking regulators unless they also are financial institutions (e.g., a national bank that provides services to other national banks).

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.