�౦��Ϸ����

Summary:

On November 23, 2021, the Federal Deposit Insurance Corporation (�౦��Ϸ����), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (collectively, the agencies) issued a joint final rule to establish computer-security incident notification requirements (Final Rule) for banking organizations and their bank service providers. Banks and their service providers must comply with the Final Rule starting May 1, 2022.

�౦��Ϸ����-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as the primary �౦��Ϸ���� contact for all supervisory-related matters, or to any member of an �౦��Ϸ���� examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the �౦��Ϸ���� by email at: incident@fdic.gov .

Bank service providers must notify any affected �౦��Ϸ����-supervised banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, services provided to such banking organization for four or more hours.

A copy of the Final Rule is available on the �౦��Ϸ����’s website.

Statement of Applicability: The contents of, and material referenced in, this FIL apply to all �౦��Ϸ����-insured financial institutions

Highlights:

• �౦��Ϸ����-supervised banks can comply with the rule by notifying their case manager of an incident.
• �౦��Ϸ����-supervised banks can comply with the rule by notifying any member of an �౦��Ϸ���� examination team if the event occurs during an examination.
• If a bank is unable to access its supervisory team contacts, the bank may notify the �౦��Ϸ���� by email at: incident@fdic.gov .