
Computer-Security Incident Notification Rule — How Does it Affect Your Bank?

Supervision News Flash
June 2022

Cyber risk is a top risk for our supervised firms. Ransomware attacks at banks increased 13 times in the first half of 2021 compared to the same period in 2020.[1]

With these risks in mind, interagency guidance was recently issued jointly with the Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation that outlines a new Computer-Security Incident Notification Rule.

Prompt notification of incidents is the first step of the process that positions the Federal Reserve to make timely decisions related to the safety and soundness of supervised firms and the financial system. After this notification, we coordinate with key internal and external stakeholders, assess the threat an incident poses to a supervised firm and take appropriate action. 

The new notification process went into effect in April with compliance required by May 1, 2022. Key points of focus within this new guidance include:

  • The definition of a computer-security incident as well as material thresholds for “notification incidents” that require reporting.
  • Each bank is required to notify its primary federal regulator as soon as possible, and no later than 36 hours, once management determines a computer-security incident has occurred.
  • Federal Reserve-supervised banks are directed to email incident@frb.gov (preferred) or call 866-364-0096, in addition to notifying their Richmond Fed central point of contact.
  • Bank service providers are required to notify their customers of computer-security incidents, as well as outage/operational downtime that lasts more than four hours.

Note: The Notification Rule is in addition to the GLBA notification requirements for breaches and information security incidents. GLBA notification requirements have not changed; however, now both of these notifications should be made by sending an email to incident@frb.gov (preferred) and/or calling (866) 364-0096.

You can hear additional discussion in our latest Fifth District Focus Webinar: Exams, Risks and More session that took place on May 24, 2022. Please reach out to your Supervisory central point of contact with any questions on this new notification process.

  1. Source: Trend Micro, Attacks from All Angles: 2021 Mid-Year Cybersecurity Report