Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Financial Institution Letter

Computer-Security Incident Notification Implementation

Summary:

On November 23, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (collectively, the agencies) issued a joint final rule to establish computer-security incident notification requirements (Final Rule) for banking organizations and their bank service providers. Banks and their service providers must comply with the Final Rule starting May 1, 2022.

FDIC-supervised banks can comply with the rule by reporting an incident to their case manager, who serves as the primary FDIC contact for all supervisory-related matters, or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: incident@fdic.gov .

Bank service providers must notify any affected FDIC-supervised banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, services provided to such banking organization for four or more hours.

A copy of the Final Rule is available on the FDIC’s website.

Statement of Applicability: The contents of, and material referenced in, this FIL apply to all FDIC-insured financial institutions

Highlights:

  • FDIC-supervised banks can comply with the rule by notifying their case manager of an incident.
  • FDIC-supervised banks can comply with the rule by notifying any member of an FDIC examination team if the event occurs during an examination.
  • If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: incident@fdic.gov .
FIL-12-2022
Attachment(s)

Last Updated: March 29, 2022