The OCC issued a bulletin with the designated points of contact banks must use to satisfy recently established interagency incident notification requirements, effective May 1.
Background: The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after it determines a cyber incident has occurred.
Points of Contact: The OCC said banks may satisfy notification requirements by contacting their supervisory office or by using BankNet contact information.
ICBA Position: In a comment letter last year, ICBA expressed opposition to the rule, noting that community banks are already required to report incidents under the Gramm-Leach-Bliley Act