Exams or Audits

 View Only

  • 1.  OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    Posted 07-05-2022 06:37 PM
    To my community bankers, how is your organization handling the above requirement internally?  

    We are still having some healthy debates internally on which category of vendors fall into this requirement.  The requirement states, "significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. " 

    So we interpret that as vendors that customer facing and those would be the only ones we would report to notify the regulator should an incident rise to that level. 

    How are you interpreting/tackling this? 


  • 2.  RE: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    Posted 07-12-2022 11:59 AM

    My interpretation is that the following activity categories performed by third parties would fall under this requirement: "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution." That is an excerpt from 12 U.S. Code § 1863 (Link 1 below), which is pointed to by FDIC 12 CFR Part 304 § 304.22(b)(5) (Link 2 below) when defining covered services of bank service providers.

    Link 1: https://www.law.cornell.edu/uscode/text/12/1863

    Link 2: https://occ.gov/news-issuances/federal-register/2021/86fr66424.pdf

    I am not a community banker, so I'm interested in how others are complying as well.



  • 3.  RE: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    Posted 07-19-2022 04:48 AM
    I am very shocked that there was only 1 response. I too would love to hear with what others are doing?



  • 4.  RE: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    This message was posted by a user wishing to remain anonymous
    Posted 07-19-2022 08:28 AM
    This message was posted by a user wishing to remain anonymous

    For us, we assessed all of our critical vendors (has significant customer impact, bring down banking systems, large amounts of NPI, etc.) and see which fits the definition of the Bulletin.  By definition, our high-risk, moderate, or low risk vendors would not rise to the level of the Bulletin.
    Original Message


  • 5.  RE: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    This message was posted by a user wishing to remain anonymous
    Posted 07-19-2022 07:43 AM
    This message was posted by a user wishing to remain anonymous

    Aaron's answer is right on regarding identifying the type of vendor this rule covers, i.e. the definition of a BSC. For us, once we ID'd these vendors, we then asked ourselves if this vendor has an "incident", is it likely to materially disrupt our ability to operate; to prevent us from offering that service to a majority of our customers; or cause our operational failure? Will this failure have a detrimental financial impact or affect the stability of the United States? We're not a very large bank, so the only vendor we identified was our core service provider