This message was posted by a user wishing to remain anonymous
For us, we assessed all of our critical vendors (those with significant customer impact, that could bring down banking systems, hold large amounts of NPI, etc.) to see which fit the definition in the Bulletin. By definition, our high-, moderate-, or low-risk vendors would not rise to the level of the Bulletin.
Original Message:
Sent: 07-19-2022 06:48 AM
From: PAUL PELLETIER
Subject: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule
I am very shocked that there was only 1 response. I too would love to hear what others are doing.
Original Message:
Sent: 07-05-2022 08:37 PM
From: Premika Mishra
Subject: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule
To my community bankers, how is your organization handling the above requirement internally?
We are still having some healthy debates internally on which category of vendors falls under this requirement. The requirement states, "significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector."
So we interpret that as vendors that are customer facing, and those would be the only ones we would report on to notify the regulator should an incident rise to that level.
How are you interpreting/tackling this?