Exams or Audits

  • 1.  OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    Posted 07-05-2022 08:37 PM
    To my community bankers, how is your organization handling the above requirement internally?  

    We are still having some healthy debates internally on which category of vendors falls into this requirement.  The requirement states, "significant computer-security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector."

    So we interpret that as vendors that are customer facing, and those would be the only ones for which we would notify the regulator should an incident rise to that level.

    How are you interpreting/tackling this? 



  • 2.  RE: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    Posted 07-12-2022 01:59 PM

    My interpretation is that the following activity categories performed by third parties would fall under this requirement: "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution." That is an excerpt from 12 U.S. Code § 1863 (Link 1 below), which is pointed to by FDIC 12 CFR Part 304 § 304.22(b)(5) (Link 2 below) when defining covered services of bank service providers.

    Link 1: https://www.law.cornell.edu/uscode/text/12/1863

    Link 2: https://occ.gov/news-issuances/federal-register/2021/86fr66424.pdf

    I am not a community banker, so I'm interested in how others are complying as well.



  • 3.  RE: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    Posted 07-19-2022 06:48 AM
    I am very shocked that there was only 1 response. I too would love to hear what others are doing.



  • 4.  RE: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    This message was posted by a user wishing to remain anonymous
    Posted 07-19-2022 10:28 AM

    For us, we assessed all of our critical vendors (has significant customer impact, could bring down banking systems, holds large amounts of NPI, etc.) and saw which fit the definition of the Bulletin.  By definition, our high-risk, moderate-risk, or low-risk vendors would not rise to the level of the Bulletin.


  • 5.  RE: OCC Bulletin 2021-55: Computer-Security Incident Notification: Final Rule

    This message was posted by a user wishing to remain anonymous
    Posted 07-19-2022 09:43 AM

    Aaron's answer is right on regarding identifying the type of vendor this rule covers, i.e., the definition of a BSC. For us, once we ID'd these vendors, we then asked ourselves: if this vendor has an "incident", is it likely to materially disrupt our ability to operate, to prevent us from offering that service to a majority of our customers, or to cause our operational failure? Will this failure have a detrimental financial impact or affect the stability of the United States? We're not a very large bank, so the only vendor we identified was our core service provider