Process for Incident Notification to the Board
Regulation HH requires designated financial market utilities (designated FMUs) for which the Board is the Supervisory Agency under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 to notify the Board of material operational incidents, in accordance with the process established by the Board. The compliance date for the incident management and notification requirements of the final rule is June 13, 2024.
Among other requirements, 12 CFR § 234.3(a)(17)(vi)(A) requires a designated FMU to notify the Board immediately when the designated FMU activates its business continuity plan or has a reasonable basis to conclude that (1) there is an actual or likely disruption, or material degradation, to any critical operations or services, or to its ability to fulfill its obligations on time; or (2) there is unauthorized entry or a vulnerability that could allow unauthorized entry into the designated FMU’s computer, network, electronic, technical, automated, or similar systems that affects or has the potential to affect its critical operations or services. The process set forth below provides a centralized means for the Board to receive and track notifications.
If a designated FMU for which the Board is the Supervisory Agency experiences a material operational incident requiring notification, the designated FMU must immediately notify the Board about the incident by email to [email protected] or telephone to (866) 364-0096.1 Email should be used as the primary means for notification, with telephone as a backup if email communication is unavailable. A designated FMU should reference Regulation HH when determining whether an incident requires notification to the Board. Notifications should contain, to the extent available, the incident date and time, location, incident type or observed activity, impacts to systems, and perceived severity of the event. A designated FMU does not need to have detailed information about the incident, such as the root cause or measures for containment or remediation, before notifying the Board. The designated FMU’s dedicated supervisory team (DST) will follow up with the designated FMU for further information regarding the incident.
If a designated FMU is in doubt as to whether it is experiencing a material operational incident that requires notification to the Board, the designated FMU is encouraged to notify the Board at the email address or telephone number listed above. In addition to the required notification to the Board, a designated FMU may contact its DST about the notification incident.
These instructions do not take the place of a designated FMU’s obligations to inform a Reserve Bank of any incidents that require notification under Operating Circular No. 5.
Footnotes
1. The Board notes that, while this email address and telephone number are identical to the ones used for banking organization incident notification under 12 CFR § 225.302 and SR Letter No. 22-4, the requirements for designated FMUs to notify the Board of material operational incidents under Regulation HH differ from those found under 12 CFR § 225.302 and SR Letter No. 22-4. The Board may identify other methods by which designated FMUs may provide notice of incidents in the future. Return to text.