OCC to Conduct Independent Audit of February Security Breach

The OCC on Tuesday notified Congress of a “major information security incident,” as required under the Federal Information Security Modernization Act. The February breach was discovered through “internal and independent third-party reviews of OCC emails and email attachments that were subject to unauthorized access,” the agency said.

“I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident,” said acting Comptroller of the Currency Rodney Hood. “There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”

Attorneys at Troutman Pepper Locke said Friday the OCC’s incident-response protocols include a third-party assessment of the breach, notification of the Cybersecurity and Infrastructure Security Agency, disabling of administrative accounts and confirmation of terminating unauthorized access. Troutman said it’s unclear “if and when the OCC plans to notify affected financial institutions.”