top of page



Taproot Security Comments on Bank Security Incident Reporting Rule

Asks OCC to incentivize fully timely notifications


Saint Paul, MN, March 30, 2021 – Taproot Security submitted a formal comment letter to the US Office of the Comptroller of Currency (OCC) recommending banks be given adequate time and confidentiality to ensure detailed, actionable notifications. The proposed rule currently mandates a report within 36 hours of an incident and doesn't offer explicit confidentiality guarantees.

"I support transparency for bank security incidents," said Taproot Security founder Mike McCormick. "But the clock should start ticking only after the bank has a chance to confirm the incident, carry out emergency response procedures, and protect its customers. Requiring notification while the organization in the midst of crisis only creates distraction and less reliable information. Regulators must also keep information strictly confidential if it's going to be detailed and actionable."


​The full text of the proposed OCC rule is here. Taproot Security comments are publicly available here .


About Taproot Security


Taproot Security is an information security consulting firm advising industry and government on cyber issues and policy. For more information, please visit




To learn more about this announcement, please contact

Michael McCormick

Founder & President

Taproot Security, LLC


- END -

bottom of page