Published Document

This document has been published in the Federal Register.


AGENCY:

The Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC).

ACTION:

Final rule.

SUMMARY:

The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary Federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

DATES:

Effective date: April 1, 2022; Compliance date: May 1, 2022.


FOR FURTHER INFORMATION CONTACT:

OCC: Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519, Charles Kaminski, Assistant Director, (202) 649-5490, or Priscilla Benner, Senior Attorney, Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219.

Board: Thomas Sullivan, Senior Associate Director, (202) 475-7656, Julia Philipp, Lead Financial Institutions Cybersecurity Policy Analyst, (202) 452-3940, Don Peterson, Senior Cybersecurity Analyst, (202) 973-5059, Systems and Operational Resiliency Policy, of the Supervision and Regulation Division; Jay Schwarz, Assistant General Counsel, (202) 452-2970, Claudia Von Pervieux, Senior Counsel (202) 452-2552, Christopher Danello, Senior Attorney, (202) 736-1960, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551, or https://www.federalreserve.gov/apps/ContactUs/feedback.aspx, and click on Staff Group, Regulations.

FDIC: Rob Drozdowski, Special Assistant to the Deputy Director, (202) 898-3971, Division of Risk Management Supervision; John Dorsel, Counsel, (202) 898-3807, or Graham Rehrig, Senior Attorney, (202) 898-3829, Legal Division.


SUPPLEMENTARY INFORMATION:

Table of Contents

I. Introduction

II. Background

A. Overview of Comments

III. Discussion of Final Rule

A. Overview of Final Rule

B. Definitions

i. Definition of Banking Organization

ii. Definition of Bank Service Provider

iii. Definition of Computer-Security Incident

iv. Definition of Notification Incident

v. Examples of Notification Incidents

C. Banking Organization Notification to Agencies

i. Timing of Notification to Agencies

ii. Method of Notification to Agencies

D. Bank Service Provider Notification to Banking Organization Customers

i. Scope of Bank Service Provider Notification

ii. Timing of Bank Service Provider Notification

iii. Bank Service Provider Notice to Customers

iv. Bank Service Provider Agreements—Contract Notice Provisions

IV. Other Rulemaking Considerations

A. Bank Service Provider Material Incidents Consideration

B. Methodology for Determining Number of Incidents Subject to the Rule

C. Voluntary Information Sharing

D. Utilizing Prompt Corrective Action Capital Classifications

E. Ability To Rescind Notification and Obtain Record of Notice

F. Single Notification Definition

G. Affiliated Banking Organizations Considerations

H. Consideration of the Number of Bank Service Providers

V. Impact Analysis

VI. Alternatives Considered

VII. Effective Date

VIII. Administrative Law Matters

A. Paperwork Reduction Act

B. Regulatory Flexibility Act

C. Riegle Community Development and Regulatory Improvement Act of 1994

D. Congressional Review Act

E. Use of Plain Language

F. Unfunded Mandates Reform Act

I. Introduction

The OCC, Board, and FDIC (together, the agencies) are issuing a final rule to require that a banking organization [1] promptly notify its primary Federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as those terms are defined in the final rule. As described in more detail below, these incidents may have many causes. Examples include a large-scale distributed denial of service attack that disrupts customer account access for an extended period of time and a computer hacking incident that disables banking operations for an extended period of time.

Under the final rule, a banking organization's primary Federal regulator must receive the notification as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. This requirement will help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic. The final rule separately requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. This separate requirement will ensure that a banking organization receives prompt notification of a computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider. This notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization's own notification requirement.

II. Background

Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as non-malicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years.[2] These cyberattacks can adversely affect banking organizations' networks, data, and systems, and ultimately their ability to resume normal operations.

Given the frequency and severity of cyberattacks on the financial services industry, the agencies believe that it is important that a banking organization's primary Federal regulator be notified as soon as possible of a significant computer-security incident [3] that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.[4] The final rule refers to these significant computer-security incidents as “notification incidents.” [5] Timely notification is critical as it would allow the agencies to (1) have early awareness of emerging threats to banking organizations and the broader financial system, (2) better assess the threat a notification incident poses to a banking organization and take appropriate actions to address the threat, (3) facilitate and approve requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP),[6] (4) provide information and guidance to banking organizations, and (5) conduct horizontal analyses to provide targeted guidance and adjust supervisory programs.

Notification under the Bank Secrecy Act [7] and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice [8] provide the agencies with awareness of certain computer-security incidents.[9] However, these standards do not include all computer-security incidents of which the agencies, as supervisors, need to be alerted and would not always result in timely notice to the agencies.

To ensure that the agencies receive timely notice of all relevant material and adverse incidents, the agencies published a notice of proposed rulemaking (NPR or proposal) to establish computer-security incident notification requirements for banking organizations and their bank service providers.[10]

The proposal would have required banking organizations to notify their primary Federal regulator within 36 hours of when they believed in good faith that a “computer-security incident” that rises to the level of a “notification incident” had occurred. As proposed, a “notification incident” was a computer-security incident that could materially disrupt, degrade, or impair the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.[11] When drafting this proposed definition, the agencies sought to align the terminology as much as possible with language used in the National Institute of Standards and Technology's (NIST) Computer Security Resource Center glossary.[12] This approach was intended to promote consistency with known cybersecurity terms and definitions and thereby reduce burden.

The proposal separately would have required a bank service provider that provides services subject to the Bank Service Company Act (BSCA) [13] to notify at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. This standard reflects the agencies' conclusion that the impact of computer-security incidents at bank service providers can flow through to their banking organization customers. The agencies also recognized, however, that a bank service provider may not be able to readily assess whether an incident rises to the level of a notification incident for an individual banking organization customer.

The notification requirement for bank service providers is key because banking organizations have become increasingly reliant on third parties to provide essential services. Such third parties can also experience computer-security incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization. Therefore, a banking organization needs to receive prompt notification of computer-security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, these services because prompt notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact and trigger its own notification requirement.

A. Overview of Comments

The agencies collectively received 35 comments from banking and financial sector entities, third-party service providers, industry groups, and various individuals.[14] This section provides an overview of the general themes raised by commenters. The comments received about the proposal are further discussed below in the sections describing the final rule, including any changes that the agencies have made to the proposal in response to comments.

General Reaction and Need for a Rule

A majority of commenters supported the proposal, agreeing that providing prompt notice of significant incidents is a crucial aspect of safety and soundness, and they supported transparent and consistent notification by bank service providers to their banking organization customers. A number of these commenters offered suggestions to clarify certain aspects of the requirements or lessen the perceived burden. Commenters also generally supported the agencies' efforts to harmonize with existing definitions and notice standards. Four commenters opposed the proposal, arguing that it would be burdensome or duplicative of existing requirements, and may impede banking organizations' and bank service providers' abilities to respond effectively to incidents.

“Computer-Security Incidents” That Can Trigger Potential Reporting

As described above, the proposal would have required reporting of certain “computer-security incidents,” defined to be consistent with the NIST definition. While several commenters supported aligning the definition with NIST's definition, most commenters asserted that the proposed definition was overly broad, should be tailored, and proposed various revisions to the proposed definition of computer-security incident. Specifically, a number of these commenters asserted that the definition should be based on actual, rather than “potential,” harm and exclude violations of a banking organization's or a bank service provider's policies and procedures.

“Notification Incidents” Required To Be Reported

As described above, notification incidents are computer-security incidents that require notification to the agencies. Most commenters contended that the proposed definition for “notification incident” was overly broad and should be narrowed or only require reporting of incidents involving actual harm.[15] Commenters stressed that any definition should include time, risk, and materiality elements, which commenters viewed as critical. In addition, commenters urged the agencies to replace the “good faith” standard with a banking organization's or a bank service provider's “determination” or a reasonable basis to conclude that an incident had occurred, to provide a more objective and concrete standard.[16]

Timeframes for Notification

The agencies received comments on the timeframes described in the proposal for banking organizations to provide notification to their regulators and for bank service providers to provide notification to their banking organization customers. These comments focused both on the amount of time provided to make the notification and the trigger that caused the time period to begin being measured. Commenters made a wide variety of suggestions, including recommendations to lengthen and shorten the periods and to provide further clarity on when they commence.

Means of Bank Service Provider Notification

Commenters raised questions regarding the requirement in the proposal that a bank service provider must notify two individuals at each affected banking organization. Notably, certain commenters raised concerns that such a requirement would override contractual notification provisions with which both bank service providers and banking organizations are comfortable.

Applicability to Financial Market Utilities

Commenters suggested that the proposal would cause unintended regulatory overlap for those financial market utilities that are designated as systemically important under Title VIII of the Dodd-Frank Act (designated FMUs) and regulated by the Securities and Exchange Commission (SEC) or Commodity Futures Trading Commission (CFTC). In addition, designated FMUs regulated by the Board are subject to Regulation HH, which includes risk-management standards.

III. Discussion of Final Rule

A. Overview of the Final Rule

In response to comments received on the NPR, the final rule reflects changes to key definitions and notice provisions applicable to both banking organizations and bank service providers. These changes include (1) narrowing the definition of computer-security incident by focusing on actual, rather than potential, harm and by removing the second prong of the proposed definition relating to violations of internal policies or procedures; (2) substituting the term “reasonably likely to” in place of “could” in the definition of notification incident; and (3) replacing the “good faith belief” notification standard with a determination standard. Modifications to the bank service provider notification provision include (1) adding a definition of “covered services” and (2) requiring that notice be provided to a bank-designated point of contact, rather than to at least two individuals at each banking organization customer. The final rule also excludes designated FMUs from the definitions of “banking organization” and “bank service provider.” [17] These changes are intended to address comments and reduce over- and unnecessary notification by both banking organizations and bank service providers.

The final rule establishes two primary requirements, which promote the safety and soundness of banking organizations and are consistent with the agencies' authorities to supervise these entities, and with their authorities pursuant to the BSCA.[18] First, the final rule requires a banking organization to notify its primary Federal regulator of a notification incident. In particular, a banking organization must notify its primary Federal regulator of any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.[19] Second, the final rule requires a bank service provider [20] to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization customer for four or more hours. Each of these provisions is discussed in more detail below.

B. Definitions

i. Definition of Banking Organization

The final rule applies to the following banking organizations:

  • For the OCC, “banking organizations” includes national banks, Federal savings associations, and Federal branches and agencies of foreign banks.
  • For the Board, “banking organizations” includes all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.
  • For the FDIC, “banking organizations” includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and covered State savings associations.

• For all three agencies, “banking organizations” does not include designated FMUs, for the reasons discussed below.[21]

With respect to the proposed definition of “banking organization,” commenters suggested that this term should include additional entities, such as financial technology firms and non-bank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms. Further, commenters argued that the agencies should consider other regulatory frameworks to which banking organizations and bank service providers may already be subject and exclude entities subject to other, similar, regulatory reporting requirements.[22] The agencies have defined the term banking organization in a manner that is consistent with the agencies' supervisory authorities.

The NPR requested comment on the scope of entities that should be included as “banking organizations” for purposes of the rule, and specifically noted that the proposed rule's definitions of “banking organizations” and “bank service providers” would include FMUs that are chartered as a State member bank or Edge corporation, or perform services subject to regulation and examination under the Bank Service Company Act.[23] [24] In that regard, the agencies asked if there were unique factors that the agencies should consider in determining how notification requirements should apply to these FMUs. In addition, the agencies asked whether notification requirements would be best delivered through the proposed rule or through amendments to the Board's Regulation HH for designated FMUs for which the Board is the Supervisory Agency under Title VIII of the Dodd-Frank Act.

In response to these requests for comment, two commenters opposed the application of the proposed rule to SEC-supervised FMUs that are designated as systemically important under Title VIII of the Dodd-Frank Act, arguing that the proposed rule would subject these designated FMUs to unintended regulatory overlap and duplicative compliance burdens. One of these commenters argued that SEC-supervised designated FMUs should be deemed to comply with the rule to the extent they comply with incident notification requirements under existing SEC regulations. Another commenter argued that applying the proposed rule to Board-supervised designated FMUs would be preferable to amending Regulation HH to include a designated FMU-specific incident notification requirement, but this commenter did not provide a detailed rationale for that position. Finally, several commenters suggested that the final rule should exempt all FMUs that qualify as a banking organization or a bank service provider, including FMUs that have not been designated as systemically important under Title VIII of the Dodd-Frank Act, from these incident notification requirements, arguing that the existing practice among FMUs is to alert supervisors directly in the case of a computer-security incident.

As noted above, the final rule excludes designated FMUs from the definitions of “banking organization” and “bank service provider.” [25] In the case of SEC- and CFTC-supervised designated FMUs, the agencies determined that excluding these designated FMUs from the final rule is appropriate because these designated FMUs are already subject to incident notification requirements in other Federal regulations.[26]

Board-supervised designated FMUs are subject to the Board's Regulation HH, which includes a set of risk-management standards that address areas such as legal risk, governance, credit and liquidity risks, and operational risk. Regulation HH requires generally that a Board-supervised designated FMU effectively identify and manage operational risk.[27] Although Regulation HH does not currently impose specific incident-notification requirements, the Board believes that it is important for designated FMUs to inform Federal Reserve supervisors of operational disruptions on a timely basis and has generally observed that practice by the designated FMUs. The Board will continue to review Regulation HH in light of designated FMUs' existing practices and could propose amendments to Regulation HH in the future to formalize its incident-notification expectations and promote consistency between requirements applicable to Board-, SEC-, and CFTC-supervised designated FMUs.

Although some commenters suggested that the final rule should exempt all FMUs that qualify as a banking organization or a bank service provider, the agencies have adopted a narrower exclusion for designated FMUs.[28] FMUs that are not designated and that otherwise meet the definition of banking organization or bank service provider are within the rule's scope. The agencies determined that excluding all FMUs from the rule would be too broad and would result in the inconsistent regulatory treatment of FMUs that are not designated relative to other bank service providers. In addition, a broad FMU exclusion could create uncertainty because there is no defined list of FMUs, other than designated FMUs.

One commenter suggested that the Board should hold Federal Reserve Bank Services to an equivalent standard as a matter of fairness and competitive equality. Given that designated FMUs are scoped out of the rule, the Federal Reserve Banks' retail payment and settlement services are the only relevant Federal Reserve Bank Services that compete with those private-sector FMUs that are subject to the final rule.[29] These retail services currently include check collection services for depository institutions and an automated clearinghouse service that enables depository institutions to send batches of debit and credit transactions. For these services, the Federal Reserve Banks follow protocols to ensure timely communication of disruptions to both depository institution customers and the Board. The Board believes these protocols are analogous to those required by this final rule. With respect to future Federal Reserve Bank Services that compete with private-sector FMUs subject to the final rule (such as the FedNow Service), the Board intends to similarly hold the Federal Reserve Banks to protocols comparable to those required by this final rule.

ii. Definition of Bank Service Provider

The agencies sought feedback on the scope of third-party services covered under the proposed rule and whether the proposed rule's definition of “bank service provider” appropriately captured the services about which banking organizations should be informed in the event of disruptions. The agencies further sought comment on whether all services covered under the BSCA should be included for purposes of the notification requirement or whether only a subset of the BSCA services should be included. The agencies also sought comment on whether only examined bank service providers should be subject to the notification requirement.

With respect to the definition of “bank service provider,” commenters expressed varied views on the scope of entities included in the definition of “bank service provider.” Some commenters argued that the definition should be revised to clarify that only service providers providing services that are subject to the BSCA would be subject to the definition, and one commenter suggested that the agencies provide a non-exclusive list of categories of bank service providers subject to the rule. Other commenters urged that bank service providers should include entities with access to bank customer information or systems, whether or not formally within the scope of the BSCA, while one commenter recommended excluding banking organization subsidiaries or affiliates. Some suggested that the agencies narrow the scope to apply only to critical service providers, bank service providers that present a higher risk, or those that provide technology services. Other commenters suggested excluding bank service providers from the rule entirely, observing that incident notification is, and should be, addressed by contracts.

The agencies agree that bank service providers providing services that are subject to the BSCA should be subject to the rule. The agencies disagree with the rest of the suggestions to change the scope of entities included in the definition of bank service provider. As previously explained, bank service providers play an increasingly important role in banking organization operations. Significant incidents affecting the services they provide have the potential to cause notification incidents for their banking organization customers. This risk is not limited to specific bank service providers, and therefore, the agencies decline to modify the scope of entities included in the definition in the manner suggested by the comments above.

Further, while the agencies agree that incident notification is generally addressed by contract, the agencies believe that this issue is important enough to warrant an independent regulatory requirement that ensures consistency and comparability, without the necessity of revising contractual provisions.

In response to comments that the agencies should clarify the scope of bank service providers that would be subject to the rule, the agencies made changes to the final rule that do so. First, the agencies added a new definition to the final rule, “covered services,” which is intended to clarify that services performed subject to the BSCA should be covered by the rule. Second, as noted above, the agencies excluded designated FMUs from the definition of “bank service provider” and from the definition of “banking organization.” [30] The final rule defines “bank service provider” as a bank service company or other person that performs covered services; provided, however, that no designated FMU shall be considered a bank service provider. “Covered services” are services performed by a “person” [31] that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867).


iii. Definition of Computer-Security Incident

In the NPR, the agencies generally incorporated the principal interpretation employed via NIST to define “computer-security incident” as an occurrence that:

  • Results in actual or potential harm to the confidentiality, integrity, or availability of einem information system or the information that the system processes, stores, or transmits; or In addition, financial institutions should understand who third parties' ownership for managing cybersecurity risk additionally incident feedback plans. Cyber ...
  • Composes a violation or imminent threat of violation of security policies, secure procedures, or decent use policies.

Although commenters generally supported the agencies' use of an existing, standard term rather than a new, and potentially inconsistent, term and definition, they suggested changes to more closely tailor the definition to the purposes of the rule. For example, many commenters recommended that the definition focus on incidents that result in actual, rather than potential, harm to an information system. Commenters were concerned that the tracking and notification of incidents that could potentially harm a banking organization would create an undue regulatory burden, possibly result in over-notification, and ignore the fact that many potential incidents can be effectively remediated. In addition, several commenters suggested deleting the second prong of the proposed definition, reasoning that violations of internal policies and procedures would be unlikely ever to result in incidents significant enough to warrant prompt notification; however, some commenters supported keeping actual violations of applicable security policies. Commenters also suggested introducing materiality thresholds or excluding non-security related outages or incidents. One commenter objected to narrowing the definition to “actual” harm and supported broadening the definition to include incidents causing “serious,” although not necessarily “imminent,” harm. Another commenter stated that the criteria for determining whether an incident rises to the level that triggers mandatory notification should be based on its impact to banking operations and the financial system, regardless of cause. The commenter stated that the definition should expressly exclude scheduled outages. The same commenter suggested that the term computer-security incident be modified to encompass both types of failures and align more closely with the NIST definition of cybersecurity incident to provide greater uniformity and clarity about what constitutes an incident and a reportable incident. Another commenter also suggested substituting the NIST term cybersecurity incident in lieu of computer-security incident. A commenter also suggested narrowing the term “incident” to exclude non-malicious data communications incidents or those that occurred outside of the regulated entity's own network.

While the agencies continue to recognize that there is value in adopting an existing, standard definition, the agencies agree that the NIST definition does not wholly align with the purposes of the rule. The agencies have therefore narrowed the final rule's definition of “computer-security incident,” as suggested by the foregoing commenters. Specifically, the final rule defines “computer-security incident” as an occurrence that results in actual harm to an information system or the information contained within it.[32] Furthermore, the agencies have removed the second prong of the proposed computer-security incident definition relating to violations of internal policies or procedures. These changes narrow the focus of the final rule to those incidents most likely to materialize and adversely affect banking organizations, while still retaining general consistency with the NIST definition.[33]

iv. Definition of Notification Incident

The NPR defined a “notification incident” as a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—

  • The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
  • Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

Commenters addressed several aspects of the proposed definition. First, multiple commenters observed that the term “could” in the phrase “could . . . disrupt, degrade, or impair” was imprecise and overbroad. Multiple commenters suggested substituting the phrase “could” with “reasonably likely to or will” materially disrupt certain business lines or operations, or “has resulted in or will result in” material disruptions to specific business lines or operations. A few commenters also suggested that “notification incident” should be narrowed even further to incidents that actually materially disrupt or degrade.[34]

The agencies also received a number of comments on the NPR's “believes in good faith” language. Several commenters expressed support for the phrase, with at least one noting that the more subjective “good faith” standard gave some flexibility to an organization that might honestly, albeit mistakenly, conclude that an occurrence did not rise to the level of a notification incident and thereby fail to provide notice.[35] Other commenters suggested that “believes in good faith” was too subjective and indicated that the final rule should substitute a clearer term, such as “determined.” [36] And one commenter suggested that the agencies change the “in good faith” belief notification standard to apply to critical, not significant, incidents.

In addition, commenters suggested that the final rule should specifically exclude from the notification requirement incidents where the impact is limited to certain types of computer systems (e.g., compromises of a bank's marketing or personnel systems) or otherwise provide specific exclusions (e.g., any incident lasting less than 48 hours), because they would be very unlikely to cause the kinds of harm that the agencies would regard as warranting notification. Another commenter suggested that the agencies include a requirement that a notification incident involve an information system controlled by, or on behalf of, a banking organization, because it would be unreasonably burdensome and potentially unrealistic for covered entities to be responsible for systems operated by third parties, whereas one commenter believed the term “notification incident” should be revised to include incidents occurring at third-party service provider information systems and the sub-contractors (fourth-party providers) of those third-party service providers that collect banking-related information. One commenter recommended that the agencies use the same definition of notification incident for bank service providers and banking organizations, whereas another commenter indicated that only “notification incidents” should be reported under the rule to ensure that high volumes of less significant or easily remediated occurrences and incidents that do not result in actual harm are not reported. In addition, one commenter stated that banking organizations should not be required to publicly disclose core business lines and critical operations to avoid inviting attacks. Another commenter supported the definition and suggested that the definition of notification incident be expanded to include events that involve infiltration of third-party systems that collect banking-related information, such as password managers or websites. Other commenters requested that the agencies clarify that non-reporting of events falling outside of the scope of the definition is permitted, and that the rule also distinguish between mandatory reporting of notification incidents and nondisruptive events that could be reported through an alternative, voluntary mechanism and timeline.

Following analysis and careful consideration of the various comments, the agencies are finalizing the definition largely as proposed, with modifications to address a number of commenters' concerns, to clarify the rule, and to make it less burdensome to administer.

The definition of “notification incident” includes language that is consistent with the “core business line” and “critical operation” definitions contained in the Resolution Planning Rule issued by the Board and FDIC under section 165(d) of the Dodd-Frank Act.[37] In particular, the second prong of the notification incident definition identifies incidents that impact core business lines, and the third prong identifies incidents that impact critical operations. Banking organizations subject to the Resolution Planning Rule may use the “core business lines” and “critical operations” identified in their resolution plans [38] to identify notification incidents under the second and third prongs of the final rule.

The final rule does not require banking organizations that are not subject to the Resolution Planning Rule to identify “core business lines” or “critical operations,” or to develop procedures to determine whether they engage in any operations, the failure or discontinuance of which would pose a threat to the financial stability of the United States. However, all banking organizations must have a sufficient understanding of their lines of business to be able to determine which business lines would, upon failure, result in a material loss of revenue, profit, or franchise value to the banking organization, so that they can meet the notification obligations.

Commenters also requested that the agencies clarify that the material loss of revenue, profit, or franchise value addressed under the second prong of the definition should be assessed on an enterprise-wide basis. The agencies agree; a banking organization should evaluate whether the loss is material to the organization as a whole.

The agencies have concluded that there is substantial benefit in receiving notification of both computer-security incidents that have materially disrupted or degraded, and incidents that are reasonably likely to materially disrupt or degrade, a banking organization. Accordingly, the agencies are not narrowing the definition of “notification incident” in the final rule to include only computer-security incidents that have resulted in a material disruption or degradation.

However, the agencies are narrowing the scope of covered computer-security incidents by substituting the term “reasonably likely to” in place of “could.” The agencies agree that the term “could” encompasses more, and more speculative, incidents than the agencies intended in promulgating the rule. Accordingly, and in keeping with commenters' suggestions, the agencies have substituted the term “reasonably likely to” in place of “could.” Under the “reasonably likely” standard, a banking organization will be required to notify its primary Federal regulator when it has suffered a computer-security incident that has a reasonable likelihood of materially disrupting or degrading the banking organization or its operations, but at the same time will not be required to make such a notification for adverse outcomes that are merely possible, or even imaginable. The “reasonably likely” standard for notification is clearer and more in line with the agencies' intentions for the rule. Finally, the agencies believe that banking organizations are well-positioned to assess the likelihood that a computer-security incident will result in the significant adverse effects described in the definition.

Some commenters also observed that the term “impair” was redundant with “disrupt” and “degrade;” that it is not a term defined by NIST; and that it should be removed. The agencies agree that the term would be redundant with “disrupt or degrade,” and have removed the term “impair” from the definition.

After considering the comments carefully, the agencies are replacing the “good faith belief” standard with a banking organization's determination. The agencies agree with commenters who criticized the proposed “believes in good faith” standard as too subjective and imprecise. Accordingly, the agencies have removed the good faith language from the definition of “notification incident” and have substituted a determination standard in the final notification requirement.

Finally, the agencies decline to exclude particular incidents or events that impact certain types of computer systems from the notification requirements. The agencies believe that the focus on the material adverse effects of a computer-security incident is a simpler and clearer way to ensure that they receive notification of the most significant computer-security incidents.

v. Examples of Notification Incidents

The NPR included a non-exhaustive list of incidents that would be considered notification incidents under the proposed rule, and the agencies requested comment on specific examples of computer-security incidents that should or should not constitute notification incidents. The agencies received a few general comments about the list of incidents.

One commenter suggested that the agencies include additional details in the illustrative examples that would identify the types of information systems that would not require incident notification, and another suggested more broadly that the final rule include illustrative examples of all incidents that would and would not be subject to the final rule. The agencies believe that the criteria set forth in the notification incident definition make clear that the focus of the rule is on incidents that materially and adversely impact a banking organization rather than on specific types of information systems. The agencies recognize that many banking organizations manage computer-security incidents every day that would not require notification under the final rule and have focused on illustrative examples of the kinds of circumstances that will require notification.

One commenter suggested that the example discussing a ransom malware attack that encrypts a banking organization's core system is “duplicative of various federal and state breach notification laws.” The agencies continue to conclude that any incident of ransom malware that disrupts a banking organization's ability to carry out banking operations meets the definition of a notification incident and, as such, have retained this example, notwithstanding any potential overlap between the final rule and other Federal and state requirements for incident disclosure.[39]

Another commenter suggested that certain of the examples provided were “inconsistent with” the definition of computer-security incident, because incidents such as failed system upgrades or unrecoverable system failures are not technically computer-security incidents. The agencies disagree with this comment and believe that the commenter is reading the definition of computer-security incident too narrowly, as focused only on malicious incidents.

The agencies believe the examples in the proposed rule provide an appropriate focus on the critical aspects of the types of incidents that banking organizations should consider reporting promptly. Having received only general comments and no specific additional examples of notification incidents that should be included in the list, the agencies are retaining the illustrative examples provided in the NPR with only minor edits.[40]

The following is a non-exhaustive list of incidents that generally would be considered “notification incidents” under the final rule:

1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);

2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;

3. A failed system upgrade or change that results in widespread user outages for customers and banking organization employees;

4. An unrecoverable system failure that results in activation of a banking organization's business continuity or disaster recovery plan;

5. A computer hacking incident that disables banking operations for an extended period of time;

6. Malware on a banking organization's network that poses an imminent threat to the banking organization's core business lines or critical operations, or that requires the banking organization to disengage any compromised products or information systems that support the banking organization's core business lines or critical operations from internet-based network connections; and

7. A ransom malware attack that encrypts a core banking system or backup data.

While the agencies have included these illustrative examples to help clarify the scope of notification incidents, the final rule requires banking organizations to consider, on a case-by-case basis, whether any significant computer-security incidents they experience constitute notification incidents for purposes of notifying the appropriate agency. If a banking organization is in doubt as to whether it is experiencing a notification incident for purposes of notifying its primary Federal regulator, the agencies encourage it to contact its regulator. The agencies recognize that a banking organization may file a notification, from time to time, upon a mistaken determination that a notification incident has occurred, and the agencies generally do not expect to take supervisory action in such cases.

C. Banking Organization Notification to Agencies

i. Timing of Notification to Agencies

The proposed rule would have required banking organizations to provide the mandated notification to the agencies as soon as possible and no later than 36 hours. The agencies asked whether this timeframe should be modified, and if so, how.

One commenter suggested that the agencies eliminate the “as soon as possible” requirement and simply require notification within 36 hours, which would eliminate an apparent tension between the permission for an organization to take a reasonable amount of time to determine that it has experienced a notification incident and the requirement for immediate reporting. Some commenters supported the 36-hour timeframe as a fair balance between the potential burden on institutions and the agencies' need for prompt notification.[41] However, other commenters expressed concern, viewing the 36-hour timeframe as too short to allow a banking organization to fully understand a computer-security incident and to provide a complete assessment of the situation. Commenters noted that the 36-hour timeframe is only workable when it commences once a banking organization determines that a notification incident has occurred. In this regard, two commenters requested that the agencies expressly articulate in the final rule the explanation included in the NPR that the 36-hour timing commences at the point when a banking organization has determined that a notification incident has occurred. Several commenters recommended that the agencies consider a 72-hour timeframe to provide banking organizations with additional time to assess potential incidents and to align the proposed rule with other regulatory requirements such as the New York State Department of Financial Services' (NYDFS) cybersecurity event notification requirement,[42] or the European Union's General Data Protection Regulation (GDPR),[43] both of which require covered entities to report relevant cyber-related intrusions within 72 hours.[44] A few commenters suggested that the notification timeframe should be increased to 48 hours, with one suggesting that the timeline align with business day processing, and another observing that community banks “need that extra 12 hours to evaluate the situation and implement an applicable incident response plan.” One commenter suggested that the notification timeframe be extended to a minimum of five business days for banks under $20 billion in assets in order to “provide banks adequate time to work with vendors and their core processors to provide accurate notifications.” Another commenter asserted that, “for a 36-hour notification timeframe to be potentially workable and achievable, it is indispensable that the scope of the notification requirement be tailored.”

The agencies continue to believe that 36 hours is the appropriate timeframe, given the simplicity of the notification requirement and the severity of incidents captured by the definition of “notification incident.” [45] In developing the NPR and final rule, the agencies reviewed a number of existing security incident reporting requirements cited by the commenters and found that many of them involved detailed, prescriptive reporting requirements, often mandating that specific information be reported and including filing instructions. For example, the NYDFS rule requires that covered entities submit an annual certification confirming their compliance with the rule and keep all documents supporting their certification for five years, among other things. In contrast, the final rule sets forth no specific content or form for the simple notice it requires. The final rule is designed to ensure that the appropriate agency receives timely notice of significant emerging incidents, while providing flexibility to the banking organization to determine the details of the notification. Such a limited notification requirement will alert the agencies to these incidents without unduly burdening banking organizations with detailed reporting requirements, especially when certain details may not yet be known to the banking organization.

In addition, the changes to the definitions of “computer-security incident” and “notification incident” described above narrow the range, and lessen the speculative or uncertain nature, of incidents subject to the notification requirement.

The narrowed scope of notification incidents, however, makes it even more critical for the agencies to receive notice as soon as possible. Additionally, the agencies recognize that a banking organization may be working expeditiously to resolve the notification incident—either directly or through a bank service provider—at the time it would be expected to inform its primary Federal regulator. The agencies believe, however, that 36 hours is a reasonable amount of time after a banking organization has determined that a notification incident has occurred to notify its primary Federal regulator, as the notice does not require an assessment or analysis.

The agencies do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident. Rather, the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. For example, some computer-security incidents may occur outside of normal business hours. Only once a banking organization has made such a determination would the 36-hour timeframe commence.

Accordingly, the agencies have determined that the final rule will retain the requirement that banking organizations provide notice as soon as possible and no later than 36 hours. The agencies note, however, that even within the 36-hour notification window, banking organizations' notification practices should take into account their criticality to the sector in which they operate and provide services. An effective practice of banking organizations that provide sector-critical services is to provide same-day notification to their primary Federal regulator of a notification incident. The agencies encourage this practice to continue among these banking organizations.

ii. Method of Notification to Agencies

The proposed rule would have required a banking organization to notify the appropriate agency of a notification incident through any form of written or oral communication, including through any technological means, to a designated point of contact identified by the agency.

The agencies requested comment on how banking organizations should provide notifications to the agencies and sought comment on whether they should “adopt a process of joint notification” where multiple banking organization affiliates have differing notification obligations. Further, the agencies requested comment on how such a joint notification should be done and why.

A substantial number of commenters responded to various aspects of these questions. While specific suggestions varied, a consistent theme was a request for efficient and flexible options for providing notice, with some commenters observing that a notification incident could also affect normal communication channels. Other commenters made suggestions to improve notification efficiency, such as the use of automated electronic notifications. Two commenters suggested that, consistent with the agencies' statement in the NPR, the rule should unequivocally state that no specific information is required and that the rule does not prescribe any particular reporting form.

The agencies have concluded that email and telephone are the best methods currently available for effective notice. Recognizing, however, that agency processes may evolve and technology will likely change (and improve) available communication options over time, the agencies have also built flexibility into the final rule by stating that the agencies may prescribe other similar methods through which notice may be provided. The agencies believe that this approach balances the need for banking organizations to have some flexibility, including if a communication channel is impacted by the incident, with the agencies' need to ensure that they actually receive the notifications.

The agencies also sought comment on whether centralized points of contact, regional offices, or banking organization-specific supervisory teams would be better suited to receive these notices. The comments from banking organizations and bank service providers differed on this issue.

Some banking organizations suggested that the process should remain “flexible” and that the rule should provide that the notification requirement could be “satisfied by any of several methods,” including providing the notification to the banking organization's on-site or supervisory teams, relevant regional offices, or an agency-designated point of contact. Other commenters, including bank service providers, suggested creating a joint notification process, or a centralized portal or point of contact for all agencies to receive all such notifications directly. The agencies believe that the provision of notice can often be efficiently and effectively achieved by communicating with the appropriate agency supervisory office or other designated agency contacts, which may include designated supervisory staff, call centers, incident response teams, and other contacts to be designated by the respective agency.

The agencies also received some comments requesting further instruction and guidance on the type and manner of the required notifications. Several other commenters requested supplemental guidance on what a notification must contain and the scope of information that must be provided, and some requested certain specific exclusions.

The notification requirement is intended to serve as an early warning to a banking organization's primary Federal regulator about a notification incident. The agencies anticipate that banking organizations would share general information about what is known at the time of the notification. No specific information is required in the notification other than that a notification incident has occurred. The final rule does not prescribe any form or template. A simple notice can be provided to the appropriate agency supervisory office, or other designated point of contact, through email, telephone, or other similar method that the agency may prescribe. The notifications, and any information related to the incident, would be subject to the agencies' confidentiality rules.[46]

Accordingly, the agencies revised the NPR language. The final rule provides that a banking organization would notify the appropriate agency-designated point of contact through email, telephone, or other similar methods that the agency may prescribe.

D. Bank Service Provider Notification to Banking Organization Customers

i. Scope of Bank Service Provider Notification

Commenters generally supported the idea of notifying only affected customers, although some commenters suggested that all banking organization customers should be notified.[47] One commenter specifically proposed that bank service provider notifications should only go to banking organizations that are “directly impacted by the incident when a bank service provider has made a determination that the incident will or is reasonably likely to materially impact the services provided to the banking organization.” The agencies agree with the “materiality” aspect of this comment and the focus on “reasonably likely” impacts. Accordingly, the agencies are revising the final rule to include the phrase “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade.” This change is also responsive to comments that requested the agencies further harmonize the bank service provider notification requirement with the banking organization notification requirement.

The final rule does not require a bank service provider to assess whether the incident rises to the level of a notification incident for a banking organization customer; that remains the responsibility of the banking organization. The agencies anticipate that bank service providers would make a best effort to share general information about what is known at the time. If, after receiving notice from a bank service provider, the banking organization determines that a notification incident has occurred, the banking organization is required to notify its primary Federal regulator in accordance with this final rule. The agencies generally will not cite a banking organization because a bank service provider fails to comply with its notification requirement.

Other commenters described the potential for confusion that could ensue if a bank service provider were to notify all customers when only some of them were affected by the computer-security incident. They advised that such an overly broad notification to all customers could “cause the banking organization customers and the bank service provider to respond to questions and concerns from banking organization customers [who were] not affected by the computer-security incident.” The agencies agree with these commenters and are retaining in the final rule the requirement that notice be provided only to “each affected banking organization customer.”

Another commenter noted that the final rule needs to account for the distinction between cloud-based services and on-premises services and for a shared-responsibility service delivery model. Under the final rule, the agencies would require bank service providers to continue to provide a banking organization customer with prompt notification of material incidents regardless of current contract language and irrespective of the chosen service delivery model. Even under a shared service model, a bank service provider will still need to provide notice to banking organization customers if the bank service provider has determined it has experienced a computer-security incident that has materially disrupted or degraded, or is likely to materially disrupt or degrade, covered services provided to the banking organization customer for four or more hours. Considering the grounds for the rule, the agencies believe this is a reasonable requirement and are adopting it in the final rule.

Whether the covered services are being provided through a software-as-a-service (SaaS) arrangement, or through some other service delivery method, a bank service provider must provide notification to banking organizations in accordance with the standard in the final rule. The banking organization must then independently determine whether a notification incident has occurred.

Finally, in response to concerns expressed by commenters, the agencies are revising the final rule to specifically exclude scheduled maintenance, testing, or software updates previously communicated to a banking organization customer. This new exception should reduce over- and unnecessary notification. If, however, the scheduled maintenance, testing, or software update exceeds the parameters communicated to the banking organization customer and meets the notification standard set forth in the rule, this exception does not apply.

ii. Timing of Bank Service Provider Notification

Several commenters favored immediate notification. Others were concerned that immediate notification may result in over- and incorrect notification. For example, some commenters objected to the requirement that a bank service provider must “immediately” notify affected banking organizations [48] and recommended that the notification occur “as soon as practicable,” within the first four hours of the occurrence of a computer-security incident, or in a “timely” manner (or a similar standard) after a service disruption, to eliminate over-reporting and provide time for bank service providers to assess the severity of an incident.[49] One commenter noted that the immediate notification standard may be appropriate but only after a bank service provider determines that a notification incident has occurred, while other commenters stated that immediate notification was appropriate. Another commenter expressed concern that immediate notice may leave no time lapse “between when a computer-security incident occurred and when notification has to happen.” While expressing similar sentiments, some commenters suggested inserting the terms “timely,” or “promptly” and “without undue delay,” in place of the “immediate” requirement. Another commenter suggested that different reporting obligations should be permitted contingent upon the location of the incident (on-premises systems vs. cloud services). The same commenter suggested modifying the “good faith” standard to instead require “prompt” notification where a bank service provider obtains actual knowledge of an incident that impacts services for more than four hours.

Other commenters drew distinctions between security incidents and service disruptions. One commenter observed that “[u]nlike a `computer-security incident' which takes time to identify and evaluate, a disruption in service is immediately apparent and bank service providers can immediately notify banking organizations of the disruption in service.” For similar reasons, another commenter suggested bifurcating service provider notifications: “one immediate notice timeline if the incident affects the security of the banking organization's systems and a second, longer time period for disruption.”

In response to these comments, the agencies are revising the rule to provide that a bank service provider must notify affected banking organization customers “as soon as possible” when it “determines” it has experienced an incident that meets the standard in the rule. Use of the term “determines” allows the bank service provider time to examine the nature of the incident and assess the materiality of the disruption or degradation of covered services. Additionally, the “four or more hours” trigger should reduce notifications regarding less material incidents. Once the bank service provider has made this determination, it must provide notice “as soon as possible.”

Some commenters recommended modifying the proposed rule to “allow for service providers to meet their notification requirements by providing notification to their bank customers consistent with any requirements and by any methods set forth in their contract with that customer, so long as the method reasonably ensures that the banking organization receives the notification.” While the agencies believe it is reasonable to expect that making notification to customers following a determination that a material incident has occurred should be consistent with many existing contractual provisions, the agencies conclude that an independent regulatory requirement is appropriate to ensure that banking organizations receive consistent and timely notification of the most significant computer-security incidents affecting covered services.

Other commenters suggested that a 36- or 72-hour notification timeframe would be reasonable. For the reasons expressed above, the agencies disagree that bank service providers could (or should) wait this long to alert banking organization customers about a material disruption or degradation in covered services. Accordingly, the final rule requires bank service providers to provide notification as soon as possible when the bank service provider has determined it has experienced a notification incident.

iii. Bank Service Provider Notice to Customers

Some commenters stated that the requirement in the proposal to notify two individuals at each affected banking organization of an incident was appropriate. One commenter suggested that a third notification be sent to a banking organization's general email or telephone number. Several commenters recommended the agencies allow notification to general channels accessible by multiple employees at affected banking organizations, and one commenter suggested that “significant” bank service providers should directly notify the agencies. Other commenters asserted that requiring bank service providers to notify two contacts at each banking organization customer would be overly prescriptive and burdensome.[50] Instead, these commenters recommended that bank service providers should work with their banking organizations to designate a central point of contact, but bank service providers should not be required to ensure that a contact at the banking organization receives the notification.[51]

Regarding existing provisions in contracts, a commenter contended that “contractual provisions with bank service providers commonly provide specific notice methods and generally provide notice to two or more banking organization employees.” This is consistent with the agencies' understanding of existing agreements based on their broad-based review of bank service provider agreements, which is reflected in the design of the proposed regulation.

As an alternative to the approach in the proposed rule, a couple of commenters suggested that the rule should “instead focus on outcomes—ensuring that the appropriate individuals or entities at banking organizations receive timely notice.” One commenter suggested that “banking organizations should have a central point of contact that would be accessible by more than one person to ensure that notifications to the banking organization are timely received and acted upon.” This approach was echoed by another banking industry commenter, who suggested that “notification through a medium or channel which is accessed by and available to multiple banking organization employees” should be allowed to satisfy the NPR's notification requirement. Some commenters suggested using automated notifications or centralized notification portals to streamline the notification process.

After consideration of the comments, the agencies are revising the final rule to keep the notification process simpler and flexible. Rather than requiring bank service providers to notify two individuals at each affected banking organization customer, which might not be practical for every banking organization or bank service provider, the final rule requires bank service providers to notify “at least one bank-designated point of contact at each affected banking organization customer.” The final rule states that a bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.

The agencies determined that effective notification will be best achieved if banking organizations and bank service providers work together to designate a means of notification that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner. The final rule also provides flexibility for banking organizations and bank service providers to determine the appropriate designated point of contact, and if a banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer (CEO) and Chief Information Officer (CIO) of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.

iv. Bank Service Provider Agreements—Contract Notice Provisions

Several commenters observed that contracts between banking organizations and bank service providers routinely include incident notification provisions.[52] But other commenters noted that current contractual provisions may not align with the proposed rule's notification requirement and, as such, would need to be amended or revised, which may take time to complete.

Commenters generally indicated that while contracts between banking organizations and bank service providers already have negotiated notice provisions, such contracts would need to be modified to ensure compliance with the rule. In that regard, commenters expressed the view that the proposed rule should be revised to allow bank service providers to satisfy their notification requirement by providing notification to their banking organization customer consistent with any requirements and by whatever methods are set forth in their contract with that customer, so long as the method reasonably ensures that the banking organization customer receives the notice. Facilitating compliance with the rule in this manner would spare banking organizations from having to incur the costs of amending existing contracts. Other commenters expressed perceived challenges with renegotiating contracts to comply with the rule, and commenters stated that they should not be faulted for a bank service provider's failure to notify. One commenter expressed concern that community banks may hold little power in these negotiations and recommended extending the compliance date of the rule for community banks. Relatedly, a commenter argued that while FMUs are required to provide mandated notices to their banking organization customers, the rule should require banking organization customers to identify and update their contacts for mandated notices to their bank service providers, rather than placing the burden on bank service providers to request and seek updates for these contacts. Commenters also urged the agencies to accept the notification methods specified in these contracts and clarify contract expectations. A few commenters requested that the agencies provide specific contract expectations and consider conducting a review of contracts to confirm the notice provisions were sufficient.

The agencies believe many contracts already address similar notices to banking organizations. Generally, current bank service provider agreements that support operations that are critical to a banking organization customer require notification to the customer as soon as possible in the event of a material incident during the normal course of business. If such notification provisions meet the requirements of the final rule, then notification under the contractual provisions will satisfy a bank service provider's obligation under the rule as well. The agencies note that existing notification procedures could include some redundancy with the final rule. However, the agencies are requiring notice in the final rule to ensure that a notification takes place in the event of a material computer-security incident. As a result, the agencies are not incorporating these recommendations. The agencies also note that the notification requirement created by this regulation is independent of any contractual provisions, and therefore, bank service providers must comply even where their contractual obligations differ from the notification requirement in this rule. The agencies anticipate that banking organizations and bank service providers will work collaboratively to designate a method of communication that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner, in furtherance of complying with the rule.

This final rule is not expected to add significant burden on bank service providers. The agencies' experience with conducting bank service provider contract reviews during examinations indicates that many of these agreements include incident-reporting provisions. The agencies also observe that effective automated systems for notification are currently available.

In addition, for banking organizations that have not already designated individuals to be notified under contractual obligations, the agencies do not believe that requiring bank service providers to notify banking organization CEOs and CIOs would create significant burden. In these circumstances, the agencies believe that bank service providers can easily obtain contact information for banking organization CEOs and CIOs.

IV. Other Rulemaking Considerations

In the NPR, the agencies sought feedback on a number of related topics, which are addressed separately in the sections that follow.

A. Bank Service Provider Burden Considerations

The agencies requested comment about the potential burden the rule would impose on small bank service providers and about circumstances in which a banking organization customer would not already be aware of a material disruption in services when it was notified. There were limited comments on this question.

A few commenters noted that banking organizations are often contacted by their customers shortly after an incident or service outage occurs. Despite advance knowledge or awareness of potential service outages or limitations, banking organizations should still be notified of material incidents by their bank service providers.

Merely identifying the existence of an outage or service interruption would not help banking organization customers understand the extent of such an outage or service interruption. Receiving notification from a bank service provider would enable a banking organization customer to evaluate the effects of the computer-security incident on its operations to determine whether it is experiencing a notification incident. If a banking organization is experiencing a notification incident and notifies its primary Federal regulator, the regulator will be able to evaluate and assist, as appropriate.

B. Methodology for Determining Number of Incidents Subject to the Regulation

The agencies invited comment on the methodology used to estimate the number of notification incidents that may be subject to the final rule each year. Several commenters provided general comments suggesting the agencies may have underestimated the burden associated with the proposed rule; however, only one trade organization commenter provided specific observations on the methodology used to estimate the number of incidents subject to the rule. This commenter suggested that the agencies should “seek additional comments on the estimated costs and benefits of the proposed rule.”

The agencies also received comments related to the costs associated with complying with this rule. A commenter asserted, without further detail, that the proposed costs of compliance were underestimated. This commenter suggested that the agencies collect more information and data to adequately assess the regulatory impact of the proposal. Regarding the estimate of the number of notification incidents per year that would be filed under the proposed rule, one commenter suggested the agencies already have this information. Another commenter asserted that the rule would result in meaningful costs in standing up internal processes and procedures to comply with a new Federal regulatory mandate, resulting in ongoing cost and burden.

The agencies have addressed the costs of this rule in the Impact Analysis section below. Moreover, the methodology used to determine the number of incidents subject to the rule reflects the agencies' experience that computer-security incidents that rise to the level of notification incidents are rare. The agencies also believe that the final rule largely formalizes a process that already exists, reflecting the collaborative and open communication that exists between banking organizations and the agencies.

As discussed in more detail in the Impact Analysis section, the agencies reviewed available supervisory data and a subset of Suspicious Activity Report (SAR) data involving cyber incidents targeting banking organizations to develop an estimate of the number of notification incidents that may occur annually. The agencies specifically recognized that an analysis of SAR filings would not capture the full scope of incidents addressed by this rule. However, the agencies also considered supervisory data, which includes the voluntary notifications banking organizations already provide, to inform their estimate of the frequency of notification incidents. Based on this assessment, the agencies continue to believe that the estimate of 150 notification incidents per year set forth in the Impact Analysis is reasonable. The agencies are not seeking additional comments on the estimated costs and benefits of the rule.

C. Voluntary Information Sharing

One commenter proposed that the agencies should acknowledge the importance of voluntary information sharing within an “expanding notice schema,” and build upon voluntary disclosures for non-disruptive events. Another suggested the rule should “distinguish between existing, voluntary information-sharing between banking organizations” and the final rule's required incident notification disclosures.

The focus and purpose of this final rule is to ensure that the agencies receive prompt notice of notification incidents, which the agencies have defined to include only the most significant incidents affecting banking organizations. The final rule does not solicit notifications on non-disruptive events and does not affect or prevent traditional supervisory information sharing. However, the agencies confirm that voluntary information sharing is critically important and encourage banking organizations and bank service providers to continue sharing information about incidents not covered by this rule.

D. Utilizing Prompt Corrective Action Capital Classifications

One commenter suggested incorporating “existing terms and definitions of discrete, rare, disruptive events” such as “Prompt Corrective Action (PCA) capital category designations, or an invocation of Sheltered Harbor protocols.” [53] The agencies decline to follow this recommendation. The agencies have used definitions in the final rule that are broadly consistent with NIST terminology, which is widely used across various industry segments.

E. Ability To Rescind Notification and Obtain Record of Notice

The agencies received various comments concerning the agencies' collection and use of notification incident information from banking organizations. One commenter urged the agencies to develop procedures, subject to notice and comment, that would be followed upon receipt of a banking organization's incident notification information and any subsequently gathered information related to the incident. Commenters also urged the agencies to clarify information sharing practices and protocols relating to notification incident reports, expressing concerns about confidentiality and data protection. One commenter proposed that notification incident reports should be shared with banking organization-specific supervisory teams. Commenters stated that any information submitted should be subject to the agencies' confidentiality rules and that the agencies should explain how the information would be protected.

One commenter suggested the agencies establish a “mechanism to rescind” notifications in situations where “initial determinations overestimate[d] the severity or significance of an event.” No formal rescission mechanism is required. The agencies recognize that a banking organization or bank service provider may provide notice, from time to time, on a mistaken determination that such notice is necessary. A banking organization or bank service provider may update its original notification if it later determines that its initial assessment was incorrect or overcautious.

Other commenters discussed the need to obtain or retain copies of the notifications for recordkeeping purposes. The rule does not impact any recordkeeping requirements.

Another commenter suggested the agencies should indicate how information that the agencies obtain under this rule will remain protected and confidential. Additionally, they requested confirmation that the information provided would be considered exempt from Freedom of Information Act (FOIA) requests. As the agencies noted in the proposal, the notification, and any information provided by a banking organization related to the incident, would be subject to the agencies' confidentiality rules, which provide protections for confidential, proprietary, examination/supervisory, and sensitive personally identifiable information.[54] However, the agencies must respond to individual FOIA requests on a case-by-case basis.

F. Single Notification Definition

One commenter proposed that the agencies implement only a “single definition for a notification incident that applies to both bank service providers and banking organizations.” The agencies believe that this would be impracticable; the two notification requirements serve different purposes. Accordingly, the agencies declined to implement a single definition. However, the agencies have sought to harmonize the two notification standards where feasible.

G. Affiliated Banking Organizations Considerations

The final rule provides that affiliated banking organizations each have separate and independent notification obligations. Each banking organization needs to make an assessment of whether it has suffered a notification incident about which it must notify its primary Federal regulator. Subsidiaries of banking organizations that are not themselves banking organizations do not have notification requirements under this final rule. If a computer-security incident were to occur at a non-banking organization subsidiary of a banking organization, the parent banking organization would need to assess whether the incident was a notification incident for it, and if so, it would be required to notify its primary Federal regulator.

H. Consideration of the Count of Bank Service Providers

Some commenters suggested the agencies underestimated the impact of the NPR on bank service providers. As noted in the NPR, the agencies do not know the precise number of bank service providers that will be affected by the final rule's notification requirement. However, the agencies broadly assumed the entire population of bank service providers who have self-selected the North American Industry Classification System (NAICS) industry “Computer System Design and Related Services” (NAICS industry code 5415) as their primary business activity to be the estimated number of bank service providers. It seems unlikely that all such code 5415-designated companies are bank service providers. Even though there may be some bank service providers that do not self-identify under NAICS code 5415, the agencies believe the number of incidents involving bank service providers will be generally consistent with the NPR findings. The agencies recognize that these bank service providers will be impacted by the final rule.

V. Impact Analysis

Covered banking organizations under the final rule include all depository institutions, holding companies, and certain other financial entities that are supervised by one or more of the agencies. According to recent Call Report and other data, the agencies supervise approximately 5,000 depository institutions along with a number of holding companies and other financial business entities that are covered under the final rule.[55]

In addition, the final rule requires bank service providers to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. This requirement would enable a banking organization to promptly respond to an incident, determine whether it must notify its primary Federal regulator that a notification incident has occurred, and take other appropriate measures related to the incident.

Benefits

The agencies believe that prompt notification of reportable incidents is likely to provide the following benefits to banking organizations and the financial industry as a whole. Notification might help the relevant agencies determine whether the incident is isolated or is one of many similar incidents at multiple banking organizations. If the notification incident is isolated to a single banking organization, the primary Federal regulator may be able to facilitate requests for assistance on behalf of the affected organization to minimize the impact of the incident. This benefit may be greater for smaller banking organizations with more limited resources. If the notification incident is one of many similar incidents occurring at multiple banking organizations, the agencies may also alert other banking organizations of the threat, recommend steps to better manage or prevent the recurrence of similar incidents, or otherwise help coordinate incident response.

The prompt notification of incidents could also enable Federal regulators to respond faster to potential liquidity events that may result from such incidents. If a notification incident prevents banking organizations from fulfilling business responsibilities in a timely manner, it might reduce confidence in the banking organization or precipitate the rapid withdrawal of demand deposits or short-term financing from such organizations.[56 57] The agencies believe that a swifter regulatory response could mitigate, or entirely prevent, these adverse market actions, thereby enhancing the resilience of the banking system against notification incidents.

Receiving information on notification incidents at multiple banking organizations would also enable regulators to conduct empirical analyses to improve related guidance, adjust supervisory programs to enhance resilience against such incidents, and provide information to the industry to help banking organizations reduce the risk of future computer-security incidents.

The agencies do not have sufficient information available to quantify the potential benefits of the final rule because the benefits depend on the likelihood, breadth, and severity of future notification incidents, and the specifics of those incidents, among other things. These data limitations notwithstanding, and considering that banking organizations face a heightened risk of disruptive and destructive attacks, which have been increasing in frequency and severity in recent years, the agencies expect that the final rule would have clear prudential benefits.

Costs

The final rule requires banking organizations to report to their primary Federal regulator as soon as possible, and no later than 36 hours, after a banking organization has determined that a notification incident has occurred. The agencies reviewed available supervisory data and SARs involving cyber events against banking organizations in 2019 and 2020 to estimate the number of notification incidents expected to be reported annually. This calculation relied on description criteria (e.g., ransomware, wiper, zero day, etc.) that can be indicative of the type of material computer-security incident that would meet the notification incident reporting threshold. Based on this review, the agencies estimate that approximately 150 notification incidents occurred annually,[58] but acknowledge that the number of such incidents could increase in the future. Comments received by the agencies on the NPR did not provide more precise estimates or propose a different forecast methodology. Therefore, the agencies continue to use the same methodology.

The agencies believe that the regulatory burden associated with the notification requirement would be small since the majority of communications associated with the determination of a notification incident would occur irrespective of the final rule.[59] In particular, the agencies estimate that, in the event of a notification incident, an affected banking organization may incur up to three hours of labor cost to coordinate internal communications, confer with its bank service provider, if appropriate, and notify the banking organization's primary Federal regulator. This process may include discussion of the incident among staff of the banking organization, such as the Chief Information Officer, Chief Information Security Officer, or senior legal or compliance personnel; staff of a bank service provider, as appropriate; and liaison with senior management of the banking organization.

The final rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. The agencies do not have data on the exact number of affected bank service providers nor the frequency of incidents that would require bank service providers to notify their banking organization customers. However, as described in the NPR, the agencies believe that, in the event of an incident, the affected bank service provider may incur up to three hours of labor cost to coordinate internal communications and notify its affected banking organization customers. Commenters did not provide other estimates, and the agencies believe that the additional compliance costs would be small for individual affected bank service providers.[60] Post-notification costs, such as providing technical support to affected banking organization customers while managing and resolving the impact of the computer-security incident, are beyond the scope of the notification requirement.

Overall, the agencies expect the benefits of the final rule to outweigh its small costs.

Response to Comments on Impact Analysis

The agencies received comments asserting that some banking organizations and bank service providers may need to rework their contracts in order to implement the final rule. Furthermore, some bank service providers could incur expense to adjust internal processes and procedures to comply with the final rule. The agencies believe that these expenditures are likely to be small, short-lived, and involve only a small number of covered entities.

Other comments received in response to the proposed rule suggested that the proposed rule's definitions might result in more notifications than estimated in the proposed rule. The final rule narrows the notification requirements, as discussed above.

VI. Alternatives Considered

The agencies are adopting these computer-security incident notification requirements after considering comments received on the NPR and evaluating alternative options for notification requirements. The agencies considered a number of alternative approaches, including leaving the current regulations unchanged and establishing a voluntary notification framework as suggested by one commenter. The agencies concluded that these suggestions would not have achieved the objectives of the rule. However, the agencies refined the criteria for notification to focus attention on the most significant incidents and appropriately minimize regulatory burden.

Additionally, the agencies considered defining the notification requirement for bank service providers even more narrowly, as proposed by some commenters. However, the agencies ultimately determined that the notification requirement in this rule is appropriate due to the increasingly significant role that bank service providers play in the banking industry.

VII. Effective Date

The agencies have provided an effective date of April 1, 2022, and a compliance date of May 1, 2022, in response to commenters that recommended that the agencies provide additional time to implement the rule.

VIII. Administrative Law Matters

A. Paperwork Reduction Act

Certain provisions of the final rule contain “collections of information” within the meaning of the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501-3521). In accordance with the requirements of the PRA, the agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The agencies have requested and OMB has assigned to the agencies the corresponding control numbers shown. The information collection contained in the final rule has been submitted to OMB for review and approval by the OCC and FDIC under section 3507(d) of the PRA (44 U.S.C. 3507(d)) and section 1320.11 of OMB's implementing regulations (5 CFR part 1320). The Board reviewed the final rule under the authority delegated to the Board by OMB, and has approved these collections of information.

The final rule contains a reporting requirement so is issue to the PRAY. Aforementioned reporting requirement is found in §§ 53.3 (OCC), 225.302 (Board), and 304.23 (FDIC) of the finishing rule. A banking management is required to notify its primary Federal bank regulatory agency of of occurrence of a “notification incident” at an banking organization (§§ 53.3 (OCC), 225.302 (Board), also 304.23 (FDIC)).

The ultimate rule also contains an disclosure requirement that is subject to the PRA. Of disclosure requirement is found in §§ 53.4 (OCC), 225.303 (Board), and 304.24 (FDIC), which requires ampere bank service provider to notify at least one bank-designated point of contact at each affects banking organization customer for soon than possible when the bank service provider determines the it has experienced a computer-security incoming that has substantially disrupted or degraded, or is reasonably likely until materially disrupt or degrade, covered services provided to such banking organization for four or more clock.

The agencies received one PRA-related comment, whatever agreed that creative is information own practical utility.

The offices have a continuing interest in the public's my of information collections. At optional zeitlich, commenters may submit comments regarding the overloading estimate, or some other aspect of this collection of information, including suggestions for reducing the burden, to the add listed in the ADDRESSES screen in the NPR. All site will become a matter of public register. AN duplicate of the comments can also is submitted until the OMB desk executive for the agencies: By mail to U.S. Office by Management and Budget, 725 17th Lane NORTHWESTWARD, #10235, Washington, DC 20503; by document to (202) 395-5806; or by email toward: , Attention, Federal Working Agency Desk Officer.

Information Collection

Title of Information Collection: Computer-Security Incident Notification.

OMB Control Numbers: OCC 1557-0350; Board 7100-NEW; FDIC 3064-0214.

Frequency of Response: On occasion; event-generated.[61]

Affected Public: Businesses or other for-profit.

Respondents:

OCC: National banks, Federal savings associations, Federal branches and agencies, and bank service providers.

Board: All state member banks (as defined in 12 CFR 208.2(g)), bank holding companies (as defined in 12 U.S.C. 1841), savings and loan holding companies (as defined in 12 U.S.C. 1467a), foreign banking organizations (as defined in 12 CFR 211.21(o)), foreign banks that do not operate an insured branch, federal branch or state agency of a foreign bank (as defined in 12 U.S.C. 3101(b)(11) and (12)), Edge or agreement corporations (as defined in 12 CFR 211.1(c)(2) and (3)), and bank service providers.

FDIC: All insured state nonmember banks, insured state-licensed branches of foreign banks, insured State savings associations, and bank service providers.

Number of Respondents:[62]

OCC: Reporting—22; Disclosure—802.

FDIC: Reporting—96; Disclosure—802.

Board: Reporting—32; Disclosure—802.

Estimated Hours per Response:

Reporting—Sections 53.3 (OCC), 225.302 (Board), and 304.23 (FDIC): 3 hours.

Disclosure—Sections 53.4 (OCC), 225.303 (Board), and 304.24 (FDIC): 3 hours.

Estimated Total Annual Burden:

OCC: Reporting—66 hours; Disclosure—2,406 hours.

FDIC: Reporting—288 hours; Disclosure—2,406 hours.

Board: Reporting—96 hours; Disclosure—2,406 hours.

Abstract: The final rule establishes notification requirements for banking organizations upon the occurrence of a “computer-security incident” that rises to the level of a “notification incident.”

A “notification incident” is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—

  • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
  • Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

A “computer-security incident” is defined as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

The final rule requires a banking organization to notify its primary Federal banking regulator of the occurrence of a “notification incident” at the banking organization. The agencies recognize that the final rule imposes a limited amount of burden, beyond what is usual and customary, on banking organizations in the event of a computer-security incident even if it does not rise to the level of a notification incident, because banking organizations will need to determine whether the relevant thresholds for notification are met. Therefore, the agencies' estimated burden per notification incident takes into account the burden associated with such incidents.

The final rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.

B. Regulatory Flexibility Act

OCC: The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., requires an agency, in connection with a final rule, to prepare a Final Regulatory Flexibility Analysis describing the impact of the rule on small entities (defined by the Small Business Administration (SBA) for purposes of the RFA to include commercial banks and savings institutions with total assets of $600 million or less and trust companies with total revenue of $41.5 million or less) or to certify that the final rule will not have a significant economic impact on a substantial number of small entities. The OCC currently supervises approximately 669 small entities.

Because the final rule affects all OCC-supervised institutions, as well as all bank service providers, it will impact a substantial number of small entities. However, the expected cost of the final rule will be de minimis. Many banks already have internal policies for responding to security incidents, which include processes for notifying their primary regulator and other stakeholders of incidents within the scope of the final rule. Additionally, while the OCC believes bank service provider contracts may already contain these provisions, if current contracts do not include these provisions, the OCC does not expect the implementation of these provisions to impose a material burden on bank service providers. Therefore, the OCC certifies that the final rule will not have a significant economic impact on a substantial number of small entities.

Board: The Regulatory Flexibility Act (RFA) generally requires an agency, in connection with a final rule, to prepare and make available for public comment a final regulatory flexibility analysis that describes the impact of the rule on small entities.[63] However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. For the reasons stated below, the Board certifies that the final rule will not have a significant economic impact on a substantial number of small entities.

As discussed in the SUPPLEMENTARY INFORMATION section, the agencies are requiring a banking organization to notify its primary Federal regulator as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule establishes a notification requirement, which would support the safety and soundness of entities supervised by the agencies. The final rule also requires a bank service provider, as defined in the rule, to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.

The Board's rule applies to state-chartered banks that are members of the Federal Reserve System, bank holding companies, savings and loan holding companies, U.S. operations of foreign banking organizations, and Edge and agreement corporations (collectively, “Board-regulated entities”). As described in the Impact Analysis section, the requirements of the final rule will apply to all Board-regulated entities. Under regulations issued by the SBA, a small entity includes a depository institution, bank holding company, or savings and loan holding company with total assets of $600 million or less and a trust company with total receipts of $41.5 million or less.[64] According to Call Reports and other Board data, there were approximately 451 state member banks, 2,380 bank holding companies, 92 savings and loan holding companies, and 16 Edge and agreement corporations that are small entities.[65] In addition, the final rule affects all bank service providers that provide services subject to the BSCA.[66] The Board is unable to estimate the number of bank service providers that are small due to the varying types of banking organizations that may enter into outsourcing arrangements with bank service providers.

The final rule will require all banking organizations to notify the appropriate Board-designated point of contact about a notification incident through email, telephone, or other similar methods that the Board may prescribe. The Board must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The agencies estimate that, upon occurrence of a notification incident, an affected banking organization may incur compliance costs of up to three hours of staff time to coordinate internal messaging, consult with its bank service provider, if appropriate, and notify the banking organization's primary Federal regulator. As described in the Impact Analysis section above, this requirement is estimated to affect a relatively small number of Board-regulated entities. The agencies believe that any compliance costs associated with the notification requirement would be de minimis, because the communications that led to the determination of the notification incident would have occurred regardless of the final rule.

The final rule will also require a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. As described in the Impact Analysis section above, the agencies believe that any compliance costs associated with the implementation of this requirement would be de minimis for each affected bank service provider. There are no other recordkeeping, reporting, or compliance requirements associated with the final rule.

For the reasons stated above, the Board certifies that the final rule will not have a significant economic impact on a substantial number of small entities.

FDIC: The RFA generally requires an agency, in connection with a final rule, to prepare and make available for public comment a final regulatory flexibility analysis that describes the impact of the rule on small entities.[67] However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. The SBA has defined “small entities” to include banking organizations with total assets of less than or equal to $600 million.[68] Generally, the FDIC considers a significant effect to be a quantified effect in excess of 5 percent of total annual salaries and benefits per institution, or 2.5 percent of total noninterest expenses. The FDIC believes that effects in excess of these thresholds typically represent significant effects for FDIC-supervised institutions. For the reasons described below, the FDIC certifies that the final rule will not have a significant economic impact on a substantial number of small entities.

As described in the Impact Analysis section, the final rule is expected to affect all institutions supervised by the FDIC. According to recent Call Reports, the FDIC supervises 3,215 insured depository institutions (FDIC-supervised IDIs).[69] Of these, 2,333 FDIC-supervised IDIs are considered small entities for the purposes of the RFA.[70] These small entities hold approximately $510 billion in assets, accounting for 13 percent of total assets held by FDIC-supervised institutions. In addition, the final rule affects all bank service providers that provide services subject to the BSCA.[71] The FDIC is unable to estimate the number of affected bank service providers that are small. For purposes of this certification, the FDIC assumes, as an upper bound, that all affected bank service providers are small.

The final rule requires a banking organization to notify the appropriate FDIC supervisory office, or an FDIC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the FDIC may prescribe. The FDIC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. As described in the Impact Analysis section above, this requirement is estimated to affect a relatively small number of FDIC-supervised institutions and to impose a compliance cost of up to three hours per incident. The agencies believe that the regulatory burden of such a requirement would be de minimis in nature, since the internal communications that led to the determination of the notification incident would have occurred regardless of the final rule.[72]

In addition, the final rule will require a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. As described in the Impact Analysis section above, the agencies believe that any additional compliance costs would be de minimis for each affected bank service provider.

Therefore, the FDIC certifies that the final rule will not have a significant economic impact on a substantial number of small entities.

C. Riegle Community Development and Regulatory Improvement Act of 1994

Under section 302(a) of the Riegle Community Development and Regulatory Improvement Act (RCDRIA),[73] in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on insured depository institutions (IDIs), each Federal banking agency must consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that such regulations would place on depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of such regulations. In addition, section 302(b) of RCDRIA requires new regulations and amendments to regulations that impose additional reporting, disclosure, or other new requirements on IDIs generally to take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form.[74] The agencies have determined that the final rule would impose additional reporting, disclosure, or other new requirements on IDIs, and are making this final rule effective in accordance with the requirements of the RCDRIA.

D. Congressional Review Act

For purposes of the Congressional Review Act (CRA), the Office of Management and Budget (OMB) makes a determination as to whether a final rule constitutes a “major rule.” [75] If a rule is deemed a “major rule” by the OMB, the CRA generally provides that the rule may not take effect until at least 60 days following its publication.[76] The Congressional Review Act defines a “major rule” as any rule that the Administrator of the Office of Information and Regulatory Affairs of the OMB finds has resulted in or is likely to result in—(A) an annual effect on the economy of $100,000,000 or more; (B) a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies or geographic regions; or (C) significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreign-based enterprises in domestic and export markets.[77]

The agencies will submit the final rule to the OMB for the major rule determination. As required by the Congressional Review Act, the agencies will also submit the final rule and other related reports to Congress and the Government Accountability Office for review.

E. Use of Plain Language

Section 722 of the Gramm-Leach-Bliley Act [78] requires the Federal banking agencies to use plain language in all proposed and final rulemakings published in the Federal Register after January 1, 2000. The agencies invited comment regarding the use of plain language, but did not receive any comments on this topic.

F. Unfunded Mandates Reform Act

The OCC analyzed the final rule under the factors set forth in the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532). Under this analysis, the OCC considered whether the final rule includes a Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year, adjusted for inflation (currently $158 million). As noted in the OCC's RFA discussion, the OCC expects that the costs associated with the final rule, if any, will be de minimis and, thus, has determined that this final rule will not result in expenditures by State, local, and Tribal governments, or the private sector, of $158 million or more in any one year. Accordingly, the OCC has not prepared a written statement to accompany this final rule.

Agency Regulation


List of Subjects

12 CFR Part 53

  • Administrative practice and procedure
  • Federal savings associations
  • National banks
  • Reported and recordkeeping requirements
  • Safety and soundness

12 CFR Part 225

  • Administrative practice and procedure
  • Bank holding companies
  • Banking
  • Edge and agreement corporations
  • Foreign banking organizations
  • Nonbank financial companies
  • Reporting and recordkeeping requirements
  • Safety and soundness
  • Savings and loan holding companies
  • State member banks

12 CFR Part 304

  • Administrative practice and procedure
  • Bank deposit insurance
  • Banks
  • Banking
  • Freedom of information
  • Reporting and recordkeeping requirements
  • Safety and soundness

Authority and Issuance—OCC

For the reasons stated in the Common Preamble and under the authority of 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861-1867, and 3102, the Office of the Comptroller of the Currency amends chapter I of title 12, Code of Federal Regulations, as follows:


1. Part 53 is added to read as follows:

PART 53—COMPUTER-SECURITY INCIDENT NOTIFICATION
53.1
Department, objective, and scope.
53.2
Definitions.
53.3
Notification.
53.4
Bank service provider notification.

Authority: 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861-1867, and 3102.

§ 53.1 Authority, purpose, and scope.

(a) Authority. This part is issued under the authority of 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861-1867, and 3102.

(b) Purpose. This part promotes the timely notification of computer-security incidents that may materially and adversely affect Office of the Comptroller of the Currency (OCC)-supervised institutions.

(c) Scope. This part applies to all national banks, Federal savings associations, and Federal branches and agencies of foreign banks. This part also applies to their bank service providers as defined in § 53.2(b)(2).

§ 53.2 Definitions.

(a) Except as modified in this part, or unless the context otherwise requires, the terms used in this part have the same meanings as set forth in 12 U.S.C. 1813.

(b) For purposes of this part, the following definitions apply.

(1) Banking organization means a national bank, Federal savings association, or Federal branch or agency of a foreign bank; provided, however, that no designated financial market utility shall be considered a banking organization.

(2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider.

(3) Business line means a product or service offered by a banking organization to serve its customers or support other business needs.

(4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

(5) Covered services are services performed, by a person, that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867).

(6) Designated financial market utility has the same meaning as set forth at 12 U.S.C. 5462(4).

(7) Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—

(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

(8) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A).

§ 53.3 Notification.

A banking organization must notify the appropriate OCC supervisory office, or OCC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the OCC may prescribe. The OCC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.

§ 53.4 Bank service provider notification.

(a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.

(1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.

(2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.

(b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.
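The decision logic of §§ 53.2 through 53.4 above, written out as a Python sketch so that an incident-response runbook can apply it consistently. This is an added example, not text or code from the rule or from the agencies; the `Incident` and `ProviderOutage` field names, the scenario timestamps and the contact address are assumptions. It encodes the points responders most often get wrong: a computer-security incident requires actual harm, not suspicion; the 36-hour clock runs from the organization's determination, not from when the event began; the four-hour provider threshold covers actual or reasonably likely disruption; and the CEO/CIO fallback applies only when no bank-designated contact is on file.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

NOTIFY_WINDOW = timedelta(hours=36)      # § 53.3: "no later than 36 hours"
PROVIDER_THRESHOLD = timedelta(hours=4)  # § 53.4(a): "four or more hours"
CIA = frozenset({"confidentiality", "integrity", "availability"})
# § 53.4(a)(2): recipients when no bank-designated point of contact is on file
FALLBACK_ROLES = ("Chief Executive Officer", "Chief Information Officer")


@dataclass(frozen=True)
class Incident:
    """Analyst-recorded facts about one event (hypothetical field names).
    The booleans record the human materiality judgement the rule leaves
    to the banking organization; the code does not make that call."""
    harmed: FrozenSet[str]                    # subset of CIA with ACTUAL harm
    core_operations_hit: bool = False         # § 53.2(b)(7)(i)
    material_business_line_hit: bool = False  # § 53.2(b)(7)(ii)
    financial_stability_hit: bool = False     # § 53.2(b)(7)(iii)
    determined_at: Optional[datetime] = None  # when the org DETERMINED it


def is_computer_security_incident(inc: Incident) -> bool:
    """§ 53.2(b)(4): actual harm to C, I or A. A suspected but unconfirmed
    event does not meet this definition yet."""
    unknown = inc.harmed - CIA
    if unknown:
        raise ValueError(f"unknown harm category: {sorted(unknown)}")
    return bool(inc.harmed)


def is_notification_incident(inc: Incident) -> bool:
    """§ 53.2(b)(7): a computer-security incident that has materially
    disrupted/degraded, or is reasonably likely to, any of (i)-(iii)."""
    return is_computer_security_incident(inc) and (
        inc.core_operations_hit
        or inc.material_business_line_hit
        or inc.financial_stability_hit
    )


def regulator_deadline(inc: Incident) -> Optional[datetime]:
    """§ 53.3: the regulator must RECEIVE notice within 36 hours of the
    determination. Returns None when no notice is required."""
    if not is_notification_incident(inc):
        return None
    if inc.determined_at is None:
        raise ValueError("notification incident without a determination time")
    return inc.determined_at + NOTIFY_WINDOW


@dataclass(frozen=True)
class ProviderOutage:
    """A bank service provider's view of a disruption to covered services."""
    covered_service: str
    disruption: timedelta                   # actual or reasonably likely duration
    preannounced_maintenance: bool = False  # § 53.4(b) carve-out
    bank_contacts: tuple = ()               # bank-designated point(s) of contact


def provider_must_notify(outage: ProviderOutage) -> bool:
    """§ 53.4(a)/(b): four or more hours, unless it is scheduled maintenance,
    testing or a software update previously communicated to the customer."""
    if outage.preannounced_maintenance:
        return False
    return outage.disruption >= PROVIDER_THRESHOLD


def provider_recipients(outage: ProviderOutage) -> tuple:
    """§ 53.4(a)(1)-(2): the bank-designated contact(s); with none on file,
    the CEO and CIO (or two individuals of comparable responsibilities)."""
    if not provider_must_notify(outage):
        return ()
    return outage.bank_contacts if outage.bank_contacts else FALLBACK_ROLES


def demo() -> dict:
    """Constructed scenarios; timestamps and contact details are hypothetical."""
    ransomware = Incident(
        harmed=frozenset({"availability", "integrity"}),
        core_operations_hit=True,
        determined_at=datetime(2022, 5, 2, 9, 30, tzinfo=timezone.utc),
    )
    phishing_probe = Incident(harmed=frozenset())                  # no actual harm
    minor_defacement = Incident(harmed=frozenset({"integrity"}))  # harm, not material
    core_outage = ProviderOutage("core processing", timedelta(hours=5),
                                 bank_contacts=("soc@example-bank.test",))
    patch_window = ProviderOutage("online banking", timedelta(hours=6),
                                  preannounced_maintenance=True)
    short_blip = ProviderOutage("wire gateway", timedelta(hours=2))
    no_contact = ProviderOutage("ACH", timedelta(hours=4))
    return {
        "ransomware_deadline": regulator_deadline(ransomware),
        "probe_is_incident": is_computer_security_incident(phishing_probe),
        "defacement_notify": is_notification_incident(minor_defacement),
        "core_outage_to": provider_recipients(core_outage),
        "patch_window_notify": provider_must_notify(patch_window),
        "short_blip_notify": provider_must_notify(short_blip),
        "no_contact_to": provider_recipients(no_contact),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The materiality flags on `Incident` are deliberately inputs rather than computed values: the rule leaves "material" and "reasonably likely" to the organization's judgement, and a runbook should record who made that call and when, because `determined_at` is what starts the 36-hour clock.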

FEDERAL RESERVE SYSTEM

12 CFR Chapter II

Authority and Issuance

For the reasons stated in the Common Preamble and under the authority of 12 U.S.C. 321-338a, 1467a(g), 1818(b), 1844(b), 1861-1867, and 3101 et seq., the Board amends chapter II of title 12, Code of Federal Regulations, as follows:


PART 225—BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL (REGULATION Y)


2. The authority citation for part 225 continues to read as follows:


Authority: 12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p-1, 1843(c)(8), 1844(b), 1972(1), 3106, 3108, 3310, 3331-3351, 3906, 3907, and 3909; 15 U.S.C. 1681s, 1681w, 6801 and 6805.


3. Subpart N is added to read as follows:

Subpart N—Computer-Security Incident Notification
225.300
Authority, purpose, and scope.
225.301
Definitions.
225.302
Notification.
225.303
Bank service provider notification.

Subpart N—Computer-Security Incident Notification

§ 225.300 Authority, purpose, and scope.

(a) Authority. This subpart is issued under the authority of 12 U.S.C. 1, 321-338a, 1467a(g), 1818(b), 1844(b), 1861-1867, and 3101 et seq.

(b) Purpose. This subpart promotes the timely notification of computer-security incidents that may materially and adversely affect Board-supervised entities.

(c) Scope. This subpart applies to all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. This subpart also applies to their bank service providers, as defined in § 225.301(b)(2).

§ 225.301 Definitions.

(a) Except as modified in this subpart, or unless the context otherwise requires, the terms used in this subpart have the same meanings as set forth in 12 U.S.C. 1813.

(b) For purposes of this subpart, the following definitions apply.

(1) Banking organization means a U.S. bank holding company; U.S. savings and loan holding company; state member bank; the U.S. operations of a foreign banking organization; and an Edge or agreement corporation; provided, however, that no designated financial market utility shall be considered a banking organization.

(2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider.

(3) Business line means a product or service offered by a banking organization to serve its customers or support other business needs.

(4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

(5) Covered services are services performed, by a person, that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867).

(6) Designated financial market utility has the same meaning as set forth at 12 U.S.C. 5462(4).

(7) Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—

(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

(8) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A).

§ 225.302 Notification.

A banking organization must notify the appropriate Board-designated point of contact about a notification incident through email, telephone, or other similar methods that the Board may prescribe. The Board must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.

§ 225.303 Bank service provider notification.

(a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.

(1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.

(2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.

(b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.

FEDERAL DEPOSIT INSURANCE CORPORATION

Authority and Issuance

For the reasons stated in the Common Preamble, and under the authority of 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861-1867, the FDIC amends 12 CFR part 304 as follows:


PART 304—FORMS, INSTRUCTIONS, AND REPORTS


4. Revise the authority citation for part 304 to read as follows:


Authority: 5 U.S.C. 552; 12 U.S.C. 1463, 1464, 1811, 1813, 1817, 1819, 1831, and 1861-1867.


5. Revise § 304.1 to read as follows:

§ 304.1 Purpose.

This subpart informs the public where it may obtain forms and instructions for reports, applications, and other submittals used by the Federal Deposit Insurance Corporation (FDIC), and also describes certain forms that are not described elsewhere in FDIC regulations in this chapter.

§§ 304.15-304.20 [Added and Reserved]

6. Add reserved §§ 304.15 through 304.20.

7. Add subpart C to read as follows:

Subpart C—Computer-Security Incident Notification

304.21 Authority, purpose, and scope.
304.22 Definitions.
304.23 Notification.
304.24 Bank service provider notification.
304.25-304.30 [Reserved]

Subpart C—Computer-Security Incident Notification

§ 304.21 Authority, purpose, and scope.

(a) Authority. This subpart is issued under the authority of 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861-1867.

(b) Purpose. This subpart promotes the timely notification of computer-security incidents that may materially and adversely affect FDIC-supervised institutions.

(c) Scope. This subpart applies to all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations. This subpart also applies to bank service providers, as defined in § 304.22(b)(2).

§ 304.22 Definitions.

(a) Except as modified in this subpart, or unless the context otherwise requires, the terms used in this subpart have the same meanings as set forth in 12 U.S.C. 1813.

(b) For purposes of this subpart, the following definitions apply.

(1) Banking organization means an FDIC-supervised insured depository institution, including all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations; provided, however, that no designated financial market utility shall be considered a banking organization.

(2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider.

(3) Business line means a product or service offered by a banking organization to serve its customers or support other business needs.

(4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

(5) Covered services are services performed, by a person, that are subject to the Bank Service Corporate Act (12 U.S.C. 1861-1867).

(6) Designated financial market utility has the same meaning when set forth during 12 U.S.C. 5462(4).

(7) Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—

(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

(8) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A).

§ 304.23 Notification.

A banking organization must notify the appropriate FDIC supervisory office, or an FDIC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the FDIC may prescribe. The FDIC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.

§ 304.24 Bank service provider notification.

(a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.

(1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.

(2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.

(b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.
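The decision logic of subpart C (the computer-security incident test, the three notification-incident prongs, the 36-hour regulator clock that starts at the banking organization's determination, the bank service provider's four-hour covered-service threshold with its scheduled-maintenance exclusion, and the fallback to the CEO and CIO when no bank-designated contact exists) written out as an incident-response playbook helper. This is an added example, not text from the rule or code from any agency; the class names, field names, and the sample timestamps in the walkthrough are constructed for illustration, and the materiality flags stand in for judgements the rule leaves to the institution.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds as stated in §§ 304.23 and 304.24(a).
REGULATOR_NOTICE_WINDOW = timedelta(hours=36)
COVERED_SERVICE_THRESHOLD = timedelta(hours=4)


@dataclass
class ComputerSecurityIncident:
    """An occurrence causing actual harm to the confidentiality, integrity or
    availability of a system or its data (§ 304.22(b)(4)). Hypothetical type."""
    description: str
    actual_harm: bool
    # The three prongs of "notification incident" in § 304.22(b)(7). Each is
    # the banking organization's own materiality judgement, recorded as a flag.
    impairs_operations_for_material_customers: bool = False  # prong (i)
    impairs_core_business_line: bool = False                 # prong (ii)
    threatens_financial_stability: bool = False              # prong (iii)


def is_notification_incident(inc: ComputerSecurityIncident) -> bool:
    """True when a computer-security incident meets any prong of § 304.22(b)(7)."""
    if not inc.actual_harm:
        # A "near miss" with no actual harm is not a computer-security incident
        # at all (see footnote 32), so it cannot be a notification incident.
        return False
    return (inc.impairs_operations_for_material_customers
            or inc.impairs_core_business_line
            or inc.threatens_financial_stability)


def regulator_deadline(determined_at: datetime) -> datetime:
    """§ 304.23: the FDIC must receive notice no later than 36 hours after the
    banking organization *determines* that a notification incident occurred.
    The clock starts at the determination, not at the time of compromise."""
    if determined_at.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp so the deadline is auditable")
    return determined_at + REGULATOR_NOTICE_WINDOW


@dataclass
class CoveredServiceDisruption:
    """A bank service provider's record of an outage of covered services."""
    customer: str
    started_at: datetime
    ended_at: Optional[datetime]          # None means the outage is ongoing
    likely_to_reach_four_hours: bool      # provider's forward-looking judgement
    scheduled_and_previously_communicated: bool = False  # § 304.24(b) exclusion


def provider_must_notify(d: CoveredServiceDisruption, now: datetime) -> bool:
    """§ 304.24(a)-(b): notify when covered services have been, or are reasonably
    likely to be, materially disrupted for four or more hours, unless the event
    is scheduled maintenance, testing or an update already communicated."""
    if d.scheduled_and_previously_communicated:
        return False
    elapsed = (d.ended_at or now) - d.started_at
    return elapsed >= COVERED_SERVICE_THRESHOLD or d.likely_to_reach_four_hours


def notification_recipients(designated: List[str], ceo: str, cio: str) -> List[str]:
    """§ 304.24(a)(1)-(2): use the bank-designated contact(s) if any were
    previously provided; otherwise notify the CEO and CIO (or equivalents)."""
    return list(designated) if designated else [ceo, cio]


def sample_walkthrough() -> Dict[str, object]:
    """Constructed scenario (not from the rule): a provider outage that begins
    at 09:00 UTC and a bank that determines at 11:30 UTC that it is a
    notification incident. Returns the decisions the rule requires."""
    t0 = datetime(2021, 11, 17, 9, 0, tzinfo=timezone.utc)
    outage = CoveredServiceDisruption("Example Bank", t0, None, False)
    incident = ComputerSecurityIncident(
        "core banking platform unavailable", actual_harm=True,
        impairs_operations_for_material_customers=True)
    determined = t0 + timedelta(hours=2, minutes=30)
    return {
        "provider_notify_at_3h": provider_must_notify(outage, t0 + timedelta(hours=3)),
        "provider_notify_at_4h": provider_must_notify(outage, t0 + timedelta(hours=4)),
        "bank_must_notify_fdic": is_notification_incident(incident),
        "fdic_deadline": regulator_deadline(determined).isoformat(),
    }


if __name__ == "__main__":
    for key, value in sample_walkthrough().items():
        print(f"{key}: {value}")
```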

Michael J. Hsu,

Acting Comptroller of the Currency.

By order of the Board of Governors of the Federal Reserve System.

Ann E. Misback,

Secretary of the Board.

Federal Deposit Insurance Corporation.

By order of the Board of Directors.

Dated at Washington, DC, on November 17, 2021.

James P. Sheesley,

Assistant Executive Secretary.

Footnotes

1. For the OCC, “banking organizations” includes national banks, Federal savings associations, and Federal branches and agencies of foreign banks. For the Board, “banking organizations” includes all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. For the FDIC, “banking organizations” includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations. Each agency's definition excludes financial market utilities (FMUs) designated under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (designated FMUs).

2. See, e.g., Financial Crimes Enforcement Network, SAR Filings by Industry (Jan. 1, 2014-Dec. 31, 2020) (last accessed Oct. 11, 2021), https://www.fincen.gov/reports/sar-stats/sar-filings-industry. (Trend data may be found by downloading the Excel file “Depository Institution” and selecting the tab labeled “Exhibit 5.”)

3. As defined by the final rule, a computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. To promote uniformity of terms, the agencies have sought to align this term generally with an existing definition from the National Institute of Standards and Technology (NIST). See NIST, Computer Security Resource Center, Glossary (last accessed Sept. 20, 2021), available at https://csrc.nist.gov/glossary/term/Dictionary.

4. These computer-security incidents may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions.

5. As defined in the final rule, a notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's: (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

6. OCCIP coordinates with U.S. Government agencies to provide agreed-upon assistance to banking and other financial services sector organizations on computer-incident response and recovery efforts. These services may include providing remote or in-person technical support for an organization experiencing a significant cyber event to protect assets, mitigate vulnerabilities, recover and restore services, identify other entities at risk, and assess potential risk to the broader community. The Federal Financial Institutions Examination Council's Cybersecurity Resource Guide for Financial Institutions (Oct. 2018) identifies additional information available to banking organizations. Available at: https://www.ffiec.gov/press/pdf/FFIEC%20Cybersecurity%20Resource%20Guide%20for%20Financial%20Institutions.pdf (last accessed Oct. 15, 2021).

7. See 31 U.S.C. 5311 et seq.; 31 CFR subtitle B, chapter X.

9. Banking organizations that experience a computer-security incident that may be criminal in nature are expected to contact relevant law enforcement or security agencies, as appropriate, after the incident occurs. This rule does not change that expectation.

11. These computer-security incidents could include major computer-system failures, cyber-related interruptions, such as distributed denial of service and ransomware attacks, or other types of significant operational interruptions.

12. NIST is an agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards.

15. A commenter suggested that if a banking organization had mitigation strategies in place to offset the impact to a banking organization or its customers, the incident should not be considered a significant or serious incident and therefore should not be considered a notification incident. The commenter also stated that the agencies should indicate that an outage that lasts less than 48-hours in duration does not represent a “notification incident.”

16. Commenters contended that the “good faith” standard may be unclear, and the agencies should provide guidance on how to make the good faith determination. However, some commenters preferred the good faith standard over a “reasonably likely” standard.

17. The rule defines “designated financial market utility” as having the same meaning as set forth at 12 U.S.C. 5462(4).

18. See 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861-1867, and 3102 (OCC); 12 U.S.C. 321-338a, 1467a(g), 1818(b), 1844(b), 1861-1867, and 3101 et seq. (Board); 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861-1867 (FDIC).

19. As also noted below, however, the agencies would encourage those banking organizations providing sector-critical services that currently notify their primary Federal regulator of these types of incidents on a same-day basis to continue to do so.

20. As a general matter, “bank service provider” refers to a company or person that performs services for a banking organization that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867). However, for the purposes of this final rule, the term “bank service provider” does not include any person or company that is a designated FMU, as that term is defined at 12 U.S.C. 5462(4).

21. Under the final rule, “designated financial market utility” has the same meaning as set forth at 12 U.S.C. 5462(4).

22. For example, FMUs for which the SEC is the Supervisory Agency under Title VIII of the Dodd-Frank Act are subject to the SEC's Regulation SCI (Systems Compliance and Integrity) for certain financial intermediaries.

23. An FMU is “any person that manages or operates a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions or between financial institutions and the person.” 12 U.S.C. 5462(6).

24. Title VIII of the Dodd-Frank Act authorizes the Financial Stability Oversight Council to designate certain FMUs as systemically important. Depending on the functions that it serves in the financial markets, a designated FMU is subject to risk-management regulations promulgated by the Board (i.e., Regulation HH), the SEC, or the CFTC.

25. The rule defines “designated financial market utility” as having the same meaning as set forth at 12 U.S.C. 5462(4).

26. Specifically, SEC-supervised designated FMUs are subject to the SEC's Regulation SCI, which generally requires covered entities to notify the SEC and their members or participants in the event of an SCI event. See 17 CFR 242.1000 (defining “SCI Event”) and 242.1002 (imposing notification requirements related to SCI Events). Similarly, a CFTC-supervised designated FMU must notify the CFTC in the event of an “exceptional event” or the activation of the designated FMU's business continuity and disaster recovery plan. See 17 CFR 39.18(g). An “exceptional event” includes “[a]ny hardware or software malfunction, security incident, or targeted threat that materially impairs, or creates a significant likelihood of material impairment, of automated system operation, reliability, security, or capacity.” Id.

28. This narrow exclusion would not apply to a Board-supervised designated FMU with respect to its operation of non-systemically important services that are not subject to Regulation HH.

29. The Federal Reserve Banks also operate the Fedwire Funds Service and Fedwire Securities Service, which perform a critical role in the financial system. The Board generally requires these services to meet or exceed the risk-management standards applicable to designated FMUs under Regulation HH. See Federal Reserve Policy on Payment System Risk (as amended effective Mar. 19, 2021), https://www.federalreserve.gov/paymentsystems/files/psr_policy.pdf. See also Press Release, Federal Reserve Board Affirms Long-Standing Policy of Applying Relevant International Risk-Management Standards to Fedwire Funds and Fedwire Securities Services (July 19, 2012), https://www.federalreserve.gov/newsevents/pressreleases/bcreg20120719a.htm.

30. The rule defines “designated financial market utility” as having the same meaning as set forth at 12 U.S.C. 5462(4).

31. The final rule states that “person” has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A).

32. One commenter requested clarification as to whether a “near-miss” incident would constitute a computer-security incident under the rule. A “near-miss” occurrence would constitute a computer-security incident only to the extent that such a “near-miss” results in actual harm to an information system or the data contained within it. Another commenter stated that the definition of “computer-security incident” should be limited to information services that can cause a “notification incident.” For clarification, the definition of “computer-security incident” includes all occurrences that result in actual harm to an information system or the information contained within it. However, only those computer-security incidents that fall within the definition of “notification incident” are required to be reported. Two commenters advocated for excluding computer-security incidents due to non-security and non-malicious causes. For clarity, the definition includes incidents from whatever cause.

33. In response to comments, the agencies also considered whether to incorporate the NIST definition of “cybersecurity incident” instead and determined that this definition would inappropriately narrow the scope of incidents covered by the rule.

34. A commenter suggested that if a banking organization had mitigation strategies in place to offset the impact to a bank or its customers, the incident should not be considered a significant or serious incident and therefore should not be considered a notification incident. The commenter also stated that the agencies should indicate that an outage that lasts less than 48-hours in duration does not represent a “notification incident.”

35. Two commenters supported maintaining the “good faith” standard, with one commenter noting that a reasonable belief standard could introduce too much uncertainty and invite questioning of decisions that are made quickly out of necessity and potentially without key facts known. One of the commenters stated that the final rule should reflect that information may not be available to make an assessment “immediately” after an event.

36. Commenters contended that the “good faith” standard may be unclear, and the agencies should provide guidance on how to make the good faith determination. One alternative would be to require the rule text to state “an incident that a banking organization determines is reasonably likely to disrupt” instead of “believes in good faith could disrupt.” However, some commenters favored the good faith standard over a “reasonably likely” standard.

37. Section 165(d) of the Dodd-Frank Act and 12 CFR parts 363 and 381 (the Resolution Planning Rule) require certain financial companies to report periodically to the FDIC and the Board their plans for rapid and orderly resolution in the event of material financial distress or failure. On November 1, 2019, the FDIC and the Board published in the Federal Register amendments to the Resolution Planning Rule. See 84 FR 59194.

38. Elements of both the “core business lines” and “critical operations” definitions of the Resolution Planning Rule are incorporated in the “notification incident” definition. Under the Resolution Planning Rule, “core business lines” means those business lines of the covered company, including associated operations, services, functions and support, that, in the view of the covered company, upon failure would result in a material loss of revenue, profit, or franchise value, and “critical operations” means those operations of the covered company, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States. See 12 CFR 363.2, 381.2.

39. As previously explained, the agencies have considered whether existing reporting standards meet the purposes of this rule and concluded that they do not. For example, ransomware incidents that do not involve unauthorized access to or use of sensitive customer information would not be subject to the Gramm-Leach-Bliley Act (GLBA) notification standard.

40. This is to clarify that example 6 concerns malware on a banking organization's system that poses an imminent threat to the banking organization's core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization's core business lines or critical operations from internet-based network connections.

41. One commenter suggested that notification obligations should begin “36 hours after the banking organization confirms a notification incident has occurred, and has completed urgent action to end the threat and secure its assets,” to allow time for a banking organization to take required action.

42. Effective March 1, 2017, the NYDFS Superintendent promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. Section 500.17 Notices to superintendent requires each “covered entity” to notify the NYDFS Superintendent “as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred.” The NYDFS rule is available at: https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&origination&Contextdocumenttoc&transitionTypeDefault&contextData=(sc.Default).

43. In particular, Article 33, Section 1 of the GDPR provides that, in the case of a personal data breach, the data controller “shall without undue delay and, where feasible, not later than 72 hours after having become aware of it,” notify the competent supervisory authority of the personal data breach. Moreover, Article 33, Section 2 requires data processors to “notify the [data] controller without undue delay after becoming aware of a personal data breach.” The full text of Regulation (EU) 2016/679 (GDPR) is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.

44. See id.

45. As noted above, the agencies recognize that a banking organization may make a notification, from time to time, upon a mistaken determination that a notification incident has occurred, and the agencies generally do not expect to take supervisory action in such situations.

46. See, e.g., 12 CFR part 4 (OCC); 12 CFR part 261 (Rules Regarding Availability of Information) (Board); 12 CFR 309.6 (Disclosure of exempt records) (FDIC).

47. While most commenters believe that notifying all banking organizations subscribing to the disrupted service may lead to potentially harmful over-reporting, one commenter stated that notifying all banking organizations using the service may be appropriate since the service disruption may be broader than originally expected.

48. Obstacles to immediate notification mentioned by commenters included that bank service providers need time to assess whether an incident is a computer-security incident.

49. A commenter suggested that any timing for notification should allow an opportunity for reasonable investigation to help ensure that material incidents are flagged to the regulators and are not obscured by an influx of false positives or non-material matters.

50. Commenters suggested that one contact should be adequate, as smaller banking organizations may not have two people available.

51. A commenter also recommended different notification obligations for on-premises services compared to cloud-based services. Commenters also suggested a carve-out to the notification obligation when a bank service provider is delayed or prevented by law enforcement.

52. A commenter stated that bank service providers already subject to contractual breach reporting obligations should be excluded from the rule, while a separate commenter believed that, as a matter of fairness and competitive equity, if private sector FMUs are required to provide mandatory notices to either their primary Federal regulator or their banking organization customers, the Board should publicly commit to hold Federal Reserve Bank services to an equivalent standard.

53. To learn more about PCA capital classification definitions, see OCC Bulletin 2018-33, Prompt Corrective Action: Guidelines and Rescissions (Sept. 28, 2018), which can be found at: https://www.occ.gov/news-issuances/bulletins/2018/bulletin-2018-33.html. To learn more about Sheltered Harbor protocols, see the Sheltered Harbor landing page at: https://www.aba.com/banking-topics/technology/cybersecurity/sheltered-harbor#.

54. See, e.g., 12 CFR part 4 (OCC); 12 CFR part 261 (Rules Regarding Availability of Information) (Board); 12 CFR 309.6 (Disclosure of exempt records) (FDIC).

55. March 31, 2021, Call Report Data.

56. See the conceptual discussion of “cyber runs” in Duffie and Younger, https://www.brookings.edu/wp-content/uploads/2019/06/WP51-Duffie-Younger-2.pdf, Hutchins Center Working Paper No. 51, June 18, 2019.

57. See the empirical analysis of the potential adverse effects of cyber events on the U.S. payment and settlement system in Eisenbach et al., https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr909.pdf, Federal Reserve Bank of New York Staff Reports, No. 909, Last Revised May 2021.

58. The agencies used conservative judgment when assessing whether a cyber event might have risen to the level of a notification incident, so the approach may overestimate the number. However, the approach may also underestimate the number of notification incidents because supervisory and SAR data may not capture all such incidents.

59. Even at an elevated labor compensation rate of $200 per hour, the final rule would only impose additional compliance costs of $600 per notification.

60. Even at an elevated labor compensation rate of $200 per hour, the final rule would only impose additional compliance costs of $600 per notification.

61. For purposes of these calculations, the agencies assume that the frequency is 1 response per respondent per year.

62. The number of respondents for the reporting requirement is based on allocating the estimated 150 notification incidents among the agencies based on the percentage of entities supervised by each agency. The FDIC supervises the majority of the banking organizations (64 percent), while the Board supervises approximately 21 percent of the banking organizations, with the OCC supervising the remaining 15 percent of banking organizations. The number of respondents for the disclosure requirement is based on an assumption of an approximately 2 percent per year frequency of incidents from 120,392 firms, which is divided equally among the OCC, FDIC, and Board. This number of 120,392 firms is the number of firms in the United States under NAICS code 5415 in 2018, the latest year for which such data is available. See U.S. Census Bureau, 2018 SUSB Annual Data Tables by Establishment Industry, https://www.census.gov/data/tables/2018/econ/susb/2018-susb-annual.html (last revised Aug. 27, 2021).

64. As an example, the SBA defines a bank as small if it has $600 million or less in assets. See 13 CFR 121.201 (as amended by 84 FR 34261, effective August 19, 2019). In its determination, the SBA counts the receipts, employees, or other measure of size of the concern whose size is at issue and all of its domestic and foreign affiliates. See 13 CFR 121.103.

65. State member bank data is derived from June 30, 2021 Call Reports. Data for bank holding companies and savings and loan holding companies are derived from the June 30, 2021, FR Y-9C and FR Y-9SP. Data for Edge and agreement corporations are derived from the December 31, 2020, FR-2886b.

66. Discussed in detail in the Impact Analysis section.

68. The SBA defines a small banking organization as having $600 million or less in assets, where an organization's assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year. See 13 CFR 121.201 (as amended by 84 FR 34261, effective August 19, 2019). In its determination, the SBA counts the receipts, employees, or other measure of size of the concern whose size is at issue and all of its domestic and foreign affiliates. See 13 CFR 121.103. Following these regulations, the FDIC uses a banking organization's affiliated and acquired assets, averaged over the preceding four quarters, to determine whether the banking organization is “small” for the purposes of the RFA.

69. FDIC Call Reports, March 31, 2021.

70. Id.

71. Discussed in detail in the Impact Analysis section.

72. Even at an elevated labor compensation rate of $200 per hour, the final rule would impose a cost burden of less than $600 per incident.

74. Id. at 4802(b).

75. 5 U.S.C. 801 et seq.

[FR Doc. 2021-25510 Filed 11-22-21; 8:45 am]

BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P