DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 53

[Docket ID OCC-2020-0038]

RIN 1557-AF02

FEDERAL RESERVE SYSTEM 12 CFR Part 225

[Docket No. R-1736]

RIN 7100-AG06

FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 304

RIN 3064-AF59

Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

AGENCY: The Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC).

ACTION: Final rule.

SUMMARY: The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary federal regulator of any "computer-security incident" that rises to the level of a "notification incident," as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

DATES: Effective date: April 1, 2022; Compliance date: May 1, 2022.


FOR FURTHER INFORMATION CONTACT:

OCC:

Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519, Carl Kaminski, Assistant Director, (202) 649-5490, or Priscilla Benner, Senior Attorney, Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219.

Board:

Thomas Sullivan, Senior Associate Director, (202) 475-7656, Julia Philipp, Lead Financial Institution Cybersecurity Policy Analyst, (202) 452-3940, Don Peterson, Supervisory Cybersecurity Analyst, (202) 973-5059, Systems and Operational Resiliency Policy, of the Supervision and Regulation Division; Jay Schwarz, Assistant General Counsel, (202) 452-2970, Claudia Von Pervieux, Senior Counsel, (202) 452-2552, Christopher Danello, Senior Attorney, (202) 736-1960, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551, or https://www.federalreserve.gov/apps/ContactUs/feedback.aspx, and click on Staff Group, Regulations.

FDIC:

Rob Drozdowski, Special Assistant to the Deputy Director, (202) 898-3971, rdrozdowski@fdic.gov, Division of Risk Management Supervision; or John Dorsey, Counsel, (202) 898-3807, jdorsey@fdic.gov, Graham Rehrig, Senior Attorney, (202) 898-3829, grehrig@fdic.gov, Legal Division.

SUPPLEMENTAL INFORMATION:

Table of Contents

I. Introduction

II. Background
  A. Overview of Comments

III. Discussion of Final Rule
  A. Overview of Final Rule
  B. Definitions
    1. Definition of Banking Organization
    2. Definition of Bank Service Provider
    3. Definition of Computer-Security Incident
    4. Definition of Notification Incident
    5. Examples of Notification Incidents
  C. Banking Organization Notification to Agencies
    1. Timing of Notification to Agencies
    2. Method of Notification to Agencies
  D. Bank Service Provider Notification to Banking Organization Customers
    1. Scope of Bank Service Provider Notification
    2. Timing of Bank Service Provider Notification
    3. Bank Service Provider Notification to Customers
    4. Bank Service Provider Agreements - Contract Notice Provisions

IV. Other Rulemaking Considerations
  A. Bank Service Provider Material Incidents Consideration
  B. Methodology for Determining Number of Incidents Subject to the Rule
  C. Voluntary Information Sharing
  D. Utilizing Prompt Corrective Action Capital Classifications
  E. Ability to Rescind Notification and Obtain Record of Notice
  F. Single Notification Definition
  G. Affiliated Banking Organizations Considerations
  H. Consideration of the Number of Bank Service Providers

V. Impact Analysis

VI. Alternatives Considered

VII. Effective Date

VIII. Administrative Law Matters
  A. Paperwork Reduction Act
  B. Regulatory Flexibility Act
  C. Riegle Community Development and Regulatory Improvement Act of 1994
  D. Congressional Review Act
  E. Use of Plain Language
  F. Unfunded Mandates Reform Act

IX. Agency Regulation

I. Introduction

The OCC, Board, and FDIC (together, the agencies) are issuing a final rule to require that a banking organization [1] promptly notify its primary federal regulator of any "computer-security incident" that rises to the level of a "notification incident," as those terms are defined in the final rule. As described in more detail below, these incidents may have many causes. Examples include a large-scale distributed denial of service attack that disrupts customer account access for an extended period of time and a computer hacking incident that disables banking operations for an extended period of time.

[1] For the OCC, "banking organizations" includes national banks, federal savings associations, and federal branches and agencies of foreign banks. For the Board, "banking organizations" includes all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. For the FDIC, "banking organizations" includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations. Each agency's definition excludes financial market utilities designated under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (designated FMUs).

Under the final rule, a banking organization's primary federal regulator must receive this notification as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. This requirement will help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic. The final rule separately requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. This separate requirement will ensure that a banking organization receives prompt notification of a computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider. This notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization's own notification requirement.

II. Background

Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as non-malicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency


Disclaimer

Board of Governors of the Federal Reserve System published this content on 18 November 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 18 November 2021 20:32:02 UTC.