Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 66424-66444 [2021-25510]

Download as PDF 66424 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations Signed in Washington, DC, on November 18, 2021. Treena V. Garrett, Federal Register Liaison Officer, U.S. Department of Energy. [FR Doc. 2021–25537 Filed 11–22–21; 8:45 am] BILLING CODE 6450–01–P DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 53 [Docket ID OCC–2020–0038] RIN 1557–AF02 FEDERAL RESERVE SYSTEM 12 CFR Part 225 [Docket No. R–1736] RIN 7100–AG06 FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 304 RIN 3064–AF59 Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers AGENCY: Table of Contents The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary Federal regulator of any ‘‘computer-security incident’’ that rises to the level of a ‘‘notification incident,’’ as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. DATES: Effective date: April 1, 2022; Compliance date: May 1, 2022. FOR FURTHER INFORMATION CONTACT: OCC: Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649–5519, I. Introduction II. Background A. Overview of Comments III. Discussion of Final Rule A. Overview of Final Rule B. Definitions i. Definition of Banking Organization ii. Definition of Bank Service Provider iii. Definition of Computer-Security Incident iv. Definition of Notification Incident v. Examples of Notification Incidents C. Banking Organization Notification to Agencies i. Timing of Notification to Agencies ii. Method of Notification to Agencies D. Bank Service Provider Notification to Banking Organization Customers i. Scope of Bank Service Provider Notification ii. Timing of Bank Service Provider Notification iii. Bank Service Provider Notification to Customers iv. Bank Service Provider Agreements— Contract Notice Provisions IV. Other Rulemaking Considerations A. Bank Service Provider Material Incidents Consideration B. Methodology for Determining Number of Incidents Subject to the Rule C. Voluntary Information Sharing D. Utilizing Prompt Corrective Action Capital Classifications The Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC). ACTION: Final rule. SUMMARY: lotter on DSK11XQN23PROD with RULES1 Carl Kaminski, Assistant Director, (202) 649–5490, or Priscilla Benner, Senior Attorney, Chief Counsel’s Office, (202) 649–5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219. Board: Thomas Sullivan, Senior Associate Director, (202) 475–7656, Julia Philipp, Lead Financial Institution Cybersecurity Policy Analyst, (202) 452–3940, Don Peterson, Supervisory Cybersecurity Analyst, (202) 973–5059, Systems and Operational Resiliency Policy, of the Supervision and Regulation Division; Jay Schwarz, Assistant General Counsel, (202) 452– 2970, Claudia Von Pervieux, Senior Counsel (202) 452–2552, Christopher Danello, Senior Attorney, (202) 736– 1960, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551, or https:// www.federalreserve.gov/apps/ ContactUs/feedback.aspx, and click on Staff Group, Regulations. FDIC: Rob Drozdowski, Special Assistant to the Deputy Director (202) 898–3971, rdrozdowski@fdic.gov, Division of Risk Management Supervision; or John Dorsey, Counsel (202) 898–3807, jdorsey@fdic.gov, Graham Rehrig, Senior Attorney, (202) 898–3829, grehrig@fdic.gov, Legal Division. SUPPLEMENTARY INFORMATION: VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 PO 00000 Frm 00022 Fmt 4700 Sfmt 4700 E. Ability To Rescind Notification and Obtain Record of Notice F. Single Notification Definition G. Affiliated Banking Organizations Considerations H. Consideration of the Number of Bank Service Providers V. Impact Analysis VI. Alternatives Considered VII. Effective Date VIII. Administrative Law Matters A. Paperwork Reduction Act B. Regulatory Flexibility Act C. Riegle Community Development and Regulatory Improvement Act of 1994 D. Congressional Review Act E. Use of Plain Language F. Unfunded Mandates Reform Act I. Introduction The OCC, Board, and FDIC (together, the agencies) are issuing a final rule to require that a banking organization 1 promptly notify its primary Federal regulator of any ‘‘computer-security incident’’ that rises to the level of a ‘‘notification incident,’’ as those terms are defined in the final rule. As described in more detail below, these incidents may have many causes. Examples include a large-scale distributed denial of service attack that disrupts customer account access for an extended period of time and a computer hacking incident that disables banking operations for an extended period of time. Under the final rule, a banking organization’s primary Federal regulator must receive this notification as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. This requirement will help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic. The final rule separately requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, 1 For the OCC, ‘‘banking organizations’’ includes national banks, Federal savings associations, and Federal branches and agencies of foreign banks. For the Board, ‘‘banking organizations’’ includes all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. For the FDIC, ‘‘banking organizations’’ includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations. Each agency’s definition excludes financial market utilities (FMUs) designated under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (designated FMUs). E:\FR\FM\23NOR1.SGM 23NOR1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations a material service disruption or degradation for four or more hours. This separate requirement will ensure that a banking organization receives prompt notification of a computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider. This notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization’s own notification requirement. lotter on DSK11XQN23PROD with RULES1 II. Background Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as non-malicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years.2 These cyberattacks can adversely affect banking organizations’ networks, data, and systems, and ultimately their ability to resume normal operations. Given the frequency and severity of cyberattacks on the financial services industry, the agencies believe that it is important that a banking organization’s primary Federal regulator be notified as soon as possible of a significant computer-security incident 3 that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.4 The final rule refers to these significant computer-security incidents as ‘‘notification incidents.’’ 5 Timely 2 See, e.g., Financial Crimes Enforcement Network, SAR Filings by Industry (Jan. 1, 2014–Dec. 31, 2020) (last accessed Oct. 11, 2021), https:// www.fincen.gov/reports/sar-stats/sar-filingsindustry. (Trend data may be found by downloading the Excel file ‘‘Depository Institution’’ and selecting the tab marked ‘‘Exhibit 5.’’). 3 As defined by the final rule, a computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. To promote uniformity of terms, the agencies have sought to align this term generally with an existing definition from the National Institute of Standards and Technology (NIST). See NIST, Computer Security Resource Center, Glossary (last accessed Sept. 20, 2021), available at https://csrc.nist.gov/glossary/ term/Dictionary. 4 These computer-security incidents may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions. 5 As defined in the final rule, a notification incident is a computer-security incident that has VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 notification is important as it would allow the agencies to (1) have early awareness of emerging threats to banking organizations and the broader financial system, (2) better assess the threat a notification incident poses to a banking organization and take appropriate actions to address the threat, (3) facilitate and approve requests from banking organizations for assistance through U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP),6 (4) provide information and guidance to banking organizations, and (5) conduct horizontal analyses to provide targeted guidance and adjust supervisory programs. Notification under the Bank Secrecy Act 7 and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice 8 provide the agencies with awareness of certain computersecurity incidents.9 Nonetheless, these standards do not include all computersecurity incidents of which the agencies, as supervisors, need to be alerted and would not always result in timely notification to the agencies. To ensure that the agencies receive timely alerts of all relevant material and materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. 6 OCCIP coordinates with U.S. Government agencies to provide agreed-upon assistance to banking and other financial services sector organizations on computer-incident response and recovery efforts. These activities may include providing remote or in-person technical support to an organization experiencing a significant cyber event to protect assets, mitigate vulnerabilities, recover and restore services, identify other entities at risk, and assess potential risk to the broader community. The Federal Financial Institutions Examination Council’s Cybersecurity Resource Guide for Financial Institutions (Oct. 2018) identifies additional information available to banking organizations. Available at: https:// www.ffiec.gov/press/pdf/FFIEC%20Cybersecurity% 20Resource%20Guide%20for%20Financial%20 Institutions.pdf (last accessed Oct. 15, 2021). 7 See 31 U.S.C. 5311 et seq.; 31 CFR subtitle B, chapter X. 8 See 15 U.S.C. 6801; 12 CFR part 30, appendix B, supplement A (OCC); 12 CFR part 208, appendix D–2, supplement A, 12 CFR 211.5(l), 12 CFR part 225, appendix F, supplement A (Board); 12 CFR part 364, appendix B, supplement A (FDIC). 9 Banking organizations that experience a computer-security incident that may be criminal in nature are expected to contact relevant law enforcement or security agencies, as appropriate, after the incident occurs. This rule does not change that expectation. PO 00000 Frm 00023 Fmt 4700 Sfmt 4700 66425 adverse incidents, the agencies issued a notice of proposed rulemaking (NPR or proposal) to establish computer-security incident notification requirements for banking organizations and their bank service providers.10 The proposal would have required banking organizations to notify their primary Federal regulator within 36 hours of when they believed in good faith that a ‘‘computer-security incident’’ that rises to the level of a ‘‘notification incident’’ had occurred. As proposed, a ‘‘notification incident’’ was a computer-security incident that could materially disrupt, degrade, or impair the viability of the banking organization’s operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.11 When drafting these proposed definitions, the agencies sought to align the terminology as much as possible with language used in the National Institute of Standards and Technology’s (NIST) Computer Security Resource Center glossary.12 This approach was intended to promote consistency with known cybersecurity terms and definitions and thereby reduce burden. The proposal separately would have required a bank service provider that provided services subject to the Bank Service Company Act (BSCA) 13 to notify at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a computersecurity incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. This standard reflected the agencies’ conclusion that the impact of computer-security incidents at bank service providers can flow through to their banking organization customers. The agencies also recognized, however, that a bank service provider may not be able to readily assess whether an incident rises to the level of a notification incident for a particular banking organization customer. The notification requirement for bank service providers is important because banking organizations have become increasingly reliant on third parties to provide essential services. Such third 10 86 FR 2299 (Jan. 12, 2021). computer-security incidents may include major computer-system failures, cyber-related interruptions, such as distributed denial of service and ransomware attacks, or other types of significant operational interruptions. 12 NIST is an agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards. 13 12 U.S.C. 1861–67. 11 These E:\FR\FM\23NOR1.SGM 23NOR1 66426 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations parties may also experience computersecurity incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization. Therefore, a banking organization needs to receive prompt notification of computersecurity incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, these services because prompt notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact and trigger its own notification requirement. A. Overview of Comments The agencies collectively received 35 comments from banking and financial sector entities, third-party service providers, industry groups, and other individuals.14 This section provides an overview of the general themes raised by commenters. The comments received on the proposal are further discussed below in the sections describing the final rule, including any changes that the agencies have made to the proposal in response to comments. General Reaction and Need for a Rule A majority of commenters supported the proposal, agreeing that providing prompt notice of significant incidents is an important aspect of safety and soundness, and they supported transparent and consistent notification from bank service providers to their banking organization customers. A number of these commenters offered suggestions to clarify certain aspects of the requirements or lessen the perceived burden. Commenters also generally supported the agencies’ efforts to harmonize with existing definitions and notification standards. Four commenters opposed the proposal, contending that compliance would be burdensome or duplicative of existing requirements, and may impede banking organizations’ and bank service providers’ abilities to respond effectively to incidents. ‘‘Computer-Security Incidents’’ That Can Trigger Potential Reporting lotter on DSK11XQN23PROD with RULES1 As described above, the proposal would have required reporting of certain ‘‘computer-security incidents,’’ defined to be consistent with the NIST 14 Comments can be accessed at: https:// www.regulations.gov/document/OCC-2020-00380001 (OCC); https://www.federalreserve.gov/apps/ foia/ViewComments.aspx?doc_id=R-1736&doc_ ver=1 (Board); and https://www.fdic.gov/resources/ regulations/federal-register-publications/2021/ 2021-computer-security-incident-notification-3064af59.html (FDIC). VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 definition. While several commenters supported aligning the definition with NIST’s definition, most commenters asserted that the proposed definition was overly broad, could be tailored, and suggested different revisions to the proposed definition of computersecurity incident. Specifically, a number of these commenters asserted that the definition should be based on actual, rather than ‘‘potential,’’ harm and exclude violations of a banking organization’s or a bank service provider’s policies and procedures. Means of Bank Service Provider Notification ‘‘Notification Incidents’’ Required To Be Reported As described above, notification incidents are computer-security incidents that require notification to the agencies. Most commenters argued that the proposed definition of ‘‘notification incident’’ was overly broad and should be narrowed and only require reporting of incidents involving actual harm.15 Commenters asserted that any definition should incorporate time, risk, and scale elements, which commenters viewed as critical. In addition, commenters urged the agencies to replace the ‘‘good faith’’ standard with a banking organization’s or a bank service provider’s ‘‘determination’’ or a reasonable basis to conclude that an incident had occurred, to provide a more objective and concrete standard.16 Applicability to Financial Market Utilities Timeframes for Notification The agencies received comments on the timeframes described in the proposal for banking organizations to provide notification to their regulator and for bank service providers to provide notification to their banking organization customers. These comments focused both on the amount of time provided to make the notification and the trigger that caused the time period to begin being measured. Commenters made a wide variety of suggestions, including recommendations to lengthen and shorten the periods and to provide further clarity regarding when they commenced. 15 A commenter suggested that if a banking organization had mitigation strategies in place to offset the impact to a banking organization or its customers, the incident should not be considered a significant or critical incident and therefore should not be considered a notification incident. The commenter also stated that the agencies should indicate that an outage that lasts less than 48-hours in duration does not represent a ‘‘notification incident.’’ 16 Commenters contended that the ‘‘good faith’’ standard may be unclear, and the agencies should provide guidance on how to make the good faith determination. However, some commenters preferred the good faith standard over a ‘‘reasonably likely’’ standard. PO 00000 Frm 00024 Fmt 4700 Sfmt 4700 Commenters raised questions regarding the requirement in the proposal that a bank service provider must notify two individuals at each affected banking organization. Notably, some commenters raised concerns that such a requirement would override contractual notification provisions with which both the bank service providers and banking organizations are comfortable. Commenters suggested that the proposal would cause unintended regulatory overlap for those financial market utilities that are designated as systemically important under Title VIII of the Dodd-Frank Act (designated FMUs) and regulated by the Securities and Exchange Commission (SEC) or Commodity Futures Trading Commission (CFTC). In addition, designated FMUs regulated by the Board are subject to Regulation HH, which includes risk-management standards. III. Discussion of Final Rule A. Overview of the Final Rule In response to comments received on the NPR, the final rule reflects changes to key definitions and notification provisions applicable to both banking organizations and bank service providers. These changes include (1) narrowing the definition of computersecurity incident by focusing on actual, rather than potential, harm and by removing the second prong of the proposed definition relating to violations of internal policies or procedures; (2) substituting the phrase ‘‘reasonably likely to’’ in place of ‘‘could’’ in the definition of notification incident; and (3) replacing the ‘‘good faith belief’’ notification standard with a determination standard. Changes to the bank service provider notification provision include (1) adding a definition of ‘‘covered services’’ and (2) requiring that notice be provided to a bank-designated point of contact, rather than to at least two individuals at each banking organization customer. The final rule also excludes designated FMUs from the definitions of ‘‘banking organization’’ and ‘‘bank service provider.’’ 17 Such changes are intended to address comments and reduce overand unnecessary notification by both 17 The rule defines ‘‘designated financial market utility’’ as having the same meaning as set forth at 12 U.S.C. 5462(4). E:\FR\FM\23NOR1.SGM 23NOR1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations banking organizations and bank service providers. The final rule establishes two primary requirements, which promote the safety and soundness of banking organizations and are consistent with the agencies’ authorities to supervise these entities, and with their authorities pursuant to the BSCA.18 First, the final rule requires a banking organization to notify its primary Federal regulator of a notification incident. In particular, a banking organization must notify its primary Federal regulator of any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.19 Second, the final rule requires a bank service provider 20 to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization customer for four or more hours. Each of these requirements is discussed in more detail below. B. Definitions i. Definition of Banking Organization The final rule applies to the following banking organizations: • For the OCC, ‘‘banking organizations’’ includes national banks, Federal savings associations, and Federal branches and agencies of foreign banks. • For the Board, ‘‘banking organizations’’ includes all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. lotter on DSK11XQN23PROD with RULES1 18 See 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861–1867, and 3102 (OCC); 12 U.S.C. 321–338a, 1467a(g), 1818(b), 1844(b), 1861–1867, and 3101 et seq. (Board); 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861–1867 (FDIC). 19 As also noted below, however, the agencies would encourage those banking organizations providing sector-critical services that currently notify their primary Federal regulator of these types of incidents on a same-day basis to continue to do so. 20 As a general matter, ‘‘bank service provider’’ refers to a company or person that performs services for a banking organization that are subject to the Bank Service Company Act (12 U.S.C. 1861–1867). However, for the purpose of this final rule, the term ‘‘bank service provider’’ does not include any person or company that is a designated FMU, as that term is defined at 12 U.S.C. 5462(4). VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 • For the FDIC, ‘‘banking organizations’’ includes all insured state nonmember banks, insured statelicensed branches of foreign banks, and insured State savings associations. • For all three agencies, ‘‘banking organizations’’ does not include designated FMUs, for the reasons discussed below.21 With respect to the proposed definition of ‘‘banking organization,’’ commenters suggested that this term should include additional entities, such as financial technology firms and nonbank OCC-chartered financial services entities, to the extent the agencies have jurisdiction over those firms. Further, commenters contended that the agencies should consider other regulatory frameworks to which banking organizations and bank service providers may already be subject and exclude entities subject to other, similar, regulatory reporting requirements.22 The agencies have defined the term banking organization in a manner that is consistent with the agencies’ supervisory authorities. The NPR solicited comment on the scope of entities that should be included as ‘‘banking organizations’’ for purposes of the rule, and specifically noted that the proposed rule’s definition of ‘‘banking organizations’’ and ‘‘bank service providers’’ would include FMUs that are chartered as a State member bank or Edge corporation, or perform services subject to regulation and examination under the Bank Service Company Act.23 24 In that regard, the agencies asked whether there were unique factors that the agencies should consider in determining how notification requirements should apply to these FMUs. In addition, the agencies asked whether notification requirements would be best conveyed through the proposed rule or through amendments to the Board’s Regulation HH for designated FMUs for which the Board is 21 Under the final rule, ‘‘designated financial market utility’’ has the same meaning as set forth at 12 U.S.C. 5462(4). 22 For example, FMUs for which the SEC is the Primary Agency under Title VIII of the Dodd-Frank Act are subject to the SEC’s Regulation SCI (Systems Compliance and Integrity) for certain financial intermediaries. 23 An FMU is ‘‘any person that manages or operates a multilateral system for the purpose of transferring, clearing, or settling payments, securities, or other financial transactions among financial institutions or between financial institutions and the person.’’ 12 U.S.C. 5462(6). 24 Title VIII of the Dodd-Frank Act authorizes the Financial Stability Oversight Council to designate certain FMUs as systemically important. Depending on the functions that it serves in the financial markets, a designated FMU is subject to riskmanagement regulations promulgated by the Board (i.e., Regulation HH), the SEC, or the CFTC. PO 00000 Frm 00025 Fmt 4700 Sfmt 4700 66427 the Supervisory Agency under Title VIII of the Dodd-Frank Act. In response to these requests for comment, two commenters opposed the application of the proposed rule to SECsupervised FMUs that are designated as systemically important under Title VIII of the Dodd-Frank Act, arguing that the proposed rule would subject these designated FMUs to unintended regulatory overlap and duplicative compliance burdens. One of these commenters argued that SEC-supervised designated FMUs should be deemed to comply with the rule to the extent they comply with incident notification requirements under existing SEC regulations. Another commenter argued that applying the proposed rule to Board-supervised designated FMUs would be preferable to amending Regulation HH to include a designated FMU-specific incident notification requirement, but this commenter did not provide a detailed rationale for that position. Finally, several commenters suggested that the final rule should exempt all FMUs that qualify as a banking organization or a bank service provider, including FMUs that have not been designated as systemically important under Title VIII of the DoddFrank Act, from these incident notification requirements, arguing that the existing practice among FMUs is to alert supervisors directly in the case of computer-security incidents. As noted above, the final rule excludes designated FMUs from the definitions of ‘‘banking organization’’ and ‘‘bank service provider.’’ 25 In the case of SEC- and CFTC-supervised designated FMUs, the agencies determined that excluding these designated FMUs from the final rule is appropriate because these designated FMUs are already subject to incident notification requirements in other Federal regulations.26 Board-supervised designated FMUs are subject to the Board’s Regulation 25 The rule defines ‘‘designated financial market utility’’ as having the same meaning as set forth at 12 U.S.C. 5462(4). 26 Specifically, SEC-supervised designated FMUs are subject to the SEC’s Regulation SCI, which generally requires covered entities to notify the SEC and their members or participants in the event of an SCI event. See 17 CFR 242.1000 (defining ‘‘SCI Event’’) and 242.1002 (imposing notification requirements related to SCI Events). Similarly, a CFTC-supervised designated FMU must notify the CFTC in the event of an ‘‘exceptional event’’ or the activation of the designated FMU’s business continuity and disaster recovery plan. See 17 CFR 39.18(g). An ‘‘exceptional event’’ includes ‘‘[a]ny hardware or software malfunction, security incident, or targeted threat that materially impairs, or creates a significant likelihood of material impairment, of automated system operation, reliability, security, or capacity.’’ Id. E:\FR\FM\23NOR1.SGM 23NOR1 66428 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations HH, which includes a set of riskmanagement standards for addressing areas such as legal risk, governance, credit and liquidity risks, and operational risk. Regulation HH requires generally that a Board-supervised designated FMU effectively identify and manage operational risks.27 Although Regulation HH does not currently impose specific incident-notification requirements, the Board believes that it is important for designated FMUs to inform Federal Reserve supervisors of operational disruptions on a timely basis and has generally observed such practice by the designated FMUs. The Board will continue to review Regulation HH in light of designated FMUs’ existing practices and may propose amendments to Regulation HH in the future to formalize its incidentnotification expectations and promote consistency between requirements applicable to Board-, SEC-, and CFTCsupervised designated FMUs. Although some commenters suggested that the final rule should exempt all FMUs that qualify as a banking organization or a bank service provider, the agencies have adopted a narrower exclusion for designated FMUs.28 FMUs that are not designated and that otherwise meet the definition of banking organization or bank service provider are within the rule’s scope. The agencies determined that excluding all FMUs from the rule would be overly broad and would result in the inconsistent regulatory treatment of FMUs that are not designated relative to other bank service providers. In addition, a broad FMU exclusion could create uncertainty because there is no defined list of FMUs, other than designated FMUs. One commenter suggested that the Board should hold Federal Reserve Bank Services to an equivalent standard as a matter of fairness and competitive equality. Given that designated FMUs are scoped out of this rule, the Federal Reserve Banks’ retail payment and settlement services are the only relevant Federal Reserve Bank Services that compete with those private-sector FMUs that are subject to the final rule.29 These 27 12 CFR 234.3(a)(17). narrow exclusion would not apply to a Board-supervised designated FMU with respect to its operation of non-systemically important services that are not subject to Regulation HH. 29 The Federal Reserve Banks also operate the Fedwire Funds Service and Fedwire Securities Service, which play a critical role in the financial system. The Board generally requires these services to meet or exceed the risk-management standards applicable to designated FMUs under Regulation HH. See Federal Reserve Policy on Payment System Risk (as amended effective Mar. 19, 2021), https:// www.federalreserve.gov/paymentsystems/files/psr_ policy.pdf. See also Press Release, Federal Reserve lotter on DSK11XQN23PROD with RULES1 28 This VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 retail services currently include check collection services for depository institutions and an automated clearinghouse service that enables depository institutions to send batches of debit and credit transfers. For these services, the Federal Reserve Banks follow protocols to ensure timely communication of incidents to both depository institution customers and the Board. The Board believes these protocols are comparable to those required by this final rule. With respect to future Federal Reserve Bank Services that compete with private-sector FMUs subject to the final rule (such as the FedNow Service), the Board intends to similarly hold the Federal Reserve Banks to protocols comparable to those required by this final rule. ii. Definition of Bank Service Provider The agencies sought feedback on the scope of third-party services covered under the proposed rule and whether the proposed rule’s definition of ‘‘bank service provider’’ appropriately captured the services about which banking organizations should be informed in the event of disruptions. The agencies further sought comment on whether all services covered under the BSCA should be included for purposes of the notification requirement or whether only a subset of the BSCA services should be included. The agencies also sought comment on whether only examined bank service providers should be subject to the notification requirement. With respect to the definition of ‘‘bank service provider,’’ commenters expressed varied opinions on the scope of entities included in the definition of ‘‘bank service provider.’’ Some commenters argued that the definition should be revised to clarify that only service providers providing services that are subject to the BSCA would be subject to the rule, and one commenter suggested that the agencies provide a non-exclusive list of categories of bank service providers subject to the regulation. Other commenters urged that bank service providers should include entities with access to bank customer information or systems, whether or not formally within the scope of the BSCA, while one commenter recommended excluding banking organization subsidiaries and affiliates. Some suggested that the agencies narrow the scope to apply only to significant service providers, bank service Board Reaffirms Long-Standing Policy of Applying Relevant International Risk-Management Standards to Fedwire Funds and Fedwire Securities Services (July 19, 2012), https://www.federalreserve.gov/ newsevents/pressreleases/bcreg20120719a.htm. PO 00000 Frm 00026 Fmt 4700 Sfmt 4700 providers that present a higher risk, or those that provide technology services. Other commenters suggested excluding bank service providers from the rule entirely, observing that incident notification is, and should be, addressed in contracts. The agencies agree that bank service providers providing services that are subject to the BSCA should be subject to the rule. The agencies disagree with the rest of these suggestions to modify the scope of entities included in the definition of bank service provider. As previously explained, bank service providers play an increasingly important role in banking organization operations. Significant incidents affecting the services they provide have the potential to cause notification incidents for their banking organization customers. This risk is not limited to specific bank service providers, and therefore, the agencies decline to modify the scope of entities included in the definition in the manners suggested by the comments above. Furthermore, while the agencies agree that incident notification is generally addressed by contract, we believe that this issue is important enough to warrant an independent regulatory requirement that ensures consistency and enforceability, without the necessity of revising contractual provisions. In response to comments that the agencies should clarify the scope of bank service providers that would be subject to the rule, the agencies made changes to the final rule that do so. First, the agencies added a new definition in the final rule, ‘‘covered services,’’ which definition is intended to clarify that services performed subject to the BSCA would be covered by the rule. Second, as noted above, the agencies excluded designated FMUs from the definition of ‘‘bank service provider’’ and from the definition of ‘‘banking organization.’’ 30 The final rule defines ‘‘bank service provider’’ as a bank service company or other person who performs covered services; provided, however, that no designated FMU shall be considered a bank service provider. ‘‘Covered services’’ are services performed by a ‘‘person’’ 31 that are subject to the Bank Service Company Act (12 U.S.C. 1861–1867). 30 The rule defines ‘‘designated financial market utility’’ as having the same meaning as set forth at 12 U.S.C. 5462(4). 31 The final rule states that ‘‘person’’ has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A). E:\FR\FM\23NOR1.SGM 23NOR1 lotter on DSK11XQN23PROD with RULES1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations iii. Definition of Computer-Security Incident In the NPR, the agencies generally incorporated the principal definition employed by NIST to define ‘‘computersecurity incident’’ as an occurrence that: • Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or • Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Although commenters generally supported the agencies’ use of a standard industry term rather than a new, and potentially inconsistent, term and definition, they suggested revisions to more closely tailor the definition to the purposes of the rule. For example, many commenters recommended that the definition focus on incidents that result in actual, rather than potential, harm to an information system. Commenters were concerned that the tracking and notification of incidents that could potentially harm a banking organization would create an undue regulatory burden, possibly result in over-notification, and overlook the fact that many potential incidents can be effectively remediated. In addition, various commenters recommended deleting the second prong of the proposed definition, reasoning that violations of internal policies and procedures would be unlikely ever to result in incidents significant enough to warrant prompt notification; however, some commenters supported keeping actual violations of applicable security policies. Commenters also suggested introducing materiality thresholds or excluding non-security related outages or incidents. One commenter objected to narrowing the definition to ‘‘actual’’ harm and supported broadening the definition to include incidents causing ‘‘serious,’’ but not necessarily ‘‘imminent,’’ harm. Another commenter stated that the standard for determining whether an incident rises to the level to trigger mandated notices should be based on its impact to banking organizations or the financial system and be agnostic as to cause. One commenter stated that the definition should expressly exclude scheduled outages. The same commenter suggested that the term computer-security incident be changed to encompass two types of outages and align more with the NIST definition of cybersecurity incident to provide greater uniformity and clarity about what constitutes an incident and a reportable incident. Another VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 commenter also suggested substituting the term cybersecurity incident from NIST in lieu of computer-security incident. A commenter also suggested narrowing the term ‘‘incident’’ to exclude non-malicious data communications incidents or those occurring outside of the regulated entity’s own network. While the agencies continue to recognize that there is value in adopting an existing, standard definition, the agencies agree that the NIST definition does not wholly align with the purposes of the rule. The agencies have therefore narrowed the final rule’s definition of ‘‘computer-security incident,’’ as suggested by the foregoing comments. Specifically, the final rule defines ‘‘computer-security incident’’ as an occurrence that results in actual harm to an information system or the information contained within it.32 Furthermore, the agencies have removed the second prong of the proposed computer-security incident definition relating to violations of internal policies or procedures. These changes narrow the focus of the final rule to those incidents most likely to materially and adversely affect banking organizations, while still retaining general consistency with the NIST definition.33 iv. Definition of Notification Incident The NPR defined a ‘‘notification incident’’ as a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair— • The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; 32 One commenter requested clarification as to whether a ‘‘near-miss’’ incident would constitute a computer-security incident under the rule. A ‘‘nearmiss’’ incident would constitute a computersecurity incident only to the extent that such a ‘‘near-miss’’ results in actual harm to an information system or the information contained within it. Another commenter stated that the definition of ‘‘computer-security incident’’ should be limited to information systems that can cause a ‘‘notification incident.’’ For clarification, the definition of ‘‘computer-security incident’’ includes all occurrences that result in actual harm to an information system or the information contained within it. However, only those computer-security incidents that fall within the definition of ‘‘notification incident’’ are required to be reported. Two commenters advocated for excluding computer-security incidents due to non-security and non-malicious causes. For clarity, the definition includes incidents from whatever cause. 33 In response to comments, the agencies also considered whether to incorporate the NIST definition of ‘‘cybersecurity incident’’ instead and determined that this definition would inappropriately narrow the scope of incidents covered by the rule. PO 00000 Frm 00027 Fmt 4700 Sfmt 4700 66429 • Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or • Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. Commenters addressed several aspects of the proposed definition. First, multiple commenters observed that the term ‘‘could’’ in the phrase ‘‘could . . . disrupt, degrade, or impair’’ was imprecise and overbroad. Multiple commenters suggested substituting the phrase ‘‘could’’ with ‘‘reasonably likely to or will’’ materially disrupt certain business lines or operations or ‘‘has resulted in or will result in’’ material disruptions to certain business lines or operations in its place. Some commenters also suggested that ‘‘notification incident’’ should be narrowed even further to incidents that actually materially disrupt or degrade.34 The agencies also received a number of comments on the NPR’s ‘‘believes in good faith’’ language. Various commenters expressed support for the phrase, with at least one noting that the more subjective ‘‘good faith’’ standard gave some flexibility to an organization that might honestly, albeit mistakenly, conclude that an occurrence did not rise to the level of a notification incident and thereby fail to provide notice.35 Other commenters suggested that ‘‘believe in good faith’’ was too subjective and stated that the final rule should substitute a clearer term, such as ‘‘determined.’’ 36 And one commenter 34 A commenter suggested that if a banking organization had mitigation strategies in place to offset the impact to a bank or its customers, the incident should not be considered a significant or critical incident and therefore should not be considered a notification incident. The commenter also stated that the agencies should indicate that an outage that lasts less than 48-hours in duration does not represent a ‘‘notification incident.’’ 35 Two commenters supported maintaining the ‘‘good faith’’ standard, with one commenter noting that a reasonable belief standard could introduce too much uncertainty and invite questioning of decisions that are made quickly out of necessity and potentially without key facts known. One of those commenters stated that the final rule should reflect that information may not be available to make an assessment ‘‘immediately’’ after an occurrence. 36 Commenters contended that the ‘‘good faith’’ standard may be unclear, and the agencies should provide guidance on how to make the good faith determination. An alternative would be for the rule text to state ‘‘an incident that a banking organization determines is reasonably likely to disrupt’’ instead of ‘‘believes in good faith could disrupt.’’ However, some commenters preferred the E:\FR\FM\23NOR1.SGM Continued 23NOR1 lotter on DSK11XQN23PROD with RULES1 66430 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations suggested that the agencies change the ‘‘in good faith’’ belief notification standard to apply to critical, not significant, incidents. In addition, commenters suggested that the final rule should specifically exclude from the notification requirement incidents where the impact is limited to certain types of computer systems (e.g., compromises to a bank’s marketing or personnel systems) or otherwise provide specific exclusions (e.g., any incident lasting less than 48 hours), because they would be very unlikely to cause the kinds of harm that the agencies would regard as warranting notification. Another commenter suggested that the agencies include a requirement that a notification incident involve an information system operated by, or on behalf of, a banking organization, because it would be unduly burdensome and potentially unrealistic for covered entities to be responsible for systems operated by third parties, whereas another commenter believed the term ‘‘notification incident’’ should be revised to include incidents occurring at third-party service provider information systems and the sub-contractors (fourthparty providers) of those third-party service providers that collect bankingrelated information. One commenter recommended that the agencies use the same definition of notification incident for bank service providers and banking organizations, whereas another commenter stated that only ‘‘notification incidents’’ should be reported under the rule to ensure that high volumes of less significant or easily remediated occurrences and incidents that do not result in actual harm are not reported. In addition, one commenter stated that banking organizations should not be required to publicly disclose core business lines and critical operations to avoid inviting attacks. Another commenter supported the definition and suggested that the definition of notification incident be expanded to include events that involve infiltration of third-party systems that collect banking related information, such as password managers or browsers. Another commenter requested that the agencies clarify that voluntary reporting of incidents falling outside of the scope of the definition is permitted, and that the rule also distinguish between mandatory reporting of notification incidents and nondisruptive events that could be reported through an alternative, voluntary mechanism and timeline. good faith standard over a ‘‘reasonably likely’’ standard. VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 Following analysis and careful consideration of the various comments, the agencies are finalizing the definition largely as proposed, with modifications to address a number of commenters’ concerns to clarify the rule and make it easier to administer. The definition of ‘‘notification incident’’ includes language that is consistent with the ‘‘core business line’’ and ‘‘critical operation’’ definitions included in the Resolution Planning Rule issued by the Board and FDIC under section 165(d) of the Dodd-Frank Act.37 In particular, the second prong of the notification incident definition identifies incidents that impact core business lines, and the third prong identifies incidents that impact critical operations. Banking organizations subject to the Resolution Planning Rule may use the ‘‘core business lines’’ and ‘‘critical operations’’ identified in their resolution plans 38 to identify notification incidents under the second and third prongs of the final rule. The final rule does not require banking organizations that are not subject to the Resolution Planning Rule to identify ‘‘core business lines’’ or ‘‘critical operations,’’ or to develop procedures to determine whether they engage in any operations, the failure or discontinuance of which would pose a threat to the financial stability of the United States. However, all banking organizations must have a sufficient understanding of their lines of business to be able to determine which business lines would, upon failure, result in a material loss of revenue, profit, or franchise value to the banking organization, so that they can meet their notification obligations. Commenters also requested that the agencies clarify that the material loss of revenue, profit, or franchise value 37 Section 165(d) of the Dodd-Frank Act and 12 CFR parts 363 and 381 (the Resolution Planning Rule) require certain financial companies to report periodically to the FDIC and the Board their plans for rapid and orderly resolution in the event of material financial distress or failure. On November 1, 2019, the FDIC and the Board published in the Federal Register amendments to the Resolution Planning Rule. See 84 FR 59194. 38 Elements of both the ‘‘core business lines’’ and ‘‘critical operations’’ definitions from the Resolution Planning Rule are incorporated in the ‘‘notification incident’’ definition. Under the Resolution Planning Rule, ‘‘core business lines’’ means those business lines of the covered company, including associated operations, services, functions and support, that, in the view of the covered company, upon failure would result in a material loss of revenue, profit, or franchise value, and ‘‘critical operations’’ means those operations of the covered company, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States. See 12 CFR 363.2, 381.2. PO 00000 Frm 00028 Fmt 4700 Sfmt 4700 addressed by the second prong of the definition should be evaluated on an enterprise-wide basis. The agencies agree; a banking organization should evaluate whether the loss is material to the organization as a whole. The agencies have concluded that there is substantial benefit to receiving notification of both computer-security incidents that have materially disrupted or degraded, and incidents that are reasonably likely to materially disrupt or degrade, a banking organization. Accordingly, the agencies are not narrowing the definition of ‘‘notification incident’’ to only include computersecurity incidents that have resulted in a material disruption or degradation in the final rule. However, the agencies are narrowing the scope of covered computer-security incidents by substituting the phrase ‘‘reasonably likely to’’ in place of ‘‘could.’’ The agencies agree that the term ‘‘could’’ encompasses more, and more speculative, incidents than the agencies intended in promulgating the rule. Accordingly, and in keeping with commenters’ suggestions, the agencies have substituted the term ‘‘reasonably likely to’’ in place of ‘‘could.’’ Under the ‘‘reasonably likely’’ standard, a banking organization will be required to notify its primary Federal regulator when it has suffered a computer-security incident that has a reasonable likelihood of materially disrupting or degrading the banking organization or its operations, but at the same time would not be required to make such a notification for adverse outcomes that are merely possible, or within imagination. The ‘‘reasonably likely’’ standard for notification is clearer and more in line with the agencies’ intentions for the rule. Finally, the agencies believe that banking organizations are wellpositioned to assess the likelihood that a computer-security incident will result in the significant adverse effects described in the definition. Some commenters also observed that the term ‘‘impair’’ was redundant of ‘‘disrupt’’ and ‘‘degrade;’’ that it was not a term defined by NIST; and that it should be removed. The agencies agree the term would be redundant with ‘‘disrupt or degrade,’’ and have removed the term ‘‘impair’’ from the definition. After considering the comments carefully, the agencies are replacing the ‘‘good faith belief’’ standard with a banking organization’s determination. The agencies agree with commenters who criticized the proposed ‘‘believes in good faith’’ standard as too subjective and imprecise. Accordingly, the agencies have removed the good faith language from the definition of E:\FR\FM\23NOR1.SGM 23NOR1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations lotter on DSK11XQN23PROD with RULES1 ‘‘notification incident’’ and have substituted a determination standard in the final notification requirement. Finally, the agencies decline to exclude particular incidents or incidents that impact certain types of computer systems from the notification requirements. The agencies believe that the focus on the material adverse effects of a computer-security incident is a simpler and clearer way to ensure that they receive notification of the most significant computer-security incidents. v. Examples of Notification Incidents The NPR included a non-exhaustive list of incidents that would be considered notification incidents under the proposed rule and the agencies invited comment on specific examples of computer-security incidents that should or should not constitute notification incidents. The agencies received a few general comments about the list of incidents. One commenter suggested that the agencies include additional details in the illustrative examples that would identify the type of information systems that would not require incident notification and another suggested more broadly that the final rule include illustrative examples of both incidents that would and would not be subject to the final rule. The agencies believe that the criteria set forth in the notification incident definition make clear that the focus of the rule is on incidents that materially and adversely impact a banking organization rather than on specific types of information systems. The agencies recognize that many banking organizations manage computer-security incidents every day that would not require notification under the final rule and have focused on illustrative examples of the type of incidents that would require notification. One commenter suggested that the example discussing a ransom malware attack that encrypts a banking organization’s core system is ‘‘duplicative of various federal and state breach notification laws.’’ The agencies continue to conclude that any incident of ransom malware that disrupts a banking organization’s ability to carry out banking operations meets the definition of a notification incident, and as such, have retained this example, notwithstanding any potential overlap between the final rule and other Federal and state requirements for incident reporting.39 39 As previously explained, the agencies have considered whether existing reporting standards meet the purposes of this rule and concluded that VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 Another commenter suggested that some of the examples provided were ‘‘inconsistent with’’ the term computersecurity incident, as incidents such as failed system upgrades or unrecoverable system failures are not technically computer-security incidents. The agencies disagree with this comment and believe that the commenter is reading the definition of computersecurity incident too narrowly to focus on malicious incidents. The agencies believe the examples in the proposed rule provide an appropriate perspective on the critical nature of the type of incidents that banking organizations should consider notification incidents. Having received only general comments and no specific new examples of notification incidents that should be included in the list, the agencies are retaining the illustrative examples provided in the NPR with some minor edits.40 The following is a non-exhaustive list of incidents that generally are considered ‘‘notification incidents’’ under the final rule: 1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours); 2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable; 3. A failed system upgrade or change that results in widespread user outages for customers and banking organization employees; 4. An unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan; 5. A computer hacking incident that disables banking operations for an extended period of time; 6. Malware on a banking organization’s network that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any they do not. For example, ransom malware incidents that do not involve unauthorized access to or use of sensitive customer information would not be subject to the Gramm-Leach-Bliley Act (GLBA) notification standard. 40 This is to clarify that example 6 addresses malware on a banking organization’s system that poses an imminent threat to the banking organization’s core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections. PO 00000 Frm 00029 Fmt 4700 Sfmt 4700 66431 compromised products or information systems that support the banking organization’s core business lines or critical operations from internet-based network connections; and 7. A ransom malware attack that encrypts a core banking system or backup data. While the agencies have included these illustrative examples to help clarify the scope of notification incidents, the final rule requires banking organizations to consider, on a case-by-case basis, whether any significant computer-security incidents they experience constitute notification incidents for purposes of notifying the appropriate agency. If a banking organization is in doubt as to whether it is experiencing a notification incident for purposes of notifying its primary Federal regulator, the agencies encourage it to contact its regulator. The agencies recognize that a banking organization may file a notification, from time to time, upon a mistaken determination that a notification incident has occurred, and the agencies generally do not expect to take supervisory action in such situations. C. Banking Organization Notification to Agencies i. Timing of Notification to Agencies The proposed rule would have required banking organizations to provide the mandated notification to the agencies as soon as possible and no later than 36 hours. The agencies asked whether this timeframe should be modified, and if so, how. One commenter suggested that the agencies eliminate the ‘‘as soon as possible’’ requirement and simply require notification within 36 hours, which would eliminate an apparent tension between the permission for an organization to take a reasonable amount of time to determine that it has experienced a notification incident and the requirement for immediate reporting. Some commenters supported the 36-hour timeframe as an appropriate balance between the potential burden on institutions and the agencies’ need for prompt information.41 However, other commenters expressed concerns, viewing the 36-hour timeframe as too short to allow a banking organization to fully understand a computer-security incident and to provide a complete assessment of the situation. Commenters 41 One commenter suggested that notification obligations should begin ‘‘36 hours after the banking organization confirms a notification incident has occurred, and has completed urgent measures to end the threat and protect its assets,’’ to include time for a banking organization to take necessary measures. E:\FR\FM\23NOR1.SGM 23NOR1 66432 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations lotter on DSK11XQN23PROD with RULES1 noted that the 36-hour timeframe is only workable when it commences after a banking organization determines that a notification incident has occurred. In this regard, two commenters requested that the agencies expressly articulate in the final rule the explanation included in the NPR that the 36-hour timeframe commences at the point when a banking organization has determined that a notification incident has occurred.Several commenters suggested that the agencies consider a 72-hour window to provide banking organizations with additional time to assess potential incidents and to align the proposed rule with other regulatory requirements such as the New York State Department of Financial Services’ (NYDFS) cybersecurity event notification requirement,42 or the European Union’s General Data Protection Regulation (GDPR),43 both of which require covered entities to report relevant cyber-related incidents within 72 hours.44 A few commenters suggested that the notification timeframe should be increased to 48 hours, with one suggesting that any timeline align with business day processing, and another observing that community banks ‘‘need the additional 12 hours to evaluate the situation and implement an appropriate incident response plan.’’ One commenter suggested that the notification timeframe be extended to a minimum of five business days for banks under $20 billion in assets in order to ‘‘provide banks adequate time to work with vendors and their core processors to provide accurate notifications.’’ Another commenter observed that, ‘‘for a 36-hour notification timeframe to be potentially 42 Effective March 1, 2017, the NYDFS Superintendent promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. Section 500.17 Notices to superintendent requires each ‘‘covered entity’’ to notify the NYDFS Superintendent ‘‘as promptly as possible but in no event later than 72 hours from a determinantion that a cybersecurity event has occurred.’’ The NYDFS regulation is available at:https://govt.westlaw.com/nycrr/Browse/ Home/NewYork/NewYorkCodesRulesand Regulations?guid=I5be30d2007f811e79d43a037eef d0011&origination&Context documenttoc&transitionTypeDefault&context Data=(sc.Default). 43 In particular, Article 33, Section 1 of the GDPR provides that, in the case of a personal data breach, the data controller ‘‘shall without undue delay and, where feasible, not later than 72 hours after having become aware of it,’’ notify the competent supervisory authority of the personal data breach. Moreover, Article 33, Section 2 requires data processors to ‘‘notify the [data] controller without undue delay after becoming aware of a personal data breach.’’ The full version of Regulation (EU) 2016/679 (GDPR) is available at: https://eurlex.europa.eu/legal-content/EN/TXT/PDF/ ?uri=CELEX:32016R0679. 44 See id. VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 workable and achievable, it is imperative that the scope of the notification requirement be tailored.’’ The agencies continue to believe that 36 hours is the appropriate timeframe, given the simplicity of the notification requirement and the severity of incidents captured by the definition of ‘‘notification incident.’’ 45 In developing the NPR and final rule, the agencies reviewed a number of existing security incident reporting requirements cited by the commenters and found that many of them involved detailed, prescriptive reporting requirements, often mandating that specific information be reported and including filing instructions. For example, the NYDFS rule requires that covered entities submit an annual statement certifying their compliance with the rule and keep all documents supporting their certification for five years, among other things. In contrast, the final rule sets forth no specific content or format for the simple notification it requires. The final rule is designed to ensure that the appropriate agency receives timely notice of significant emergent incidents, while providing flexibility to the banking organization to determine the content of the notification. Such a limited notification requirement will alert the agencies to such incidents without unduly burdening banking organizations with detailed reporting requirements, especially when certain information may not yet be known to the banking organizations. In addition, changes to the definitions of ‘‘computer-security incident’’ and ‘‘notification incident’’ described above narrow the range, and reduce the speculative or uncertain nature of, incidents subject to the notification requirement. The narrowed scope of notification incidents, however, makes it even more important for the agencies to receive notice as soon as possible. Additionally, the agencies recognize that a banking organization may be working expeditiously to resolve the notification incident—either directly or through a bank service provider—at the time it would be expected to notify its primary Federal regulator. The agencies believe, however, that 36 hours is a reasonable amount of time after a banking organization has determined that a notification incident has occurred to notify its primary Federal regulator, as 45 As noted above, the agencies recognize that a banking organization may file a notification, from time to time, upon a mistaken determination that a notification incident has occurred, and the agencies generally do not expect to take supervisory action in such situations. PO 00000 Frm 00030 Fmt 4700 Sfmt 4700 it does not require an assessment or analysis. The agencies do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computersecurity incident. Rather, the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. For example, some notification incidents may occur outside of normal business hours. Only once the banking organization has made such a determination would the 36-hour timeframe begin. Accordingly, the agencies have determined that the final rule will retain the requirement that banking organizations provide notice as soon as possible and no later than 36 hours. The agencies note, however, that even within the 36-hour notification window, banking organizations’ notification practices should take into account their criticality to the sector in which they operate and provide services. An effective practice of banking organizations that provide sector-critical services is to provide same-day notification to their primary Federal regulator of a notification incident. The agencies encourage this practice to continue among these banking organizations. ii. Method of Notification to Agencies The proposed rule would have required a banking organization to notify the appropriate agency of a notification incident through any form of written or oral communication, including through any technological means, to a designated point of contact identified by the agency. The agencies requested comments on how banking organizations should provide notifications to the agencies and sought comment on whether they should ‘‘adopt a process of joint notification’’ where multiple banking organization affiliates have differing notification obligations. Further, the agencies requested feedback on how such a joint notification should be done and why. A substantial number of commenters responded to various aspects of these questions. While specific suggestions varied, a consistent theme was a desire for efficient and flexible options for providing notice, with some commenters observing that a notification incident could also affect normal communication channels. Other commenters made recommendations to enhance notification efficiency, such as suggesting the use of automated E:\FR\FM\23NOR1.SGM 23NOR1 lotter on DSK11XQN23PROD with RULES1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations electronic notifications. Two commenters suggested that, consistent with the agencies’ statement in the NPR, the rule should explicitly state that no specific information is required and that the rule does not prescribe any particular reporting form. The agencies have concluded that email and telephone are the best methods currently available for effective notification. Recognizing, however, that agency processes may evolve and technology will likely change (and improve) available communication options over time, the agencies have also built flexibility into the final rule by stating that the agencies may prescribe other similar methods pursuant to which notice may be provided. The agencies believe that this approach balances the need for banking organizations to have some flexibility, including if a communication channel is impacted by the incident, with the agencies’ need to ensure that they actually receive the notifications. The agencies also sought comments on whether centralized points of contact, regional offices, or banking organization-specific supervisory teams would be better suited to receive these notifications. The comments from banking organizations and bank service providers differed on this issue. Some banking organizations suggested that the process should remain ‘‘flexible’’ and that the rule provide that the notification requirement could be ‘‘satisfied by any of several methods,’’ including providing the notification to the banking organization’s on-site or supervisory teams, appropriate regional offices, or an agency-designated point of contact. Other commenters, including bank service providers, suggested creating a joint notification process, or centralized portal or point of contact for all agencies to receive all such notifications directly. The agencies believe that the provision of notice can often be efficiently and effectively achieved by communicating with the appropriate agency supervisory office or other designated agency contacts, which may include designated supervisory staff, call centers, incident response teams, and other contacts to be designated by the respective agency. The agencies also received several comments requesting further instruction and guidance on the method and manner of the required notifications. Several other commenters requested additional guidance on what a notice must contain and the scope of information that should be provided, and even requested certain specific exclusions. VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 The notification requirement is intended to serve as an early alert to a banking organization’s primary Federal regulator about a notification incident. The agencies anticipate that banking organizations will share general information about what is known at the time of the incident. No specific information is required in the notification other than that a notification incident has occurred. The final rule does not prescribe any form or template. A simple notice can be provided to the appropriate agency supervisory office, or other designated point of contact, through email, telephone, or other similar method that the agency may prescribe. The notifications, and any information related to the incident, would be subject to the agencies’ confidentiality rules.46 Accordingly, the agencies revised the NPR language. The final rule provides that a banking organization would notify the appropriate agencydesignated point of contact through email, telephone, or other similar methods that the agency may prescribe. D. Bank Service Provider Notification to Banking Organization Customers i. Scope of Bank Service Provider Notification Commenters generally supported the idea of only notifying affected customers although some commenters suggested that all banking organization customers should be notified.47 One commenter specifically suggested that bank service provider notifications should only go to banking organizations that are ‘‘directly impacted by the incident when a bank service provider has made a determination that the incident will or is reasonably likely to materially impact the services provided to the banking organization.’’ The agencies agree with the ‘‘materiality’’ aspect of this comment and the focus on ‘‘reasonably likely’’ impacts. Accordingly, the agencies are revising the final rule to include the phrase ‘‘materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade.’’ This change is also responsive to comments that requested the agencies further harmonize the bank service provider notification 46 See, e.g., 12 CFR part 4 (OCC); 12 CFR part 261 (Rules Regarding Availability of Information) (Board); 12 CFR 309.6 (Disclosure of exempt records) (FDIC). 47 While most commenters believe that notifying all banking organizations subscribing to the disrupted service may lead to potentially harmful over-reporting, one commenter stated that notifying all banking organizations using the service may be appropriate since the service disruption may be broader than originally expected. PO 00000 Frm 00031 Fmt 4700 Sfmt 4700 66433 requirement with the banking organization notification requirement. The final rule does not require a bank service provider to assess whether the incident rises to the level of a notification incident for a banking organization customer, which remains the responsibility of the banking organization. The agencies anticipate that bank service providers would make a best effort to share general information about what is known at the time. If, after receiving notice from a bank service provider, the banking organization determines that a notification incident has occurred, the banking organization is required to notify its primary Federal regulator in accordance with this final rule. The agencies generally will not cite a banking organization because a bank service provider fails to comply with its notification requirement. Another commenter described the potential for confusion that could ensue if a bank service provider were to notify all customers, when only some of them were affected by the computer-security incident. They advised that such an overly broad notification to all customers could ‘‘cause the banking organization customers and the bank service provider to respond to questions and concerns from banking organization customers [who were] not affected by the computer-security incident.’’ The agencies agree with these commenters and are retaining in the final rule the requirement that notice be provided only to ‘‘each affected banking organization customer.’’ Another commenter noted that the final rule needs to account for the distinction between cloud-based services versus on-premises services and a shared-responsibility service delivery model. Under the final rule, the agencies would require bank service providers to continue to provide a banking organization customer with prompt notification of material incidents regardless of current contract language and irrespective of the chosen service delivery model. Even under a shared service model, a bank service provider will still need to provide notice to banking organization customers if the bank service provider has determined it has experienced a computer-security incident that has materially disrupted or degraded, or is likely to materially disrupt or degrade, covered services provided to such banking organization customer for four or more hours. Given the purposes of the rule, the agencies believe this is a reasonable requirement and are adopting it in the final rule. Whether the covered services are being provided through a software-as-a- E:\FR\FM\23NOR1.SGM 23NOR1 66434 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations service (SaaS) arrangement, or through some other service delivery method, a bank service provider must provide notification to banking organizations in accordance with the standard in the final rule. The banking organization must then independently determine if a notification incident has occurred. Finally, in response to concerns expressed by commenters, the agencies are revising the final rule to specifically exclude scheduled maintenance, testing, or software updates previously communicated to a banking organization customer. This new exception should reduce over- and unnecessary notification. If, however, the scheduled maintenance, testing, or software update exceeds the parameters communicated to the banking organization customer and meets the notification standard set forth in the rule, this exception does not apply. lotter on DSK11XQN23PROD with RULES1 ii. Timing of Bank Service Provider Notification Several commenters favored immediate notifications. Others were concerned that immediate notifications may result in over- and inaccurate notification. For example, some commenters objected to the requirement that a bank service provider must ‘‘immediately’’ notify affected banking organizations 48 and recommended that the notification occur ‘‘as soon as practicable,’’ within the first four hours of the occurrence of a computer-security incident, or in a ‘‘timely’’ manner (or a similar standard) after a service disruption to prevent over-reporting and provide time for bank service providers to assess the severity of an incident.49 One commenter noted that an immediate notification standard may be appropriate but only after the bank service provider determines that a notification incident has occurred, while other commenters stated that immediate notification was appropriate. Another commenter expressed concern that immediate notice may leave no time lapse ‘‘between when a computersecurity incident occurred and when notification has to happen.’’ While expressing similar sentiments, some commenters suggested substituting the term ‘‘timely,’’ or ‘‘promptly’’ and ‘‘without undue delay,’’ in place of the ‘‘immediate’’ requirement. Another 48 Obstacles to immediate notification mentioned by commenters included that bank service providers need time to assess whether an incident is a computer-security incident. 49 A commenter suggested that any timing for notification should allow an opportunity for reasonable investigation to help ensure that material incidents are flagged to the regulators and are not obfuscated by an influx of false positives or non-material matter. VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 commenter suggested that different reporting obligations should be permitted contingent upon the location of the incident (on-premise services vs. cloud services). The same commenter suggested modifying the ‘‘good faith’’ standard to instead require ‘‘prompt’’ notification where a bank service provider obtains actual knowledge of an incident that impacts services for more than four hours. Other commenters drew distinctions between security incidents and service disruptions. One commenter observed that ‘‘[u]nlike a ‘computer-security incident’ which requires time to identify and evaluate, a disruption in service is instantaneously apparent and bank service providers can immediately notify banking organizations of the disruption in service.’’ For similar reasons, another commenter suggested bifurcation of service provider notifications: ‘‘one immediate notice timeline if the incident affects the security of the banking organization’s systems and a second, longer time period for disruption.’’ In response to these comments, the agencies are revising the rule to provide that a bank service provider must notify affected banking organization customers ‘‘as soon as possible’’ when it ‘‘determines’’ it has experienced an incident that meets the standard in the rule. Use of the term ‘‘determined’’ allows the bank service provider time to examine the nature of the incident and assess the materiality of the disruption or degradation of covered services. Additionally, the ‘‘four or more hours’’ threshold should reduce notifications concerning less material incidents. Once the bank service provider has made this determination, it must provide notice ‘‘as soon as possible.’’ Some commenters recommended revising the proposed rule to ‘‘allow for service providers to satisfy their notification requirement by providing notification to their banking customer consistent with any requirements and by any methods set forth in their contract with that customer, so long as the method reasonably ensures that the banking organization receives the notification.’’ While the agencies believe it is reasonable to assume that providing notification to customers following a determination that a material incident has occurred should be consistent with many existing contractual provisions, the agencies conclude that an independent regulatory requirement is appropriate to ensure that banking organizations receive consistent and timely notification of the most significant computer-security incidents affecting covered services. PO 00000 Frm 00032 Fmt 4700 Sfmt 4700 Other comments suggested that a 36or 72-hour notification timeframe would be reasonable. For the reasons expressed above, the agencies disagree that bank service providers could (or should) wait this long to alert banking organization customers about a material disruption or degradation in covered services. Accordingly, the final rule requires bank service providers to provide notice as soon as possible when the bank service provider has determined it has experienced a notification incident. iii. Bank Service Provider Notification to Customers Some commenters stated that the requirement in the proposal to notify two individuals at each affected banking organization of an incident was appropriate. One commenter suggested that a third notification be sent to a banking organization’s general email or telephone number. Several commenters recommended the agencies allow the notification through general channels accessible by multiple employees at affected banking organizations, and one commenter suggested that ‘‘significant’’ bank service providers should directly notify the agencies. Other commenters asserted that requiring bank service providers to notify two contacts at each banking organization customer would be overly prescriptive and burdensome.50 Instead, these commenters recommended that bank service providers should work with their banking organizations to designate a central point of contact, but bank service providers should not be required to ensure that a contact at the banking organization receive the notification.51 Regarding existing provisions in contracts, a commenter contended that ‘‘contractual provisions with bank service providers commonly provide specific notice methods and generally provide notice to two or more banking organization employees.’’ This is consistent with the agencies’ understandings of existing agreements based on their broad-based review of bank service provider agreements, which was reflected in the language of the proposed rule. As an alternative to the approach in the proposed rule, a few commenters suggested that the rule should ‘‘instead focus on outcomes—ensuring that the 50 Commenters suggested that one contact should be adequate, as smaller banking organizations may not have two contacts available. 51 A commenter also recommended different notification obligations for on-premises services compared to cloud-based services. Commenters also suggested a carve-out to the notification obligation when a bank service provider is delayed or prevented by law enforcement. E:\FR\FM\23NOR1.SGM 23NOR1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations lotter on DSK11XQN23PROD with RULES1 appropriate individuals or entities at banking organizations receive timely notice.’’ Another commenter suggested that ‘‘banking organizations should have a central point of contact that would be accessible by more than one person to ensure that notifications to the banking organization are timely received and acted upon.’’ This approach was echoed by another banking industry commenter, who suggested that ‘‘notification through a medium or channel that is accessed by and available to multiple banking organization employees’’ should be allowed to meet the NPR’s notification requirement. Some commenters suggested using automated notifications or centralized notification portals to streamline the notification process. After consideration of the comments, the agencies are revising the final rule to keep the notification process simple and flexible. Rather than requiring bank service providers to notify two individuals at each affected banking organization customer, which may not be effective for every banking organization or bank service provider, the final rule requires bank service providers to notify ‘‘at least one bankdesignated point of contact at each affected banking organization customer.’’ The final rule states that a banking organization-designated point of contact is an email, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer. The agencies determined effective notice will be best achieved if banking organizations and bank service providers work collaboratively to designate a method of communication that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner. The final rule also provides flexibility for banking organizations and bank service providers to determine the appropriate designated point of contact, and if a banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer (CEO) and Chief Information Officer (CIO) of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means. iv. Bank Service Provider Agreements— Contract Notice Provisions Several commenters observed that contracts between banking organizations and bank service providers routinely include incident notification VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 provisions.52 But other commenters noted that current contractual provisions may not align with the proposed rule’s notification requirements and, as such, would need to be amended or revised, which may take time to complete. Commenters generally stated that while contracts between banking organizations and bank service providers already have negotiated notice provisions, such contracts would need to be amended to ensure compliance with the rule. In that regard, commenters expressed the view that the proposed rule should be revised to allow for bank service providers to satisfy their notification requirement by providing notification to their banking organization customer consistent with any requirements and by any methods set forth in their contract with that customer, so long as the method reasonably ensures that the banking organization customer receives the notification. Facilitating compliance with the rule in this manner would prevent banking organizations from having to incur the costs to amend existing contracts. Other commenters expressed perceived challenges with renegotiating contracts to comply with the rule and commenters stated that they should not be faulted for a bank service provider’s failure to notify. One commenter expressed concern that community banks may hold little power in these negotiations and recommended extending the compliance date of the rule for community banks. Relatedly, a commenter argued that if FMUs are required to provide mandated notices to their banking organization customers, the rule should require banking organization customers to identify and update their contacts for mandated notices to their bank service providers, rather than placing the burden on bank service providers to request and seek updates to these contacts. Commenters also urged the agencies to accept the notification methods specified in these contracts and clarify contract expectations. A few commenters requested that the agencies provide specific contract expectations and to consider conducting a review of contracts to confirm the notice provisions were adequate. 52 A commenter stated that bank service providers already subject to contractual breach reporting obligations should be excluded from the rule while a different commenter believed that as a matter of fairness and competitive equality, if private sector FMUs are required to provide mandated notices to either their primary Federal regulator or their banking organization customers, the Board should publicly commit to hold Federal Reserve Bank services to an equivalent standard. PO 00000 Frm 00033 Fmt 4700 Sfmt 4700 66435 The agencies believe many contracts already address such notices to banking organizations. Typically, existing bank service provider agreements that support operations that are critical to a banking organization customer require notification to the customer as soon as possible in the event of a material incident during the normal course of business. If such notification provisions satisfy the requirements of the final rule, then notification under the contractual provisions will satisfy a bank service provider’s obligation under the rule as well. The agencies note that existing notification procedures may include some redundancy with the final rule. However, the agencies are requiring notice in the final rule to ensure that a notification occurs in the event of a material computer-security incident. As a result, the agencies are not incorporating these recommendations. The agencies also note that the notification requirement created by this rule is independent of any contractual provisions, and therefore, bank service providers must comply even where their contractual obligations differ from the notification requirement in this rule. The agencies anticipate that banking organizations and bank service providers will work collaboratively to designate a method of communication that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner, for purposes of complying with the rule. This final rule is not expected to add significant burden on bank service providers. The agencies’ experiences with conducting bank service provider contract reviews during examinations indicate that many of these contracts include incident-reporting provisions. The agencies also observe that there are effective automated systems for notification currently. In addition, for banking organizations that have not already designated individuals to be notified under contractual obligations, the agencies do not believe that requiring bank service providers to notify banking organization CEOs and CIOs would create significant burden. In these circumstances, the agencies believe that bank service providers can easily obtain contact information for banking organization CEOs and CIOs. IV. Other Rulemaking Considerations In the NPR, the agencies sought feedback on a number of related topics, which are addressed separately in the sections that follow. E:\FR\FM\23NOR1.SGM 23NOR1 66436 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations A. Bank Service Provider Material Incidents Consideration The agencies requested comments about the potential burden the rule would impose on small bank service providers and about circumstances when a banking organization customer would not be aware of a material disruption in services unless they were notified. There were limited comments on this question. A few commenters noted that banking organizations are often contacted by their customers shortly after an incident and service outage occurs. Despite indirect knowledge or suspicions about potential service outages or limitations, banking organizations should still be notified of material incidents by their bank service providers. Merely identifying the fact of an outage or service interruption would not help banking organization customers understand the extent of such an outage or service interruption. Receiving notification from a bank service provider would enable a banking organization customer to evaluate the impact of the computer-security incident on its operations to determine whether it is experiencing a notification incident. If a banking organization is experiencing a notification incident and notifies its primary Federal regulator, the regulator then may evaluate and assist, as appropriate. lotter on DSK11XQN23PROD with RULES1 B. Methodology for Determining Number of Incidents Subject to the Rule The agencies invited comment on the methodology used to estimate the number of notification incidents that may be subject to the proposed rule each year. Several commenters provided general comments suggesting the agencies may have underestimated the burden associated with the proposed rule; however, only one trade association commenter provided specific observations on the methodology used to estimate the number of incidents subject to the rule. This commenter suggested that the agencies should ‘‘seek additional comments on the estimated costs and benefits of the proposed rule.’’ The agencies also received comments related to the costs associated with complying with the rule. A commenter asserted, without further detail, that the proposed costs of compliance were underestimated. This commenter suggested that the agencies gather more information and data to adequately assess the regulatory impact of the proposal. Regarding estimating the number of notification incidents per year that would be reported under the VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 proposed rule, one commenter suggested the agencies already have this information. Another commenter asserted that the rule would result in significant costs in standing up internal processes and procedures to comply with a new Federal regulatory mandate, resulting in ongoing cost and burden. The agencies have addressed the costs of this rule in the Impact Analysis section below. Moreover, the methodology used to determine the number of incidents subject to the rule reflects the agencies’ experience that computer-security incidents that rise to the level of notification incidents are rare. The agencies also believe that the final rule largely formalizes a process that already exists, reflecting the collaborative and open communication that exists between banking organizations and the agencies. As discussed in more detail in the Impact Analysis section, the agencies reviewed available supervisory data and a subset of Suspicious Activity Report (SAR) data involving cyber incidents targeting banking organizations to develop an estimate of the number of notification incidents that may occur annually. The agencies specifically recognized that an analysis of SAR filings would not capture the full scope of incidents addressed by this rule. However, the agencies also considered supervisory data, which includes the voluntary notification banking organizations already provide, to inform their estimate of the frequency of notification incidents. Based on this assessment, the agencies continue to believe that the estimated 150 notification incidents annually set forth in the Impact Analysis is reasonable. The agencies are not seeking additional comments on the estimated costs and benefits of the rule. C. Voluntary Information Sharing One commenter suggested the agencies should acknowledge the importance of voluntary information sharing within an ‘‘expanding notice schema,’’ and rely upon voluntary disclosures for non-disruptive events. Another suggested the rule should ‘‘distinguish between existing, voluntary information-sharing between banking organizations’’ and the final rule’s required incident notification disclosures. The focus and purpose of this final rule is to ensure that the agencies receive prompt notice of notification incidents, which we have defined to include only the most significant incidents affecting banking organizations. The final rule does not solicit notifications on non-disruptive PO 00000 Frm 00034 Fmt 4700 Sfmt 4700 events and differs from and does not prevent traditional supervisory information sharing. However, the agencies agree that voluntary information sharing is critically important and encourage banking organizations and bank service providers to continue sharing information about incidents not covered by this rule. D. Utilizing Prompt Corrective Action Capital Classifications One commenter suggested incorporating ‘‘existing terms and definitions of discrete, rare, disruptive events’’ such as ‘‘Prompt Corrective Action (PCA) capital category definitions, or the invocation of Sheltered Harbor protocols.’’ 53 The agencies decline to follow this recommendation. The agencies have used definitions in the final rule that are broadly consistent with NIST terminology, which is widely used across various industry segments. E. Ability To Rescind Notification and Obtain Record of Notice The agencies received several comments regarding the agencies’ collection and use of notification incident information from banking organizations. One commenter urged the agencies to develop procedures, subject to notice and comment, that would be taken upon receipt of a banking organization’s incident notification information and any subsequently gathered information related to the incident. Commenters also urged the agencies to clarify information sharing practices and protocols relating to notification incident reports, expressing concerns with confidentiality and data security. One commenter suggested that notification incident reports should be shared with banking organizationspecific supervisory teams. Commenters stated that any information submitted should be subject to the agencies’ confidentiality rules and that the agencies should explain how the information would be protected. One commenter suggested the agencies establish a ‘‘mechanism to rescind’’ notifications in situations where ‘‘initial determinations overestimate[d] the severity or significance of an event.’’ No formal 53 To learn more about PCA capital category definitions, see OCC Bulletin 2018–33, Prompt Corrective Action: Guidelines and Rescissions (Sept. 28, 2018), which can be found at: https:// www.occ.gov/news-issuances/bulletins/2018/ bulletin-2018-33.html. To learn more about Sheltered Harbor protocols, see the Sheltered Harbor landing page at: https://www.aba.com/ banking-topics/technology/cybersecurity/shelteredharbor#. E:\FR\FM\23NOR1.SGM 23NOR1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations rescission mechanism is required. The agencies recognize that a banking organization or bank service provider may provide notice, from time to time, upon a mistaken determination that such notice is necessary. A banking organization or bank service provider may update its original notification if it later determines that its initial assessments were incorrect or overcautious. Other commenters discussed the need to obtain or retain copies of the notifications for recordkeeping purposes. The rule does not impose any recordkeeping requirements. Another commenter suggested the agencies should indicate how information that the agencies obtain under this rule would remain protected and confidential. Additionally, they requested confirmation that the information provided would be considered exempt from Freedom of Information Act (FOIA) requests. As the agencies noted in the proposal, the notification, and any information provided by a banking organization related to the incident, would be subject to the agencies’ confidentiality rules, which provide protections for confidential, proprietary, examination/ supervisory, and sensitive personally identifiable information.54 However, the agencies must respond to individual FOIA requests on a case-by-case basis. lotter on DSK11XQN23PROD with RULES1 F. Single Notification Definition One commenter suggested the agencies implement only a ‘‘single definition for a notification incident that applies to both bank service providers and banking organizations.’’ The agencies believe that this would be unworkable; the two notification requirements serve different purposes. Accordingly, the agencies declined to implement a single definition. However, the agencies have sought to harmonize the two notification standards where feasible. G. Affiliated Banking Organizations Considerations The final rule provides that affiliated banking organizations each have separate and independent notification obligations. Each banking organization needs to make an assessment of whether it has suffered a notification incident about which it must notify its primary Federal regulator. Subsidiaries of banking organizations that are not themselves banking organizations do not have notification requirements 54 See, e.g., 12 CFR part 4 (OCC); 12 CFR part 261 (Rules Regarding Availability of Information) (Board); 12 CFR 309.6 (Disclosure of exempt records) (FDIC). VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 under this final rule. If a computersecurity incident were to occur at a nonbanking organization subsidiary of a banking organization, the parent banking organization would need to assess whether the incident was a notification incident for it, and if so, it would be required to notify its primary Federal regulator. H. Consideration of the Number of Bank Service Providers Some commenters suggested the agencies underestimated the impact of the NPR to bank service providers. As noted in the NPR, the agencies do not know the precise number of bank service providers that will be affected by the final rule’s notification requirement. However, the agencies conservatively assumed the entire population of bank service providers who have self-selected the North American Industry Classification System (NAICS) industry ‘‘Computer System Design and Related Services’’ (NAICS industry code 5415) as their primary business activity to be the estimated number of bank service providers. It seems unlikely that all such code 5415-designated firms are bank service providers. Even though there may be some bank service providers that do not self-identify under NAICS code 5415, the agencies believe the number of incidents involving bank service providers will be generally consistent with original NPR findings. The agencies acknowledge that these bank service providers will be impacted by the final rule. V. Impact Analysis Covered banking organizations under the final rule include all depository institutions, holding companies, and certain other financial entities that are supervised by one or more of the agencies. According to recent Call Report and other data, the agencies supervise approximately 5,000 depository institutions along with a number of holding companies and other financial services entities that are covered under the final rule.55 In addition, the final rule requires bank service providers to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. This requirement would enable a 55 March PO 00000 31, 2021, Call Report Data. Frm 00035 Fmt 4700 Sfmt 4700 66437 banking organization to promptly respond to an incident, determine whether it must notify its primary Federal regulator that a notification incident has occurred, and take other appropriate measures related to the incident. Benefits The agencies believe that prompt notification of reportable incidents is likely to provide the following benefits to banking organizations and the financial industry as a whole. Notification may help the relevant agencies determine whether the incident is isolated or is one of many similar incidents at multiple banking organizations. If the notification incident is isolated to a single banking organization, the primary Federal regulator may be able to facilitate requests for assistance on behalf of the affected organization to minimize the impact of the incident. This benefit may be greater for small banking organizations with more limited resources. If the notification incident is one of many similar incidents occurring at multiple banking organizations, the agencies could also alert other banking organizations of the threat, recommend measures to better manage or prevent the recurrence of similar incidents, or otherwise help coordinate incident response. The prompt notification about incidents could also enable Federal regulators to respond faster to potential liquidity events that may result from such incidents. If a notification incident prevents banking organizations from fulfilling financial obligations in a timely manner, it might reduce confidence in the banking organization and precipitate the rapid withdrawal of demand deposits or short-term financing from such organizations.56 57 The agencies believe that a faster regulatory response could mitigate, or entirely prevent, these adverse liquidity events, thereby enhancing the resilience of the banking system against notification incidents. Receiving information on notification incidents at multiple banking organizations would also enable regulators to conduct empirical analyses 56 See the conceptual discussion of ‘‘cyber runs’’ in Duffie and Younger, https://www.brookings.edu/ wp-content/uploads/2019/06/WP51-DuffieYounger-2.pdf, Hutchins Center Working Paper No. 51, June 18, 2019. 57 See the empirical analysis of the potential adverse impact of cyber events on the U.S. payment and settlement system in Eisenbach et al., https:// www.newyorkfed.org/medialibrary/media/research/ staff_reports/sr909.pdf, Federal Reserve Bank of New York Staff Reports, No. 909, Last Revised May 2021. E:\FR\FM\23NOR1.SGM 23NOR1 66438 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations to improve related guidance, adjust supervisory programs to enhance resilience against such incidents, and provide information to the industry to help banking organizations reduce the risk of future computer-security incidents. The agencies do not have sufficient information available to quantify the potential benefits of the final rule because the benefits depend on the probability, breadth, and severity of future notification incidents, and the specifics of those incidents, among other things. These data limitations notwithstanding, and considering that banking organizations face a heightened risk of disruptive and destructive attacks, which have been increasing in frequency and severity in recent years, the agencies expect that the final rule would have clear prudential benefits. Costs lotter on DSK11XQN23PROD with RULES1 The final rule requires banking organizations to notify their primary Federal regulator as soon as possible, and no later than 36 hours, after a banking organization has determined that a notification incident has occurred. The agencies reviewed available supervisory data and SARs involving cyber events against banking organizations in 2019 and 2020 to estimate the number of notification incidents expected to be reported annually. This calculation relied on descriptive criteria (e.g., ransomware, trojan, zero day, etc.) that may be indicative of the type of material computer-security incident that would meet the notification incident reporting criteria. Based on this review, the agencies estimate that approximately 150 notification incidents occurred annually,58 but acknowledge that the number of such incidents could increase in the future. Comments received by the agencies on the NPR did not provide more accurate estimates or suggest a different estimation methodology. Therefore, the agencies continue to use the same methodology. The agencies believe that the regulatory burden associated with the notification requirement would be small because the majority of communications associated with the determination of the notification incident would occur regardless of the final rule.59 In 58 The agencies used conservative judgment when assessing whether a cyber-event might have risen to the level of a notification incident, so the approach may overestimate the number. However, the approach may also underestimate the number of notification incidents since supervisory and SAR data may not capture all such incidents. 59 Even at an elevated labor compensation rate of $200 per hour, the final rule would only impose VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 particular, the agencies estimate that, in the event of a notification incident, an affected banking organization may incur up to three hours of labor cost to coordinate internal communications, consult with its bank service provider, if appropriate, and notify the banking organization’s primary Federal regulator. This process may include discussion of the incident among staff of the banking organization, such as the Chief Information Officer, Chief Information Security Officer, a senior legal or compliance officer; and staff of a bank service provider, as appropriate; and liaison with senior management of the banking organization. The final rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. The agencies do not have data on the exact number of affected bank service providers nor the frequency of incidents that would require bank service providers to notify their banking organization customers. However, as described in the NPR, the agencies believe that, in the event of an incident, the affected bank service provider may incur up to three hours of labor cost to coordinate internal communications and notify its affected banking organization customers. Commenters did not provide other estimates, and the agencies believe that the additional compliance costs would be small for individual affected bank service providers.60 Post-notification activities, such as providing technical support to affected bank organization customers when managing and resolving the impact of a computer-security incident, are beyond the scope of the notification requirement. Overall, the agencies expect the benefits of the final rule to outweigh its small costs. contracts in order to implement the final rule. Furthermore, some bank service providers may incur costs to adjust internal processes and procedures to comply with the final rule. The agencies believe that these costs are likely to be small, transitory, and affect only a small number of covered entities. Other comments received in response to the proposed rule suggested that the proposed rule’s definitions might result in more notifications than estimated in the proposed rule. The final rule narrows the notification requirements, as discussed above. Response to Comments on Impact of Proposal The agencies received comments asserting that some banking organizations and bank service providers may need to revise their A. Paperwork Reduction Act additional compliance costs of $600 per notification. 60 Even at an elevated labor compensation rate of $200 per hour, the final rule would only impose additional compliance costs of $600 per notification. PO 00000 Frm 00036 Fmt 4700 Sfmt 4700 VI. Alternatives Considered The agencies are adopting these computer-security incident notification requirements after considering comments received on the NPR and evaluating alternative options for notification requirements. The agencies considered a number of alternative approaches, including leaving the current regulations unchanged and establishing a voluntary notification framework as suggested by one commenter. The agencies concluded that these approaches would not have achieved the objectives of the rule. However, the agencies refined the criteria for notification to focus attention on the most significant incidents and appropriately minimize regulatory burden. Additionally, the agencies considered defining the notification requirement for bank service providers even more narrowly, as suggested by some commenters. However, the agencies ultimately determined that the notification requirement in this rule is appropriate due to the increasingly significant role that bank service providers play in the banking industry. VII. Effective Date The agencies have provided an effective date of April 1, 2022, and a compliance date of May 1, 2022, in response to commenters that recommended that the agencies provide additional time to implement the rule. VIII. Administrative Law Matters Certain provisions of the final rule contain ‘‘collections of information’’ within the meaning of the Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501–3521). In accordance with the requirements of the PRA, the agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control E:\FR\FM\23NOR1.SGM 23NOR1 lotter on DSK11XQN23PROD with RULES1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations number. The agencies have requested and OMB has assigned to the agencies the respective control numbers shown. The information collections contained in the final rule have been submitted to OMB for review and approval by the OCC and FDIC under section 3507(d) of the PRA (44 U.S.C. 3507(d)) and section 1320.11 of OMB’s implementing regulations (5 CFR part 1320). The Board reviewed the final rule under the authority delegated to the Board by OMB, and has approved these collections of information. The final rule contains a reporting requirement that is subject to the PRA. The reporting requirement is found in §§ 53.3 (OCC), 225.302 (Board), and 304.23 (FDIC) of the final rule. A banking organization is required to notify its primary Federal bank regulatory agency of the occurrence of a ‘‘notification incident’’ at the banking organization (§§ 53.3 (OCC), 225.302 (Board), and 304.23 (FDIC)). The final rule also contains a disclosure requirement that is subject to the PRA. The disclosure requirement is found in §§ 53.4 (OCC), 225.303 (Board), and 304.24 (FDIC), which requires a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. The agencies received one PRArelated comment, which agreed that collections of information have practical utility. The agencies have a continuing interest in the public’s opinions of information collections. At any time, commenters may submit comments regarding the burden estimate, or any other aspect of this collection of information, including suggestions for reducing the burden, to the addresses listed in the ADDRESSES caption in the NPR. All comments will become a matter of public record. A copy of the comments may also be submitted to the OMB desk officer for the agencies: By mail to U.S. Office of Management and Budget, 725 17th Street NW, #10235, Washington, DC 20503; by facsimile to (202) 395–5806; or by email to: oira_ submission@omb.eop.gov, Attention, Federal Banking Agency Desk Officer. Information Collection Title of Information Collection: Computer-Security Incident Notification. VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 OMB Control Number: OCC 1557– 0350; Board 7100–NEW; FDIC 3064– 0214. Frequency of Response: On occasion; event-generated.61 Affected Public: Businesses or other for-profit. Respondents: OCC: National banks, Federal savings associations, Federal branches and agencies, and bank service providers. Board: All state member banks (as defined in 12 CFR 208.2(g)), bank holding companies (as defined in 12 U.S.C. 1841), savings and loan holding companies (as defined in 12 U.S.C. 1467a), foreign banking organizations (as defined in 12 CFR 211.21(o)), foreign banks that do not operate an insured branch, state branch or state agency of a foreign bank (as defined in 12 U.S.C. 3101(b)(11) and (12)), Edge or agreement corporations (as defined in 12 CFR 211.1(c)(2) and (3)), and bank service providers. FDIC: All insured state nonmember banks, insured state-licensed branches of foreign banks, insured State savings associations, and bank service providers. Number of Respondents: 62 OCC: Reporting—22; Disclosure—802. FDIC: Reporting—96; Disclosure— 802. Board: Reporting—32; Disclosure— 802. Estimated Hours per Response: Reporting—Sections 53.3 (OCC), 225.302 (Board), and 304.23 (FDIC): 3 hours. Disclosure—Sections 53.4 (OCC), 225.303 (Board), and 304.24 (FDIC): 3 hours. Estimated Total Annual Burden: OCC: Reporting—66 hours; Disclosure—2,406 hours. FDIC: Reporting—288 hours; Disclosure—2,406 hours. 61 For purposes of these calculations, the agencies assume that the frequency is 1 response per respondent per year. 62 The number of respondents for the reporting requirement is based on allocating the estimated 150 notification incidents among the agencies based on the percentage of entities supervised by each agency. The FDIC represents the majority of the banking organizations (64 percent), while the Board supervises approximately 21 percent of the banking organizations, with the OCC supervising the remaining 15 percent of banking organizations. The number of respondents for the disclosure requirement is based on an assumption of an approximately 2 percent per year frequency of incidents from 120,392 firms, which is divided equally among the OCC, FDIC, and Board. The number of 120,392 firms is the number of firms in the United States under NAICS code 5415 in 2018, the latest year for which such data is available. See U.S. Census Bureau, 2018 SUSB Annual Data Tables by Establishment Industry, https:// www.census.gov/data/tables/2018/econ/susb/2018susb-annual.html (last revised Aug. 27, 2021). PO 00000 Frm 00037 Fmt 4700 Sfmt 4700 66439 Board: Reporting—96 hours; Disclosure—2,406 hours. Abstract: The final rule establishes notification requirements for banking organizations upon the occurrence of a ‘‘computer-security incident’’ that rises to the level of a ‘‘notification incident.’’ A ‘‘notification incident’’ is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s— • Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; • Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or • Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. A ‘‘computer-security incident’’ is defined as is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. The final rule requires a banking organization to notify its primary Federal banking regulator upon the occurrence of a ‘‘notification incident’’ at the banking organization. The agencies recognize that the final rule imposes a limited amount of burden, beyond what is usual and customary, on banking organizations in the event of a computer-security incident even if it does not rise to the level of a notification incident, as banking organizations will need to determine whether the relevant thresholds for notification are met. Therefore, the agencies’ estimated burden per notification incident takes into account the burden associated with such incidents. The final rule also requires a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. B. Regulatory Flexibility Act OCC: The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., requires an E:\FR\FM\23NOR1.SGM 23NOR1 lotter on DSK11XQN23PROD with RULES1 66440 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations agency, in connection with a final rule, to prepare a Final Regulatory Flexibility Analysis describing the impact of the rule on small entities (defined by the Small Business Administration (SBA)) for purposes of the RFA to include commercial banks and savings institutions with total assets of $600 million or less and trust companies with total assets of $41.5 million or less) or to certify that the final rule will not have a significant economic impact on a substantial number of small entities. The OCC currently supervises approximately 669 small entities. Because the final rule impacts all OCC-supervised institutions, as well as all bank service providers, it will impact a substantial number of small entities. However, the expected costs of the final rule will be de minimis. Many banks already have internal policies for responding to security incidents, which include processes for notifying their primary regulator and other stakeholders of incidents within the scope of the final rule. Additionally, while the OCC believes bank service provider contracts may already include these provisions, if current contracts do not include these provisions, then the OCC does not expect the implementation of these provisions to impose a material burden on bank service providers. Therefore, the OCC certifies that the final rule will not have a significant economic impact on a substantial number of small entities. Board: The Regulatory Flexibility Act (RFA) generally requires an agency, in connection with a final rule, to prepare and make available for public comment a final regulatory flexibility analysis that describes the impact of the rule on small entities.63 However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. For the reasons described below, the Board certifies that the final rule will not have a significant economic impact on a substantial number of small entities. As discussed in the SUPPLEMENTARY INFORMATION section, the agencies are requiring a banking organization to notify its primary Federal regulator as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule will establish a notification requirement, which would support the safety and soundness of entities supervised by the agencies. The final rule requires a bank service provider, as defined in the rule, 63 5 U.S.C. 601 et seq. VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. The Board’s rule applies to statechartered banks that are members of the Federal Reserve System, bank holding companies, savings and loan holding companies, U.S. operations of foreign banking organizations, and Edge and agreement corporations (collectively, ‘‘Board-regulated entities’’). As described in the Impact Analysis section, requirements under the final rule will apply to all Board-regulated entities. Under regulations issued by the SBA, a small entity includes a depository institution, bank holding company, or savings and loan holding company with total assets of $600 million or less and trust companies with total receipts of $41.5 million or less.64 According to Call Reports and other Board reports, there were approximately 451 state member banks, 2,380 bank holding companies, 92 savings and loan holding companies, and 16 Edge and agreement corporations that are small entities.65 In addition, the final rule affects all bank service providers that provide services subject to the BSCA.66 The Board is unable to estimate the number of bank service providers that are small due to the varying types of banking organizations that may enter into outsourcing arrangements with bank service providers. The final rule will require all banking organizations to notify the appropriate Board-designated point of contact about a notification incident through email, telephone, or other similar methods that the Board may prescribe. The Board must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a 64 As an example, the SBA defines a bank as small if it has $600 million or less in assets. See 13 CFR 121.201 (as amended by 84 FR 34261, effective August 19, 2019). In its determination, the SBA counts the receipts, employees, or other measure of size of the concern whose size is at issue and all of its domestic and foreign affiliates. See 13 CFR 121.103. 65 State member bank data is derived from June 30, 2021 Call Reports. Data for bank holding companies and savings and loan holding companies are derived from the June 30, 2021, FR Y–9C and FR Y–9SP. Data for Edge and agreement corporations are derived from the December 31, 2020, FR–2886b. 66 Discussed in detail in the Impact Analysis section. PO 00000 Frm 00038 Fmt 4700 Sfmt 4700 notification incident has occurred. The agencies estimate that, upon occurrence of a notification incident, an affected banking organization may incur compliance costs of up to three hours of staff time to coordinate internal communications, consult with its bank service provider, if appropriate, and notify the banking organization’s primary Federal regulator. As described in the Impact Analysis section above, this requirement is estimated to affect a relatively small number of Boardregulated entities. The agencies believe that any compliance costs associated with the notice requirement would be de minimis, because the communications that led to the determination of the notification incident would have occurred regardless of the final rule. The final rule will also require a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. As described in the Impact Analysis section above, the agencies believe that any compliance costs associated with the implementation of this requirement would be de minimis for each affected bank service provider. There are no other recordkeeping, reporting, or compliance requirements associated with the final rule. For the reasons stated above, the Board certifies that the final rule will not have a significant economic impact on a substantial number of small entities. FDIC: The RFA generally requires an agency, in connection with a final rule, to prepare and make available for public comment a final regulatory flexibility analysis that describes the impact of the rule on small entities.67 However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. The SBA has defined ‘‘small entities’’ to include banking organizations with total assets of less than or equal to $600 million.68 67 5 U.S.C. 601 et seq. SBA defines a small banking organization as having $600 million or less in assets, where an organization’s assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year. See 13 CFR 121.201 (as amended by 84 FR 34261, effective August 19, 2019). In its determination, the SBA 68 The E:\FR\FM\23NOR1.SGM 23NOR1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations lotter on DSK11XQN23PROD with RULES1 Generally, the FDIC considers a significant effect to be a quantified effect in excess of 5 percent of total annual salaries and benefits per institution, or 2.5 percent of total noninterest expenses. The FDIC believes that effects in excess of these thresholds typically represent significant effects for FDICsupervised institutions. For the reasons described below, the FDIC certifies that the final rule will not have a significant economic impact on a substantial number of small entities. As described in the Impact Analysis section, the final rule is expected to affect all institutions supervised by the FDIC. According to recent Call Reports, the FDIC supervises 3,215 insured depository institutions (FDICsupervised IDIs).69 Of these, 2,333 FDICsupervised IDIs would be considered small entities for the purposes of RFA.70 These small entities hold approximately $510 billion in assets, accounting for 13 percent of total assets held by FDICsupervised institutions. In addition, the final rule affects all bank service providers that provide services subject to the BSCA.71 The FDIC is unable to estimate the number of affected bank service providers that are small. For purposes of this certification, the FDIC assumes, as an upper limit, that all affected bank service providers are small. The final rule requires a banking organization to notify the appropriate FDIC supervisory office, or an FDICdesignated point of contact, about a notification incident through email, telephone, or other similar methods that the FDIC may prescribe. The FDIC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. As described in the Impact Analysis section above, this requirement is estimated to affect a relatively small number of FDICsupervised institutions and impose a compliance cost of up to three hours per incident. The agencies believe that the regulatory burden of such a requirement would be de minimis in nature, since the internal communications that led to the determination of the notification counts the receipts, employees, or other measure of size of the concern whose size is at issue and all of its domestic and foreign affiliates. See 13 CFR 121.103. Following these regulations, the FDIC uses a banking organization’s affiliated and acquired assets, averaged over the preceding four quarters, to determine whether the banking organization is ‘‘small’’ for the purposes of RFA. 69 FDIC Call Reports, March 31, 2021. 70 Id. 71 Discussed in detail in the Impact Analysis section. VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 incident would have occurred regardless of the final rule.72 In addition, the final rule will require a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. As described in the Impact Analysis section above, the agencies believe that any additional compliance costs would be de minimis for each affected bank service provider. Therefore, the FDIC certifies that the final rule will not have a significant economic impact on a substantial number of small entities. C. Riegle Community Development and Regulatory Improvement Act of 1994 Under section 302(a) of the Riegle Community Development and Regulatory Improvement Act (RCDRIA),73 in determining the effective date and administrative compliance requirements for new regulations that impose additional reporting, disclosure, or other requirements on insured depository institutions (IDIs), each Federal banking agency must consider, consistent with principles of safety and soundness and the public interest, any administrative burdens that such regulations would place on depository institutions, including small depository institutions, and customers of depository institutions, as well as the benefits of such regulations. In addition, section 302(b) of RCDRIA requires new regulations and amendments to regulations that impose additional reporting, disclosures, or other new requirements on IDIs generally to take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in final form.74 The agencies have determined that the final rule would impose additional reporting, disclosure, or other new requirements on IDIs, and are making this final rule effective in accordance with the requirements of the RCDRIA. D. Congressional Review Act For purposes of the Congressional Review Act (CRA), the Office of Management and Budget (OMB) makes 72 Even at an elevated labor compensation rate of $200 per hour, the final rule would impose a cost burden of less than $600 per incident. 73 12 U.S.C. 4802(a). 74 Id. at 4802(b). PO 00000 Frm 00039 Fmt 4700 Sfmt 4700 66441 a determination as to whether a final rule constitutes a ‘‘major rule.’’ 75 If a rule is deemed a ‘‘major rule’’ by the OMB, the CRA generally provides that the rule may not take effect until at least 60 days following its publication.76 The Congressional Review Act defines a ‘‘major rule’’ as any rule that the Administrator of the Office of Information and Regulatory Affairs of the OMB finds has resulted in or is likely to result in—(A) an annual effect on the economy of $100,000,000 or more; (B) a major increase in costs or prices for consumers, individual industries, Federal, State, or Local government agencies or geographic regions, or (C) significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreignbased enterprises in domestic and export markets.77 The agencies will submit the final rule to the OMB for this major rule determination. As required by the Congressional Review Act, the agencies will also submit the final rule and other appropriate reports to Congress and the Government Accountability Office for review. E. Use of Plain Language Section 722 of the Gramm-LeachBliley Act 78 requires the Federal banking agencies to use plain language in all proposed and final rulemakings published in the Federal Register after January 1, 2000. The agencies invited comment regarding the use of plain language, but did not receive any comments on this topic. F. Unfunded Mandates Reform Act The OCC analyzed the final rule under the factors set forth in the Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532). Under this analysis, the OCC considered whether the final rule includes a Federal mandate that may result in the expenditure by State, local, and Tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year, adjusted for inflation (currently $158 million). As noted in the OCC’s RFA discussion, the OCC expects that the costs associated with the final rule, if any, will be de minimis and, thus, has determined that this final rule will not result in expenditures by State, local, and Tribal governments, or the private sector, of $158 million or more 75 5 U.S.C. 801 et seq. U.S.C. 801(a)(3). 77 5 U.S.C. 804(2). 78 12 U.S.C. 4809. 76 5 E:\FR\FM\23NOR1.SGM 23NOR1 66442 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations in any one year. Accordingly, the OCC has not prepared a written statement to accompany this final rule. Agency Regulation List of Subjects 12 CFR Part 53 Administrative practice and procedure, Federal savings associations, National banks, Reporting and recordkeeping requirements, Safety and soundness. 12 CFR Part 225 Administrative practice and procedure, Bank holding companies, Banking, Edge and agreement corporations, Foreign banking organizations, Nonbank financial companies, Reporting and recordkeeping requirements, Safety and soundness, Savings and loan holding companies, State member banks. 12 CFR Part 304 Administrative practice and procedure, Bank deposit insurance, Banks, Banking, Freedom of information, Reporting and recordkeeping requirements, Safety and soundness. Authority and Issuance—OCC For the reasons stated in the Common Preamble and under the authority of 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861–1867, and 3102, the Office of the Comptroller of the Currency amends chapter I of title 12, Code of Federal Regulations, as follows: ■ 1. Part 53 is added to read as follows: PART 53—COMPUTER-SECURITY INCIDENT NOTIFICATION Sec. 53.1 Authority, purpose, and scope. 53.2 Definitions. 53.3 Notification. 53.4 Bank service provider notification. Authority: 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861–1867, and 3102. lotter on DSK11XQN23PROD with RULES1 § 53.1 Authority, purpose, and scope. (a) Authority. This part is issued under the authority of 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861–1867, and 3102. (b) Purpose. This part promotes the timely notification of computer-security incidents that may materially and adversely affect Office of the Comptroller of the Currency (OCC)supervised institutions. (c) Scope. This part applies to all national banks, Federal savings associations, and Federal branches and agencies of foreign banks. This part also applies to their bank service providers as defined in § 53.2(b)(2). VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 § 53.2 Definitions. (a) Except as modified in this part, or unless the context otherwise requires, the terms used in this part have the same meanings as set forth in 12 U.S.C. 1813. (b) For purposes of this part, the following definitions apply. (1) Banking organization means a national bank, Federal savings association, or Federal branch or agency of a foreign bank; provided, however, that no designated financial market utility shall be considered a banking organization. (2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider. (3) Business line means a product or service offered by a banking organization to serve its customers or support other business needs. (4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. (5) Covered services are services performed, by a person, that are subject to the Bank Service Company Act (12 U.S.C. 1861–1867). (6) Designated financial market utility has the same meaning as set forth at 12 U.S.C. 5462(4). (7) Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s— (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. (8) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A). § 53.3 Notification. A banking organization must notify the appropriate OCC supervisory office, or OCC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the OCC may prescribe. The OCC must receive this notification PO 00000 Frm 00040 Fmt 4700 Sfmt 4700 from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. § 53.4 Bank service provider notification. (a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. (1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer. (2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means. (b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer. FEDERAL RESERVE SYSTEM 12 CFR Chapter II Authority and Issuance For the reasons stated in the Common Preamble and under the authority of 12 U.S.C. 321–338a, 1467a(g), 1818(b), 1844(b), 1861–1867, and 3101 et seq., the Board amends chapter II of title 12, Code of Federal Regulations, as follows: PART 225—BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL (REGULATION Y) 2. The authority citation for part 225 continues to read as follows: ■ Authority: 12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p–1, 1843(c)(8), 1844(b), 1972(1), 3106, 3108, 3310, 3331–3351, 3906, 3907, and 3909; 15 U.S.C. 1681s, 1681w, 6801 and 6805. 3. Subpart N is added to read as follows: ■ Subpart N—Computer-Security Incident Notification Sec. 225.300 Authority, purpose, and scope. 225.301 Definitions. E:\FR\FM\23NOR1.SGM 23NOR1 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations 225.302 225.303 Notification. Bank service provider notification. Subpart N—Computer-Security Incident Notification § 225.300 Authority, purpose, and scope. (a) Authority. This subpart is issued under the authority of 12 U.S.C. 1, 321– 338a, 1467a(g), 1818(b), 1844(b), 1861– 1867, and 3101 et seq. (b) Purpose. This subpart promotes the timely notification of computersecurity incidents that may materially and adversely affect Board-supervised entities. (c) Scope. This subpart applies to all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. This subpart also applies to their bank service providers, as defined in § 225.301(b)(2). lotter on DSK11XQN23PROD with RULES1 § 225.301 Definitions. (a) Except as modified in this subpart, or unless the context otherwise requires, the terms used in this subpart have the same meanings as set forth in 12 U.S.C. 1813. (b) For purposes of this subpart, the following definitions apply. (1) Banking organization means a U.S. bank holding company; U.S. savings and loan holding company; state member bank; the U.S. operations of foreign banking organizations; and an Edge or agreement corporation; provided, however, that no designated financial market utility shall be considered a banking organization. (2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider. (3) Business line means a product or service offered by a banking organization to serve its customers or support other business needs. (4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. (5) Covered services are services performed, by a person, that are subject to the Bank Service Company Act (12 U.S.C. 1861–1867). (6) Designated financial market utility has the same meaning as set forth at 12 U.S.C. 5462(4). (7) Notification incident is a computer-security incident that has materially disrupted or degraded, or is VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 reasonably likely to materially disrupt or degrade, a banking organization’s— (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. (8) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A). § 225.302 Notification. A banking organization must notify the appropriate Board-designated point of contact about a notification incident through email, telephone, or other similar methods that the Board may prescribe. The Board must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. § 225.303 Bank service provider notification. (a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. (1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer. (2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means. (b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer. PO 00000 Frm 00041 Fmt 4700 Sfmt 4700 66443 FEDERAL DEPOSIT INSURANCE CORPORATION Authority and Issuance For the reasons stated in the Common Preamble, and under the authority of 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861–1867, the FDIC amends 12 CFR part 304 as follows: PART 304—FORMS, INSTRUCTIONS, AND REPORTS 4. Revise the authority citation for part 304 to read as follows: ■ Authority: 5 U.S.C. 552; 12 U.S.C. 1463, 1464, 1811, 1813, 1817, 1819, 1831, and 1861–1867. ■ 5. Revise § 304.1 to read as follows: § 304.1 Purpose. This subpart informs the public where it may obtain forms and instructions for reports, applications, and other submittals used by the Federal Deposit Insurance Corporation (FDIC), and describes certain forms that are not described elsewhere in FDIC regulations in this chapter. §§ 304.15 through 304.20 Reserved] [Added and 6. Add reserve §§ 304.15 through 304.20. ■ 7. Add subpart C to read as follows: ■ Subpart C—Computer-Security Incident Notification Sec. 304.21 Authority, purpose, and scope. 304.22 Definitions. 304.23 Notification. 304.24 Bank service provider notification. 304.25–304.30 [Reserved] Subpart C—Computer-Security Incident Notification § 304.21 Authority, purpose, and scope. (a) Authority. This subpart is issued under the authority of 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861–1867. (b) Purpose. This subpart promotes the timely notification of computersecurity incidents that may materially and adversely affect FDIC-supervised institutions. (c) Scope. This subpart applies to all insured state nonmember banks, insured state licensed branches of foreign banks, and insured State savings associations. This subpart also applies to bank service providers, as defined in § 304.22(b)(2). § 304.22 Definitions. (a) Except as modified in this subpart, or unless the context otherwise requires, the terms used in this subpart have the same meanings as set forth in 12 U.S.C. 1813. E:\FR\FM\23NOR1.SGM 23NOR1 66444 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations (b) For purposes of this subpart, the following definitions apply. (1) Banking organization means an FDIC-supervised insured depository institution, including all insured state nonmember banks, insured statelicensed branches of foreign banks, and insured State savings associations; provided, however, that no designated financial market utility shall be considered a banking organization. (2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider. (3) Business line means a product or service offered by a banking organization to serve its customers or support other business needs. (4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. (5) Covered services are services performed, by a person, that are subject to the Bank Service Company Act (12 U.S.C. 1861–1867). (6) Designated financial market utility has the same meaning as set forth at 12 U.S.C. 5462(4). (7) Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s— (i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. (8) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A). lotter on DSK11XQN23PROD with RULES1 § 304.23 Notification. determines that a notification incident has occurred. § 304.24 Bank service provider notification. [Reserved] Michael J. Hsu, Acting Comptroller of the Currency. By order of the Board of Governors of the Federal Reserve System. Ann Misback, Secretary of the Board. Federal Deposit Insurance Corporation. By order of the Board of Directors. Dated at Washington, DC, on November 17, 2021. James P. Sheesley, Assistant Executive Secretary. [FR Doc. 2021–25510 Filed 11–22–21; 8:45 am] BILLING CODE 4810–33–P; 6210–01–P; 6714–01–P A banking organization must notify the appropriate FDIC supervisory office, or an FDIC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the FDIC may prescribe. The FDIC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization VerDate Sep<11>2014 16:32 Nov 22, 2021 Jkt 256001 PO 00000 Frm 00042 Fmt 4700 Sfmt 4700 Federal Aviation Administration 14 CFR Part 39 (a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours. (1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer. (2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means. (b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer. §§ 304.25–304.30 DEPARTMENT OF TRANSPORTATION [Docket No. FAA–2021–0661; Project Identifier AD–2020–01349–E; Amendment 39–21792; AD 2021–22–19] RIN 2120–AA64 Airworthiness Directives; Pratt & Whitney Turbofan Engines Federal Aviation Administration (FAA), DOT. ACTION: Final rule. AGENCY: The FAA is superseding Airworthiness Directive (AD) 2011–07– 02 for all Pratt & Whitney (P&W) JT8D– 209, JT8D–217, JT8D–217A, JT8D–217C, and JT8D–219 model turbofan engines. AD 2011–07–02 required initial and repetitive torque inspections of the 3rdstage and 4th-stage low-pressure turbine (LPT) blades. AD 2011–07–02 also required replacement of the LPT blade if wear limits are exceeded, replacement of the LPT-to-exhaust case bolts and nuts, and installation of crushable sleeve spacers on the bolts. This AD was prompted by a report of an MD–82 airplane, equipped with a JT8D–217C model turbofan engine, experiencing an engine surge that resulted in the fracture of the LPT blade and uncontained release of the LPT blade. This AD retains certain requirements of AD 2011–07–02, while revising the inspection thresholds and replacement intervals for the 3rd-stage and 4th-stage LPT blades. The FAA is issuing this AD to address the unsafe condition on these products. DATES: This AD is effective December 28, 2021. The Director of the Federal Register approved the incorporation by reference of a certain publication listed in this AD as of December 28, 2021. ADDRESSES: For service information identified in this final rule, contact Pratt & Whitney, 400 Main Street, East Hartford, CT 06118; phone: (800) 565– 0140; email: help24@prattwhitney.com; website: https:// fleetcare.prattwhitney.com. You may view this service information at the FAA, Airworthiness Products Section, Operational Safety Branch, 1200 District Avenue, Burlington, MA 01803. For information on the availability of this material at the FAA, call (781) 238– 7759. It is also available at https:// www.regulations.gov by searching for and locating Docket No. FAA–2021– 0661. SUMMARY: E:\FR\FM\23NOR1.SGM 23NOR1

Agencies

[Federal Register Volume 86, Number 223 (Tuesday, November 23, 2021)]
[Rules and Regulations]
[Pages 66424-66444]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25510]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 53

[Docket ID OCC-2020-0038]
RIN 1557-AF02

FEDERAL RESERVE SYSTEM

12 CFR Part 225

[Docket No. R-1736]
RIN 7100-AG06

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 304

RIN 3064-AF59


Computer-Security Incident Notification Requirements for Banking 
Organizations and Their Bank Service Providers

AGENCY: The Office of the Comptroller of the Currency (OCC), Treasury; 
the Board of Governors of the Federal Reserve System (Board); and the 
Federal Deposit Insurance Corporation (FDIC).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, and FDIC are issuing a final rule that 
requires a banking organization to notify its primary Federal regulator 
of any ``computer-security incident'' that rises to the level of a 
``notification incident,'' as soon as possible and no later than 36 
hours after the banking organization determines that a notification 
incident has occurred. The final rule also requires a bank service 
provider to notify each affected banking organization customer as soon 
as possible when the bank service provider determines that it has 
experienced a computer-security incident that has caused, or is 
reasonably likely to cause, a material service disruption or 
degradation for four or more hours.

DATES: Effective date: April 1, 2022; Compliance date: May 1, 2022.

FOR FURTHER INFORMATION CONTACT: 
    OCC: Patrick Kelly, Director, Critical Infrastructure Policy, (202) 
649-5519, Carl Kaminski, Assistant Director, (202) 649-5490, or 
Priscilla Benner, Senior Attorney, Chief Counsel's Office, (202) 649-
5490, Office of the Comptroller of the Currency, 400 7th Street SW, 
Washington, DC 20219.
    Board: Thomas Sullivan, Senior Associate Director, (202) 475-7656, 
Julia Philipp, Lead Financial Institution Cybersecurity Policy Analyst, 
(202) 452-3940, Don Peterson, Supervisory Cybersecurity Analyst, (202) 
973-5059, Systems and Operational Resiliency Policy, of the Supervision 
and Regulation Division; Jay Schwarz, Assistant General Counsel, (202) 
452-2970, Claudia Von Pervieux, Senior Counsel (202) 452-2552, 
Christopher Danello, Senior Attorney, (202) 736-1960, Legal Division, 
Board of Governors of the Federal Reserve System, 20th and C Streets 
NW, Washington, DC 20551, or https://www.federalreserve.gov/apps/ContactUs/feedback.aspx, and click on Staff Group, Regulations.
    FDIC: Rob Drozdowski, Special Assistant to the Deputy Director 
(202) 898-3971, [email protected], Division of Risk Management 
Supervision; or John Dorsey, Counsel (202) 898-3807, [email protected], 
Graham Rehrig, Senior Attorney, (202) 898-3829, [email protected], Legal 
Division.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Introduction
II. Background
    A. Overview of Comments
III. Discussion of Final Rule
    A. Overview of Final Rule
    B. Definitions
    i. Definition of Banking Organization
    ii. Definition of Bank Service Provider
    iii. Definition of Computer-Security Incident
    iv. Definition of Notification Incident
    v. Examples of Notification Incidents
    C. Banking Organization Notification to Agencies
    i. Timing of Notification to Agencies
    ii. Method of Notification to Agencies
    D. Bank Service Provider Notification to Banking Organization 
Customers
    i. Scope of Bank Service Provider Notification
    ii. Timing of Bank Service Provider Notification
    iii. Bank Service Provider Notification to Customers
    iv. Bank Service Provider Agreements--Contract Notice Provisions
IV. Other Rulemaking Considerations
    A. Bank Service Provider Material Incidents Consideration
    B. Methodology for Determining Number of Incidents Subject to 
the Rule
    C. Voluntary Information Sharing
    D. Utilizing Prompt Corrective Action Capital Classifications
    E. Ability To Rescind Notification and Obtain Record of Notice
    F. Single Notification Definition
    G. Affiliated Banking Organizations Considerations
    H. Consideration of the Number of Bank Service Providers
V. Impact Analysis
VI. Alternatives Considered
VII. Effective Date
VIII. Administrative Law Matters
    A. Paperwork Reduction Act
    B. Regulatory Flexibility Act
    C. Riegle Community Development and Regulatory Improvement Act 
of 1994
    D. Congressional Review Act
    E. Use of Plain Language
    F. Unfunded Mandates Reform Act

I. Introduction

    The OCC, Board, and FDIC (together, the agencies) are issuing a 
final rule to require that a banking organization \1\ promptly notify 
its primary Federal regulator of any ``computer-security incident'' 
that rises to the level of a ``notification incident,'' as those terms 
are defined in the final rule. As described in more detail below, these 
incidents may have many causes. Examples include a large-scale 
distributed denial of service attack that disrupts customer account 
access for an extended period of time and a computer hacking incident 
that disables banking operations for an extended period of time.
---------------------------------------------------------------------------

    \1\ For the OCC, ``banking organizations'' includes national 
banks, Federal savings associations, and Federal branches and 
agencies of foreign banks. For the Board, ``banking organizations'' 
includes all U.S. bank holding companies and savings and loan 
holding companies; state member banks; the U.S. operations of 
foreign banking organizations; and Edge and agreement corporations. 
For the FDIC, ``banking organizations'' includes all insured state 
nonmember banks, insured state-licensed branches of foreign banks, 
and insured State savings associations. Each agency's definition 
excludes financial market utilities (FMUs) designated under Title 
VIII of the Dodd-Frank Wall Street Reform and Consumer Protection 
Act (designated FMUs).
---------------------------------------------------------------------------

    Under the final rule, a banking organization's primary Federal 
regulator must receive this notification as soon as possible and no 
later than 36 hours after the banking organization determines that a 
notification incident has occurred. This requirement will help promote 
early awareness of emerging threats to banking organizations and the 
broader financial system. This early awareness will help the agencies 
react to these threats before they become systemic. The final rule 
separately requires a bank service provider to notify each affected 
banking organization customer as soon as possible when the bank service 
provider determines it has experienced a computer-security incident 
that has caused, or is reasonably likely to cause,

[[Page 66425]]

a material service disruption or degradation for four or more hours. 
This separate requirement will ensure that a banking organization 
receives prompt notification of a computer-security incident that 
materially disrupts or degrades, or is reasonably likely to materially 
disrupt or degrade, covered services provided by a bank service 
provider. This notification will allow the banking organization to 
assess whether the incident has or is reasonably likely to have a 
material impact on the banking organization and thus trigger the 
banking organization's own notification requirement.

II. Background

    Computer-security incidents can result from destructive malware or 
malicious software (cyberattacks), as well as non-malicious failure of 
hardware and software, personnel errors, and other causes. Cyberattacks 
targeting the financial services industry have increased in frequency 
and severity in recent years.\2\ These cyberattacks can adversely 
affect banking organizations' networks, data, and systems, and 
ultimately their ability to resume normal operations.
---------------------------------------------------------------------------

    \2\ See, e.g., Financial Crimes Enforcement Network, SAR Filings 
by Industry (Jan. 1, 2014-Dec. 31, 2020) (last accessed Oct. 11, 
2021), https://www.fincen.gov/reports/sar-stats/sar-filings-industry. (Trend data may be found by downloading the Excel file 
``Depository Institution'' and selecting the tab marked ``Exhibit 
5.'').
---------------------------------------------------------------------------

    Given the frequency and severity of cyberattacks on the financial 
services industry, the agencies believe that it is important that a 
banking organization's primary Federal regulator be notified as soon as 
possible of a significant computer-security incident \3\ that disrupts 
or degrades, or is reasonably likely to disrupt or degrade, the 
viability of the banking organization's operations, result in customers 
being unable to access their deposit and other accounts, or impact the 
stability of the financial sector.\4\ The final rule refers to these 
significant computer-security incidents as ``notification incidents.'' 
\5\ Timely notification is important as it would allow the agencies to 
(1) have early awareness of emerging threats to banking organizations 
and the broader financial system, (2) better assess the threat a 
notification incident poses to a banking organization and take 
appropriate actions to address the threat, (3) facilitate and approve 
requests from banking organizations for assistance through U.S. 
Treasury Office of Cybersecurity and Critical Infrastructure Protection 
(OCCIP),\6\ (4) provide information and guidance to banking 
organizations, and (5) conduct horizontal analyses to provide targeted 
guidance and adjust supervisory programs.
---------------------------------------------------------------------------

    \3\ As defined by the final rule, a computer-security incident 
is an occurrence that results in actual harm to the confidentiality, 
integrity, or availability of an information system or the 
information that the system processes, stores, or transmits. To 
promote uniformity of terms, the agencies have sought to align this 
term generally with an existing definition from the National 
Institute of Standards and Technology (NIST). See NIST, Computer 
Security Resource Center, Glossary (last accessed Sept. 20, 2021), 
available at https://csrc.nist.gov/glossary/term/Dictionary.
    \4\ These computer-security incidents may include major 
computer-system failures; cyber-related interruptions, such as 
distributed denial of service and ransomware attacks; or other types 
of significant operational interruptions.
    \5\ As defined in the final rule, a notification incident is a 
computer-security incident that has materially disrupted or 
degraded, or is reasonably likely to materially disrupt or degrade, 
a banking organization's: (i) Ability to carry out banking 
operations, activities, or processes, or deliver banking products 
and services to a material portion of its customer base, in the 
ordinary course of business; (ii) business line(s), including 
associated operations, services, functions, and support, that upon 
failure would result in a material loss of revenue, profit, or 
franchise value; or (iii) operations, including associated services, 
functions and support, as applicable, the failure or discontinuance 
of which would pose a threat to the financial stability of the 
United States.
    \6\ OCCIP coordinates with U.S. Government agencies to provide 
agreed-upon assistance to banking and other financial services 
sector organizations on computer-incident response and recovery 
efforts. These activities may include providing remote or in-person 
technical support to an organization experiencing a significant 
cyber event to protect assets, mitigate vulnerabilities, recover and 
restore services, identify other entities at risk, and assess 
potential risk to the broader community. The Federal Financial 
Institutions Examination Council's Cybersecurity Resource Guide for 
Financial Institutions (Oct. 2018) identifies additional information 
available to banking organizations. Available at: https://www.ffiec.gov/press/pdf/FFIEC%20Cybersecurity%20Resource%20Guide%20for%20Financial%20Institutions.pdf (last accessed Oct. 15, 2021).
---------------------------------------------------------------------------

    Notification under the Bank Secrecy Act \7\ and the Interagency 
Guidance on Response Programs for Unauthorized Access to Customer 
Information and Customer Notice \8\ provide the agencies with awareness 
of certain computer-security incidents.\9\ Nonetheless, these standards 
do not include all computer-security incidents of which the agencies, 
as supervisors, need to be alerted and would not always result in 
timely notification to the agencies.
---------------------------------------------------------------------------

    \7\ See 31 U.S.C. 5311 et seq.; 31 CFR subtitle B, chapter X.
    \8\ See 15 U.S.C. 6801; 12 CFR part 30, appendix B, supplement A 
(OCC); 12 CFR part 208, appendix D-2, supplement A, 12 CFR 211.5(l), 
12 CFR part 225, appendix F, supplement A (Board); 12 CFR part 364, 
appendix B, supplement A (FDIC).
    \9\ Banking organizations that experience a computer-security 
incident that may be criminal in nature are expected to contact 
relevant law enforcement or security agencies, as appropriate, after 
the incident occurs. This rule does not change that expectation.
---------------------------------------------------------------------------

    To ensure that the agencies receive timely alerts of all relevant 
material and adverse incidents, the agencies issued a notice of 
proposed rulemaking (NPR or proposal) to establish computer-security 
incident notification requirements for banking organizations and their 
bank service providers.\10\
---------------------------------------------------------------------------

    \10\ 86 FR 2299 (Jan. 12, 2021).
---------------------------------------------------------------------------

    The proposal would have required banking organizations to notify 
their primary Federal regulator within 36 hours of when they believed 
in good faith that a ``computer-security incident'' that rises to the 
level of a ``notification incident'' had occurred. As proposed, a 
``notification incident'' was a computer-security incident that could 
materially disrupt, degrade, or impair the viability of the banking 
organization's operations, result in customers being unable to access 
their deposit and other accounts, or impact the stability of the 
financial sector.\11\ When drafting these proposed definitions, the 
agencies sought to align the terminology as much as possible with 
language used in the National Institute of Standards and Technology's 
(NIST) Computer Security Resource Center glossary.\12\ This approach 
was intended to promote consistency with known cybersecurity terms and 
definitions and thereby reduce burden.
---------------------------------------------------------------------------

    \11\ These computer-security incidents may include major 
computer-system failures, cyber-related interruptions, such as 
distributed denial of service and ransomware attacks, or other types 
of significant operational interruptions.
    \12\ NIST is an agency of the U.S. Department of Commerce that 
works to develop and apply technology, measurements, and standards.
---------------------------------------------------------------------------

    The proposal separately would have required a bank service provider 
that provided services subject to the Bank Service Company Act (BSCA) 
\13\ to notify at least two individuals at each affected banking 
organization customer immediately after the bank service provider 
experiences a computer-security incident that it believes in good faith 
could disrupt, degrade, or impair services provided subject to the BSCA 
for four or more hours. This standard reflected the agencies' 
conclusion that the impact of computer-security incidents at bank 
service providers can flow through to their banking organization 
customers. The agencies also recognized, however, that a bank service 
provider may not be able to readily assess whether an incident rises to 
the level of a notification incident for a particular banking 
organization customer.
---------------------------------------------------------------------------

    \13\ 12 U.S.C. 1861-67.
---------------------------------------------------------------------------

    The notification requirement for bank service providers is 
important because banking organizations have become increasingly 
reliant on third parties to provide essential services. Such third

[[Page 66426]]

parties may also experience computer-security incidents that could 
disrupt or degrade the provision of services to their banking 
organization customers or have other significant impacts on a banking 
organization. Therefore, a banking organization needs to receive prompt 
notification of computer-security incidents that materially disrupt or 
degrade, or are reasonably likely to materially disrupt or degrade, 
these services because prompt notification will allow the banking 
organization to assess whether the incident has or is reasonably likely 
to have a material impact and trigger its own notification requirement.

A. Overview of Comments

    The agencies collectively received 35 comments from banking and 
financial sector entities, third-party service providers, industry 
groups, and other individuals.\14\ This section provides an overview of 
the general themes raised by commenters. The comments received on the 
proposal are further discussed below in the sections describing the 
final rule, including any changes that the agencies have made to the 
proposal in response to comments.
---------------------------------------------------------------------------

    \14\ Comments can be accessed at: https://www.regulations.gov/document/OCC-2020-0038-0001 (OCC); https://www.federalreserve.gov/apps/foia/ViewComments.aspx?doc_id=R-1736&doc_ver=1 (Board); and 
https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-computer-security-incident-notification-3064-af59.html (FDIC).
---------------------------------------------------------------------------

General Reaction and Need for a Rule
    A majority of commenters supported the proposal, agreeing that 
providing prompt notice of significant incidents is an important aspect 
of safety and soundness, and they supported transparent and consistent 
notification from bank service providers to their banking organization 
customers. A number of these commenters offered suggestions to clarify 
certain aspects of the requirements or lessen the perceived burden. 
Commenters also generally supported the agencies' efforts to harmonize 
with existing definitions and notification standards. Four commenters 
opposed the proposal, contending that compliance would be burdensome or 
duplicative of existing requirements, and may impede banking 
organizations' and bank service providers' abilities to respond 
effectively to incidents.
``Computer-Security Incidents'' That Can Trigger Potential Reporting
    As described above, the proposal would have required reporting of 
certain ``computer-security incidents,'' defined to be consistent with 
the NIST definition. While several commenters supported aligning the 
definition with NIST's definition, most commenters asserted that the 
proposed definition was overly broad, could be tailored, and suggested 
different revisions to the proposed definition of computer-security 
incident. Specifically, a number of these commenters asserted that the 
definition should be based on actual, rather than ``potential,'' harm 
and exclude violations of a banking organization's or a bank service 
provider's policies and procedures.
``Notification Incidents'' Required To Be Reported
    As described above, notification incidents are computer-security 
incidents that require notification to the agencies. Most commenters 
argued that the proposed definition of ``notification incident'' was 
overly broad and should be narrowed and only require reporting of 
incidents involving actual harm.\15\ Commenters asserted that any 
definition should incorporate time, risk, and scale elements, which 
commenters viewed as critical. In addition, commenters urged the 
agencies to replace the ``good faith'' standard with a banking 
organization's or a bank service provider's ``determination'' or a 
reasonable basis to conclude that an incident had occurred, to provide 
a more objective and concrete standard.\16\
---------------------------------------------------------------------------

    \15\ A commenter suggested that if a banking organization had 
mitigation strategies in place to offset the impact to a banking 
organization or its customers, the incident should not be considered 
a significant or critical incident and therefore should not be 
considered a notification incident. The commenter also stated that 
the agencies should indicate that an outage that lasts less than 48-
hours in duration does not represent a ``notification incident.''
    \16\ Commenters contended that the ``good faith'' standard may 
be unclear, and the agencies should provide guidance on how to make 
the good faith determination. However, some commenters preferred the 
good faith standard over a ``reasonably likely'' standard.
---------------------------------------------------------------------------

Timeframes for Notification
    The agencies received comments on the timeframes described in the 
proposal for banking organizations to provide notification to their 
regulator and for bank service providers to provide notification to 
their banking organization customers. These comments focused both on 
the amount of time provided to make the notification and the trigger 
that caused the time period to begin being measured. Commenters made a 
wide variety of suggestions, including recommendations to lengthen and 
shorten the periods and to provide further clarity regarding when they 
commenced.
Means of Bank Service Provider Notification
    Commenters raised questions regarding the requirement in the 
proposal that a bank service provider must notify two individuals at 
each affected banking organization. Notably, some commenters raised 
concerns that such a requirement would override contractual 
notification provisions with which both the bank service providers and 
banking organizations are comfortable.
Applicability to Financial Market Utilities
    Commenters suggested that the proposal would cause unintended 
regulatory overlap for those financial market utilities that are 
designated as systemically important under Title VIII of the Dodd-Frank 
Act (designated FMUs) and regulated by the Securities and Exchange 
Commission (SEC) or Commodity Futures Trading Commission (CFTC). In 
addition, designated FMUs regulated by the Board are subject to 
Regulation HH, which includes risk-management standards.

III. Discussion of Final Rule

A. Overview of the Final Rule

    In response to comments received on the NPR, the final rule 
reflects changes to key definitions and notification provisions 
applicable to both banking organizations and bank service providers. 
These changes include (1) narrowing the definition of computer-security 
incident by focusing on actual, rather than potential, harm and by 
removing the second prong of the proposed definition relating to 
violations of internal policies or procedures; (2) substituting the 
phrase ``reasonably likely to'' in place of ``could'' in the definition 
of notification incident; and (3) replacing the ``good faith belief'' 
notification standard with a determination standard. Changes to the 
bank service provider notification provision include (1) adding a 
definition of ``covered services'' and (2) requiring that notice be 
provided to a bank-designated point of contact, rather than to at least 
two individuals at each banking organization customer. The final rule 
also excludes designated FMUs from the definitions of ``banking 
organization'' and ``bank service provider.'' \17\ Such changes are 
intended to address comments and reduce over- and unnecessary 
notification by both

[[Page 66427]]

banking organizations and bank service providers.
---------------------------------------------------------------------------

    \17\ The rule defines ``designated financial market utility'' as 
having the same meaning as set forth at 12 U.S.C. 5462(4).
---------------------------------------------------------------------------

    The final rule establishes two primary requirements, which promote 
the safety and soundness of banking organizations and are consistent 
with the agencies' authorities to supervise these entities, and with 
their authorities pursuant to the BSCA.\18\ First, the final rule 
requires a banking organization to notify its primary Federal regulator 
of a notification incident. In particular, a banking organization must 
notify its primary Federal regulator of any computer-security incident 
that rises to the level of a notification incident as soon as possible 
and no later than 36 hours after the banking organization determines 
that a notification incident has occurred.\19\ Second, the final rule 
requires a bank service provider \20\ to notify at least one bank-
designated point of contact at each affected banking organization 
customer as soon as possible when the bank service provider determines 
it has experienced a computer-security incident that has materially 
disrupted or degraded, or is reasonably likely to materially disrupt or 
degrade, covered services provided to such banking organization 
customer for four or more hours. Each of these requirements is 
discussed in more detail below.
---------------------------------------------------------------------------

    \18\ See 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861-1867, and 
3102 (OCC); 12 U.S.C. 321-338a, 1467a(g), 1818(b), 1844(b), 1861-
1867, and 3101 et seq. (Board); 12 U.S.C. 1463, 1811, 1813, 1817, 
1819, and 1861-1867 (FDIC).
    \19\ As also noted below, however, the agencies would encourage 
those banking organizations providing sector-critical services that 
currently notify their primary Federal regulator of these types of 
incidents on a same-day basis to continue to do so.
    \20\ As a general matter, ``bank service provider'' refers to a 
company or person that performs services for a banking organization 
that are subject to the Bank Service Company Act (12 U.S.C. 1861-
1867). However, for the purpose of this final rule, the term ``bank 
service provider'' does not include any person or company that is a 
designated FMU, as that term is defined at 12 U.S.C. 5462(4).
---------------------------------------------------------------------------

B. Definitions

i. Definition of Banking Organization
    The final rule applies to the following banking organizations:
     For the OCC, ``banking organizations'' includes national 
banks, Federal savings associations, and Federal branches and agencies 
of foreign banks.
     For the Board, ``banking organizations'' includes all U.S. 
bank holding companies and savings and loan holding companies; state 
member banks; the U.S. operations of foreign banking organizations; and 
Edge and agreement corporations.
     For the FDIC, ``banking organizations'' includes all 
insured state nonmember banks, insured state-licensed branches of 
foreign banks, and insured State savings associations.
     For all three agencies, ``banking organizations'' does not 
include designated FMUs, for the reasons discussed below.\21\
---------------------------------------------------------------------------

    \21\ Under the final rule, ``designated financial market 
utility'' has the same meaning as set forth at 12 U.S.C. 5462(4).
---------------------------------------------------------------------------

    With respect to the proposed definition of ``banking 
organization,'' commenters suggested that this term should include 
additional entities, such as financial technology firms and non-bank 
OCC-chartered financial services entities, to the extent the agencies 
have jurisdiction over those firms. Further, commenters contended that 
the agencies should consider other regulatory frameworks to which 
banking organizations and bank service providers may already be subject 
and exclude entities subject to other, similar, regulatory reporting 
requirements.\22\ The agencies have defined the term banking 
organization in a manner that is consistent with the agencies' 
supervisory authorities.
---------------------------------------------------------------------------

    \22\ For example, FMUs for which the SEC is the Primary Agency 
under Title VIII of the Dodd-Frank Act are subject to the SEC's 
Regulation SCI (Systems Compliance and Integrity) for certain 
financial intermediaries.
---------------------------------------------------------------------------

    The NPR solicited comment on the scope of entities that should be 
included as ``banking organizations'' for purposes of the rule, and 
specifically noted that the proposed rule's definition of ``banking 
organizations'' and ``bank service providers'' would include FMUs that 
are chartered as a State member bank or Edge corporation, or perform 
services subject to regulation and examination under the Bank Service 
Company Act.23 24 In that regard, the agencies asked whether 
there were unique factors that the agencies should consider in 
determining how notification requirements should apply to these FMUs. 
In addition, the agencies asked whether notification requirements would 
be best conveyed through the proposed rule or through amendments to the 
Board's Regulation HH for designated FMUs for which the Board is the 
Supervisory Agency under Title VIII of the Dodd-Frank Act.
---------------------------------------------------------------------------

    \23\ An FMU is ``any person that manages or operates a 
multilateral system for the purpose of transferring, clearing, or 
settling payments, securities, or other financial transactions among 
financial institutions or between financial institutions and the 
person.'' 12 U.S.C. 5462(6).
    \24\ Title VIII of the Dodd-Frank Act authorizes the Financial 
Stability Oversight Council to designate certain FMUs as 
systemically important. Depending on the functions that it serves in 
the financial markets, a designated FMU is subject to risk-
management regulations promulgated by the Board (i.e., Regulation 
HH), the SEC, or the CFTC.
---------------------------------------------------------------------------

    In response to these requests for comment, two commenters opposed 
the application of the proposed rule to SEC-supervised FMUs that are 
designated as systemically important under Title VIII of the Dodd-Frank 
Act, arguing that the proposed rule would subject these designated FMUs 
to unintended regulatory overlap and duplicative compliance burdens. 
One of these commenters argued that SEC-supervised designated FMUs 
should be deemed to comply with the rule to the extent they comply with 
incident notification requirements under existing SEC regulations. 
Another commenter argued that applying the proposed rule to Board-
supervised designated FMUs would be preferable to amending Regulation 
HH to include a designated FMU-specific incident notification 
requirement, but this commenter did not provide a detailed rationale 
for that position. Finally, several commenters suggested that the final 
rule should exempt all FMUs that qualify as a banking organization or a 
bank service provider, including FMUs that have not been designated as 
systemically important under Title VIII of the Dodd-Frank Act, from 
these incident notification requirements, arguing that the existing 
practice among FMUs is to alert supervisors directly in the case of 
computer-security incidents.
    As noted above, the final rule excludes designated FMUs from the 
definitions of ``banking organization'' and ``bank service provider.'' 
\25\ In the case of SEC- and CFTC-supervised designated FMUs, the 
agencies determined that excluding these designated FMUs from the final 
rule is appropriate because these designated FMUs are already subject 
to incident notification requirements in other Federal regulations.\26\
---------------------------------------------------------------------------

    \25\ The rule defines ``designated financial market utility'' as 
having the same meaning as set forth at 12 U.S.C. 5462(4).
    \26\ Specifically, SEC-supervised designated FMUs are subject to 
the SEC's Regulation SCI, which generally requires covered entities 
to notify the SEC and their members or participants in the event of 
an SCI event. See 17 CFR 242.1000 (defining ``SCI Event'') and 
242.1002 (imposing notification requirements related to SCI Events). 
Similarly, a CFTC-supervised designated FMU must notify the CFTC in 
the event of an ``exceptional event'' or the activation of the 
designated FMU's business continuity and disaster recovery plan. See 
17 CFR 39.18(g). An ``exceptional event'' includes ``[a]ny hardware 
or software malfunction, security incident, or targeted threat that 
materially impairs, or creates a significant likelihood of material 
impairment, of automated system operation, reliability, security, or 
capacity.'' Id.
---------------------------------------------------------------------------

    Board-supervised designated FMUs are subject to the Board's 
Regulation

[[Page 66428]]

HH, which includes a set of risk-management standards for addressing 
areas such as legal risk, governance, credit and liquidity risks, and 
operational risk. Regulation HH requires generally that a Board-
supervised designated FMU effectively identify and manage operational 
risks.\27\ Although Regulation HH does not currently impose specific 
incident-notification requirements, the Board believes that it is 
important for designated FMUs to inform Federal Reserve supervisors of 
operational disruptions on a timely basis and has generally observed 
such practice by the designated FMUs. The Board will continue to review 
Regulation HH in light of designated FMUs' existing practices and may 
propose amendments to Regulation HH in the future to formalize its 
incident-notification expectations and promote consistency between 
requirements applicable to Board-, SEC-, and CFTC-supervised designated 
FMUs.
---------------------------------------------------------------------------

    \27\ 12 CFR 234.3(a)(17).
---------------------------------------------------------------------------

    Although some commenters suggested that the final rule should 
exempt all FMUs that qualify as a banking organization or a bank 
service provider, the agencies have adopted a narrower exclusion for 
designated FMUs.\28\ FMUs that are not designated and that otherwise 
meet the definition of banking organization or bank service provider 
are within the rule's scope. The agencies determined that excluding all 
FMUs from the rule would be overly broad and would result in the 
inconsistent regulatory treatment of FMUs that are not designated 
relative to other bank service providers. In addition, a broad FMU 
exclusion could create uncertainty because there is no defined list of 
FMUs, other than designated FMUs.
---------------------------------------------------------------------------

    \28\ This narrow exclusion would not apply to a Board-supervised 
designated FMU with respect to its operation of non-systemically 
important services that are not subject to Regulation HH.
---------------------------------------------------------------------------

    One commenter suggested that the Board should hold Federal Reserve 
Bank Services to an equivalent standard as a matter of fairness and 
competitive equality. Given that designated FMUs are scoped out of this 
rule, the Federal Reserve Banks' retail payment and settlement services 
are the only relevant Federal Reserve Bank Services that compete with 
those private-sector FMUs that are subject to the final rule.\29\ These 
retail services currently include check collection services for 
depository institutions and an automated clearinghouse service that 
enables depository institutions to send batches of debit and credit 
transfers. For these services, the Federal Reserve Banks follow 
protocols to ensure timely communication of incidents to both 
depository institution customers and the Board. The Board believes 
these protocols are comparable to those required by this final rule. 
With respect to future Federal Reserve Bank Services that compete with 
private-sector FMUs subject to the final rule (such as the FedNow 
Service), the Board intends to similarly hold the Federal Reserve Banks 
to protocols comparable to those required by this final rule.
---------------------------------------------------------------------------

    \29\ The Federal Reserve Banks also operate the Fedwire Funds 
Service and Fedwire Securities Service, which play a critical role 
in the financial system. The Board generally requires these services 
to meet or exceed the risk-management standards applicable to 
designated FMUs under Regulation HH. See Federal Reserve Policy on 
Payment System Risk (as amended effective Mar. 19, 2021), https://www.federalreserve.gov/paymentsystems/files/psr_policy.pdf. See also 
Press Release, Federal Reserve Board Reaffirms Long-Standing Policy 
of Applying Relevant International Risk-Management Standards to 
Fedwire Funds and Fedwire Securities Services (July 19, 2012), 
https://www.federalreserve.gov/newsevents/pressreleases/bcreg20120719a.htm.
---------------------------------------------------------------------------

ii. Definition of Bank Service Provider
    The agencies sought feedback on the scope of third-party services 
covered under the proposed rule and whether the proposed rule's 
definition of ``bank service provider'' appropriately captured the 
services about which banking organizations should be informed in the 
event of disruptions. The agencies further sought comment on whether 
all services covered under the BSCA should be included for purposes of 
the notification requirement or whether only a subset of the BSCA 
services should be included. The agencies also sought comment on 
whether only examined bank service providers should be subject to the 
notification requirement.
    With respect to the definition of ``bank service provider,'' 
commenters expressed varied opinions on the scope of entities included 
in the definition of ``bank service provider.'' Some commenters argued 
that the definition should be revised to clarify that only service 
providers providing services that are subject to the BSCA would be 
subject to the rule, and one commenter suggested that the agencies 
provide a non-exclusive list of categories of bank service providers 
subject to the regulation. Other commenters urged that bank service 
providers should include entities with access to bank customer 
information or systems, whether or not formally within the scope of the 
BSCA, while one commenter recommended excluding banking organization 
subsidiaries and affiliates. Some suggested that the agencies narrow 
the scope to apply only to significant service providers, bank service 
providers that present a higher risk, or those that provide technology 
services. Other commenters suggested excluding bank service providers 
from the rule entirely, observing that incident notification is, and 
should be, addressed in contracts.
    The agencies agree that bank service providers providing services 
that are subject to the BSCA should be subject to the rule. The 
agencies disagree with the rest of these suggestions to modify the 
scope of entities included in the definition of bank service provider. 
As previously explained, bank service providers play an increasingly 
important role in banking organization operations. Significant 
incidents affecting the services they provide have the potential to 
cause notification incidents for their banking organization customers. 
This risk is not limited to specific bank service providers, and 
therefore, the agencies decline to modify the scope of entities 
included in the definition in the manners suggested by the comments 
above.
    Furthermore, while the agencies agree that incident notification is 
generally addressed by contract, we believe that this issue is 
important enough to warrant an independent regulatory requirement that 
ensures consistency and enforceability, without the necessity of 
revising contractual provisions.
    In response to comments that the agencies should clarify the scope 
of bank service providers that would be subject to the rule, the 
agencies made changes to the final rule that do so. First, the agencies 
added a new definition in the final rule, ``covered services,'' which 
definition is intended to clarify that services performed subject to 
the BSCA would be covered by the rule. Second, as noted above, the 
agencies excluded designated FMUs from the definition of ``bank service 
provider'' and from the definition of ``banking organization.'' \30\ 
The final rule defines ``bank service provider'' as a bank service 
company or other person who performs covered services; provided, 
however, that no designated FMU shall be considered a bank service 
provider. ``Covered services'' are services performed by a ``person'' 
\31\ that are subject to the Bank Service Company Act (12 U.S.C. 1861-
1867).
---------------------------------------------------------------------------

    \30\ The rule defines ``designated financial market utility'' as 
having the same meaning as set forth at 12 U.S.C. 5462(4).
    \31\ The final rule states that ``person'' has the same meaning 
as set forth at 12 U.S.C. 1817(j)(8)(A).

---------------------------------------------------------------------------

[[Page 66429]]

iii. Definition of Computer-Security Incident
    In the NPR, the agencies generally incorporated the principal 
definition employed by NIST to define ``computer-security incident'' as 
an occurrence that:
     Results in actual or potential harm to the 
confidentiality, integrity, or availability of an information system or 
the information that the system processes, stores, or transmits; or
     Constitutes a violation or imminent threat of violation of 
security policies, security procedures, or acceptable use policies.
    Although commenters generally supported the agencies' use of a 
standard industry term rather than a new, and potentially inconsistent, 
term and definition, they suggested revisions to more closely tailor 
the definition to the purposes of the rule. For example, many 
commenters recommended that the definition focus on incidents that 
result in actual, rather than potential, harm to an information system. 
Commenters were concerned that the tracking and notification of 
incidents that could potentially harm a banking organization would 
create an undue regulatory burden, possibly result in over-
notification, and overlook the fact that many potential incidents can 
be effectively remediated. In addition, various commenters recommended 
deleting the second prong of the proposed definition, reasoning that 
violations of internal policies and procedures would be unlikely ever 
to result in incidents significant enough to warrant prompt 
notification; however, some commenters supported keeping actual 
violations of applicable security policies. Commenters also suggested 
introducing materiality thresholds or excluding non-security related 
outages or incidents. One commenter objected to narrowing the 
definition to ``actual'' harm and supported broadening the definition 
to include incidents causing ``serious,'' but not necessarily 
``imminent,'' harm. Another commenter stated that the standard for 
determining whether an incident rises to the level to trigger mandated 
notices should be based on its impact to banking organizations or the 
financial system and be agnostic as to cause. One commenter stated that 
the definition should expressly exclude scheduled outages. The same 
commenter suggested that the term computer-security incident be changed 
to encompass two types of outages and align more with the NIST 
definition of cybersecurity incident to provide greater uniformity and 
clarity about what constitutes an incident and a reportable incident. 
Another commenter also suggested substituting the term cybersecurity 
incident from NIST in lieu of computer-security incident. A commenter 
also suggested narrowing the term ``incident'' to exclude non-malicious 
data communications incidents or those occurring outside of the 
regulated entity's own network.
    While the agencies continue to recognize that there is value in 
adopting an existing, standard definition, the agencies agree that the 
NIST definition does not wholly align with the purposes of the rule. 
The agencies have therefore narrowed the final rule's definition of 
``computer-security incident,'' as suggested by the foregoing comments. 
Specifically, the final rule defines ``computer-security incident'' as 
an occurrence that results in actual harm to an information system or 
the information contained within it.\32\ Furthermore, the agencies have 
removed the second prong of the proposed computer-security incident 
definition relating to violations of internal policies or procedures. 
These changes narrow the focus of the final rule to those incidents 
most likely to materially and adversely affect banking organizations, 
while still retaining general consistency with the NIST definition.\33\
---------------------------------------------------------------------------

    \32\ One commenter requested clarification as to whether a 
``near-miss'' incident would constitute a computer-security incident 
under the rule. A ``near-miss'' incident would constitute a 
computer-security incident only to the extent that such a ``near-
miss'' results in actual harm to an information system or the 
information contained within it. Another commenter stated that the 
definition of ``computer-security incident'' should be limited to 
information systems that can cause a ``notification incident.'' For 
clarification, the definition of ``computer-security incident'' 
includes all occurrences that result in actual harm to an 
information system or the information contained within it. However, 
only those computer-security incidents that fall within the 
definition of ``notification incident'' are required to be reported. 
Two commenters advocated for excluding computer-security incidents 
due to non-security and non-malicious causes. For clarity, the 
definition includes incidents from whatever cause.
    \33\ In response to comments, the agencies also considered 
whether to incorporate the NIST definition of ``cybersecurity 
incident'' instead and determined that this definition would 
inappropriately narrow the scope of incidents covered by the rule.
---------------------------------------------------------------------------

iv. Definition of Notification Incident
    The NPR defined a ``notification incident'' as a computer-security 
incident that a banking organization believes in good faith could 
materially disrupt, degrade, or impair--
     The ability of the banking organization to carry out 
banking operations, activities, or processes, or deliver banking 
products and services to a material portion of its customer base, in 
the ordinary course of business;
     Any business line of a banking organization, including 
associated operations, services, functions and support, and would 
result in a material loss of revenue, profit, or franchise value; or
     Those operations of a banking organization, including 
associated services, functions and support, as applicable, the failure 
or discontinuance of which would pose a threat to the financial 
stability of the United States.
    Commenters addressed several aspects of the proposed definition. 
First, multiple commenters observed that the term ``could'' in the 
phrase ``could . . . disrupt, degrade, or impair'' was imprecise and 
overbroad. Multiple commenters suggested substituting the phrase 
``could'' with ``reasonably likely to or will'' materially disrupt 
certain business lines or operations or ``has resulted in or will 
result in'' material disruptions to certain business lines or 
operations in its place. Some commenters also suggested that 
``notification incident'' should be narrowed even further to incidents 
that actually materially disrupt or degrade.\34\
---------------------------------------------------------------------------

    \34\ A commenter suggested that if a banking organization had 
mitigation strategies in place to offset the impact to a bank or its 
customers, the incident should not be considered a significant or 
critical incident and therefore should not be considered a 
notification incident. The commenter also stated that the agencies 
should indicate that an outage that lasts less than 48-hours in 
duration does not represent a ``notification incident.''
---------------------------------------------------------------------------

    The agencies also received a number of comments on the NPR's 
``believes in good faith'' language. Various commenters expressed 
support for the phrase, with at least one noting that the more 
subjective ``good faith'' standard gave some flexibility to an 
organization that might honestly, albeit mistakenly, conclude that an 
occurrence did not rise to the level of a notification incident and 
thereby fail to provide notice.\35\ Other commenters suggested that 
``believe in good faith'' was too subjective and stated that the final 
rule should substitute a clearer term, such as ``determined.'' \36\ And 
one commenter

[[Page 66430]]

suggested that the agencies change the ``in good faith'' belief 
notification standard to apply to critical, not significant, incidents.
---------------------------------------------------------------------------

    \35\ Two commenters supported maintaining the ``good faith'' 
standard, with one commenter noting that a reasonable belief 
standard could introduce too much uncertainty and invite questioning 
of decisions that are made quickly out of necessity and potentially 
without key facts known. One of those commenters stated that the 
final rule should reflect that information may not be available to 
make an assessment ``immediately'' after an occurrence.
    \36\ Commenters contended that the ``good faith'' standard may 
be unclear, and the agencies should provide guidance on how to make 
the good faith determination. An alternative would be for the rule 
text to state ``an incident that a banking organization determines 
is reasonably likely to disrupt'' instead of ``believes in good 
faith could disrupt.'' However, some commenters preferred the good 
faith standard over a ``reasonably likely'' standard.
---------------------------------------------------------------------------

    In addition, commenters suggested that the final rule should 
specifically exclude from the notification requirement incidents where 
the impact is limited to certain types of computer systems (e.g., 
compromises to a bank's marketing or personnel systems) or otherwise 
provide specific exclusions (e.g., any incident lasting less than 48 
hours), because they would be very unlikely to cause the kinds of harm 
that the agencies would regard as warranting notification. Another 
commenter suggested that the agencies include a requirement that a 
notification incident involve an information system operated by, or on 
behalf of, a banking organization, because it would be unduly 
burdensome and potentially unrealistic for covered entities to be 
responsible for systems operated by third parties, whereas another 
commenter believed the term ``notification incident'' should be revised 
to include incidents occurring at third-party service provider 
information systems and the sub-contractors (fourth-party providers) of 
those third-party service providers that collect banking-related 
information. One commenter recommended that the agencies use the same 
definition of notification incident for bank service providers and 
banking organizations, whereas another commenter stated that only 
``notification incidents'' should be reported under the rule to ensure 
that high volumes of less significant or easily remediated occurrences 
and incidents that do not result in actual harm are not reported. In 
addition, one commenter stated that banking organizations should not be 
required to publicly disclose core business lines and critical 
operations to avoid inviting attacks. Another commenter supported the 
definition and suggested that the definition of notification incident 
be expanded to include events that involve infiltration of third-party 
systems that collect banking related information, such as password 
managers or browsers. Another commenter requested that the agencies 
clarify that voluntary reporting of incidents falling outside of the 
scope of the definition is permitted, and that the rule also 
distinguish between mandatory reporting of notification incidents and 
nondisruptive events that could be reported through an alternative, 
voluntary mechanism and timeline.
    Following analysis and careful consideration of the various 
comments, the agencies are finalizing the definition largely as 
proposed, with modifications to address a number of commenters' 
concerns to clarify the rule and make it easier to administer.
    The definition of ``notification incident'' includes language that 
is consistent with the ``core business line'' and ``critical 
operation'' definitions included in the Resolution Planning Rule issued 
by the Board and FDIC under section 165(d) of the Dodd-Frank Act.\37\ 
In particular, the second prong of the notification incident definition 
identifies incidents that impact core business lines, and the third 
prong identifies incidents that impact critical operations. Banking 
organizations subject to the Resolution Planning Rule may use the 
``core business lines'' and ``critical operations'' identified in their 
resolution plans \38\ to identify notification incidents under the 
second and third prongs of the final rule.
---------------------------------------------------------------------------

    \37\ Section 165(d) of the Dodd-Frank Act and 12 CFR parts 363 
and 381 (the Resolution Planning Rule) require certain financial 
companies to report periodically to the FDIC and the Board their 
plans for rapid and orderly resolution in the event of material 
financial distress or failure. On November 1, 2019, the FDIC and the 
Board published in the Federal Register amendments to the Resolution 
Planning Rule. See 84 FR 59194.
    \38\ Elements of both the ``core business lines'' and ``critical 
operations'' definitions from the Resolution Planning Rule are 
incorporated in the ``notification incident'' definition. Under the 
Resolution Planning Rule, ``core business lines'' means those 
business lines of the covered company, including associated 
operations, services, functions and support, that, in the view of 
the covered company, upon failure would result in a material loss of 
revenue, profit, or franchise value, and ``critical operations'' 
means those operations of the covered company, including associated 
services, functions, and support, the failure or discontinuance of 
which would pose a threat to the financial stability of the United 
States. See 12 CFR 363.2, 381.2.
---------------------------------------------------------------------------

    The final rule does not require banking organizations that are not 
subject to the Resolution Planning Rule to identify ``core business 
lines'' or ``critical operations,'' or to develop procedures to 
determine whether they engage in any operations, the failure or 
discontinuance of which would pose a threat to the financial stability 
of the United States. However, all banking organizations must have a 
sufficient understanding of their lines of business to be able to 
determine which business lines would, upon failure, result in a 
material loss of revenue, profit, or franchise value to the banking 
organization, so that they can meet their notification obligations.
    Commenters also requested that the agencies clarify that the 
material loss of revenue, profit, or franchise value addressed by the 
second prong of the definition should be evaluated on an enterprise-
wide basis. The agencies agree; a banking organization should evaluate 
whether the loss is material to the organization as a whole.
    The agencies have concluded that there is substantial benefit to 
receiving notification of both computer-security incidents that have 
materially disrupted or degraded, and incidents that are reasonably 
likely to materially disrupt or degrade, a banking organization. 
Accordingly, the agencies are not narrowing the definition of 
``notification incident'' to only include computer-security incidents 
that have resulted in a material disruption or degradation in the final 
rule.
    However, the agencies are narrowing the scope of covered computer-
security incidents by substituting the phrase ``reasonably likely to'' 
in place of ``could.'' The agencies agree that the term ``could'' 
encompasses more, and more speculative, incidents than the agencies 
intended in promulgating the rule. Accordingly, and in keeping with 
commenters' suggestions, the agencies have substituted the term 
``reasonably likely to'' in place of ``could.'' Under the ``reasonably 
likely'' standard, a banking organization will be required to notify 
its primary Federal regulator when it has suffered a computer-security 
incident that has a reasonable likelihood of materially disrupting or 
degrading the banking organization or its operations, but at the same 
time would not be required to make such a notification for adverse 
outcomes that are merely possible, or within imagination. The 
``reasonably likely'' standard for notification is clearer and more in 
line with the agencies' intentions for the rule. Finally, the agencies 
believe that banking organizations are well-positioned to assess the 
likelihood that a computer-security incident will result in the 
significant adverse effects described in the definition.
    Some commenters also observed that the term ``impair'' was 
redundant of ``disrupt'' and ``degrade;'' that it was not a term 
defined by NIST; and that it should be removed. The agencies agree the 
term would be redundant with ``disrupt or degrade,'' and have removed 
the term ``impair'' from the definition.
    After considering the comments carefully, the agencies are 
replacing the ``good faith belief'' standard with a banking 
organization's determination. The agencies agree with commenters who 
criticized the proposed ``believes in good faith'' standard as too 
subjective and imprecise. Accordingly, the agencies have removed the 
good faith language from the definition of

[[Page 66431]]

``notification incident'' and have substituted a determination standard 
in the final notification requirement.
    Finally, the agencies decline to exclude particular incidents or 
incidents that impact certain types of computer systems from the 
notification requirements. The agencies believe that the focus on the 
material adverse effects of a computer-security incident is a simpler 
and clearer way to ensure that they receive notification of the most 
significant computer-security incidents.
v. Examples of Notification Incidents
    The NPR included a non-exhaustive list of incidents that would be 
considered notification incidents under the proposed rule and the 
agencies invited comment on specific examples of computer-security 
incidents that should or should not constitute notification incidents. 
The agencies received a few general comments about the list of 
incidents.
    One commenter suggested that the agencies include additional 
details in the illustrative examples that would identify the type of 
information systems that would not require incident notification and 
another suggested more broadly that the final rule include illustrative 
examples of both incidents that would and would not be subject to the 
final rule. The agencies believe that the criteria set forth in the 
notification incident definition make clear that the focus of the rule 
is on incidents that materially and adversely impact a banking 
organization rather than on specific types of information systems. The 
agencies recognize that many banking organizations manage computer-
security incidents every day that would not require notification under 
the final rule and have focused on illustrative examples of the type of 
incidents that would require notification.
    One commenter suggested that the example discussing a ransom 
malware attack that encrypts a banking organization's core system is 
``duplicative of various federal and state breach notification laws.'' 
The agencies continue to conclude that any incident of ransom malware 
that disrupts a banking organization's ability to carry out banking 
operations meets the definition of a notification incident, and as 
such, have retained this example, notwithstanding any potential overlap 
between the final rule and other Federal and state requirements for 
incident reporting.\39\
---------------------------------------------------------------------------

    \39\ As previously explained, the agencies have considered 
whether existing reporting standards meet the purposes of this rule 
and concluded that they do not. For example, ransom malware 
incidents that do not involve unauthorized access to or use of 
sensitive customer information would not be subject to the Gramm-
Leach-Bliley Act (GLBA) notification standard.
---------------------------------------------------------------------------

    Another commenter suggested that some of the examples provided were 
``inconsistent with'' the term computer-security incident, as incidents 
such as failed system upgrades or unrecoverable system failures are not 
technically computer-security incidents. The agencies disagree with 
this comment and believe that the commenter is reading the definition 
of computer-security incident too narrowly to focus on malicious 
incidents.
    The agencies believe the examples in the proposed rule provide an 
appropriate perspective on the critical nature of the type of incidents 
that banking organizations should consider notification incidents. 
Having received only general comments and no specific new examples of 
notification incidents that should be included in the list, the 
agencies are retaining the illustrative examples provided in the NPR 
with some minor edits.\40\
---------------------------------------------------------------------------

    \40\ This is to clarify that example 6 addresses malware on a 
banking organization's system that poses an imminent threat to the 
banking organization's core business lines or critical operations or 
that requires the banking organization to disengage any compromised 
products or information systems that support the banking 
organization's core business lines or critical operations from 
internet-based network connections.
---------------------------------------------------------------------------

    The following is a non-exhaustive list of incidents that generally 
are considered ``notification incidents'' under the final rule:
    1. Large-scale distributed denial of service attacks that disrupt 
customer account access for an extended period of time (e.g., more than 
4 hours);
    2. A bank service provider that is used by a banking organization 
for its core banking platform to operate business applications is 
experiencing widespread system outages and recovery time is 
undeterminable;
    3. A failed system upgrade or change that results in widespread 
user outages for customers and banking organization employees;
    4. An unrecoverable system failure that results in activation of a 
banking organization's business continuity or disaster recovery plan;
    5. A computer hacking incident that disables banking operations for 
an extended period of time;
    6. Malware on a banking organization's network that poses an 
imminent threat to the banking organization's core business lines or 
critical operations or that requires the banking organization to 
disengage any compromised products or information systems that support 
the banking organization's core business lines or critical operations 
from internet-based network connections; and
    7. A ransom malware attack that encrypts a core banking system or 
backup data.
    While the agencies have included these illustrative examples to 
help clarify the scope of notification incidents, the final rule 
requires banking organizations to consider, on a case-by-case basis, 
whether any significant computer-security incidents they experience 
constitute notification incidents for purposes of notifying the 
appropriate agency. If a banking organization is in doubt as to whether 
it is experiencing a notification incident for purposes of notifying 
its primary Federal regulator, the agencies encourage it to contact its 
regulator. The agencies recognize that a banking organization may file 
a notification, from time to time, upon a mistaken determination that a 
notification incident has occurred, and the agencies generally do not 
expect to take supervisory action in such situations.

C. Banking Organization Notification to Agencies

i. Timing of Notification to Agencies
    The proposed rule would have required banking organizations to 
provide the mandated notification to the agencies as soon as possible 
and no later than 36 hours. The agencies asked whether this timeframe 
should be modified, and if so, how.
    One commenter suggested that the agencies eliminate the ``as soon 
as possible'' requirement and simply require notification within 36 
hours, which would eliminate an apparent tension between the permission 
for an organization to take a reasonable amount of time to determine 
that it has experienced a notification incident and the requirement for 
immediate reporting. Some commenters supported the 36-hour timeframe as 
an appropriate balance between the potential burden on institutions and 
the agencies' need for prompt information.\41\ However, other 
commenters expressed concerns, viewing the 36-hour timeframe as too 
short to allow a banking organization to fully understand a computer-
security incident and to provide a complete assessment of the 
situation. Commenters

[[Page 66432]]

noted that the 36-hour timeframe is only workable when it commences 
after a banking organization determines that a notification incident 
has occurred. In this regard, two commenters requested that the 
agencies expressly articulate in the final rule the explanation 
included in the NPR that the 36-hour timeframe commences at the point 
when a banking organization has determined that a notification incident 
has occurred.Several commenters suggested that the agencies consider a 
72-hour window to provide banking organizations with additional time to 
assess potential incidents and to align the proposed rule with other 
regulatory requirements such as the New York State Department of 
Financial Services' (NYDFS) cybersecurity event notification 
requirement,\42\ or the European Union's General Data Protection 
Regulation (GDPR),\43\ both of which require covered entities to report 
relevant cyber-related incidents within 72 hours.\44\ A few commenters 
suggested that the notification timeframe should be increased to 48 
hours, with one suggesting that any timeline align with business day 
processing, and another observing that community banks ``need the 
additional 12 hours to evaluate the situation and implement an 
appropriate incident response plan.'' One commenter suggested that the 
notification timeframe be extended to a minimum of five business days 
for banks under $20 billion in assets in order to ``provide banks 
adequate time to work with vendors and their core processors to provide 
accurate notifications.'' Another commenter observed that, ``for a 36-
hour notification timeframe to be potentially workable and achievable, 
it is imperative that the scope of the notification requirement be 
tailored.''
---------------------------------------------------------------------------

    \41\ One commenter suggested that notification obligations 
should begin ``36 hours after the banking organization confirms a 
notification incident has occurred, and has completed urgent 
measures to end the threat and protect its assets,'' to include time 
for a banking organization to take necessary measures.
    \42\ Effective March 1, 2017, the NYDFS Superintendent 
promulgated 23 NYCRR Part 500, a regulation establishing 
cybersecurity requirements for financial services companies. Section 
500.17 Notices to superintendent requires each ``covered entity'' to 
notify the NYDFS Superintendent ``as promptly as possible but in no 
event later than 72 hours from a determinantion that a cybersecurity 
event has occurred.'' The NYDFS regulation is available at:https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&origination&Contextdocumenttoc&transitionTypeDefault&contextData=(s
c.Default).
    \43\ In particular, Article 33, Section 1 of the GDPR provides 
that, in the case of a personal data breach, the data controller 
``shall without undue delay and, where feasible, not later than 72 
hours after having become aware of it,'' notify the competent 
supervisory authority of the personal data breach. Moreover, Article 
33, Section 2 requires data processors to ``notify the [data] 
controller without undue delay after becoming aware of a personal 
data breach.'' The full version of Regulation (EU) 2016/679 (GDPR) 
is available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
    \44\ See id.
---------------------------------------------------------------------------

    The agencies continue to believe that 36 hours is the appropriate 
timeframe, given the simplicity of the notification requirement and the 
severity of incidents captured by the definition of ``notification 
incident.'' \45\ In developing the NPR and final rule, the agencies 
reviewed a number of existing security incident reporting requirements 
cited by the commenters and found that many of them involved detailed, 
prescriptive reporting requirements, often mandating that specific 
information be reported and including filing instructions. For example, 
the NYDFS rule requires that covered entities submit an annual 
statement certifying their compliance with the rule and keep all 
documents supporting their certification for five years, among other 
things. In contrast, the final rule sets forth no specific content or 
format for the simple notification it requires. The final rule is 
designed to ensure that the appropriate agency receives timely notice 
of significant emergent incidents, while providing flexibility to the 
banking organization to determine the content of the notification. Such 
a limited notification requirement will alert the agencies to such 
incidents without unduly burdening banking organizations with detailed 
reporting requirements, especially when certain information may not yet 
be known to the banking organizations.
---------------------------------------------------------------------------

    \45\ As noted above, the agencies recognize that a banking 
organization may file a notification, from time to time, upon a 
mistaken determination that a notification incident has occurred, 
and the agencies generally do not expect to take supervisory action 
in such situations.
---------------------------------------------------------------------------

    In addition, changes to the definitions of ``computer-security 
incident'' and ``notification incident'' described above narrow the 
range, and reduce the speculative or uncertain nature of, incidents 
subject to the notification requirement.
    The narrowed scope of notification incidents, however, makes it 
even more important for the agencies to receive notice as soon as 
possible. Additionally, the agencies recognize that a banking 
organization may be working expeditiously to resolve the notification 
incident--either directly or through a bank service provider--at the 
time it would be expected to notify its primary Federal regulator. The 
agencies believe, however, that 36 hours is a reasonable amount of time 
after a banking organization has determined that a notification 
incident has occurred to notify its primary Federal regulator, as it 
does not require an assessment or analysis.
    The agencies do not expect that a banking organization would 
typically be able to determine that a notification incident has 
occurred immediately upon becoming aware of a computer-security 
incident. Rather, the agencies anticipate that a banking organization 
would take a reasonable amount of time to determine that it has 
experienced a notification incident. For example, some notification 
incidents may occur outside of normal business hours. Only once the 
banking organization has made such a determination would the 36-hour 
timeframe begin.
    Accordingly, the agencies have determined that the final rule will 
retain the requirement that banking organizations provide notice as 
soon as possible and no later than 36 hours. The agencies note, 
however, that even within the 36-hour notification window, banking 
organizations' notification practices should take into account their 
criticality to the sector in which they operate and provide services. 
An effective practice of banking organizations that provide sector-
critical services is to provide same-day notification to their primary 
Federal regulator of a notification incident. The agencies encourage 
this practice to continue among these banking organizations.
ii. Method of Notification to Agencies
    The proposed rule would have required a banking organization to 
notify the appropriate agency of a notification incident through any 
form of written or oral communication, including through any 
technological means, to a designated point of contact identified by the 
agency.
    The agencies requested comments on how banking organizations should 
provide notifications to the agencies and sought comment on whether 
they should ``adopt a process of joint notification'' where multiple 
banking organization affiliates have differing notification 
obligations. Further, the agencies requested feedback on how such a 
joint notification should be done and why.
    A substantial number of commenters responded to various aspects of 
these questions. While specific suggestions varied, a consistent theme 
was a desire for efficient and flexible options for providing notice, 
with some commenters observing that a notification incident could also 
affect normal communication channels. Other commenters made 
recommendations to enhance notification efficiency, such as suggesting 
the use of automated

[[Page 66433]]

electronic notifications. Two commenters suggested that, consistent 
with the agencies' statement in the NPR, the rule should explicitly 
state that no specific information is required and that the rule does 
not prescribe any particular reporting form.
    The agencies have concluded that email and telephone are the best 
methods currently available for effective notification. Recognizing, 
however, that agency processes may evolve and technology will likely 
change (and improve) available communication options over time, the 
agencies have also built flexibility into the final rule by stating 
that the agencies may prescribe other similar methods pursuant to which 
notice may be provided. The agencies believe that this approach 
balances the need for banking organizations to have some flexibility, 
including if a communication channel is impacted by the incident, with 
the agencies' need to ensure that they actually receive the 
notifications.
    The agencies also sought comments on whether centralized points of 
contact, regional offices, or banking organization-specific supervisory 
teams would be better suited to receive these notifications. The 
comments from banking organizations and bank service providers differed 
on this issue.
    Some banking organizations suggested that the process should remain 
``flexible'' and that the rule provide that the notification 
requirement could be ``satisfied by any of several methods,'' including 
providing the notification to the banking organization's on-site or 
supervisory teams, appropriate regional offices, or an agency-
designated point of contact. Other commenters, including bank service 
providers, suggested creating a joint notification process, or 
centralized portal or point of contact for all agencies to receive all 
such notifications directly. The agencies believe that the provision of 
notice can often be efficiently and effectively achieved by 
communicating with the appropriate agency supervisory office or other 
designated agency contacts, which may include designated supervisory 
staff, call centers, incident response teams, and other contacts to be 
designated by the respective agency.
    The agencies also received several comments requesting further 
instruction and guidance on the method and manner of the required 
notifications. Several other commenters requested additional guidance 
on what a notice must contain and the scope of information that should 
be provided, and even requested certain specific exclusions.
    The notification requirement is intended to serve as an early alert 
to a banking organization's primary Federal regulator about a 
notification incident. The agencies anticipate that banking 
organizations will share general information about what is known at the 
time of the incident. No specific information is required in the 
notification other than that a notification incident has occurred. The 
final rule does not prescribe any form or template. A simple notice can 
be provided to the appropriate agency supervisory office, or other 
designated point of contact, through email, telephone, or other similar 
method that the agency may prescribe. The notifications, and any 
information related to the incident, would be subject to the agencies' 
confidentiality rules.\46\
---------------------------------------------------------------------------

    \46\ See, e.g., 12 CFR part 4 (OCC); 12 CFR part 261 (Rules 
Regarding Availability of Information) (Board); 12 CFR 309.6 
(Disclosure of exempt records) (FDIC).
---------------------------------------------------------------------------

    Accordingly, the agencies revised the NPR language. The final rule 
provides that a banking organization would notify the appropriate 
agency-designated point of contact through email, telephone, or other 
similar methods that the agency may prescribe.

D. Bank Service Provider Notification to Banking Organization Customers

i. Scope of Bank Service Provider Notification
    Commenters generally supported the idea of only notifying affected 
customers although some commenters suggested that all banking 
organization customers should be notified.\47\ One commenter 
specifically suggested that bank service provider notifications should 
only go to banking organizations that are ``directly impacted by the 
incident when a bank service provider has made a determination that the 
incident will or is reasonably likely to materially impact the services 
provided to the banking organization.'' The agencies agree with the 
``materiality'' aspect of this comment and the focus on ``reasonably 
likely'' impacts. Accordingly, the agencies are revising the final rule 
to include the phrase ``materially disrupted or degraded, or is 
reasonably likely to materially disrupt or degrade.'' This change is 
also responsive to comments that requested the agencies further 
harmonize the bank service provider notification requirement with the 
banking organization notification requirement.
---------------------------------------------------------------------------

    \47\ While most commenters believe that notifying all banking 
organizations subscribing to the disrupted service may lead to 
potentially harmful over-reporting, one commenter stated that 
notifying all banking organizations using the service may be 
appropriate since the service disruption may be broader than 
originally expected.
---------------------------------------------------------------------------

    The final rule does not require a bank service provider to assess 
whether the incident rises to the level of a notification incident for 
a banking organization customer, which remains the responsibility of 
the banking organization. The agencies anticipate that bank service 
providers would make a best effort to share general information about 
what is known at the time. If, after receiving notice from a bank 
service provider, the banking organization determines that a 
notification incident has occurred, the banking organization is 
required to notify its primary Federal regulator in accordance with 
this final rule. The agencies generally will not cite a banking 
organization because a bank service provider fails to comply with its 
notification requirement.
    Another commenter described the potential for confusion that could 
ensue if a bank service provider were to notify all customers, when 
only some of them were affected by the computer-security incident. They 
advised that such an overly broad notification to all customers could 
``cause the banking organization customers and the bank service 
provider to respond to questions and concerns from banking organization 
customers [who were] not affected by the computer-security incident.'' 
The agencies agree with these commenters and are retaining in the final 
rule the requirement that notice be provided only to ``each affected 
banking organization customer.''
    Another commenter noted that the final rule needs to account for 
the distinction between cloud-based services versus on-premises 
services and a shared-responsibility service delivery model. Under the 
final rule, the agencies would require bank service providers to 
continue to provide a banking organization customer with prompt 
notification of material incidents regardless of current contract 
language and irrespective of the chosen service delivery model. Even 
under a shared service model, a bank service provider will still need 
to provide notice to banking organization customers if the bank service 
provider has determined it has experienced a computer-security incident 
that has materially disrupted or degraded, or is likely to materially 
disrupt or degrade, covered services provided to such banking 
organization customer for four or more hours. Given the purposes of the 
rule, the agencies believe this is a reasonable requirement and are 
adopting it in the final rule.
    Whether the covered services are being provided through a software-
as-a-

[[Page 66434]]

service (SaaS) arrangement, or through some other service delivery 
method, a bank service provider must provide notification to banking 
organizations in accordance with the standard in the final rule. The 
banking organization must then independently determine if a 
notification incident has occurred.
    Finally, in response to concerns expressed by commenters, the 
agencies are revising the final rule to specifically exclude scheduled 
maintenance, testing, or software updates previously communicated to a 
banking organization customer. This new exception should reduce over- 
and unnecessary notification. If, however, the scheduled maintenance, 
testing, or software update exceeds the parameters communicated to the 
banking organization customer and meets the notification standard set 
forth in the rule, this exception does not apply.
ii. Timing of Bank Service Provider Notification
    Several commenters favored immediate notifications. Others were 
concerned that immediate notifications may result in over- and 
inaccurate notification. For example, some commenters objected to the 
requirement that a bank service provider must ``immediately'' notify 
affected banking organizations \48\ and recommended that the 
notification occur ``as soon as practicable,'' within the first four 
hours of the occurrence of a computer-security incident, or in a 
``timely'' manner (or a similar standard) after a service disruption to 
prevent over-reporting and provide time for bank service providers to 
assess the severity of an incident.\49\ One commenter noted that an 
immediate notification standard may be appropriate but only after the 
bank service provider determines that a notification incident has 
occurred, while other commenters stated that immediate notification was 
appropriate. Another commenter expressed concern that immediate notice 
may leave no time lapse ``between when a computer-security incident 
occurred and when notification has to happen.'' While expressing 
similar sentiments, some commenters suggested substituting the term 
``timely,'' or ``promptly'' and ``without undue delay,'' in place of 
the ``immediate'' requirement. Another commenter suggested that 
different reporting obligations should be permitted contingent upon the 
location of the incident (on-premise services vs. cloud services). The 
same commenter suggested modifying the ``good faith'' standard to 
instead require ``prompt'' notification where a bank service provider 
obtains actual knowledge of an incident that impacts services for more 
than four hours.
---------------------------------------------------------------------------

    \48\ Obstacles to immediate notification mentioned by commenters 
included that bank service providers need time to assess whether an 
incident is a computer-security incident.
    \49\ A commenter suggested that any timing for notification 
should allow an opportunity for reasonable investigation to help 
ensure that material incidents are flagged to the regulators and are 
not obfuscated by an influx of false positives or non-material 
matter.
---------------------------------------------------------------------------

    Other commenters drew distinctions between security incidents and 
service disruptions. One commenter observed that ``[u]nlike a 
`computer-security incident' which requires time to identify and 
evaluate, a disruption in service is instantaneously apparent and bank 
service providers can immediately notify banking organizations of the 
disruption in service.'' For similar reasons, another commenter 
suggested bifurcation of service provider notifications: ``one 
immediate notice timeline if the incident affects the security of the 
banking organization's systems and a second, longer time period for 
disruption.''
    In response to these comments, the agencies are revising the rule 
to provide that a bank service provider must notify affected banking 
organization customers ``as soon as possible'' when it ``determines'' 
it has experienced an incident that meets the standard in the rule. Use 
of the term ``determined'' allows the bank service provider time to 
examine the nature of the incident and assess the materiality of the 
disruption or degradation of covered services. Additionally, the ``four 
or more hours'' threshold should reduce notifications concerning less 
material incidents. Once the bank service provider has made this 
determination, it must provide notice ``as soon as possible.''
    Some commenters recommended revising the proposed rule to ``allow 
for service providers to satisfy their notification requirement by 
providing notification to their banking customer consistent with any 
requirements and by any methods set forth in their contract with that 
customer, so long as the method reasonably ensures that the banking 
organization receives the notification.'' While the agencies believe it 
is reasonable to assume that providing notification to customers 
following a determination that a material incident has occurred should 
be consistent with many existing contractual provisions, the agencies 
conclude that an independent regulatory requirement is appropriate to 
ensure that banking organizations receive consistent and timely 
notification of the most significant computer-security incidents 
affecting covered services.
    Other comments suggested that a 36- or 72-hour notification 
timeframe would be reasonable. For the reasons expressed above, the 
agencies disagree that bank service providers could (or should) wait 
this long to alert banking organization customers about a material 
disruption or degradation in covered services. Accordingly, the final 
rule requires bank service providers to provide notice as soon as 
possible when the bank service provider has determined it has 
experienced a notification incident.
iii. Bank Service Provider Notification to Customers
    Some commenters stated that the requirement in the proposal to 
notify two individuals at each affected banking organization of an 
incident was appropriate. One commenter suggested that a third 
notification be sent to a banking organization's general email or 
telephone number. Several commenters recommended the agencies allow the 
notification through general channels accessible by multiple employees 
at affected banking organizations, and one commenter suggested that 
``significant'' bank service providers should directly notify the 
agencies. Other commenters asserted that requiring bank service 
providers to notify two contacts at each banking organization customer 
would be overly prescriptive and burdensome.\50\ Instead, these 
commenters recommended that bank service providers should work with 
their banking organizations to designate a central point of contact, 
but bank service providers should not be required to ensure that a 
contact at the banking organization receive the notification.\51\
---------------------------------------------------------------------------

    \50\ Commenters suggested that one contact should be adequate, 
as smaller banking organizations may not have two contacts 
available.
    \51\ A commenter also recommended different notification 
obligations for on-premises services compared to cloud-based 
services. Commenters also suggested a carve-out to the notification 
obligation when a bank service provider is delayed or prevented by 
law enforcement.
---------------------------------------------------------------------------

    Regarding existing provisions in contracts, a commenter contended 
that ``contractual provisions with bank service providers commonly 
provide specific notice methods and generally provide notice to two or 
more banking organization employees.'' This is consistent with the 
agencies' understandings of existing agreements based on their broad-
based review of bank service provider agreements, which was reflected 
in the language of the proposed rule.
    As an alternative to the approach in the proposed rule, a few 
commenters suggested that the rule should ``instead focus on outcomes--
ensuring that the

[[Page 66435]]

appropriate individuals or entities at banking organizations receive 
timely notice.'' Another commenter suggested that ``banking 
organizations should have a central point of contact that would be 
accessible by more than one person to ensure that notifications to the 
banking organization are timely received and acted upon.'' This 
approach was echoed by another banking industry commenter, who 
suggested that ``notification through a medium or channel that is 
accessed by and available to multiple banking organization employees'' 
should be allowed to meet the NPR's notification requirement. Some 
commenters suggested using automated notifications or centralized 
notification portals to streamline the notification process.
    After consideration of the comments, the agencies are revising the 
final rule to keep the notification process simple and flexible. Rather 
than requiring bank service providers to notify two individuals at each 
affected banking organization customer, which may not be effective for 
every banking organization or bank service provider, the final rule 
requires bank service providers to notify ``at least one bank-
designated point of contact at each affected banking organization 
customer.'' The final rule states that a banking organization-
designated point of contact is an email, phone number, or any other 
contact(s), previously provided to the bank service provider by the 
banking organization customer.
    The agencies determined effective notice will be best achieved if 
banking organizations and bank service providers work collaboratively 
to designate a method of communication that is feasible for both 
parties and reasonably designed to ensure that banking organizations 
actually receive the notice in a timely manner. The final rule also 
provides flexibility for banking organizations and bank service 
providers to determine the appropriate designated point of contact, and 
if a banking organization customer has not previously provided a bank-
designated point of contact, such notification shall be made to the 
Chief Executive Officer (CEO) and Chief Information Officer (CIO) of 
the banking organization customer, or two individuals of comparable 
responsibilities, through any reasonable means.
iv. Bank Service Provider Agreements--Contract Notice Provisions
    Several commenters observed that contracts between banking 
organizations and bank service providers routinely include incident 
notification provisions.\52\ But other commenters noted that current 
contractual provisions may not align with the proposed rule's 
notification requirements and, as such, would need to be amended or 
revised, which may take time to complete.
---------------------------------------------------------------------------

    \52\ A commenter stated that bank service providers already 
subject to contractual breach reporting obligations should be 
excluded from the rule while a different commenter believed that as 
a matter of fairness and competitive equality, if private sector 
FMUs are required to provide mandated notices to either their 
primary Federal regulator or their banking organization customers, 
the Board should publicly commit to hold Federal Reserve Bank 
services to an equivalent standard.
---------------------------------------------------------------------------

    Commenters generally stated that while contracts between banking 
organizations and bank service providers already have negotiated notice 
provisions, such contracts would need to be amended to ensure 
compliance with the rule. In that regard, commenters expressed the view 
that the proposed rule should be revised to allow for bank service 
providers to satisfy their notification requirement by providing 
notification to their banking organization customer consistent with any 
requirements and by any methods set forth in their contract with that 
customer, so long as the method reasonably ensures that the banking 
organization customer receives the notification. Facilitating 
compliance with the rule in this manner would prevent banking 
organizations from having to incur the costs to amend existing 
contracts. Other commenters expressed perceived challenges with 
renegotiating contracts to comply with the rule and commenters stated 
that they should not be faulted for a bank service provider's failure 
to notify. One commenter expressed concern that community banks may 
hold little power in these negotiations and recommended extending the 
compliance date of the rule for community banks. Relatedly, a commenter 
argued that if FMUs are required to provide mandated notices to their 
banking organization customers, the rule should require banking 
organization customers to identify and update their contacts for 
mandated notices to their bank service providers, rather than placing 
the burden on bank service providers to request and seek updates to 
these contacts. Commenters also urged the agencies to accept the 
notification methods specified in these contracts and clarify contract 
expectations. A few commenters requested that the agencies provide 
specific contract expectations and to consider conducting a review of 
contracts to confirm the notice provisions were adequate.
    The agencies believe many contracts already address such notices to 
banking organizations. Typically, existing bank service provider 
agreements that support operations that are critical to a banking 
organization customer require notification to the customer as soon as 
possible in the event of a material incident during the normal course 
of business. If such notification provisions satisfy the requirements 
of the final rule, then notification under the contractual provisions 
will satisfy a bank service provider's obligation under the rule as 
well. The agencies note that existing notification procedures may 
include some redundancy with the final rule. However, the agencies are 
requiring notice in the final rule to ensure that a notification occurs 
in the event of a material computer-security incident. As a result, the 
agencies are not incorporating these recommendations. The agencies also 
note that the notification requirement created by this rule is 
independent of any contractual provisions, and therefore, bank service 
providers must comply even where their contractual obligations differ 
from the notification requirement in this rule. The agencies anticipate 
that banking organizations and bank service providers will work 
collaboratively to designate a method of communication that is feasible 
for both parties and reasonably designed to ensure that banking 
organizations actually receive the notice in a timely manner, for 
purposes of complying with the rule.
    This final rule is not expected to add significant burden on bank 
service providers. The agencies' experiences with conducting bank 
service provider contract reviews during examinations indicate that 
many of these contracts include incident-reporting provisions. The 
agencies also observe that there are effective automated systems for 
notification currently.
    In addition, for banking organizations that have not already 
designated individuals to be notified under contractual obligations, 
the agencies do not believe that requiring bank service providers to 
notify banking organization CEOs and CIOs would create significant 
burden. In these circumstances, the agencies believe that bank service 
providers can easily obtain contact information for banking 
organization CEOs and CIOs.

IV. Other Rulemaking Considerations

    In the NPR, the agencies sought feedback on a number of related 
topics, which are addressed separately in the sections that follow.

[[Page 66436]]

A. Bank Service Provider Material Incidents Consideration

    The agencies requested comments about the potential burden the rule 
would impose on small bank service providers and about circumstances 
when a banking organization customer would not be aware of a material 
disruption in services unless they were notified. There were limited 
comments on this question.
    A few commenters noted that banking organizations are often 
contacted by their customers shortly after an incident and service 
outage occurs. Despite indirect knowledge or suspicions about potential 
service outages or limitations, banking organizations should still be 
notified of material incidents by their bank service providers.
    Merely identifying the fact of an outage or service interruption 
would not help banking organization customers understand the extent of 
such an outage or service interruption. Receiving notification from a 
bank service provider would enable a banking organization customer to 
evaluate the impact of the computer-security incident on its operations 
to determine whether it is experiencing a notification incident. If a 
banking organization is experiencing a notification incident and 
notifies its primary Federal regulator, the regulator then may evaluate 
and assist, as appropriate.

B. Methodology for Determining Number of Incidents Subject to the Rule

    The agencies invited comment on the methodology used to estimate 
the number of notification incidents that may be subject to the 
proposed rule each year. Several commenters provided general comments 
suggesting the agencies may have underestimated the burden associated 
with the proposed rule; however, only one trade association commenter 
provided specific observations on the methodology used to estimate the 
number of incidents subject to the rule. This commenter suggested that 
the agencies should ``seek additional comments on the estimated costs 
and benefits of the proposed rule.''
    The agencies also received comments related to the costs associated 
with complying with the rule. A commenter asserted, without further 
detail, that the proposed costs of compliance were underestimated. This 
commenter suggested that the agencies gather more information and data 
to adequately assess the regulatory impact of the proposal. Regarding 
estimating the number of notification incidents per year that would be 
reported under the proposed rule, one commenter suggested the agencies 
already have this information. Another commenter asserted that the rule 
would result in significant costs in standing up internal processes and 
procedures to comply with a new Federal regulatory mandate, resulting 
in ongoing cost and burden.
    The agencies have addressed the costs of this rule in the Impact 
Analysis section below. Moreover, the methodology used to determine the 
number of incidents subject to the rule reflects the agencies' 
experience that computer-security incidents that rise to the level of 
notification incidents are rare. The agencies also believe that the 
final rule largely formalizes a process that already exists, reflecting 
the collaborative and open communication that exists between banking 
organizations and the agencies.
    As discussed in more detail in the Impact Analysis section, the 
agencies reviewed available supervisory data and a subset of Suspicious 
Activity Report (SAR) data involving cyber incidents targeting banking 
organizations to develop an estimate of the number of notification 
incidents that may occur annually. The agencies specifically recognized 
that an analysis of SAR filings would not capture the full scope of 
incidents addressed by this rule. However, the agencies also considered 
supervisory data, which includes the voluntary notification banking 
organizations already provide, to inform their estimate of the 
frequency of notification incidents. Based on this assessment, the 
agencies continue to believe that the estimated 150 notification 
incidents annually set forth in the Impact Analysis is reasonable. The 
agencies are not seeking additional comments on the estimated costs and 
benefits of the rule.

C. Voluntary Information Sharing

    One commenter suggested the agencies should acknowledge the 
importance of voluntary information sharing within an ``expanding 
notice schema,'' and rely upon voluntary disclosures for non-disruptive 
events. Another suggested the rule should ``distinguish between 
existing, voluntary information-sharing between banking organizations'' 
and the final rule's required incident notification disclosures.
    The focus and purpose of this final rule is to ensure that the 
agencies receive prompt notice of notification incidents, which we have 
defined to include only the most significant incidents affecting 
banking organizations. The final rule does not solicit notifications on 
non-disruptive events and differs from and does not prevent traditional 
supervisory information sharing. However, the agencies agree that 
voluntary information sharing is critically important and encourage 
banking organizations and bank service providers to continue sharing 
information about incidents not covered by this rule.

D. Utilizing Prompt Corrective Action Capital Classifications

    One commenter suggested incorporating ``existing terms and 
definitions of discrete, rare, disruptive events'' such as ``Prompt 
Corrective Action (PCA) capital category definitions, or the invocation 
of Sheltered Harbor protocols.'' \53\ The agencies decline to follow 
this recommendation. The agencies have used definitions in the final 
rule that are broadly consistent with NIST terminology, which is widely 
used across various industry segments.
---------------------------------------------------------------------------

    \53\ To learn more about PCA capital category definitions, see 
OCC Bulletin 2018-33, Prompt Corrective Action: Guidelines and 
Rescissions (Sept. 28, 2018), which can be found at: https://www.occ.gov/news-issuances/bulletins/2018/bulletin-2018-33.html. To 
learn more about Sheltered Harbor protocols, see the Sheltered 
Harbor landing page at: https://www.aba.com/banking-topics/technology/cybersecurity/sheltered-harbor#.
---------------------------------------------------------------------------

E. Ability To Rescind Notification and Obtain Record of Notice

    The agencies received several comments regarding the agencies' 
collection and use of notification incident information from banking 
organizations. One commenter urged the agencies to develop procedures, 
subject to notice and comment, that would be taken upon receipt of a 
banking organization's incident notification information and any 
subsequently gathered information related to the incident. Commenters 
also urged the agencies to clarify information sharing practices and 
protocols relating to notification incident reports, expressing 
concerns with confidentiality and data security. One commenter 
suggested that notification incident reports should be shared with 
banking organization-specific supervisory teams. Commenters stated that 
any information submitted should be subject to the agencies' 
confidentiality rules and that the agencies should explain how the 
information would be protected.
    One commenter suggested the agencies establish a ``mechanism to 
rescind'' notifications in situations where ``initial determinations 
overestimate[d] the severity or significance of an event.'' No formal

[[Page 66437]]

rescission mechanism is required. The agencies recognize that a banking 
organization or bank service provider may provide notice, from time to 
time, upon a mistaken determination that such notice is necessary. A 
banking organization or bank service provider may update its original 
notification if it later determines that its initial assessments were 
incorrect or overcautious.
    Other commenters discussed the need to obtain or retain copies of 
the notifications for recordkeeping purposes. The rule does not impose 
any recordkeeping requirements.
    Another commenter suggested the agencies should indicate how 
information that the agencies obtain under this rule would remain 
protected and confidential. Additionally, they requested confirmation 
that the information provided would be considered exempt from Freedom 
of Information Act (FOIA) requests. As the agencies noted in the 
proposal, the notification, and any information provided by a banking 
organization related to the incident, would be subject to the agencies' 
confidentiality rules, which provide protections for confidential, 
proprietary, examination/supervisory, and sensitive personally 
identifiable information.\54\ However, the agencies must respond to 
individual FOIA requests on a case-by-case basis.
---------------------------------------------------------------------------

    \54\ See, e.g., 12 CFR part 4 (OCC); 12 CFR part 261 (Rules 
Regarding Availability of Information) (Board); 12 CFR 309.6 
(Disclosure of exempt records) (FDIC).
---------------------------------------------------------------------------

F. Single Notification Definition

    One commenter suggested the agencies implement only a ``single 
definition for a notification incident that applies to both bank 
service providers and banking organizations.'' The agencies believe 
that this would be unworkable; the two notification requirements serve 
different purposes. Accordingly, the agencies declined to implement a 
single definition. However, the agencies have sought to harmonize the 
two notification standards where feasible.

G. Affiliated Banking Organizations Considerations

    The final rule provides that affiliated banking organizations each 
have separate and independent notification obligations. Each banking 
organization needs to make an assessment of whether it has suffered a 
notification incident about which it must notify its primary Federal 
regulator. Subsidiaries of banking organizations that are not 
themselves banking organizations do not have notification requirements 
under this final rule. If a computer-security incident were to occur at 
a non-banking organization subsidiary of a banking organization, the 
parent banking organization would need to assess whether the incident 
was a notification incident for it, and if so, it would be required to 
notify its primary Federal regulator.

H. Consideration of the Number of Bank Service Providers

    Some commenters suggested the agencies underestimated the impact of 
the NPR to bank service providers. As noted in the NPR, the agencies do 
not know the precise number of bank service providers that will be 
affected by the final rule's notification requirement. However, the 
agencies conservatively assumed the entire population of bank service 
providers who have self-selected the North American Industry 
Classification System (NAICS) industry ``Computer System Design and 
Related Services'' (NAICS industry code 5415) as their primary business 
activity to be the estimated number of bank service providers. It seems 
unlikely that all such code 5415-designated firms are bank service 
providers. Even though there may be some bank service providers that do 
not self-identify under NAICS code 5415, the agencies believe the 
number of incidents involving bank service providers will be generally 
consistent with original NPR findings. The agencies acknowledge that 
these bank service providers will be impacted by the final rule.

V. Impact Analysis

    Covered banking organizations under the final rule include all 
depository institutions, holding companies, and certain other financial 
entities that are supervised by one or more of the agencies. According 
to recent Call Report and other data, the agencies supervise 
approximately 5,000 depository institutions along with a number of 
holding companies and other financial services entities that are 
covered under the final rule.\55\
---------------------------------------------------------------------------

    \55\ March 31, 2021, Call Report Data.
---------------------------------------------------------------------------

    In addition, the final rule requires bank service providers to 
notify at least one bank-designated point of contact at each affected 
banking organization customer as soon as possible when the bank service 
provider determines that it has experienced a computer-security 
incident that has materially disrupted or degraded, or is reasonably 
likely to materially disrupt or degrade, covered services provided to 
such banking organization for four or more hours. This requirement 
would enable a banking organization to promptly respond to an incident, 
determine whether it must notify its primary Federal regulator that a 
notification incident has occurred, and take other appropriate measures 
related to the incident.

Benefits

    The agencies believe that prompt notification of reportable 
incidents is likely to provide the following benefits to banking 
organizations and the financial industry as a whole. Notification may 
help the relevant agencies determine whether the incident is isolated 
or is one of many similar incidents at multiple banking organizations. 
If the notification incident is isolated to a single banking 
organization, the primary Federal regulator may be able to facilitate 
requests for assistance on behalf of the affected organization to 
minimize the impact of the incident. This benefit may be greater for 
small banking organizations with more limited resources. If the 
notification incident is one of many similar incidents occurring at 
multiple banking organizations, the agencies could also alert other 
banking organizations of the threat, recommend measures to better 
manage or prevent the recurrence of similar incidents, or otherwise 
help coordinate incident response.
    The prompt notification about incidents could also enable Federal 
regulators to respond faster to potential liquidity events that may 
result from such incidents. If a notification incident prevents banking 
organizations from fulfilling financial obligations in a timely manner, 
it might reduce confidence in the banking organization and precipitate 
the rapid withdrawal of demand deposits or short-term financing from 
such organizations.56 57 The agencies believe that a faster 
regulatory response could mitigate, or entirely prevent, these adverse 
liquidity events, thereby enhancing the resilience of the banking 
system against notification incidents.
---------------------------------------------------------------------------

    \56\ See the conceptual discussion of ``cyber runs'' in Duffie 
and Younger, https://www.brookings.edu/wp-content/uploads/2019/06/WP51-Duffie-Younger-2.pdf, Hutchins Center Working Paper No. 51, 
June 18, 2019.
    \57\ See the empirical analysis of the potential adverse impact 
of cyber events on the U.S. payment and settlement system in 
Eisenbach et al., https://www.newyorkfed.org/medialibrary/media/research/staff_reports/sr909.pdf, Federal Reserve Bank of New York 
Staff Reports, No. 909, Last Revised May 2021.
---------------------------------------------------------------------------

    Receiving information on notification incidents at multiple banking 
organizations would also enable regulators to conduct empirical 
analyses

[[Page 66438]]

to improve related guidance, adjust supervisory programs to enhance 
resilience against such incidents, and provide information to the 
industry to help banking organizations reduce the risk of future 
computer-security incidents.
    The agencies do not have sufficient information available to 
quantify the potential benefits of the final rule because the benefits 
depend on the probability, breadth, and severity of future notification 
incidents, and the specifics of those incidents, among other things. 
These data limitations notwithstanding, and considering that banking 
organizations face a heightened risk of disruptive and destructive 
attacks, which have been increasing in frequency and severity in recent 
years, the agencies expect that the final rule would have clear 
prudential benefits.

Costs

    The final rule requires banking organizations to notify their 
primary Federal regulator as soon as possible, and no later than 36 
hours, after a banking organization has determined that a notification 
incident has occurred. The agencies reviewed available supervisory data 
and SARs involving cyber events against banking organizations in 2019 
and 2020 to estimate the number of notification incidents expected to 
be reported annually. This calculation relied on descriptive criteria 
(e.g., ransomware, trojan, zero day, etc.) that may be indicative of 
the type of material computer-security incident that would meet the 
notification incident reporting criteria. Based on this review, the 
agencies estimate that approximately 150 notification incidents 
occurred annually,\58\ but acknowledge that the number of such 
incidents could increase in the future. Comments received by the 
agencies on the NPR did not provide more accurate estimates or suggest 
a different estimation methodology. Therefore, the agencies continue to 
use the same methodology.
---------------------------------------------------------------------------

    \58\ The agencies used conservative judgment when assessing 
whether a cyber-event might have risen to the level of a 
notification incident, so the approach may overestimate the number. 
However, the approach may also underestimate the number of 
notification incidents since supervisory and SAR data may not 
capture all such incidents.
---------------------------------------------------------------------------

    The agencies believe that the regulatory burden associated with the 
notification requirement would be small because the majority of 
communications associated with the determination of the notification 
incident would occur regardless of the final rule.\59\ In particular, 
the agencies estimate that, in the event of a notification incident, an 
affected banking organization may incur up to three hours of labor cost 
to coordinate internal communications, consult with its bank service 
provider, if appropriate, and notify the banking organization's primary 
Federal regulator. This process may include discussion of the incident 
among staff of the banking organization, such as the Chief Information 
Officer, Chief Information Security Officer, a senior legal or 
compliance officer; and staff of a bank service provider, as 
appropriate; and liaison with senior management of the banking 
organization.
---------------------------------------------------------------------------

    \59\ Even at an elevated labor compensation rate of $200 per 
hour, the final rule would only impose additional compliance costs 
of $600 per notification.
---------------------------------------------------------------------------

    The final rule also requires a bank service provider to notify at 
least one bank-designated point of contact at each affected banking 
organization customer as soon as possible when the bank service 
provider determines that it has experienced a computer-security 
incident that has materially disrupted or degraded, or is reasonably 
likely to materially disrupt or degrade, covered services provided to 
such banking organization for four or more hours. The agencies do not 
have data on the exact number of affected bank service providers nor 
the frequency of incidents that would require bank service providers to 
notify their banking organization customers. However, as described in 
the NPR, the agencies believe that, in the event of an incident, the 
affected bank service provider may incur up to three hours of labor 
cost to coordinate internal communications and notify its affected 
banking organization customers. Commenters did not provide other 
estimates, and the agencies believe that the additional compliance 
costs would be small for individual affected bank service 
providers.\60\ Post-notification activities, such as providing 
technical support to affected bank organization customers when managing 
and resolving the impact of a computer-security incident, are beyond 
the scope of the notification requirement.
---------------------------------------------------------------------------

    \60\ Even at an elevated labor compensation rate of $200 per 
hour, the final rule would only impose additional compliance costs 
of $600 per notification.
---------------------------------------------------------------------------

    Overall, the agencies expect the benefits of the final rule to 
outweigh its small costs.

Response to Comments on Impact of Proposal

    The agencies received comments asserting that some banking 
organizations and bank service providers may need to revise their 
contracts in order to implement the final rule. Furthermore, some bank 
service providers may incur costs to adjust internal processes and 
procedures to comply with the final rule. The agencies believe that 
these costs are likely to be small, transitory, and affect only a small 
number of covered entities.
    Other comments received in response to the proposed rule suggested 
that the proposed rule's definitions might result in more notifications 
than estimated in the proposed rule. The final rule narrows the 
notification requirements, as discussed above.

VI. Alternatives Considered

    The agencies are adopting these computer-security incident 
notification requirements after considering comments received on the 
NPR and evaluating alternative options for notification requirements. 
The agencies considered a number of alternative approaches, including 
leaving the current regulations unchanged and establishing a voluntary 
notification framework as suggested by one commenter. The agencies 
concluded that these approaches would not have achieved the objectives 
of the rule. However, the agencies refined the criteria for 
notification to focus attention on the most significant incidents and 
appropriately minimize regulatory burden.
    Additionally, the agencies considered defining the notification 
requirement for bank service providers even more narrowly, as suggested 
by some commenters. However, the agencies ultimately determined that 
the notification requirement in this rule is appropriate due to the 
increasingly significant role that bank service providers play in the 
banking industry.

VII. Effective Date

    The agencies have provided an effective date of April 1, 2022, and 
a compliance date of May 1, 2022, in response to commenters that 
recommended that the agencies provide additional time to implement the 
rule.

VIII. Administrative Law Matters

A. Paperwork Reduction Act

    Certain provisions of the final rule contain ``collections of 
information'' within the meaning of the Paperwork Reduction Act (PRA) 
of 1995 (44 U.S.C. 3501-3521). In accordance with the requirements of 
the PRA, the agencies may not conduct or sponsor, and the respondent is 
not required to respond to, an information collection unless it 
displays a currently valid Office of Management and Budget (OMB) 
control

[[Page 66439]]

number. The agencies have requested and OMB has assigned to the 
agencies the respective control numbers shown. The information 
collections contained in the final rule have been submitted to OMB for 
review and approval by the OCC and FDIC under section 3507(d) of the 
PRA (44 U.S.C. 3507(d)) and section 1320.11 of OMB's implementing 
regulations (5 CFR part 1320). The Board reviewed the final rule under 
the authority delegated to the Board by OMB, and has approved these 
collections of information.
    The final rule contains a reporting requirement that is subject to 
the PRA. The reporting requirement is found in Sec. Sec.  53.3 (OCC), 
225.302 (Board), and 304.23 (FDIC) of the final rule. A banking 
organization is required to notify its primary Federal bank regulatory 
agency of the occurrence of a ``notification incident'' at the banking 
organization (Sec. Sec.  53.3 (OCC), 225.302 (Board), and 304.23 
(FDIC)).
    The final rule also contains a disclosure requirement that is 
subject to the PRA. The disclosure requirement is found in Sec. Sec.  
53.4 (OCC), 225.303 (Board), and 304.24 (FDIC), which requires a bank 
service provider to notify at least one bank-designated point of 
contact at each affected banking organization customer as soon as 
possible when the bank service provider determines that it has 
experienced a computer-security incident that has materially disrupted 
or degraded, or is reasonably likely to materially disrupt or degrade, 
covered services provided to such banking organization for four or more 
hours.
    The agencies received one PRA-related comment, which agreed that 
collections of information have practical utility.
    The agencies have a continuing interest in the public's opinions of 
information collections. At any time, commenters may submit comments 
regarding the burden estimate, or any other aspect of this collection 
of information, including suggestions for reducing the burden, to the 
addresses listed in the ADDRESSES caption in the NPR. All comments will 
become a matter of public record. A copy of the comments may also be 
submitted to the OMB desk officer for the agencies: By mail to U.S. 
Office of Management and Budget, 725 17th Street NW, #10235, 
Washington, DC 20503; by facsimile to (202) 395-5806; or by email to: 
[email protected], Attention, Federal Banking Agency Desk 
Officer.
Information Collection
    Title of Information Collection: Computer-Security Incident 
Notification.
    OMB Control Number: OCC 1557-0350; Board 7100-NEW; FDIC 3064-0214.
    Frequency of Response: On occasion; event-generated.\61\
---------------------------------------------------------------------------

    \61\ For purposes of these calculations, the agencies assume 
that the frequency is 1 response per respondent per year.
---------------------------------------------------------------------------

    Affected Public: Businesses or other for-profit.
    Respondents:
    OCC: National banks, Federal savings associations, Federal branches 
and agencies, and bank service providers.
    Board: All state member banks (as defined in 12 CFR 208.2(g)), bank 
holding companies (as defined in 12 U.S.C. 1841), savings and loan 
holding companies (as defined in 12 U.S.C. 1467a), foreign banking 
organizations (as defined in 12 CFR 211.21(o)), foreign banks that do 
not operate an insured branch, state branch or state agency of a 
foreign bank (as defined in 12 U.S.C. 3101(b)(11) and (12)), Edge or 
agreement corporations (as defined in 12 CFR 211.1(c)(2) and (3)), and 
bank service providers.
    FDIC: All insured state nonmember banks, insured state-licensed 
branches of foreign banks, insured State savings associations, and bank 
service providers.
    Number of Respondents: \62\
---------------------------------------------------------------------------

    \62\ The number of respondents for the reporting requirement is 
based on allocating the estimated 150 notification incidents among 
the agencies based on the percentage of entities supervised by each 
agency. The FDIC represents the majority of the banking 
organizations (64 percent), while the Board supervises approximately 
21 percent of the banking organizations, with the OCC supervising 
the remaining 15 percent of banking organizations. The number of 
respondents for the disclosure requirement is based on an assumption 
of an approximately 2 percent per year frequency of incidents from 
120,392 firms, which is divided equally among the OCC, FDIC, and 
Board. The number of 120,392 firms is the number of firms in the 
United States under NAICS code 5415 in 2018, the latest year for 
which such data is available. See U.S. Census Bureau, 2018 SUSB 
Annual Data Tables by Establishment Industry, https://www.census.gov/data/tables/2018/econ/susb/2018-susb-annual.html 
(last revised Aug. 27, 2021).
---------------------------------------------------------------------------

    OCC: Reporting--22; Disclosure--802.
    FDIC: Reporting--96; Disclosure--802.
    Board: Reporting--32; Disclosure--802.
    Estimated Hours per Response:
    Reporting--Sections 53.3 (OCC), 225.302 (Board), and 304.23 (FDIC): 
3 hours.
    Disclosure--Sections 53.4 (OCC), 225.303 (Board), and 304.24 
(FDIC): 3 hours.
    Estimated Total Annual Burden:
    OCC: Reporting--66 hours; Disclosure--2,406 hours.
    FDIC: Reporting--288 hours; Disclosure--2,406 hours.
    Board: Reporting--96 hours; Disclosure--2,406 hours.
    Abstract: The final rule establishes notification requirements for 
banking organizations upon the occurrence of a ``computer-security 
incident'' that rises to the level of a ``notification incident.''
    A ``notification incident'' is defined as a computer-security 
incident that has materially disrupted or degraded, or is reasonably 
likely to materially disrupt or degrade, a banking organization's--
     Ability to carry out banking operations, activities, or 
processes, or deliver banking products and services to a material 
portion of its customer base, in the ordinary course of business;
     Business line(s), including associated operations, 
services, functions, and support, that upon failure would result in a 
material loss of revenue, profit, or franchise value; or
     Operations, including associated services, functions and 
support, as applicable, the failure or discontinuance of which would 
pose a threat to the financial stability of the United States.
    A ``computer-security incident'' is defined as is an occurrence 
that results in actual harm to the confidentiality, integrity, or 
availability of an information system or the information that the 
system processes, stores, or transmits.
    The final rule requires a banking organization to notify its 
primary Federal banking regulator upon the occurrence of a 
``notification incident'' at the banking organization. The agencies 
recognize that the final rule imposes a limited amount of burden, 
beyond what is usual and customary, on banking organizations in the 
event of a computer-security incident even if it does not rise to the 
level of a notification incident, as banking organizations will need to 
determine whether the relevant thresholds for notification are met. 
Therefore, the agencies' estimated burden per notification incident 
takes into account the burden associated with such incidents.
    The final rule also requires a bank service provider to notify at 
least one bank-designated point of contact at each affected banking 
organization customer as soon as possible when the bank service 
provider determines that it has experienced a computer-security 
incident that has materially disrupted or degraded, or is reasonably 
likely to materially disrupt or degrade, covered services provided to 
such banking organization for four or more hours.

B. Regulatory Flexibility Act

    OCC: The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., 
requires an

[[Page 66440]]

agency, in connection with a final rule, to prepare a Final Regulatory 
Flexibility Analysis describing the impact of the rule on small 
entities (defined by the Small Business Administration (SBA)) for 
purposes of the RFA to include commercial banks and savings 
institutions with total assets of $600 million or less and trust 
companies with total assets of $41.5 million or less) or to certify 
that the final rule will not have a significant economic impact on a 
substantial number of small entities. The OCC currently supervises 
approximately 669 small entities.
    Because the final rule impacts all OCC-supervised institutions, as 
well as all bank service providers, it will impact a substantial number 
of small entities. However, the expected costs of the final rule will 
be de minimis. Many banks already have internal policies for responding 
to security incidents, which include processes for notifying their 
primary regulator and other stakeholders of incidents within the scope 
of the final rule. Additionally, while the OCC believes bank service 
provider contracts may already include these provisions, if current 
contracts do not include these provisions, then the OCC does not expect 
the implementation of these provisions to impose a material burden on 
bank service providers. Therefore, the OCC certifies that the final 
rule will not have a significant economic impact on a substantial 
number of small entities.
    Board: The Regulatory Flexibility Act (RFA) generally requires an 
agency, in connection with a final rule, to prepare and make available 
for public comment a final regulatory flexibility analysis that 
describes the impact of the rule on small entities.\63\ However, a 
regulatory flexibility analysis is not required if the agency certifies 
that the rule will not have a significant economic impact on a 
substantial number of small entities. For the reasons described below, 
the Board certifies that the final rule will not have a significant 
economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \63\ 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------

    As discussed in the SUPPLEMENTARY INFORMATION section, the agencies 
are requiring a banking organization to notify its primary Federal 
regulator as soon as possible and no later than 36 hours after the 
banking organization determines that a notification incident has 
occurred. The final rule will establish a notification requirement, 
which would support the safety and soundness of entities supervised by 
the agencies. The final rule requires a bank service provider, as 
defined in the rule, to notify at least one bank-designated point of 
contact at each affected banking organization customer as soon as 
possible when the bank service provider determines that it has 
experienced a computer-security incident that has materially disrupted 
or degraded, or is reasonably likely to materially disrupt or degrade, 
covered services provided to such banking organization for four or more 
hours.
    The Board's rule applies to state-chartered banks that are members 
of the Federal Reserve System, bank holding companies, savings and loan 
holding companies, U.S. operations of foreign banking organizations, 
and Edge and agreement corporations (collectively, ``Board-regulated 
entities''). As described in the Impact Analysis section, requirements 
under the final rule will apply to all Board-regulated entities. Under 
regulations issued by the SBA, a small entity includes a depository 
institution, bank holding company, or savings and loan holding company 
with total assets of $600 million or less and trust companies with 
total receipts of $41.5 million or less.\64\ According to Call Reports 
and other Board reports, there were approximately 451 state member 
banks, 2,380 bank holding companies, 92 savings and loan holding 
companies, and 16 Edge and agreement corporations that are small 
entities.\65\ In addition, the final rule affects all bank service 
providers that provide services subject to the BSCA.\66\ The Board is 
unable to estimate the number of bank service providers that are small 
due to the varying types of banking organizations that may enter into 
outsourcing arrangements with bank service providers.
---------------------------------------------------------------------------

    \64\ As an example, the SBA defines a bank as small if it has 
$600 million or less in assets. See 13 CFR 121.201 (as amended by 84 
FR 34261, effective August 19, 2019). In its determination, the SBA 
counts the receipts, employees, or other measure of size of the 
concern whose size is at issue and all of its domestic and foreign 
affiliates. See 13 CFR 121.103.
    \65\ State member bank data is derived from June 30, 2021 Call 
Reports. Data for bank holding companies and savings and loan 
holding companies are derived from the June 30, 2021, FR Y-9C and FR 
Y-9SP. Data for Edge and agreement corporations are derived from the 
December 31, 2020, FR-2886b.
    \66\ Discussed in detail in the Impact Analysis section.
---------------------------------------------------------------------------

    The final rule will require all banking organizations to notify the 
appropriate Board-designated point of contact about a notification 
incident through email, telephone, or other similar methods that the 
Board may prescribe. The Board must receive this notification from the 
banking organization as soon as possible and no later than 36 hours 
after the banking organization determines that a notification incident 
has occurred. The agencies estimate that, upon occurrence of a 
notification incident, an affected banking organization may incur 
compliance costs of up to three hours of staff time to coordinate 
internal communications, consult with its bank service provider, if 
appropriate, and notify the banking organization's primary Federal 
regulator. As described in the Impact Analysis section above, this 
requirement is estimated to affect a relatively small number of Board-
regulated entities. The agencies believe that any compliance costs 
associated with the notice requirement would be de minimis, because the 
communications that led to the determination of the notification 
incident would have occurred regardless of the final rule.
    The final rule will also require a bank service provider to notify 
at least one bank-designated point of contact at each affected banking 
organization customer as soon as possible when the bank service 
provider determines that it has experienced a computer-security 
incident that has materially disrupted or degraded, or is reasonably 
likely to materially disrupt or degrade, covered services provided to 
such banking organization for four or more hours. As described in the 
Impact Analysis section above, the agencies believe that any compliance 
costs associated with the implementation of this requirement would be 
de minimis for each affected bank service provider. There are no other 
recordkeeping, reporting, or compliance requirements associated with 
the final rule.
    For the reasons stated above, the Board certifies that the final 
rule will not have a significant economic impact on a substantial 
number of small entities.
    FDIC: The RFA generally requires an agency, in connection with a 
final rule, to prepare and make available for public comment a final 
regulatory flexibility analysis that describes the impact of the rule 
on small entities.\67\ However, a regulatory flexibility analysis is 
not required if the agency certifies that the rule will not have a 
significant economic impact on a substantial number of small entities. 
The SBA has defined ``small entities'' to include banking organizations 
with total assets of less than or equal to $600 million.\68\

[[Page 66441]]

Generally, the FDIC considers a significant effect to be a quantified 
effect in excess of 5 percent of total annual salaries and benefits per 
institution, or 2.5 percent of total noninterest expenses. The FDIC 
believes that effects in excess of these thresholds typically represent 
significant effects for FDIC-supervised institutions. For the reasons 
described below, the FDIC certifies that the final rule will not have a 
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \67\ 5 U.S.C. 601 et seq.
    \68\ The SBA defines a small banking organization as having $600 
million or less in assets, where an organization's assets are 
determined by averaging the assets reported on its four quarterly 
financial statements for the preceding year. See 13 CFR 121.201 (as 
amended by 84 FR 34261, effective August 19, 2019). In its 
determination, the SBA counts the receipts, employees, or other 
measure of size of the concern whose size is at issue and all of its 
domestic and foreign affiliates. See 13 CFR 121.103. Following these 
regulations, the FDIC uses a banking organization's affiliated and 
acquired assets, averaged over the preceding four quarters, to 
determine whether the banking organization is ``small'' for the 
purposes of RFA.
---------------------------------------------------------------------------

    As described in the Impact Analysis section, the final rule is 
expected to affect all institutions supervised by the FDIC. According 
to recent Call Reports, the FDIC supervises 3,215 insured depository 
institutions (FDIC-supervised IDIs).\69\ Of these, 2,333 FDIC-
supervised IDIs would be considered small entities for the purposes of 
RFA.\70\ These small entities hold approximately $510 billion in 
assets, accounting for 13 percent of total assets held by FDIC-
supervised institutions. In addition, the final rule affects all bank 
service providers that provide services subject to the BSCA.\71\ The 
FDIC is unable to estimate the number of affected bank service 
providers that are small. For purposes of this certification, the FDIC 
assumes, as an upper limit, that all affected bank service providers 
are small.
---------------------------------------------------------------------------

    \69\ FDIC Call Reports, March 31, 2021.
    \70\ Id.
    \71\ Discussed in detail in the Impact Analysis section.
---------------------------------------------------------------------------

    The final rule requires a banking organization to notify the 
appropriate FDIC supervisory office, or an FDIC-designated point of 
contact, about a notification incident through email, telephone, or 
other similar methods that the FDIC may prescribe. The FDIC must 
receive this notification from the banking organization as soon as 
possible and no later than 36 hours after the banking organization 
determines that a notification incident has occurred. As described in 
the Impact Analysis section above, this requirement is estimated to 
affect a relatively small number of FDIC-supervised institutions and 
impose a compliance cost of up to three hours per incident. The 
agencies believe that the regulatory burden of such a requirement would 
be de minimis in nature, since the internal communications that led to 
the determination of the notification incident would have occurred 
regardless of the final rule.\72\
---------------------------------------------------------------------------

    \72\ Even at an elevated labor compensation rate of $200 per 
hour, the final rule would impose a cost burden of less than $600 
per incident.
---------------------------------------------------------------------------

    In addition, the final rule will require a bank service provider to 
notify at least one bank-designated point of contact at each affected 
banking organization customer as soon as possible when the bank service 
provider determines that it has experienced a computer-security 
incident that has materially disrupted or degraded, or is reasonably 
likely to materially disrupt or degrade, covered services provided to 
such banking organization for four or more hours. As described in the 
Impact Analysis section above, the agencies believe that any additional 
compliance costs would be de minimis for each affected bank service 
provider.
    Therefore, the FDIC certifies that the final rule will not have a 
significant economic impact on a substantial number of small entities.

C. Riegle Community Development and Regulatory Improvement Act of 1994

    Under section 302(a) of the Riegle Community Development and 
Regulatory Improvement Act (RCDRIA),\73\ in determining the effective 
date and administrative compliance requirements for new regulations 
that impose additional reporting, disclosure, or other requirements on 
insured depository institutions (IDIs), each Federal banking agency 
must consider, consistent with principles of safety and soundness and 
the public interest, any administrative burdens that such regulations 
would place on depository institutions, including small depository 
institutions, and customers of depository institutions, as well as the 
benefits of such regulations. In addition, section 302(b) of RCDRIA 
requires new regulations and amendments to regulations that impose 
additional reporting, disclosures, or other new requirements on IDIs 
generally to take effect on the first day of a calendar quarter that 
begins on or after the date on which the regulations are published in 
final form.\74\ The agencies have determined that the final rule would 
impose additional reporting, disclosure, or other new requirements on 
IDIs, and are making this final rule effective in accordance with the 
requirements of the RCDRIA.
---------------------------------------------------------------------------

    \73\ 12 U.S.C. 4802(a).
    \74\ Id. at 4802(b).
---------------------------------------------------------------------------

D. Congressional Review Act

    For purposes of the Congressional Review Act (CRA), the Office of 
Management and Budget (OMB) makes a determination as to whether a final 
rule constitutes a ``major rule.'' \75\ If a rule is deemed a ``major 
rule'' by the OMB, the CRA generally provides that the rule may not 
take effect until at least 60 days following its publication.\76\ The 
Congressional Review Act defines a ``major rule'' as any rule that the 
Administrator of the Office of Information and Regulatory Affairs of 
the OMB finds has resulted in or is likely to result in--(A) an annual 
effect on the economy of $100,000,000 or more; (B) a major increase in 
costs or prices for consumers, individual industries, Federal, State, 
or Local government agencies or geographic regions, or (C) significant 
adverse effects on competition, employment, investment, productivity, 
innovation, or on the ability of United States-based enterprises to 
compete with foreign-based enterprises in domestic and export 
markets.\77\
---------------------------------------------------------------------------

    \75\ 5 U.S.C. 801 et seq.
    \76\ 5 U.S.C. 801(a)(3).
    \77\ 5 U.S.C. 804(2).
---------------------------------------------------------------------------

    The agencies will submit the final rule to the OMB for this major 
rule determination. As required by the Congressional Review Act, the 
agencies will also submit the final rule and other appropriate reports 
to Congress and the Government Accountability Office for review.

E. Use of Plain Language

    Section 722 of the Gramm-Leach-Bliley Act \78\ requires the Federal 
banking agencies to use plain language in all proposed and final 
rulemakings published in the Federal Register after January 1, 2000. 
The agencies invited comment regarding the use of plain language, but 
did not receive any comments on this topic.
---------------------------------------------------------------------------

    \78\ 12 U.S.C. 4809.
---------------------------------------------------------------------------

F. Unfunded Mandates Reform Act

    The OCC analyzed the final rule under the factors set forth in the 
Unfunded Mandates Reform Act of 1995 (UMRA) (2 U.S.C. 1532). Under this 
analysis, the OCC considered whether the final rule includes a Federal 
mandate that may result in the expenditure by State, local, and Tribal 
governments, in the aggregate, or by the private sector, of $100 
million or more in any one year, adjusted for inflation (currently $158 
million). As noted in the OCC's RFA discussion, the OCC expects that 
the costs associated with the final rule, if any, will be de minimis 
and, thus, has determined that this final rule will not result in 
expenditures by State, local, and Tribal governments, or the private 
sector, of $158 million or more

[[Page 66442]]

in any one year. Accordingly, the OCC has not prepared a written 
statement to accompany this final rule.

Agency Regulation

List of Subjects

12 CFR Part 53

    Administrative practice and procedure, Federal savings 
associations, National banks, Reporting and recordkeeping requirements, 
Safety and soundness.

12 CFR Part 225

    Administrative practice and procedure, Bank holding companies, 
Banking, Edge and agreement corporations, Foreign banking 
organizations, Nonbank financial companies, Reporting and recordkeeping 
requirements, Safety and soundness, Savings and loan holding companies, 
State member banks.

12 CFR Part 304

    Administrative practice and procedure, Bank deposit insurance, 
Banks, Banking, Freedom of information, Reporting and recordkeeping 
requirements, Safety and soundness.

Authority and Issuance--OCC

    For the reasons stated in the Common Preamble and under the 
authority of 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861-1867, and 
3102, the Office of the Comptroller of the Currency amends chapter I of 
title 12, Code of Federal Regulations, as follows:

0
1. Part 53 is added to read as follows:
PART 53--COMPUTER-SECURITY INCIDENT NOTIFICATION
Sec.
53.1 Authority, purpose, and scope.
53.2 Definitions.
53.3 Notification.
53.4 Bank service provider notification.

    Authority:  12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861-1867, 
and 3102.


Sec.  53.1   Authority, purpose, and scope.

    (a) Authority. This part is issued under the authority of 12 U.S.C. 
1, 93a, 161, 481, 1463, 1464, 1861-1867, and 3102.
    (b) Purpose. This part promotes the timely notification of 
computer-security incidents that may materially and adversely affect 
Office of the Comptroller of the Currency (OCC)-supervised 
institutions.
    (c) Scope. This part applies to all national banks, Federal savings 
associations, and Federal branches and agencies of foreign banks. This 
part also applies to their bank service providers as defined in Sec.  
53.2(b)(2).


Sec.  53.2   Definitions.

    (a) Except as modified in this part, or unless the context 
otherwise requires, the terms used in this part have the same meanings 
as set forth in 12 U.S.C. 1813.
    (b) For purposes of this part, the following definitions apply.
    (1) Banking organization means a national bank, Federal savings 
association, or Federal branch or agency of a foreign bank; provided, 
however, that no designated financial market utility shall be 
considered a banking organization.
    (2) Bank service provider means a bank service company or other 
person that performs covered services; provided, however, that no 
designated financial market utility shall be considered a bank service 
provider.
    (3) Business line means a product or service offered by a banking 
organization to serve its customers or support other business needs.
    (4) Computer-security incident is an occurrence that results in 
actual harm to the confidentiality, integrity, or availability of an 
information system or the information that the system processes, 
stores, or transmits.
    (5) Covered services are services performed, by a person, that are 
subject to the Bank Service Company Act (12 U.S.C. 1861-1867).
    (6) Designated financial market utility has the same meaning as set 
forth at 12 U.S.C. 5462(4).
    (7) Notification incident is a computer-security incident that has 
materially disrupted or degraded, or is reasonably likely to materially 
disrupt or degrade, a banking organization's--
    (i) Ability to carry out banking operations, activities, or 
processes, or deliver banking products and services to a material 
portion of its customer base, in the ordinary course of business;
    (ii) Business line(s), including associated operations, services, 
functions, and support, that upon failure would result in a material 
loss of revenue, profit, or franchise value; or
    (iii) Operations, including associated services, functions and 
support, as applicable, the failure or discontinuance of which would 
pose a threat to the financial stability of the United States.
    (8) Person has the same meaning as set forth at 12 U.S.C. 
1817(j)(8)(A).


Sec.  53.3   Notification.

    A banking organization must notify the appropriate OCC supervisory 
office, or OCC-designated point of contact, about a notification 
incident through email, telephone, or other similar methods that the 
OCC may prescribe. The OCC must receive this notification from the 
banking organization as soon as possible and no later than 36 hours 
after the banking organization determines that a notification incident 
has occurred.


Sec.  53.4  Bank service provider notification.

    (a) A bank service provider is required to notify at least one 
bank-designated point of contact at each affected banking organization 
customer as soon as possible when the bank service provider determines 
that it has experienced a computer-security incident that has 
materially disrupted or degraded, or is reasonably likely to materially 
disrupt or degrade, covered services provided to such banking 
organization for four or more hours.
    (1) A bank-designated point of contact is an email address, phone 
number, or any other contact(s), previously provided to the bank 
service provider by the banking organization customer.
    (2) If the banking organization customer has not previously 
provided a bank-designated point of contact, such notification shall be 
made to the Chief Executive Officer and Chief Information Officer of 
the banking organization customer, or two individuals of comparable 
responsibilities, through any reasonable means.
    (b) The notification requirement in paragraph (a) of this section 
does not apply to any scheduled maintenance, testing, or software 
update previously communicated to a banking organization customer.

FEDERAL RESERVE SYSTEM

12 CFR Chapter II

Authority and Issuance

    For the reasons stated in the Common Preamble and under the 
authority of 12 U.S.C. 321-338a, 1467a(g), 1818(b), 1844(b), 1861-1867, 
and 3101 et seq., the Board amends chapter II of title 12, Code of 
Federal Regulations, as follows:

PART 225--BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL 
(REGULATION Y)

0
2. The authority citation for part 225 continues to read as follows:

    Authority:  12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p-
1, 1843(c)(8), 1844(b), 1972(1), 3106, 3108, 3310, 3331-3351, 3906, 
3907, and 3909; 15 U.S.C. 1681s, 1681w, 6801 and 6805.


0
3. Subpart N is added to read as follows:
Subpart N--Computer-Security Incident Notification
Sec.
225.300 Authority, purpose, and scope.
225.301 Definitions.

[[Page 66443]]

225.302 Notification.
225.303 Bank service provider notification.

Subpart N--Computer-Security Incident Notification


Sec.  225.300   Authority, purpose, and scope.

    (a) Authority. This subpart is issued under the authority of 12 
U.S.C. 1, 321-338a, 1467a(g), 1818(b), 1844(b), 1861-1867, and 3101 et 
seq.
    (b) Purpose. This subpart promotes the timely notification of 
computer-security incidents that may materially and adversely affect 
Board-supervised entities.
    (c) Scope. This subpart applies to all U.S. bank holding companies 
and savings and loan holding companies; state member banks; the U.S. 
operations of foreign banking organizations; and Edge and agreement 
corporations. This subpart also applies to their bank service 
providers, as defined in Sec.  225.301(b)(2).


Sec.  225.301   Definitions.

    (a) Except as modified in this subpart, or unless the context 
otherwise requires, the terms used in this subpart have the same 
meanings as set forth in 12 U.S.C. 1813.
    (b) For purposes of this subpart, the following definitions apply.
    (1) Banking organization means a U.S. bank holding company; U.S. 
savings and loan holding company; state member bank; the U.S. 
operations of foreign banking organizations; and an Edge or agreement 
corporation; provided, however, that no designated financial market 
utility shall be considered a banking organization.
    (2) Bank service provider means a bank service company or other 
person that performs covered services; provided, however, that no 
designated financial market utility shall be considered a bank service 
provider.
    (3) Business line means a product or service offered by a banking 
organization to serve its customers or support other business needs.
    (4) Computer-security incident is an occurrence that results in 
actual harm to the confidentiality, integrity, or availability of an 
information system or the information that the system processes, 
stores, or transmits.
    (5) Covered services are services performed, by a person, that are 
subject to the Bank Service Company Act (12 U.S.C. 1861-1867).
    (6) Designated financial market utility has the same meaning as set 
forth at 12 U.S.C. 5462(4).
    (7) Notification incident is a computer-security incident that has 
materially disrupted or degraded, or is reasonably likely to materially 
disrupt or degrade, a banking organization's--
    (i) Ability to carry out banking operations, activities, or 
processes, or deliver banking products and services to a material 
portion of its customer base, in the ordinary course of business;
    (ii) Business line(s), including associated operations, services, 
functions, and support, that upon failure would result in a material 
loss of revenue, profit, or franchise value; or
    (iii) Operations, including associated services, functions and 
support, as applicable, the failure or discontinuance of which would 
pose a threat to the financial stability of the United States.
    (8) Person has the same meaning as set forth at 12 U.S.C. 
1817(j)(8)(A).


Sec.  225.302   Notification.

    A banking organization must notify the appropriate Board-designated 
point of contact about a notification incident through email, 
telephone, or other similar methods that the Board may prescribe. The 
Board must receive this notification from the banking organization as 
soon as possible and no later than 36 hours after the banking 
organization determines that a notification incident has occurred.


Sec.  225.303   Bank service provider notification.

    (a) A bank service provider is required to notify at least one 
bank-designated point of contact at each affected banking organization 
customer as soon as possible when the bank service provider determines 
that it has experienced a computer-security incident that has 
materially disrupted or degraded, or is reasonably likely to materially 
disrupt or degrade, covered services provided to such banking 
organization for four or more hours.
    (1) A bank-designated point of contact is an email address, phone 
number, or any other contact(s), previously provided to the bank 
service provider by the banking organization customer.
    (2) If the banking organization customer has not previously 
provided a bank-designated point of contact, such notification shall be 
made to the Chief Executive Officer and Chief Information Officer of 
the banking organization customer, or two individuals of comparable 
responsibilities, through any reasonable means.
    (b) The notification requirement in paragraph (a) of this section 
does not apply to any scheduled maintenance, testing, or software 
update previously communicated to a banking organization customer.

FEDERAL DEPOSIT INSURANCE CORPORATION

Authority and Issuance

    For the reasons stated in the Common Preamble, and under the 
authority of 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861-1867, the 
FDIC amends 12 CFR part 304 as follows:

PART 304--FORMS, INSTRUCTIONS, AND REPORTS

0
4. Revise the authority citation for part 304 to read as follows:

    Authority:  5 U.S.C. 552; 12 U.S.C. 1463, 1464, 1811, 1813, 
1817, 1819, 1831, and 1861-1867.


0
5. Revise Sec.  304.1 to read as follows:


Sec.  304.1   Purpose.

    This subpart informs the public where it may obtain forms and 
instructions for reports, applications, and other submittals used by 
the Federal Deposit Insurance Corporation (FDIC), and describes certain 
forms that are not described elsewhere in FDIC regulations in this 
chapter.


Sec. Sec.  304.15 through 304.20   [Added and Reserved]

0
6. Add reserve Sec. Sec.  304.15 through 304.20.

0
7. Add subpart C to read as follows:
Subpart C--Computer-Security Incident Notification
Sec.
304.21 Authority, purpose, and scope.
304.22 Definitions.
304.23 Notification.
304.24 Bank service provider notification.
304.25-304.30 [Reserved]

Subpart C--Computer-Security Incident Notification


Sec.  304.21   Authority, purpose, and scope.

    (a) Authority. This subpart is issued under the authority of 12 
U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861-1867.
    (b) Purpose. This subpart promotes the timely notification of 
computer-security incidents that may materially and adversely affect 
FDIC-supervised institutions.
    (c) Scope. This subpart applies to all insured state nonmember 
banks, insured state licensed branches of foreign banks, and insured 
State savings associations. This subpart also applies to bank service 
providers, as defined in Sec.  304.22(b)(2).


Sec.  304.22   Definitions.

    (a) Except as modified in this subpart, or unless the context 
otherwise requires, the terms used in this subpart have the same 
meanings as set forth in 12 U.S.C. 1813.

[[Page 66444]]

    (b) For purposes of this subpart, the following definitions apply.
    (1) Banking organization means an FDIC-supervised insured 
depository institution, including all insured state nonmember banks, 
insured state-licensed branches of foreign banks, and insured State 
savings associations; provided, however, that no designated financial 
market utility shall be considered a banking organization.
    (2) Bank service provider means a bank service company or other 
person that performs covered services; provided, however, that no 
designated financial market utility shall be considered a bank service 
provider.
    (3) Business line means a product or service offered by a banking 
organization to serve its customers or support other business needs.
    (4) Computer-security incident is an occurrence that results in 
actual harm to the confidentiality, integrity, or availability of an 
information system or the information that the system processes, 
stores, or transmits.
    (5) Covered services are services performed, by a person, that are 
subject to the Bank Service Company Act (12 U.S.C. 1861-1867).
    (6) Designated financial market utility has the same meaning as set 
forth at 12 U.S.C. 5462(4).
    (7) Notification incident is a computer-security incident that has 
materially disrupted or degraded, or is reasonably likely to materially 
disrupt or degrade, a banking organization's--
    (i) Ability to carry out banking operations, activities, or 
processes, or deliver banking products and services to a material 
portion of its customer base, in the ordinary course of business;
    (ii) Business line(s), including associated operations, services, 
functions, and support, that upon failure would result in a material 
loss of revenue, profit, or franchise value; or
    (iii) Operations, including associated services, functions and 
support, as applicable, the failure or discontinuance of which would 
pose a threat to the financial stability of the United States.
    (8) Person has the same meaning as set forth at 12 U.S.C. 
1817(j)(8)(A).


Sec.  304.23   Notification.

    A banking organization must notify the appropriate FDIC supervisory 
office, or an FDIC-designated point of contact, about a notification 
incident through email, telephone, or other similar methods that the 
FDIC may prescribe. The FDIC must receive this notification from the 
banking organization as soon as possible and no later than 36 hours 
after the banking organization determines that a notification incident 
has occurred.


Sec.  304.24   Bank service provider notification.

    (a) A bank service provider is required to notify at least one 
bank-designated point of contact at each affected banking organization 
customer as soon as possible when the bank service provider determines 
that it has experienced a computer-security incident that has 
materially disrupted or degraded, or is reasonably likely to materially 
disrupt or degrade, covered services provided to such banking 
organization for four or more hours.
    (1) A bank-designated point of contact is an email address, phone 
number, or any other contact(s), previously provided to the bank 
service provider by the banking organization customer.
    (2) If the banking organization customer has not previously 
provided a bank-designated point of contact, such notification shall be 
made to the Chief Executive Officer and Chief Information Officer of 
the banking organization customer, or two individuals of comparable 
responsibilities, through any reasonable means.
    (b) The notification requirement in paragraph (a) of this section 
does not apply to any scheduled maintenance, testing, or software 
update previously communicated to a banking organization customer.


Sec. Sec.  304.25-304.30   [Reserved]

Michael J. Hsu,
Acting Comptroller of the Currency.

    By order of the Board of Governors of the Federal Reserve 
System.
Ann Misback,
Secretary of the Board.

Federal Deposit Insurance Corporation.

By order of the Board of Directors.

    Dated at Washington, DC, on November 17, 2021.
James P. Sheesley,
Assistant Executive Secretary.
[FR Doc. 2021-25510 Filed 11-22-21; 8:45 am]
BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P