Federal Register Extracts

Agency: "The Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC)."

SUMMARY: The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary Federal regulator of any "computer-security incident" that rises to the level of a "notification incident," as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

DATES: Effective date: April 1, 2022; Compliance date: May 1, 2022.

FOR FURTHER INFORMATION CONTACT:

OCC: Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519, Carl Kaminski, Assistant Director, (202) 649-5490, or Priscilla Benner, Senior Attorney, Chief Counsel's Office, (202) 649-5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219.

Board: Thomas Sullivan, Senior Associate Director, (202) 475-7656, Julia Philipp, Lead Financial Institution Cybersecurity Policy Analyst, (202) 452-3940, Don Peterson, Supervisory Cybersecurity Analyst, (202) 973-5059, Systems and Operational Resiliency Policy, of the Supervision and Regulation Division; Jay Schwarz, Assistant General Counsel, (202) 452-2970, Claudia Von Pervieux, Senior Counsel (202) 452-2552, Christopher Danello, Senior Attorney, (202) 736-1960, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551, or https://www.federalreserve.gov/apps/ContactUs/feedback.aspx, and click on Staff Group, Regulations.

FDIC: Rob Drozdowski, Special Assistant to the Deputy Director (202) 898-3971, [email protected], Division of Risk Management Supervision; or John Dorsey, Counsel (202) 898-3807, [email protected], Graham Rehrig, Senior Attorney, (202) 898-3829, [email protected], Legal Division.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Introduction

II. Background

A. Overview of Comments

III. Discussion of Final Rule

A. Overview of Final Rule

B. Definitions

i. Definition of Banking Organization

ii. Definition of Bank Service Provider

iii. Definition of Computer-Security Incident

iv. Definition of Notification Incident

v. Examples of Notification Incidents

C. Banking Organization Notification to Agencies

i. Timing of Notification to Agencies

ii. Method of Notification to Agencies

D. Bank Service Provider Notification to Banking Organization Customers

i. Scope of Bank Service Provider Notification

ii. Timing of Bank Service Provider Notification

iii. Bank Service Provider Notification to Customers

iv. Bank Service Provider Agreements--Contract Notice Provisions

IV. Other Rulemaking Considerations

A. Bank Service Provider Material Incidents Consideration

B. Methodology for Determining Number of Incidents Subject to the Rule

C. Voluntary Information Sharing

D. Utilizing Prompt Corrective Action Capital Classifications

E. Ability To Rescind Notification and Obtain Record of Notice

F. Single Notification Definition

G. Affiliated Banking Organizations Considerations

H. Consideration of the Number of Bank Service Providers

V. Impact Analysis

VI. Alternatives Considered

VII. Effective Date

VIII. Administrative Law Matters

A. Paperwork Reduction Act

B. Regulatory Flexibility Act

C. Riegle Community Development and Regulatory Improvement Act of 1994

D. Congressional Review Act

E. Use of Plain Language

F. Unfunded Mandates Reform Act

I. Introduction The OCC, Board, and FDIC (together, the agencies) are issuing a final rule to require that a banking organization /1/ promptly notify its primary Federal regulator of any "computer-security incident" that rises to the level of a "notification incident," as those terms are defined in the final rule. As described in more detail below, these incidents may have many causes. Examples include a large-scale distributed denial of service attack that disrupts customer account access for an extended period of time and a computer hacking incident that disables banking operations for an extended period of time.

FOOTNOTE 1 For the OCC, "banking organizations" includes national banks, Federal savings associations, and Federal branches and agencies of foreign banks. For the Board, "banking organizations" includes all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. For the FDIC, "banking organizations" includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations. Each agency's definition excludes financial market utilities (FMUs) designated under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (designated FMUs). END FOOTNOTE

Under the final rule, a banking organization's primary Federal regulator must receive this notification as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. This requirement will help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic. The final rule separately requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. This separate requirement will ensure that a banking organization receives prompt notification of a computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider. This notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization's own notification requirement.

II. Background

Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as non-malicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years. /2/ These cyberattacks can adversely affect banking organizations' networks, data, and systems, and ultimately their ability to resume normal operations.

FOOTNOTE 2 See, e.g., Financial Crimes Enforcement Network, SAR Filings by Industry (Jan. 1, 2014-Dec. 31, 2020) (last accessed Oct. 11, 2021), https://www.fincen.gov/reports/sar-stats/sar-filings-industry. (Trend data may be found by downloading the Excel file "Depository Institution" and selecting the tab marked "Exhibit 5."). END FOOTNOTE

Given the frequency and severity of cyberattacks on the financial services industry, the agencies believe that it is important that a banking organization's primary Federal regulator be notified as soon as possible of a significant computer-security incident /3/ that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector. /4/ The final rule refers to these significant computer-security incidents as "notification incidents." /5/ Timely notification is important as it would allow the agencies to (1) have early awareness of emerging threats to banking organizations and the broader financial system, (2) better assess the threat a notification incident poses to a banking organization and take appropriate actions to address the threat, (3) facilitate and approve requests from banking organizations for assistance through U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), /6/ (4) provide information and guidance to banking organizations, and (5) conduct horizontal analyses to provide targeted guidance and adjust supervisory programs.

FOOTNOTE 3 As defined by the final rule, a computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. To promote uniformity of terms, the agencies have sought to align this term generally with an existing definition from the National Institute of Standards and Technology (NIST). See NIST, Computer Security Resource Center, Glossary (last accessed Sept. 20, 2021), available at https://csrc.nist.gov/glossary/term/Dictionary. END FOOTNOTE

FOOTNOTE 4 These computer-security incidents may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions. END FOOTNOTE

--This is a summary of a Federal Register article originally published on the page number listed below--

Final rule.

CFR Part: "12 CFR Part 53"; "12 CFR Part 225"; "12 CFR Part 304"

RIN Number: "RIN 1557-AF02"; "RIN 7100-AG06"; "RIN 3064-AF59"

Citation: "86 FR 66424"

Document Number: "Docket ID OCC-2020-0038"; "Docket No. R-1736"

Federal Register Page Number: "66424"

"Rules and Regulations"