January 12, 2021

Office of Comptroller of Currency, Fed, FDIC Proposed Rule: Computer-Security Incident Notification Requirements for Banking Organizations, Their Bank Service Providers

Targeted News Service

WASHINGTON, Jan. 12 -- The Office of the Comptroller of the Currency, Federal Reserve System and Federal Deposit Insurance Corporation have issued a proposed rule (12 CFR Part 53, 12 CFR Part 225 and 12 CFR Part 304), published in the Federal Register, entitled: "Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers".

The proposed rule was issued by Ann Misback, Secretary of the Board, and James P. Sheesley, Assistant Executive Secretary.

DATES: Comments must be received by April 12, 2021.

ADDRESSES:

You may submit comments, identified by RIN (1557-AF02 (OCC), 7100-AF (Board), 3064-AF59 (FDIC)), by any of the following methods:

OCC:

Commenters are encouraged to submit comments through the Federal eRulemaking Portal, if possible. Please use the title "Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers" to facilitate the organization and distribution of the comments. You may submit comments by any of the following methods:

* Federal eRulemaking Portal--Regulations.gov Classic or Regulations.gov Beta:

* Regulations.gov Classic: Go to https://www.regulations.gov/. Enter "Docket ID OCC-2020-0038" in the Search Box and click "Search." Click on "Comment Now" to submit public comments. For help with submitting effective comments please click on "View Commenter's Checklist." Click on the "Help" tab on the Regulations.gov home page to get information on using Regulations.gov, including instructions for submitting public comments.

* Regulations.gov Beta: Go to https://beta.regulations.gov/ or click "Visit New Regulations.gov Site" from the Regulations.gov Classic homepage. Enter "Docket ID OCC-2020-0038" in the Search Box and click "Search." Public comments can be submitted via the "Comment" box below the displayed document information or by clicking on the document title and then clicking the "Comment" box on the top-left side of the screen. For help with submitting effective comments please click on "Commenter's Checklist." For assistance with the Regulations.gov Beta site, please call (877) 378-5457 (toll free) or (703) 454-9859 Monday-Friday, 9 a.m.-5 p.m. ET or email [email protected].

* Mail: Chief Counsel's Office, Attention: Comment Processing, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.

* Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.

Instructions: You must include "OCC" as the agency name and "Docket ID OCC-2020-0038" in your comment. In general, the OCC will enter all comments received into the docket and publish the comments on the Regulations.gov website without change, including any business or personal information provided such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

Public Inspection: You may review comments and other related materials that pertain to this rulemaking action by any of the following methods:

* Viewing Comments Electronically--Regulations.gov Classic or Regulations.gov Beta:

* Regulations.gov Classic: Go to https://www.regulations.gov/. Enter "Docket ID OCC-2020-0038" in the Search box and click "Search." Click on "Open Docket Folder" on the right side of the screen. Comments and supporting materials can be viewed and filtered by clicking on "View all documents and comments in this docket" and then using the filtering tools on the left side of the screen. Click on the "Help" tab on the Regulations.gov home page to get information on using Regulations.gov. The docket may be viewed after the close of the comment period in the same manner as during the comment period.

* Regulations.gov Beta: Go to https://beta.regulations.gov/ or click "Visit New Regulations.gov Site" from the Regulations.gov Classic homepage. Enter "Docket ID OCC-2020-0038" in the Search Box and click "Search." Click on the "Comments" tab. Comments can be viewed and filtered by clicking on the "Sort By" drop-down on the right side of the screen or the "Refine Results" options on the left side of the screen. Supporting materials can be viewed by clicking on the "Documents" tab and filtered by clicking on the "Sort By" drop-down on the right side of the screen or the "Refine Results" options on the left side of the screen. For assistance with the Regulations.gov Beta site, please call (877) 378-5457 (toll free) or (703) 454-9859 Monday-Friday, 9 a.m.-5 p.m. ET or email [email protected]. The docket may be viewed after the close of the comment period in the same manner as during the comment period.

Board:

When submitting comments, please consider submitting your comments by email or fax because paper mail in the Washington, DC area and at the Board may be subject to delay. You may submit comments, identified by Docket No. R-1736 RIN 7100-AG06, by any of the following methods:

* Agency Website: http://www.federalreserve.gov. Follow the instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/RevisedRegs.cfm.

* Email: [email protected]. Include docket and RIN numbers in the subject line of the message.

* FAX: (202) 452-3819 or (202) 452-3102.

* Mail: Ann E. Misback, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue NW, Washington, DC 20551.

All public comments will be made available on the Board's website at: http://www.federalreserve.gov/generalinfo/foia/RevisedRegs.cfm as submitted, unless modified for technical reasons or to remove personally identifiable information at the commenter's request. Accordingly, comments will not be edited to remove any identifying or contact information. Public comments also may be viewed electronically or in paper in Room 146, 1709 New York Avenue NW, Washington, DC 20006, between 9:00 a.m. and 5:00 p.m. on weekdays.

FDIC:

* Agency Website: https://www.fdic.gov/regulations/laws/federal/. Follow the instructions for submitting comments on the Agency website.

* Email: [email protected]. Include RIN 3064-AF59 in the subject line of the message.

* Mail: James P. Sheesley, Assistant Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429.

* Hand Delivery/Courier: Comments may be hand delivered to the guard station at the rear of the 550 17th Street NW, building (located on F Street) on business days between 7:00 a.m. and 5:00 p.m.

Public Inspection: All comments received will be posted without change to https://www.fdic.gov/regulations/laws/federal/--including any personal information provided--for public inspection. Paper copies of public comments may be ordered from the FDIC Public Information Center, 3501 North Fairfax Drive, Room E-1002, Arlington, VA 22226 or by telephone at (877) 275-3342 or (703) 562-2200.

FOR FURTHER INFORMATION CONTACT:

OCC: Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649-5519, Jennifer Slagle Peck, Counsel, (202) 649-5490, or Priscilla Benner, Senior Attorney, Chief Counsel's Office, (202) 649-5490, or persons who are hearing impaired, TTY, (202) 649-5597, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219.

Board: Nida Davis, Associate Director, (202) 872-4981, Julia Philipp, Lead Financial Institution Cybersecurity Policy Analyst, (202) 452-3940, Don Peterson, Supervisory Cybersecurity Analyst, (202) 973-5059, Systems and Operational Resiliency Policy, of the Supervision and Regulation Division; Jay Schwarz, Special Counsel, (202) 452-2970, Claudia Von Pervieux, Senior Counsel (202) 452-2552, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551. For the hearing impaired only, Telecommunications Device for the Deaf (TDD) users may contact (202) 263-4869.

FDIC: Robert C. Drozdowski, Special Assistant to the Deputy Director (202) 898-3971, [email protected], and Martin D. Henning, Deputy Director (202) 898-3699, [email protected], Division of Risk Management Supervision; Graham N. Rehrig, Senior Attorney (703) 314-3401, [email protected], and John Dorsey, Acting Supervisory Counsel (202) 898-3807, [email protected], Legal Division, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429.

* * *

The OCC, Board, and FDIC (together, the agencies) invite comment on a notice of proposed rulemaking (proposed rule or proposal) that would require a banking organization to provide its primary federal regulator with prompt notification of any "computer-security incident" that rises to the level of a "notification incident."

The proposed rule would require such notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.

This notification requirement is intended to serve as an early alert to a banking organization's primary federal regulator and is not intended to provide an assessment of the incident.

Moreover, a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.

SUPPLEMENTARY INFORMATION:

I. Introduction

Cyberattacks reported to federal law enforcement have increased in frequency and severity in recent years.[1] These types of attacks may use destructive malware or other malicious software to target weaknesses in the computers or networks of banking organizations supervised by the agencies.[2] Some cyberattacks have the potential to alter, delete, or otherwise render a banking organization's data and systems unusable. Depending on the scope of an incident, a banking organization's data and system backups may also be affected, which can severely affect the ability of the banking organization to recover operations. The Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) (collectively, the agencies) are issuing a notice of proposed rulemaking (the proposal or proposed rule) that would require a banking organization to notify its primary federal regulator when the banking organization believes in good faith that a significant "computer-security incident" has occurred.[3] This notification requirement is intended to serve as an early alert to a banking organization's primary federal regulator and is not intended to include an assessment of the incident.

The agencies also recognize that a computer-security incident may be the result of non-malicious failure of hardware, software errors, actions of staff managing these computer resources, or potentially criminal in nature. Banking organizations that experience a computer-security incident that may be criminal in nature are expected to contact relevant law enforcement or security agencies, as appropriate, after the incident occurs.[4]

Moreover, banking organizations have become increasingly reliant on bank service providers to provide essential technology-related products and services. Service providers that provide services described in the Bank Service Company Act (BSCA)[5] to banking organizations (bank service providers)[6] also are vulnerable to cyber threats, which have the potential to disrupt, degrade, or impair the provision of banking services to their banking organization customers. Therefore, the proposed rule would require a bank service provider to notify affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair the provision of services subject to the BSCA. Given the rule's purposes of ensuring that banking organizations provide timely notice of significant computer-security incident disruptions to the agencies, the agencies believe that bank service providers should contact at least two individuals at affected banking organizations to help ensure that notice has been received.

The agencies believe that it is important that the primary federal regulator of a banking organization be notified as soon as possible of a significant computer-security incident that could jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.[7] The proposed rule refers to these significant computer-security incidents as "notification incidents." Knowing about and responding to notification incidents affecting banking organizations is important to the agencies' missions for a variety of reasons, including the following:

* The receipt of notification-incident information may give the agencies earlier awareness of emerging threats to individual banking organizations and, potentially, to the broader financial system;

* An incident may so severely impact a banking organization that it can no longer support its customers, and the incident could impact the safety and soundness of the banking organization, leading to its failure. In these cases, the sooner the agencies know of the event, the better they can assess the extent of the threat and take appropriate action;

* Based on the agencies' broad supervisory experiences, they may be able to provide information to a banking organization that may not have previously faced a particular type of notification incident;

* The agencies would be better able to conduct analyses across supervised banking organizations to improve guidance, adjust supervisory programs, and provide information to the industry to help banking organizations protect themselves; and

* Receiving notice would enable the primary federal regulator to facilitate and approve requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).[8]

As discussed below, current reporting requirements related to cyber incidents are neither designed nor intended to provide timely information to regulators regarding such incidents.

Brian P. Brooks,

Acting Comptroller of the Currency.

By order of the Board of Governors of the Federal Reserve System.

Ann Misback,

Secretary of the Board.

Federal Deposit Insurance Corporation.

By order of the Board of Directors.

Dated at Washington, DC, on or about December 15, 2020.

James P. Sheesley,

Assistant Executive Secretary.

[FR Doc. 2020-28498 Filed 1-11-21; 8:45 am]

BILLING CODE 4810-33-P; 6210-01-P; 6714-01-P

The document is published in the Federal Register: https://www.federalregister.gov/documents/2021/01/12/2020-28498/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank

TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact MYRON STRUCK, editor, [email protected], Springfield, Virginia; 703/304-1897; https://targetednews.com
