Federal Register - January 12, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules

service providers to provide essential technology-related products and services. Service providers that provide services described in the Bank Service Company Act (BSCA)[5] to banking organizations (bank service providers)[6] also are vulnerable to cyber threats, which have the potential to disrupt, degrade, or impair the provision of banking services to their banking organization customers. Therefore, the proposed rule would require a bank service provider to notify affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair the provision of services subject to the BSCA. Given the rule's purposes of ensuring that banking organizations provide timely notice of significant computer-security incident disruptions to the agencies, the agencies believe that bank service providers should contact at least two individuals at affected banking organizations to help ensure that notice has been received.

The agencies believe that it is important that the primary federal regulator of a banking organization be notified as soon as possible of a significant computer-security incident that could jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.[7] The proposed rule refers to these significant computer-security incidents as notification incidents. Knowing about and responding to notification incidents affecting banking organizations is important to the agencies' missions for a variety of reasons, including the following:

The receipt of notification-incident information may give the agencies earlier awareness of emerging threats to individual banking organizations and, potentially, to the broader financial system;

An incident may so severely impact a banking organization that it can no longer support its customers, and the incident could impact the safety and soundness of the banking organization, leading to its failure. In these cases, the sooner the agencies know of the event, the better they can assess the extent of the threat and take appropriate action;

Based on the agencies' broad supervisory experiences, they may be able to provide information to a banking organization that may not have previously faced a particular type of notification incident;

The agencies would be better able to conduct analyses across supervised banking organizations to improve guidance, adjust supervisory programs, and provide information to the industry to help banking organizations protect themselves; and

Receiving notice would enable the primary federal regulator to facilitate and approve requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP).[8]

[5] 12 U.S.C. 1861–67.
[6] Bank service providers would include both bank service companies and third-party providers under the BSCA.
[7] These computer-security incidents may include major computer-system failures, cyber-related interruptions, such as coordinated denial of service and ransomware attacks, or other types of significant operational interruptions.
As discussed below, current reporting requirements related to cyber incidents are neither designed nor intended to provide timely information to regulators regarding such incidents.
II. Review of Existing Regulations and Guidance

The agencies considered whether the information that would be provided under the proposed rule could be obtained through existing reporting standards. Currently, banking organizations may be required to report certain instances of disruptive cyber-events and cyber-crimes through the filing of Suspicious Activity Reports (SARs), and they are generally expected to notify their primary federal regulator as soon as possible when they become aware of an incident involving unauthorized access to or use of sensitive customer information.[9]
These reporting standards provide the agencies with valuable insight regarding cyber-related events and information security compromises; however, these existing requirements do not provide the agencies with sufficiently timely information about every notification incident that would be captured by the proposed rule.

[8] OCCIP coordinates with U.S. Government agencies to provide agreed-upon assistance to banking and other financial services sector organizations on computer-incident response and recovery efforts. These activities may include providing remote or in-person technical support to an organization experiencing a significant cyber event to protect assets, mitigate vulnerabilities, recover and restore services, identify other entities at risk, and assess potential risk to the broader community. The Federal Financial Institutions Examination Council's Cybersecurity Resource Guide for Financial Institutions (Oct. 2018) identifies additional information available to banking organizations. Available at https://www.ffiec.gov/press/pdf/FFIEC%20Cybersecurity%20Resource%20Guide%20for%20Financial%20Institutions.pdf (last accessed Nov. 29, 2020).
[9] See 12 CFR part 30, appendix B, supp. A (OCC); 12 CFR part 208, appendix D–2, supp. A, 12 CFR 211.5(l), 12 CFR part 225, appendix F, supp. A (Board); 12 CFR part 364, appendix B, supp. A (FDIC) (italics omitted).
Under the reporting requirements of the Bank Secrecy Act (BSA) and its implementing regulations, certain banking organizations are required to file SARs when they detect a known or suspected criminal violation of federal law or a suspicious transaction related to a money-laundering activity.[10] While the agencies monitor SARs regularly, SARs serve a different purpose from this proposed incident notification requirement and do not require reporting of every incident captured by the proposed definition of a notification incident. Moreover, the 30-calendar-day reporting requirement under the BSA framework (with an additional 30 calendar days provided in certain circumstances) does not provide the agencies with sufficiently timely notice of reported incidents.
Additionally, the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, which interprets section 501(b) of the Gramm-Leach-Bliley Act (GLBA) and the Interagency Guidelines Establishing Information Security Standards, generally sets forth the supervisory expectation that a banking organization notify its primary federal regulator as soon as possible if the organization becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information.[11] While this may provide the agencies with notice of certain computer-security incidents, this standard is too narrow in scope to address all relevant computer-security incidents that would be covered by the proposed rule. In particular, the GLBA notification standard focuses on incidents that result in the compromise of sensitive customer information and, therefore, does not include the reporting of incidents that disrupt operations but do not compromise sensitive customer information.
Finally, the BSCA requires a banking organization to notify the appropriate Federal banking agency of the existence of service relationships within 30 days after the making of such service contracts or the performance of the

[10] See, e.g., 31 U.S.C. 5311 et seq.; 31 CFR subtitle B, chapter X.
[11] See 15 U.S.C. 6801; 12 CFR part 30, appendix B, supp. A (OCC); 12 CFR part 208, appendix D–2, supp. A, 12 CFR 211.5(l), 12 CFR part 225, appendix F, supp. A (Board); 12 CFR part 364, appendix B, supp. A (FDIC).