Federal Register - January 12, 2021
Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules
and critical operation definitions included in the resolution-planning rule issued by the Board and FDIC under section 165(d) of the Dodd-Frank Act.16
In particular, the second prong of the notification incident definition identifies incidents that would impact core business lines, and the third prong identifies incidents that would impact critical operations. Banking organizations subject to the Resolution Planning Rule can use the core business lines and critical operations identified in their resolution plans 17 to identify incidents that should be reported under the second and third prongs of the proposed rule.
The agencies do not expect banking organizations that are not subject to the Resolution Planning Rule to identify core business lines or critical operations, or to develop procedures to determine whether they engage in any operations, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
However, the agencies do expect all banking organizations to have a sufficient understanding of their lines of business to be able to notify the appropriate agency of notification incidents that could result in a material loss of revenue, profit, or franchise value to the banking organization.
If a banking organization is a subsidiary of another banking organization that is also subject to the notification requirements of this proposed rule, the agencies expect the subsidiary banking organization to alert its parent banking organization as soon as possible of the notification incident, in addition to notifying its primary federal regulator. The parent banking organization would need to make a separate assessment of whether it, too, has suffered a notification incident about which it must notify its primary federal regulator. An entity that is not itself a banking organization, but that is a subsidiary of a banking organization, would not have its own separate notification requirement under this proposed rule. Instead, if a computer-security incident were to occur at a nonbank subsidiary of a banking organization, the parent banking organization would be expected to assess whether the incident was a notification incident, and if so, it would be required to notify its primary federal regulator.

16 Section 165(d) of the Dodd-Frank Act and the resolution-plan rule, 12 CFR parts 363 and 381 (the Resolution Planning Rule), require certain financial companies to report periodically to the FDIC and the Board their plans for rapid and orderly resolution in the event of material financial distress or failure. On November 1, 2019, the FDIC and the Board published in the Federal Register amendments to the Resolution Planning Rule. See 84 FR 59194.

17 Elements of both the core business lines and critical operations definitions from the Resolution Planning Rule are incorporated in the proposed notification incident definition. Under the Resolution Planning Rule, "core business lines" means those business lines of the covered company, including associated operations, services, functions and support, that, in the view of the covered company, upon failure would result in a material loss of revenue, profit, or franchise value, and "critical operations" means those operations of the covered company, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States. See 12 CFR 363.2, 381.2.
The proposed notification requirement is intended to serve as an early alert to a banking organization's primary federal regulator about a notification incident and is not intended to include an assessment of the incident. As such, no specific information is required for the notice, and the proposed rule does not include any prescribed reporting forms or templates, in order to minimize reporting burden.
The agencies believe that in most cases banking organizations would eventually notify their primary regulator when an event occurs that meets the high threshold of a notification incident, and that this proposed rule is formalizing a process that the agencies' experience suggests already exists. The agencies recognize that a banking organization may be working expeditiously to resolve the notification incident, either directly or through a bank service provider, at the time it would be expected to notify its primary federal regulator. The agencies believe, however, that 36 hours is a reasonable amount of time after a banking organization believes in good faith that a notification incident has occurred to notify its primary federal regulator, particularly because the notice would not need to include an assessment of the incident. The agencies expect only that banking organizations share general information about what is known at the time. Moreover, the notice could be provided through any form of written or oral communication, including through any technological means (e.g., email or telephone), to a designated point of contact identified by the banking organization's primary federal regulator (e.g., an examiner-in-charge, local supervisory office, or a cyber-incident operations center). The notification, and any information provided by a banking organization related to the incident, would be subject to the agencies' confidentiality rules.
Under the proposed rule, a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. A bank service provider would not be expected to assess whether the incident rises to the level of a notification incident for a banking organization customer. The banking organization would be responsible for making that determination because a bank service provider may not know if the services provided are critical to the banking organization's operations. If, after receiving such notice from a bank service provider, the banking organization determines that a notification incident has occurred, the banking organization would be required to notify its primary federal regulator in accordance with this proposed rule.
Typically, existing bank service provider agreements that support operations that are critical to a banking organization customer require notification to the customer as soon as possible in the event of a material incident during the normal course of business, and the agencies believe that the procedures in place to do so will generally include some redundancy to ensure that notification occurs.
Under the proposal, the agencies would expect bank service providers to continue to provide a banking organization customer with prompt notification of these material incidents.
The agencies believe that it is practical for a bank service provider to immediately notify at least two individuals at their affected banking organization customers after experiencing a computer-security incident of the severity described in the proposed rule because the notice would not need to include an assessment of the incident, and the agencies observe that there are effective automated systems for doing so currently. The agencies expect only that bank service providers would make a best effort to share general information about what is known at the time. Regulators would enforce the bank service provider notification requirement directly against bank service providers and would not cite a banking organization because a service provider fails to comply with the service provider notification requirement.
This proposal is not expected to add significant burden on banking organizations. Banking organizations should already have internal policies for responding to computer-security incidents, which the agencies believe generally already include processes for notifying their primary federal regulator and other stakeholders of incidents