Federal Register - January 12, 2021
Text version. Dateas is an independent site not affiliated with any government entity. The source of the PDF documents published here is the government entity indicated in each of them. The text versions are unofficial transcriptions that we produce to make the information easier to access and search, but they may contain errors or be incomplete.
Source: Federal Register
2310 Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules
policies, security procedures, or acceptable use policies.
(5) Notification incident is a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—
(i) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
(iii) Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
(6) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A).
§ 53.3 Notification.
A banking organization must notify the OCC of a notification incident through any form of written or oral communication, including through any technological means, to a designated point of contact identified by the OCC. The OCC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred.
§ 53.4 Bank service provider notification.
A bank service provider is required to notify at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the Bank Service Company Act (12 U.S.C. 1861–1867) for four or more hours.
FEDERAL RESERVE SYSTEM
12 CFR Chapter II
Authority and Issuance
For the reasons stated in the Common Preamble and under the authority of 12 U.S.C. 321–338a, 1467a(g), 1818(b), 1844(b), 1861–1867, 3101 et seq., and 5365, the Board proposes to amend chapter II of Title 12, Code of Federal Regulations, as follows:
PART 225—BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL (REGULATION Y)
2. The authority citation for part 225 continues to read as follows:
Authority: 12 U.S.C. 1817(j)(13), 1818, 1828(o), 1831i, 1831p-1, 1843(c)(8), 1844(b), 1972(l), 3106, 3108, 3310, 3331–3351, 3906, 3907, and 3909; 15 U.S.C. 1681s, 1681w, 6801 and 6805.
3. Subpart N is added to read as follows:
Subpart N—Computer-Security Incident Notification
Sec.
225.300 Authority, purpose, and scope.
225.301 Definitions.
225.302 Notification.
225.303 Bank service provider notification.
Subpart N—Computer-Security Incident Notification
§ 225.300 Authority, purpose, and scope.
(a) Authority. This subpart is issued under the authority of 12 U.S.C. 1, 321–338a, 1467a(g), 1818(b), 1844(b), 1861–1867, 3101 et seq., and 5365.
(b) Purpose. This subpart promotes the timely notification of significant computer-security incidents that affect Board-supervised entities and their service providers.
(c) Scope. This subpart applies to all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. This subpart also applies to bank service providers, as defined in § 225.301(a)(2).
§ 225.301 Definitions.
(a) For purposes of this subpart, the following definitions apply:
Banking organization means a U.S. bank holding company; U.S. savings and loan holding company; state member bank; the U.S. operations of foreign banking organizations; and an Edge and agreement corporation.
Bank service provider means a bank service company or other person providing services to a banking organization that is subject to the Bank Service Company Act (12 U.S.C. 1861–1867).
Business line means products or services offered by a banking organization to serve its customers or support other business needs.
Computer-security incident is an occurrence that:
(1) Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or
(2) Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Notification incident is a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair—
(1) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(2) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
(3) Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
(b) [Reserved]
§ 225.302 Notification.
A banking organization must notify the Board of a notification incident through any form of written or oral communication, including through any technological means (e.g., email, telephone, text, etc.), to a designated point of contact identified by the Board (e.g., an examiner-in-charge, local supervisory office, or a cyber-incident operations center). The Board must receive this notification from a banking organization as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred.
§ 225.303 Bank service provider notification.
A bank service provider is required to notify at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided, subject to the Bank Service Company Act (12 U.S.C. 1861–1867), for four or more hours.
FEDERAL DEPOSIT INSURANCE CORPORATION
Authority and Issuance
For the reasons stated in the Common Preamble, and under the authority of 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861–1867, the FDIC proposes to amend 12 CFR part 304 as follows:
PART 304—FORMS, INSTRUCTIONS, AND REPORTS
4. Revise the authority citation for part 304 to read as follows:
Authority: 5 U.S.C. 552; 12 U.S.C. 1463, 1464, 1813, 1817, 1819, 1831, and 1861–1867.