Federal Register - November 23, 2021


Source: Federal Register

66426 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations
parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their banking organization customers or have other significant impacts on a banking organization. Therefore, a banking organization needs to receive prompt notification of computer-security incidents that materially disrupt or degrade, or are reasonably likely to materially disrupt or degrade, these services, because prompt notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact and trigger its own notification requirement.
A. Overview of Comments

The agencies collectively received 35 comments from banking and financial sector entities, third-party service providers, industry groups, and other individuals.14 This section provides an overview of the general themes raised by commenters. The comments received on the proposal are further discussed below in the sections describing the final rule, including any changes that the agencies have made to the proposal in response to comments.

General Reaction and Need for a Rule

A majority of commenters supported the proposal, agreeing that providing prompt notice of significant incidents is an important aspect of safety and soundness, and they supported transparent and consistent notification from bank service providers to their banking organization customers. A number of these commenters offered suggestions to clarify certain aspects of the requirements or lessen the perceived burden. Commenters also generally supported the agencies' efforts to harmonize with existing definitions and notification standards. Four commenters opposed the proposal, contending that compliance would be burdensome or duplicative of existing requirements, and may impede banking organizations' and bank service providers' abilities to respond effectively to incidents.
Computer-Security Incidents That Can Trigger Potential Reporting

As described above, the proposal would have required reporting of certain computer-security incidents, defined to be consistent with the NIST definition. While several commenters supported aligning the definition with NIST's definition, most commenters asserted that the proposed definition was overly broad, could be tailored, and suggested different revisions to the proposed definition of "computer-security incident." Specifically, a number of these commenters asserted that the definition should be based on actual, rather than potential, harm and exclude violations of a banking organization's or a bank service provider's policies and procedures.

14 Comments can be accessed at: https://www.regulations.gov/document/OCC-2020-00380001 (OCC); https://www.federalreserve.gov/apps/foia/ViewComments.aspx?doc_id=R-1736&doc_ver=1 (Board); and https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-computer-security-incident-notification-3064af59.html (FDIC).

Notification Incidents Required To Be Reported

As described above, notification incidents are computer-security incidents that require notification to the agencies. Most commenters argued that the proposed definition of "notification incident" was overly broad and should be narrowed and only require reporting of incidents involving actual harm.15 Commenters asserted that any definition should incorporate time, risk, and scale elements, which commenters viewed as critical. In addition, commenters urged the agencies to replace the "good faith" standard with a banking organization's or a bank service provider's "determination" or "reasonable basis to conclude" that an incident had occurred, to provide a more objective and concrete standard.16

15 A commenter suggested that if a banking organization had mitigation strategies in place to offset the impact to a banking organization or its customers, the incident should not be considered a significant or critical incident and therefore should not be considered a notification incident. The commenter also stated that the agencies should indicate that an outage that lasts less than 48 hours in duration does not represent a notification incident.

16 Commenters contended that the "good faith" standard may be unclear, and the agencies should provide guidance on how to make the "good faith" determination. However, some commenters preferred the "good faith" standard over a "reasonably likely" standard.

Timeframes for Notification

The agencies received comments on the timeframes described in the proposal for banking organizations to provide notification to their regulator and for bank service providers to provide notification to their banking organization customers. These comments focused both on the amount of time provided to make the notification and on the trigger that caused the time period to begin being measured. Commenters made a wide variety of suggestions, including recommendations to lengthen and shorten the periods and to provide further clarity regarding when they commenced.

Means of Bank Service Provider Notification

Commenters raised questions regarding the requirement in the proposal that a bank service provider must notify two individuals at each affected banking organization. Notably, some commenters raised concerns that such a requirement would override contractual notification provisions with which both the bank service providers and banking organizations are comfortable.

Applicability to Financial Market Utilities

Commenters suggested that the proposal would cause unintended regulatory overlap for those financial market utilities that are designated as systemically important under Title VIII of the Dodd-Frank Act (designated FMUs) and regulated by the Securities and Exchange Commission (SEC) or Commodity Futures Trading Commission (CFTC). In addition, designated FMUs regulated by the Board are subject to Regulation HH, which includes risk-management standards.
III. Discussion of Final Rule

A. Overview of the Final Rule

In response to comments received on the NPR, the final rule reflects changes to key definitions and notification provisions applicable to both banking organizations and bank service providers. These changes include (1) narrowing the definition of "computer-security incident" by focusing on actual, rather than potential, harm and by removing the second prong of the proposed definition relating to violations of internal policies or procedures; (2) substituting the phrase "reasonably likely to" in place of "could" in the definition of "notification incident"; and (3) replacing the "good faith belief" notification standard with a "determination" standard. Changes to the bank service provider notification provision include (1) adding a definition of "covered services" and (2) requiring that notice be provided to a bank-designated point of contact, rather than to at least two individuals at each banking organization customer. The final rule also excludes designated FMUs from the definitions of "banking organization" and "bank service provider."17 Such changes are intended to address comments and reduce over- and unnecessary notification by both

17 The rule defines "designated financial market utility" as having the same meaning as set forth at 12 U.S.C. 5462(4).
