Federal Register - January 12, 2021


Source: Federal Register

Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules

Proposed Information Collection

Title of Information Collection: Computer-Security Incident Notification.
Frequency of Response: On occasion; event-generated.[26]
Affected Public: Businesses or other for-profit.
Respondents:
OCC: National banks, federal savings associations, federal branches and agencies, and bank service providers.
FDIC: All insured state nonmember banks, insured state-licensed branches of foreign banks, State savings associations, and bank service providers.
Board: All state member banks as defined in 12 CFR 208.2(g), bank holding companies as defined in 12 U.S.C. 1841, savings and loan holding companies as defined in 12 U.S.C. 1467a, foreign banking organizations as defined in 12 CFR 211.21(o), foreign banks that do not operate an insured branch, state branch or state agency of a foreign bank as defined in 12 U.S.C. 3101(b)(11) and (12), Edge or agreement corporations as defined in 12 CFR 211.1(c)(2) and (3), and bank service providers.

Number of Respondents:[27]
OCC: Reporting: 22; Disclosure: 801.
FDIC: Reporting: 96; Disclosure: 802.
Board: Reporting: 32; Disclosure: 801.

Estimated Hours per Response:
Reporting (Sections 53.3 (OCC), 225.302 (Board), and 304.23 (FDIC)): 3 hours.
Disclosure (Sections 53.4 (OCC), 225.303 (Board), and 304.24 (FDIC)): 3 hours.

Estimated Total Annual Burden:
OCC: Reporting 66 hours; Disclosure 2,403 hours.
FDIC: Reporting 288 hours; Disclosure 2,406 hours.
Board: Reporting 96 hours; Disclosure 2,403 hours.


Abstract: The proposed rule would establish notification requirements for banking organizations upon the occurrence of a computer-security incident that rises to the level of a notification incident.
A notification incident is defined as a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair:
(1) The ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(2) Any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
(3) Those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

[26] For purposes of these calculations, the agencies assume that the frequency is 1 response per respondent.
[27] The number of respondents for the reporting requirement is based on allocating the estimated 150 notification incidents among the agencies based on the percentage of entities supervised by each agency. The FDIC represents the majority of the banking organizations (64 percent), while the Board supervises approximately 21 percent of the banking organizations, with the OCC supervising the remaining 15 percent of banking organizations. The number of respondents for the disclosure requirement is based on an assumption of an approximately 2 percent per year frequency of incidents from 120,220 firms, which is divided equally among the OCC, FDIC, and Board.
A computer-security incident is defined as an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
The proposed rule would require a banking organization to notify its primary federal banking regulator upon the occurrence of a notification incident at the banking organization.
The agencies recognize that the proposed rule would impose a limited amount of burden, beyond what is usual and customary, on banking organizations in the event of a computer-security incident even if it does not rise to the level of a notification incident, because banking organizations will need to perform an analysis to determine whether the relevant thresholds for notification are met. Therefore, the agencies' estimated burden per notification incident takes into account the burden associated with such computer-security incidents.
The proposed rule also would require a bank service provider, as defined herein and in accordance with the BSCA, to notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.
Regulatory Flexibility Act

OCC: The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., requires an agency, in connection with a proposed rule, to prepare an Initial Regulatory Flexibility Analysis describing the impact of the rule on small entities (defined by the Small Business Administration (SBA) for purposes of the RFA to include commercial banks and savings institutions with total assets of $600 million or less and trust companies with total assets of $41.5 million or less) or to certify that the proposed rule would not have a significant economic impact on a substantial number of small entities.
The OCC currently supervises approximately 745 small entities.
Because the proposed rule impacts all OCC-supervised institutions, as well as all bank service providers, it would impact a substantial number of small entities. However, the expected costs of the proposal would be de minimis.
Many banks already have internal policies for responding to security incidents, which include processes for notifying their primary regulator and other stakeholders of incidents within the scope of the proposal. Additionally, while the OCC believes bank service provider contracts may already include these provisions, if current contracts do not include these provisions, then the OCC does not expect the implementation of these provisions to impose a material burden on bank service providers. Therefore, the OCC certifies that the proposed rule, if implemented, would not have a significant economic impact on a substantial number of small entities.
Board: The Board has considered the potential impact of the proposed rule on small entities in accordance with section 603 of the RFA.[28] Based on the Board's analysis, and for the reasons stated below, the Board believes that this proposed rule will not have a significant economic impact on a substantial number of small entities.
As discussed in the SUPPLEMENTARY INFORMATION, the agencies are proposing to require a banking organization to notify its primary federal regulator as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. The proposed rule would establish a significant computer-security incident notification requirement, which would support the safety and soundness of entities supervised by the agencies. The proposed rule also would require a bank service provider, as defined herein and in accordance with the BSCA, to notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair the provision of services subject to the BSCA for four or more hours.

[28] 5 U.S.C. 603.
