Federal Register - January 12, 2021


Source: Federal Register

2302 Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules
service, whichever occurs first.[12]
However, the BSCA has no notification requirements if the service is disrupted.


III. The Proposal

The proposed rule would establish two primary requirements, which would promote the safety and soundness of banking organizations and be consistent with the agencies' authorities to supervise these entities.[13] First, the proposed rule would require a banking organization to notify the agencies of a notification incident. In particular, a banking organization would be required to notify its primary federal regulator of any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred.
The agencies do not expect that a banking organization would typically be able to determine that a notification incident has occurred immediately upon becoming aware of a computer-security incident. Rather, the agencies anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. In this context, the agencies recognize banking organizations may not come to a good faith belief that a notification incident has occurred outside of normal business hours. Only once the banking organization has made such a determination would the requirement to report within 36 hours begin.
The proposed rule would define a computer-security incident as an occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. The proposed rule would define a notification incident as a computer-security incident that a banking organization believes in good faith could materially disrupt, degrade, or impair:
the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

[12] 12 U.S.C. 1867(c)(2).
[13] See 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861–1867, and 3102 (OCC); 12 U.S.C. 321–338a, 1467a(g), 1818(b), 1844(b), 1861–1867, 3101 et seq., and 5365 (Board); 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861–1867 (FDIC).

Second, the proposed rule would require a bank service provider of a service described under the BSCA to notify at least two individuals at affected banking organization customers immediately after experiencing a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. As technological developments have increased in pace, banks have become increasingly reliant on bank service providers to provide essential technology-related products and services. The impact of computer-security incidents at bank service providers can flow through to their banking organization customers.
Therefore, in order for a banking organization to be able to provide relevant notifications to its primary federal regulator in a timely manner, it needs to receive prompt notification of computer-security incidents from its service providers.
Bank services that are subject to the BSCA include check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution, as well as components that underlie these activities.[14] Other services that are subject to the BSCA include data processing, back office services, and activities related to credit extensions, as well as components that underlie these activities.[15]

[14] See 12 U.S.C. 1863–64.
[15] See 12 U.S.C. 1864(f). Under the BSCA, such services must be permissible for bank holding companies under section 4(c)(8) of the Bank Holding Company Act of 1956, as amended, and § 225.28 of the Board's Regulation Y. 12 U.S.C. 1841 et seq.; 12 CFR 225.28. Activities permissible under § 225.28 are: (1) extending credit and servicing loans; (2) activities related to extending credit; (3) leasing personal or real property; (4) operating nonbank depository institutions; (5) trust company functions; (6) financial and investment advisory activities; (7) agency transactional services for customer investments; (8) investment transactions as principal; (9) management consulting and counseling activities; (10) support services; (11) insurance agency and underwriting; (12) community development activities; (13) money orders, savings bonds, and traveler's checks; and (14) data processing. 12 CFR 225.28.

The proposed rule would apply to the following banking organizations:
For the OCC, banking organizations would include national banks, federal savings associations, and federal branches and agencies.
For the Board, banking organizations would include all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations.
For the FDIC, banking organizations would include all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.

To clarify, not all computer-security incidents require a banking organization to notify its primary federal regulator; only those that rise to the level of notification incidents require notification. Other computer-security incidents, such as a limited distributed denial of service attack that is promptly and successfully managed by a banking organization, would not require notice to the appropriate agency.
The following is a non-exhaustive list of events that would be considered notification incidents under the proposed rule:
1. Large-scale distributed denial of service attacks that disrupt customer account access for an extended period of time (e.g., more than 4 hours);
2. A bank service provider that is used by a banking organization for its core banking platform to operate business applications is experiencing widespread system outages and recovery time is undeterminable;
3. A failed system upgrade or change that results in widespread user outages for customers and bank employees;
4. An unrecoverable system failure that results in activation of a banking organization's business continuity or disaster recovery plan;
5. A computer hacking incident that disables banking operations for an extended period of time;
6. Malware propagating on a banking organization's network that requires the banking organization to disengage all internet-based network connections; and
7. A ransom malware attack that encrypts a core banking system or backup data.
The agencies expect that banking organizations would consider whether other significant computer-security incidents they experience, beyond those listed above, constitute notification incidents for purposes of notifying the appropriate agency.
The definition of notification incident includes language that is consistent with the core business line