Federal Register - January 12, 2021
Source: Federal Register
2304 Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules
within the scope of the proposal.
However, these processes are not uniform or consistent between institutions and have not always resulted in timely notification being provided to the applicable regulator, which is why the agencies are issuing this proposal. This proposal also is not expected to add significant burden on bank service providers. The agencies' experiences with conducting bank service provider contract reviews during examinations indicate that most of these contracts include incident-reporting provisions. As a result, this proposal is not expected to add significant burden on a material number of bank service providers.
Each agency may provide additional clarification and guidance to its supervised banking organizations on how best to communicate with the agencies to implement the notification requirements of the rule.
IV. Impact Analysis
Covered banking organizations under the proposed rule would include all depository institutions, holding companies, and certain other financial entities that are supervised by one of the agencies. According to recent Call Report and other data, the agencies supervise approximately 5,000 depository institutions along with a number of holding companies and other financial services entities that would be covered under the proposed rule.18
In addition, the proposed rule would require bank service providers as described in the BSCA to notify at least two individuals at affected banking organization customers immediately after the bank service providers experience a computer-security incident that they believe in good faith could disrupt, degrade, or impair services they provide subject to the BSCA for four or more hours. This requirement would enable a banking organization to promptly respond to an incident, determine whether it must notify its primary federal regulator that a notification incident has occurred, and take other appropriate measures related to the incident. The agencies do not have data on the number of bank service providers that would be affected by this requirement. However, several known bank service providers have self-selected the North American Industry Classification System (NAICS) industry "Computer System Design and Related Services" (NAICS industry code 5415) as their primary business activity. As a conservative estimate of the population of covered bank service providers for this analysis, the agencies assume that all firms in this industry are bank service providers.19 According to Census counts, there were 120,220 firms in the United States under NAICS code 5415 in 2017, the most recent year for which such data is available.20
18 September 30, 2020 Call Report Data.
Benefits
The agencies believe that prompt notification of these incidents would provide the following benefits to banking organizations and the financial industry as a whole.
Notification may assist the relevant agencies in determining whether the incident is isolated or is one of many simultaneous identical or similar incidents at multiple banking organizations. If the notification incident is isolated to a single banking organization, the primary federal regulator may be able to facilitate requests for assistance to the affected organization, arranged by the U.S. Treasury's OCCIP, to minimize the impact of the incident. This benefit may be greatest for small banking organizations with more limited computer security resources. If the notification incident is one of many simultaneous identical or similar incidents at multiple banking organizations, the agencies may also alert other banking organizations of the threat, as appropriate, while protecting confidential supervisory information, recommend preventative measures in order to better manage or prevent reoccurrence of similar incidents, or otherwise help coordinate the response and mitigation efforts. Receiving notification incident information from multiple banking organizations would also allow regulators to conduct analyses across entities to improve guidance, to adjust supervisory programs to limit the reoccurrence of such incidents in the future, and to provide information to the industry to help banking organizations protect themselves against future computer-security incidents.
The proposal may help reduce losses in the event a notification incident is so significant that it jeopardizes a banking organization's viability, as the proposal will provide additional time for the agencies to prepare to handle a potential failure as cost-effectively and nondisruptively as possible.
19 NAICS code 5415 most likely contains many firms that are not bank service providers, so the agencies believe using the population of firms in this industry is an overestimate. However, there may be some bank service providers that do not self-identify under NAICS code 5415.
20 See U.S. Census Bureau, 2017 SUSB Annual Data Tables by Establishment Industry (Mar. 2020), https://www.census.gov/data/tables/2017/econ/susb/2017-susb-annual.html.
The agencies do not have the information to quantify the potential benefits of the proposed rule because the benefits depend on the breadth and severity of future notification incidents, the specifics of those incidents, and the value of the assistance approved by the agencies, among other things. In addition, the agencies believe that the proposed rule would formalize a process that already exists, based on the agencies' experiences. Nevertheless, as previously discussed, banking organizations face a heightened risk of disruptive and destructive attacks that have increased in frequency and severity in recent years; therefore, the agencies believe that the benefits of the proposed rule would exceed the costs detailed below.
Costs
The proposed rule would require banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after a banking organization has determined that a notification incident has occurred. The agencies reviewed available supervisory data and SARs involving cyber events against banking organizations to develop an estimate of the number of notification incidents expected to be reported annually. This review focused on descriptive criteria (e.g., ransomware, trojan, zero day, etc.) that may be indicative of the type of material computer-security incident that would meet the notification incident reporting criteria. Based on this review, the agencies estimate that approximately 150 notification incidents may occur on an annual basis.21 The agencies specifically invite comment on the estimated number of incidents.
The agencies estimate that, upon occurrence of a notification incident, the affected banking organization may incur up to three hours of staff time to coordinate internal communications, consult with its bank service provider, if appropriate, and notify the banking organization's primary federal regulator.
This may include discussion of the incident among staff of the banking organization, such as the Chief Information Officer, Chief Information Security Officer, a senior legal or compliance officer, and staff of a bank service provider, as appropriate, and liaison with senior management of the
21 The agencies used conservative judgment when assessing whether a cyber-event might have risen to the level of a notification incident, so the approach may overestimate the number. However, the approach may also underestimate the number of notification incidents since supervisory and SAR data may not capture all such incidents.