Federal Register - January 12, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rules
banking organization. The agencies believe that the regulatory burden associated with the notice requirement would be de minimis, because the communications that led to the determination of the notification incident would occur regardless of the proposed rule.22
The proposed rule also requires a bank service provider, as defined herein and in accordance with the BSCA, to notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. The agencies do not have data on the frequency of incidents that would require bank service providers to notify their customers who are banking organizations. For purposes of this proposed rule, the agencies assume that 2,404 bank service providers, or approximately 2 percent 23 of the 120,220 firms under NAICS code 5415, could experience a computer-security incident each year that would require notification to affected banking organization customers. The agencies specifically invite comment on the estimated number of incidents.
The agencies believe that bank service providers would have automated systems allowing them to identify banking organization customers when a computer-security incident that meets the criteria for notification has occurred and for contacting at least two individuals at affected banking organization customers. Furthermore, the agencies anticipate that such firms would need approximately one hour to determine that a computer-security incident meets the notification criteria and two hours to identify the customers affected by the service disruption and provide notification that an incident has occurred. These activities would total 7,212 hours per year for the population of bank service providers described above.24 The agencies believe that the additional compliance costs would be de minimis for each affected bank service provider.25 Post-notification activities such as providing technical support to affected banking organization customers that would be provided during the normal course of business when managing and resolving a computer-security incident are beyond the scope of the notification requirement.
22 Even at an elevated labor compensation rate of $200 per hour, the proposed rule would only impose additional compliance costs of $600 per notification.
23 This is informed by the estimate of the percentage of banking organizations that have notification incidents.
24 7,212 hours = 2,404 (per-year frequency of incidents) × 3 hours per incident.
25 Even at an elevated labor compensation rate of $200 per hour, the proposed rule would only impose additional compliance costs of $600 per notification.
The agencies invite comments on these expected benefits and costs.
V. Alternatives Considered
The agencies considered several alternatives to the proposal. The agencies considered leaving the current regulations unchanged. The agencies rejected this alternative because of the significant risks that notification incidents pose to banking organizations and to the financial sector.
The agencies considered limiting the definition of notification incidents to those covered by the SAR-filing requirements. In this alternative, submission of a SAR would have served as notification of such an incident. This approach would have eliminated the additional compliance burden but would have delayed the notification and decreased the benefits provided by the proposed rule. In the proposal, however, the agencies determined that, to minimize regulatory burden, the notice requirement would not include the level of detail required of a SAR which could otherwise have created a significant burden to complete as a banking organization manages a notification incident.
The agencies considered expanding the definition of notification incident to include any incident that might disrupt a banking organization's systems or any unauthorized access to the banking organization's sensitive customer data.
However, the agencies ultimately sought to strike a balance that would minimize compliance burden by focusing only on events that are likely to cause significant harm to banking organizations.
VI. Request for Comments
The agencies seek comment on all aspects of their proposal and more specifically on the following:
1. How should the definition of "computer-security incident" be modified, if at all? For example, should it include only occurrences that result in actual harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits? Should it include only occurrences that constitute an actual violation of security policies, security procedures, or acceptable use policies?
2. How should the definition of "notification incident" be modified, if at all? For example, instead of "computer-security incident," should the definition of notification incident refer to other NIST terms and definitions, or another recognized source of terms and definitions? Should the standard for "materially disrupt, degrade, or impair" be altered to reduce potential redundancy between the terms or to consider different types of impact on the banking organization? Should the definition not include language that is consistent with the "core business line" and "critical operation" definitions included in the resolution-planning rule? Should those elements of the definition only apply to banking organizations that have resolution planning requirements?
3. How should the 36-hour timeframe for notification be modified, if at all, and why? Should it be made shorter or longer? Should it start at a different time? Should the timeframe be modified for certain types of notification incidents or banking organizations; for example, should banks with total assets of less than $10 billion have a different timeframe?
4. Is the proposed requirement that banking organizations and bank service providers notify the appropriate party when they believe in good faith that they are experiencing or have experienced a notification incident or computer-security incident, as applicable, sufficiently clear such that banking organizations and bank service providers understand when they should provide notice? How should the "believes in good faith" standard be modified, if at all? For example, should the standard be "reasonably believes" for either banking organizations or bank service providers?
5. How should notification by banking organizations under the proposed rule be provided to the agencies? Should the agencies adopt a process for joint notification to the agencies in cases where multiple affiliates of a banking organization have notification requirements to different agencies? If so, how should joint notification be done and why? Should the agencies adopt centralized points of contact to receive notifications or should notifications be provided to regional offices such as Federal Reserve Banks or banking organization-specific supervisory teams?
6. The proposed rule's definition of banking organizations and bank service providers would include the financial market utilities (FMUs) that are chartered as a State member bank or Edge corporation, or perform services subject to regulation and examination under the BSCA. Are there unique factors that the agencies should consider in determining how notification requirements should apply to these