Federal Register - November 23, 2021


Source: Federal Register

66424 Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations
Signed in Washington, DC, on November 18, 2021.
Treena V. Garrett,
Federal Register Liaison Officer, U.S. Department of Energy.
[FR Doc. 2021–25537 Filed 11–22–21; 8:45 am]
BILLING CODE 6450–01–P

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 53
[Docket ID OCC–2020–0038]
RIN 1557–AF02

FEDERAL RESERVE SYSTEM
12 CFR Part 225
[Docket No. R–1736]
RIN 7100–AG06

FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 304
RIN 3064–AF59

Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

AGENCY: The Office of the Comptroller of the Currency (OCC), Treasury; the Board of Governors of the Federal Reserve System (Board); and the Federal Deposit Insurance Corporation (FDIC).
ACTION: Final rule.
SUMMARY: The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary Federal regulator of any "computer-security incident" that rises to the level of a "notification incident," as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
DATES: Effective date: April 1, 2022; Compliance date: May 1, 2022.
FOR FURTHER INFORMATION CONTACT:
OCC: Patrick Kelly, Director, Critical Infrastructure Policy, (202) 649–5519, Carl Kaminski, Assistant Director, (202) 649–5490, or Priscilla Benner, Senior Attorney, Chief Counsel's Office, (202) 649–5490, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219.
Board: Thomas Sullivan, Senior Associate Director, (202) 475–7656, Julia Philipp, Lead Financial Institution Cybersecurity Policy Analyst, (202) 452–3940, Don Peterson, Supervisory Cybersecurity Analyst, (202) 973–5059, Systems and Operational Resiliency Policy, of the Supervision and Regulation Division; Jay Schwarz, Assistant General Counsel, (202) 452–2970, Claudia Von Pervieux, Senior Counsel, (202) 452–2552, Christopher Danello, Senior Attorney, (202) 736–1960, Legal Division, Board of Governors of the Federal Reserve System, 20th and C Streets NW, Washington, DC 20551, or https://www.federalreserve.gov/apps/ContactUs/feedback.aspx, and click on "Staff Group, Regulations."
FDIC: Rob Drozdowski, Special Assistant to the Deputy Director, (202) 898–3971, rdrozdowski@fdic.gov, Division of Risk Management Supervision; or John Dorsey, Counsel, (202) 898–3807, jdorsey@fdic.gov, Graham Rehrig, Senior Attorney, (202) 898–3829, grehrig@fdic.gov, Legal Division.
SUPPLEMENTARY INFORMATION:

Table of Contents
I. Introduction
II. Background
  A. Overview of Comments
III. Discussion of Final Rule
  A. Overview of Final Rule
  B. Definitions
    i. Definition of Banking Organization
    ii. Definition of Bank Service Provider
    iii. Definition of Computer-Security Incident
    iv. Definition of Notification Incident
    v. Examples of Notification Incidents
  C. Banking Organization Notification to Agencies
    i. Timing of Notification to Agencies
    ii. Method of Notification to Agencies
  D. Bank Service Provider Notification to Banking Organization Customers
    i. Scope of Bank Service Provider Notification
    ii. Timing of Bank Service Provider Notification
    iii. Bank Service Provider Notification to Customers
    iv. Bank Service Provider Agreements Contract Notice Provisions
IV. Other Rulemaking Considerations
  A. Bank Service Provider Material Incidents Consideration
  B. Methodology for Determining Number of Incidents Subject to the Rule
  C. Voluntary Information Sharing
  D. Utilizing Prompt Corrective Action Capital Classifications
  E. Ability To Rescind Notification and Obtain Record of Notice
  F. Single Notification Definition
  G. Affiliated Banking Organizations Considerations
  H. Consideration of the Number of Bank Service Providers
V. Impact Analysis
VI. Alternatives Considered
VII. Effective Date
VIII. Administrative Law Matters
  A. Paperwork Reduction Act
  B. Regulatory Flexibility Act
  C. Riegle Community Development and Regulatory Improvement Act of 1994
  D. Congressional Review Act
  E. Use of Plain Language
  F. Unfunded Mandates Reform Act

I. Introduction

The OCC, Board, and FDIC (together, the agencies) are issuing a final rule to require that a banking organization ¹ promptly notify its primary Federal regulator of any computer-security incident that rises to the level of a notification incident, as those terms are defined in the final rule. As described in more detail below, these incidents may have many causes. Examples include a large-scale distributed denial of service attack that disrupts customer account access for an extended period of time and a computer hacking incident that disables banking operations for an extended period of time.

Under the final rule, a banking organization's primary Federal regulator must receive this notification as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. This requirement will help promote early awareness of emerging threats to banking organizations and the broader financial system. This early awareness will help the agencies react to these threats before they become systemic. The final rule separately requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause,

¹ For the OCC, "banking organizations" includes national banks, Federal savings associations, and Federal branches and agencies of foreign banks. For the Board, "banking organizations" includes all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. For the FDIC, "banking organizations" includes all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured State savings associations. Each agency's definition excludes financial market utilities (FMUs) designated under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act (designated FMUs).
