Federal Register - November 23, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 223 / Tuesday, November 23, 2021 / Rules and Regulations / 66425

a material service disruption or degradation for four or more hours. This separate requirement will ensure that a banking organization receives prompt notification of a computer-security incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided by a bank service provider. This notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization's own notification requirement.

II. Background

Computer-security incidents can result from destructive malware or malicious software (cyberattacks), as well as non-malicious failure of hardware and software, personnel errors, and other causes. Cyberattacks targeting the financial services industry have increased in frequency and severity in recent years.[2] These cyberattacks can adversely affect banking organizations' networks, data, and systems, and ultimately their ability to resume normal operations.

Given the frequency and severity of cyberattacks on the financial services industry, the agencies believe that it is important that a banking organization's primary Federal regulator be notified as soon as possible of a significant computer-security incident[3] that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.[4] The final rule refers to these significant computer-security incidents as "notification incidents."[5] Timely notification is important as it would allow the agencies to (1) have early awareness of emerging threats to banking organizations and the broader financial system, (2) better assess the threat a notification incident poses to a banking organization and take appropriate actions to address the threat, (3) facilitate and approve requests from banking organizations for assistance through the U.S. Treasury Office of Cybersecurity and Critical Infrastructure Protection (OCCIP),[6] (4) provide information and guidance to banking organizations, and (5) conduct horizontal analyses to provide targeted guidance and adjust supervisory programs.

Notification under the Bank Secrecy Act[7] and the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice[8] provide the agencies with awareness of certain computer-security incidents.[9] Nonetheless, these standards do not include all computer-security incidents of which the agencies, as supervisors, need to be alerted and would not always result in timely notification to the agencies.

To ensure that the agencies receive timely alerts of all relevant material adverse incidents, the agencies issued a notice of proposed rulemaking (NPR or proposal) to establish computer-security incident notification requirements for banking organizations and their bank service providers.[10]

The proposal would have required banking organizations to notify their primary Federal regulator within 36 hours of when they believed in good faith that a computer-security incident that rises to the level of a notification incident had occurred. As proposed, a notification incident was a computer-security incident that could materially disrupt, degrade, or impair the viability of the banking organization's operations, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.[11]

When drafting these proposed definitions, the agencies sought to align the terminology as much as possible with language used in the National Institute of Standards and Technology's (NIST) Computer Security Resource Center glossary.[12] This approach was intended to promote consistency with known cybersecurity terms and definitions and thereby reduce burden.

The proposal separately would have required a bank service provider that provided services subject to the Bank Service Company Act (BSCA)[13] to notify at least two individuals at each affected banking organization customer immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. This standard reflected the agencies' conclusion that the impact of computer-security incidents at bank service providers can flow through to their banking organization customers. The agencies also recognized, however, that a bank service provider may not be able to readily assess whether an incident rises to the level of a notification incident for a particular banking organization customer.

The notification requirement for bank service providers is important because banking organizations have become increasingly reliant on third parties to provide essential services. Such third

Footnotes

[2] See, e.g., Financial Crimes Enforcement Network, SAR Filings by Industry (Jan. 1, 2014-Dec. 31, 2020) (last accessed Oct. 11, 2021), https://www.fincen.gov/reports/sar-stats/sar-filings-industry. Trend data may be found by downloading the Excel file "Depository Institution" and selecting the tab marked "Exhibit 5."

[3] As defined by the final rule, a computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. To promote uniformity of terms, the agencies have sought to align this term generally with an existing definition from the National Institute of Standards and Technology (NIST). See NIST, Computer Security Resource Center, Glossary (last accessed Sept. 20, 2021), available at https://csrc.nist.gov/glossary/term/Dictionary.

[4] These computer-security incidents may include major computer-system failures; cyber-related interruptions, such as distributed denial of service and ransomware attacks; or other types of significant operational interruptions.

[5] As defined in the final rule, a notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business lines, including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

[6] OCCIP coordinates with U.S. Government agencies to provide agreed-upon assistance to banking and other financial services sector organizations on computer-incident response and recovery efforts. These activities may include providing remote or in-person technical support to an organization experiencing a significant cyber event to protect assets, mitigate vulnerabilities, recover and restore services, identify other entities at risk, and assess potential risk to the broader community. The Federal Financial Institutions Examination Council's Cybersecurity Resource Guide for Financial Institutions (Oct. 2018) identifies additional information available to banking organizations. Available at: https://www.ffiec.gov/press/pdf/FFIEC%20Cybersecurity%20Resource%20Guide%20for%20Financial%20Institutions.pdf (last accessed Oct. 15, 2021).

[7] See 31 U.S.C. 5311 et seq.; 31 CFR subtitle B, chapter X.

[8] See 15 U.S.C. 6801; 12 CFR part 30, appendix B, supplement A (OCC); 12 CFR part 208, appendix D-2, supplement A, 12 CFR 211.5(l), 12 CFR part 225, appendix F, supplement A (Board); 12 CFR part 364, appendix B, supplement A (FDIC).

[9] Banking organizations that experience a computer-security incident that may be criminal in nature are expected to contact relevant law enforcement or security agencies, as appropriate, after the incident occurs. This rule does not change that expectation.

[10] 86 FR 2299 (Jan. 12, 2021).

[11] These computer-security incidents may include major computer-system failures, cyber-related interruptions, such as distributed denial of service and ransomware attacks, or other types of significant operational interruptions.

[12] NIST is an agency of the U.S. Department of Commerce that works to develop and apply technology, measurements, and standards.

[13] 12 U.S.C. 1861-67.