2299 Proposed Rules Federal Register

1y ago
330.29 KB
13 Pages
Last View : 1m ago
Last Download : 5m ago
Upload by : Grant Gall

2299Proposed RulesFederal RegisterVol. 86, No. 7Tuesday, January 12, 2021This section of the FEDERAL REGISTERcontains notices to the public of the proposedissuance of rules and regulations. Thepurpose of these notices is to give interestedpersons an opportunity to participate in therule making prior to the adoption of the finalrules.DEPARTMENT OF THE TREASURY12 CFR Part 53[Docket ID OCC–2020–0038]RIN 1557–AF02FEDERAL RESERVE SYSTEM12 CFR Part 225[Docket No. R–1736]RIN 7100–AG06FEDERAL DEPOSIT INSURANCECORPORATION12 CFR Part 304RIN 3064–AF59Computer-Security IncidentNotification Requirements for BankingOrganizations and Their Bank ServiceProvidersThe Office of the Comptrollerof the Currency (OCC), Treasury; theBoard of Governors of the FederalReserve System (Board); and the FederalDeposit Insurance Corporation (FDIC).ACTION: Notice of proposed rulemaking.AGENCY:The OCC, Board, and FDIC(together, the agencies) invite commenton a notice of proposed rulemaking(proposed rule or proposal) that wouldrequire a banking organization toprovide its primary federal regulatorwith prompt notification of any‘‘computer-security incident’’ that risesto the level of a ‘‘notification incident.’’The proposed rule would require suchnotification upon the occurrence of anotification incident as soon as possibleand no later than 36 hours after thebanking organization believes in goodfaith that the incident occurred. Thisnotification requirement is intended toserve as an early alert to a bankingorganization’s primary federal regulatorand is not intended to provide anassessment of the incident. Moreover, akhammond on DSKJM1Z7X2PROD with PROPOSALSVerDate Sep 11 201416:31 Jan 11, 2021Jkt 253001Comments must be received byApril 12, 2021.ADDRESSES: You may submit comments,identified by RIN (1557–AF02 (OCC),7100–AF (Board), 3064–AF59 (FDIC)),by any of the following methods:OCC:Commenters are encouraged to submitcomments through the FederaleRulemaking Portal, if possible. Pleaseuse the title ‘‘Computer-SecurityIncident Notification Requirements forBanking Organizations and Their BankService Providers’’ to facilitate theorganization and distribution of thecomments. You may submit commentsby any of the following methods: Federal eRulemaking Portal—Regulations.gov Classic orRegulations.gov Beta:Æ Regulations.gov Classic: Go tohttps://www.regulations.gov/. Enter‘‘Docket ID OCC–2020–0038’’ in theSearch Box and click ‘‘Search.’’ Click on‘‘Comment Now’’ to submit publiccomments. For help with submittingeffective comments please click on‘‘View Commenter’s Checklist.’’ Clickon the ‘‘Help’’ tab on theRegulations.gov home page to getinformation on using Regulations.gov,including instructions for submittingpublic comments.Æ Regulations.gov Beta: Go to https://beta.regulations.gov/ or click ‘‘VisitNew Regulations.gov Site’’ from theRegulations.gov Classic homepage.Enter ‘‘Docket ID OCC–2020–0038’’ inthe Search Box and click ‘‘Search.’’Public comments can be submitted viathe ‘‘Comment’’ box below thedisplayed document information or byclicking on the document title and thenclicking the ‘‘Comment’’ box on the topleft side of the screen. For help withsubmitting effective comments pleaseclick on ‘‘Commenter’s Checklist.’’ Forassistance with the Regulations.gov Betasite, please call (877) 378–5457 (tollfree) or (703) 454–9859 Monday–Friday,9 a.m.–5 p.m. ET or email regulations@erulemakinghelpdesk.com.DATES:Office of the Comptroller of theCurrencySUMMARY:bank service provider would be requiredto notify at least two individuals ataffected banking organization customersimmediately after the bank serviceprovider experiences a computersecurity incident that it believes in goodfaith could disrupt, degrade, or impairservices provided for four or morehours.PO 00000Frm 00001Fmt 4702Sfmt 4702 Mail: Chief Counsel’s Office,Attention: Comment Processing, Officeof the Comptroller of the Currency, 4007th Street SW, Suite 3E–218,Washington, DC 20219. Hand Delivery/Courier: 400 7thStreet SW, Suite 3E–218, Washington,DC 20219.Instructions: You must include‘‘OCC’’ as the agency name and ‘‘DocketID OCC–2020–0038’’ in your comment.In general, the OCC will enter allcomments received into the docket andpublish the comments on theRegulations.gov website withoutchange, including any business orpersonal information provided such asname and address information, emailaddresses, or phone numbers.Comments received, includingattachments and other supportingmaterials, are part of the public recordand subject to public disclosure. Do notinclude any information in yourcomment or supporting materials thatyou consider confidential orinappropriate for public disclosure.Public Inspection: You may reviewcomments and other related materialsthat pertain to this rulemaking action byany of the following methods: Viewing Comments Electronically—Regulations.gov Classic orRegulations.gov Beta:Æ Regulations.gov Classic: Go tohttps://www.regulations.gov/. Enter‘‘Docket ID OCC–2020–0038’’ in theSearch box and click ‘‘Search.’’ Click on‘‘Open Docket Folder’’ on the right sideof the screen. Comments and supportingmaterials can be viewed and filtered byclicking on ‘‘View all documents andcomments in this docket’’ and thenusing the filtering tools on the left sideof the screen. Click on the ‘‘Help’’ tabon the Regulations.gov home page to getinformation on using Regulations.gov.The docket may be viewed after theclose of the comment period in the samemanner as during the comment period.Æ Regulations.gov Beta: Go to https://beta.regulations.gov/ or click ‘‘VisitNew Regulations.gov Site’’ from theRegulations.gov Classic homepage.Enter ‘‘Docket ID OCC–2020–0038’’ inthe Search Box and click ‘‘Search.’’Click on the ‘‘Comments’’ tab.Comments can be viewed and filteredby clicking on the ‘‘Sort By’’ drop-downon the right side of the screen or the‘‘Refine Results’’ options on the left sideof the screen. Supporting materials canE:\FR\FM\12JAP1.SGM12JAP1

khammond on DSKJM1Z7X2PROD with PROPOSALS2300Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rulesbe viewed by clicking on the‘‘Documents’’ tab and filtered byclicking on the ‘‘Sort By’’ drop-down onthe right side of the screen or the‘‘Refine Results’’ options on the left sideof the screen.’’ For assistance with theRegulations.gov Beta site, please call(877) 378–5457 (toll free) or (703) 454–9859 Monday–Friday, 9 a.m.–5 p.m. ETor email regulations@erulemakinghelpdesk.com. The docketmay be viewed after the close of thecomment period in the same manner asduring the comment period.Board:When submitting comments, pleaseconsider submitting your comments byemail or fax because paper mail in theWashington, DC area and at the Boardmay be subject to delay. You maysubmit comments, identified by DocketNo. R–1736 RIN 7100–AG06, by any ofthe following methods: Agency Website: http://www.federalreserve.gov. Follow theinstructions for submitting comments evisedRegs.cfm. Email: regs.comments@federalreserve.gov. Include docket andRIN numbers in the subject line of themessage. FAX: (202) 452–3819 or (202) 452–3102. Mail: Ann E. Misback, Secretary,Board of Governors of the FederalReserve System, 20th Street andConstitution Avenue NW, Washington,DC 20551.All public comments will be madeavailable on the Board’s website RevisedRegs.cfm assubmitted, unless modified for technicalreasons or to remove personallyidentifiable information at thecommenter’s request. Accordingly,comments will not be edited to removeany identifying or contact information.Public comments also may be viewedelectronically or in paper in 146, 1709New York Avenue NW, Washington, DC20006, between 9:00 a.m. and 5:00 p.m.on weekdays.FDIC: Agency Website: low the instructions for submittingcomments on the Agency website. Email: Comments@fdic.gov. IncludeRIN 3064–AF59 in the subject line ofthe message. Mail: James P. Sheesley, AssistantExecutive Secretary, Attention:Comments, Federal Deposit InsuranceCorporation, 550 17th Street NW,Washington, DC 20429. Hand Delivery/Courier: Commentsmay be hand delivered to the guardVerDate Sep 11 201416:31 Jan 11, 2021Jkt 253001station at the rear of the 550 17th StreetNW, building (located on F Street) onbusiness days between 7:00 a.m. and5:00 p.m.Public Inspection: All commentsreceived will be posted without changeto ncluding any personalinformation provided—for publicinspection. Paper copies of publiccomments may be ordered from theFDIC Public Information Center, 3501North Fairfax Drive, Room E–1002,Arlington, VA 22226 or by telephone at(877) 275–3342 or (703) 562–2200.FOR FURTHER INFORMATION CONTACT:OCC: Patrick Kelly, Director, CriticalInfrastructure Policy, (202) 649–5519,Jennifer Slagle Peck, Counsel, (202)649–5490, or Priscilla Benner, SeniorAttorney, Chief Counsel’s Office, (202)649–5490, or persons who are hearingimpaired, TTY, (202) 649–5597, Officeof the Comptroller of the Currency, 4007th Street SW, Washington, DC 20219.Board: Nida Davis, Associate Director,(202) 872–4981, Julia Philipp, LeadFinancial Institution CybersecurityPolicy Analyst, (202) 452–3940, DonPeterson, Supervisory CybersecurityAnalyst, (202) 973–5059, Systems andOperational Resiliency Policy, of theSupervision and Regulation Division;Jay Schwarz, Special Counsel, (202)452–2970, Claudia Von Pervieux, SeniorCounsel (202) 452–2552, Legal Division,Board of Governors of the FederalReserve System, 20th and C Streets NW,Washington, DC 20551. For the hearingimpaired only, TelecommunicationsDevice for the Deaf (TDD) users maycontact (202) 263–4869.FDIC: Robert C. Drozdowski, SpecialAssistant to the Deputy Director (202)898–3971, RDrozdowski@FDIC.gov, andMartin D. Henning, Deputy Director(202) 898–3699, mhenning@fdic.gov,Division of Risk ManagementSupervision; Graham N. Rehrig, SeniorAttorney (703) 314–3401, grehrig@fdic.gov, and John Dorsey, ActingSupervisory Counsel (202) 898–3807,jdorsey@fdic.gov, Legal Division,Federal Deposit Insurance Corporation,550 17th Street NW, Washington, DC20429.SUPPLEMENTARY INFORMATION:I. IntroductionCyberattacks reported to federal lawenforcement have increased infrequency and severity in recent years.1These types of attacks may usedestructive malware or other malicious1 See Federal Bureau of Investigation, internetCrime Complaint Center, 2019 internet CrimeReport at 5 (last accessed Sept. 4, 2020), availableat https://pdf.ic3.gov/2019 IC3Report.pdf.PO 00000Frm 00002Fmt 4702Sfmt 4702software to target weaknesses in thecomputers or networks of bankingorganizations supervised by theagencies.2 Some cyberattacks have thepotential to alter, delete, or otherwiserender a banking organization’s data andsystems unusable. Depending on thescope of an incident, a bankingorganization’s data and system backupsmay also be affected, which can severelyaffect the ability of the bankingorganization to recover operations. TheOffice of the Comptroller of theCurrency (OCC), Board of Governors ofthe Federal Reserve System (Board), andthe Federal Deposit InsuranceCorporation (FDIC) (collectively, theagencies) are issuing a notice ofproposed rulemaking (the proposal orproposed rule) that would require abanking organization to notify itsprimary federal regulator when thebanking organization believes in goodfaith that a significant ‘‘computersecurity incident’’ has occurred.3 Thisnotification requirement is intended toserve as an early alert to a bankingorganization’s primary federal regulatorand is not intended to include anassessment of the incident.The agencies also recognize that acomputer-security incident may be theresult of non-malicious failure ofhardware, software errors, actions ofstaff managing these computerresources, or potentially criminal innature. Banking organizations thatexperience a computer-security incidentthat may be criminal in nature areexpected to contact relevant lawenforcement or security agencies, asappropriate, after the incident occurs.4Moreover, banking organizations havebecome increasingly reliant on bank2 See Cybercriminals and Fraudsters: How BadActors Are Exploiting the Financial System Duringthe COVID–19 Pandemic: Virtual Hearing Beforethe Subcommittee on National Security,International Development and Monetary Policy ofthe U.S. House Committee on Financial Services116th Congress (2020) (written statement of TomKellerman, Head of Cybersecurity Strategy,VMware, Inc.), available at hhrg116-ba10-wstate-kellermannt-20200616.pdf.3 As defined by the proposed rule, a computersecurity incident is an occurrence that results inactual or potential harm to the confidentiality,integrity, or availability of an information system orthe information that the system processes, stores, ortransmits; or constitutes a violation or imminentthreat of violation of security policies, securityprocedures, or acceptable use policies. To promoteuniformity of terms, the agencies have sought toalign this term to the fullest extent possible with anexisting definition from the National Institute ofStandards and Technology (NIST). See NIST,Computer Security Resource Center, Glossary (lastaccessed Sept. 20, 2020), available at https://csrc.nist.gov/glossary/term/Dictionary.4 For example, a local FBI field office. See FBI,Contact Us, Field Offices, https://www.fbi.gov/contact-us/field-offices (last accessed Dec. 9, 2020).E:\FR\FM\12JAP1.SGM12JAP1

khammond on DSKJM1Z7X2PROD with PROPOSALSFederal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rulesservice providers to provide essentialtechnology-related products andservices. Service providers that provideservices described in the Bank ServiceCompany Act (BSCA) 5 to bankingorganizations (bank service providers) 6also are vulnerable to cyber threats,which have the potential to disrupt,degrade, or impair the provision ofbanking services to their bankingorganization customers. Therefore, theproposed rule would require a bankservice provider to notify affectedbanking organization customersimmediately after the bank serviceprovider experiences a computersecurity incident that it believes in goodfaith could disrupt, degrade, or impairthe provision of services subject to theBSCA. Given the rule’s purposes ofensuring that banking organizationsprovide timely notice of significantcomputer-security incident disruptionsto the agencies, the agencies believe thatbank service providers should contact atleast two individuals at affected bankingorganizations to help ensure that noticehas been received.The agencies believe that it isimportant that the primary federalregulator of a banking organization benotified as soon as possible of asignificant computer-security incidentthat could jeopardize the viability of theoperations of an individual bankingorganization, result in customers beingunable to access their deposit and otheraccounts, or impact the stability of thefinancial sector.7 The proposed rulerefers to these significant computersecurity incidents as ‘‘notificationincidents.’’ Knowing about andresponding to notification incidentsaffecting banking organizations isimportant to the agencies’ missions fora variety of reasons, including thefollowing: The receipt of notification-incidentinformation may give the agenciesearlier awareness of emerging threats toindividual banking organizations and,potentially, to the broader financialsystem; An incident may so severely impacta banking organization that it can nolonger support its customers, and theincident could impact the safety andsoundness of the banking organization,leading to its failure. In these cases, thesooner the agencies know of the event,5 12U.S.C. 1861–67.service providers would include both bankservice companies and third-party providers underthe BSCA.7 These computer-security incidents may includemajor computer-system failures, cyber-relatedinterruptions, such as coordinated denial of serviceand ransomware attacks, or other types ofsignificant operational interruptions.6 BankVerDate Sep 11 201416:31 Jan 11, 2021Jkt 253001the better they can assess the extent ofthe threat and take appropriate action; Based on the agencies’ broadsupervisory experiences, they may beable to provide information to a bankingorganization that may not havepreviously faced a particular type ofnotification incident; The agencies would be better ableto conduct analyses across supervisedbanking organizations to improveguidance, adjust supervisory programs,and provide information to the industryto help banking organizations protectthemselves; and Receiving notice would enable theprimary federal regulator to facilitateand approve requests from bankingorganizations for assistance through theU.S. Treasury Office of Cybersecurityand Critical Infrastructure Protection(OCCIP).8As discussed below, current reportingrequirements related to cyber incidentsare neither designed nor intended toprovide timely information to regulatorsregarding such incidents.II. Review of Existing Regulations andGuidanceThe agencies considered whether theinformation that would be providedunder the proposed rule could beobtained through existing reportingstandards. Currently, bankingorganizations may be required to reportcertain instances of disruptive cyberevents and cyber-crimes through thefiling of Suspicious Activity Reports(SARs), and they are generally expectedto notify their primary federal regulator‘‘as soon as possible’’ when they become‘‘aware of an incident involvingunauthorized access to or use ofsensitive customer information.’’ 9These reporting standards provide theagencies with valuable insight regardingcyber-related events and information8 OCCIP coordinates with U.S. Governmentagencies to provide agreed-upon assistance tobanking and other financial services sectororganizations on computer-incident response andrecovery efforts. These activities may includeproviding remote or in-person technical support toan organization experiencing a significant cyberevent to protect assets, mitigate vulnerabilities,recover and restore services, identify other entitiesat risk, and assess potential risk to the broadercommunity. The Federal Financial InstitutionsExamination Council’s Cybersecurity ResourceGuide for Financial Institutions (Oct. 2018)identifies additional information available tobanking organizations. Available at tions.pdf (last accessed Nov.29, 2020).9 See 12 CFR part 30, appendix B, supp. A (OCC);12 CFR part 208, appendix D–2, supp. A, 12 CFR211.5(l), 12 CFR part 225, appendix F, supp. A(Board); 12 CFR part 364, appendix B, supp. A(FDIC) (italics omitted).PO 00000Frm 00003Fmt 4702Sfmt 47022301security compromises; however, theseexisting requirements do not providethe agencies with sufficiently timelyinformation about every notificationincident that would be captured by theproposed rule.Under the reporting requirements ofthe Bank Secrecy Act (BSA) and itsimplementing regulations, certainbanking organizations are required tofile SARs when they detect a known orsuspected criminal violation of federallaw or a suspicious transaction relatedto a money-laundering activity.10 Whilethe agencies monitor SARs regularly,SARs serve a different purpose from thisproposed incident notificationrequirement and do not requirereporting of every incident captured bythe proposed definition of a notificationincident. Moreover, the 30-calendar-dayreporting requirement under the BSAframework (with an additional 30calendar days provided in certaincircumstances) does not provide theagencies with sufficiently timely noticeof reported incidents.Additionally, the InteragencyGuidance on Response Programs forUnauthorized Access to CustomerInformation and Customer Notice,which interprets section 501(b

3 As defined by the proposed rule, a computer- security incident is an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or

Related Documents:

Rules database is the basis of the rules engine and it is a collection of rules files which are established by rules engine. Rules database is maintained by rules management and it is used by rules engine. (5) Rules Matching The first step is modelling with rules files in rules database. Then, it will match rules with users'

Classification Rules -MDR, Annex VIII MDR MDD Rules 1 -4: Non-invasive devices Rules 5 -8 : Invasive devices Rules 9 -13 : Active Devices Rules 14 -22 : Special rules Rules 1 -4 : Non-invasive devices Rules 5 -8 : Invasive devices Rules 9 -12 : Active devices Rules 13 -18 : Special rules

Apr 08, 2021 · PNEG-2299 Poultry Click Watering 5 1. Safety Safety Guidelines Safety guidelines are general-to-specific safety rules that must be followed at all times. This manual is written to help you understand safe operati

4 A Brief History Commemorating the 70th Anniversary of the Publication of the First Issue of the Federal Register March 14, 1936 the printing processes of the Federal Register always have played a central role in the policies and procedures of the Federal Register system. At times those needs and capabilities have been the driving force for .

II Federal Register/Vol. 83, No. 232/Monday, December 3, 2018 The FEDERAL REGISTER (ISSN 0097-6326) is published daily, Monday through Friday, except official holidays, by the Office of the Federal Register, National Archives and Records Administration, under the Federal Register Act (44 U.S.C. Ch. 15)

59948 Federal Register/Vol. 82, No. 241/Monday, December 18, 2017/Rules and Regulations (y) ASME BPVC.VIII.2–2015, Section VIII—Rules for Construction of Pressure Vessels, Division 2, Alternative Rules; (z) ASME BPVC.VIII.3–2015, Section VIII—Rules for Construction of Pressure

TDEC 401 Water Quality Certification - Proposed USACE Nationwide 404 Permits 18 December 2020 Page 2 The proposed NWPs were published in the Federal Register Vol. 85, No. 179 on September 15, 2020. This publication of the proposed NWPs in the Federal Register serves as the ACOE's application for water quality certification under § 401 of the CWA for those NWPs that will result in a .

Howard Lees is a British Chartered Civil Engineer with 40 years construction experience. In 2004 he set up Hollin Consulting Ltd, specialising in Behavioural Management