2299 Proposed Rules Federal Register

khammond on DSKJM1Z7X2PROD with PROPOSALS2300Federal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rulesbe viewed by clicking on the‘‘Documents’’ tab and filtered byclicking on the ‘‘Sort By’’ drop-down onthe right side of the screen or the‘‘Refine Results’’ options on the left sideof the screen.’’ For assistance with theRegulations.gov Beta site, please call(877) 378–5457 (toll free) or (703) 454–9859 Monday–Friday, 9 a.m.–5 p.m. ETor email regulations@erulemakinghelpdesk.com. The docketmay be viewed after the close of thecomment period in the same manner asduring the comment period.Board:When submitting comments, pleaseconsider submitting your comments byemail or fax because paper mail in theWashington, DC area and at the Boardmay be subject to delay. You maysubmit comments, identified by DocketNo. R–1736 RIN 7100–AG06, by any ofthe following methods: Agency Website: http://www.federalreserve.gov. Follow theinstructions for submitting comments evisedRegs.cfm. Email: regs.comments@federalreserve.gov. Include docket andRIN numbers in the subject line of themessage. FAX: (202) 452–3819 or (202) 452–3102. Mail: Ann E. Misback, Secretary,Board of Governors of the FederalReserve System, 20th Street andConstitution Avenue NW, Washington,DC 20551.All public comments will be madeavailable on the Board’s website RevisedRegs.cfm assubmitted, unless modified for technicalreasons or to remove personallyidentifiable information at thecommenter’s request. Accordingly,comments will not be edited to removeany identifying or contact information.Public comments also may be viewedelectronically or in paper in 146, 1709New York Avenue NW, Washington, DC20006, between 9:00 a.m. and 5:00 p.m.on weekdays.FDIC: Agency Website: low the instructions for submittingcomments on the Agency website. Email: Comments@fdic.gov. IncludeRIN 3064–AF59 in the subject line ofthe message. Mail: James P. Sheesley, AssistantExecutive Secretary, Attention:Comments, Federal Deposit InsuranceCorporation, 550 17th Street NW,Washington, DC 20429. Hand Delivery/Courier: Commentsmay be hand delivered to the guardVerDate Sep 11 201416:31 Jan 11, 2021Jkt 253001station at the rear of the 550 17th StreetNW, building (located on F Street) onbusiness days between 7:00 a.m. and5:00 p.m.Public Inspection: All commentsreceived will be posted without changeto ncluding any personalinformation provided—for publicinspection. Paper copies of publiccomments may be ordered from theFDIC Public Information Center, 3501North Fairfax Drive, Room E–1002,Arlington, VA 22226 or by telephone at(877) 275–3342 or (703) 562–2200.FOR FURTHER INFORMATION CONTACT:OCC: Patrick Kelly, Director, CriticalInfrastructure Policy, (202) 649–5519,Jennifer Slagle Peck, Counsel, (202)649–5490, or Priscilla Benner, SeniorAttorney, Chief Counsel’s Office, (202)649–5490, or persons who are hearingimpaired, TTY, (202) 649–5597, Officeof the Comptroller of the Currency, 4007th Street SW, Washington, DC 20219.Board: Nida Davis, Associate Director,(202) 872–4981, Julia Philipp, LeadFinancial Institution CybersecurityPolicy Analyst, (202) 452–3940, DonPeterson, Supervisory CybersecurityAnalyst, (202) 973–5059, Systems andOperational Resiliency Policy, of theSupervision and Regulation Division;Jay Schwarz, Special Counsel, (202)452–2970, Claudia Von Pervieux, SeniorCounsel (202) 452–2552, Legal Division,Board of Governors of the FederalReserve System, 20th and C Streets NW,Washington, DC 20551. For the hearingimpaired only, TelecommunicationsDevice for the Deaf (TDD) users maycontact (202) 263–4869.FDIC: Robert C. Drozdowski, SpecialAssistant to the Deputy Director (202)898–3971, RDrozdowski@FDIC.gov, andMartin D. Henning, Deputy Director(202) 898–3699, mhenning@fdic.gov,Division of Risk ManagementSupervision; Graham N. Rehrig, SeniorAttorney (703) 314–3401, grehrig@fdic.gov, and John Dorsey, ActingSupervisory Counsel (202) 898–3807,jdorsey@fdic.gov, Legal Division,Federal Deposit Insurance Corporation,550 17th Street NW, Washington, DC20429.SUPPLEMENTARY INFORMATION:I. IntroductionCyberattacks reported to federal lawenforcement have increased infrequency and severity in recent years.1These types of attacks may usedestructive malware or other malicious1 See Federal Bureau of Investigation, internetCrime Complaint Center, 2019 internet CrimeReport at 5 (last accessed Sept. 4, 2020), availableat https://pdf.ic3.gov/2019 IC3Report.pdf.PO 00000Frm 00002Fmt 4702Sfmt 4702software to target weaknesses in thecomputers or networks of bankingorganizations supervised by theagencies.2 Some cyberattacks have thepotential to alter, delete, or otherwiserender a banking organization’s data andsystems unusable. Depending on thescope of an incident, a bankingorganization’s data and system backupsmay also be affected, which can severelyaffect the ability of the bankingorganization to recover operations. TheOffice of the Comptroller of theCurrency (OCC), Board of Governors ofthe Federal Reserve System (Board), andthe Federal Deposit InsuranceCorporation (FDIC) (collectively, theagencies) are issuing a notice ofproposed rulemaking (the proposal orproposed rule) that would require abanking organization to notify itsprimary federal regulator when thebanking organization believes in goodfaith that a significant ‘‘computersecurity incident’’ has occurred.3 Thisnotification requirement is intended toserve as an early alert to a bankingorganization’s primary federal regulatorand is not intended to include anassessment of the incident.The agencies also recognize that acomputer-security incident may be theresult of non-malicious failure ofhardware, software errors, actions ofstaff managing these computerresources, or potentially criminal innature. Banking organizations thatexperience a computer-security incidentthat may be criminal in nature areexpected to contact relevant lawenforcement or security agencies, asappropriate, after the incident occurs.4Moreover, banking organizations havebecome increasingly reliant on bank2 See Cybercriminals and Fraudsters: How BadActors Are Exploiting the Financial System Duringthe COVID–19 Pandemic: Virtual Hearing Beforethe Subcommittee on National Security,International Development and Monetary Policy ofthe U.S. House Committee on Financial Services116th Congress (2020) (written statement of TomKellerman, Head of Cybersecurity Strategy,VMware, Inc.), available at hhrg116-ba10-wstate-kellermannt-20200616.pdf.3 As defined by the proposed rule, a computersecurity incident is an occurrence that results inactual or potential harm to the confidentiality,integrity, or availability of an information system orthe information that the system processes, stores, ortransmits; or constitutes a violation or imminentthreat of violation of security policies, securityprocedures, or acceptable use policies. To promoteuniformity of terms, the agencies have sought toalign this term to the fullest extent possible with anexisting definition from the National Institute ofStandards and Technology (NIST). See NIST,Computer Security Resource Center, Glossary (lastaccessed Sept. 20, 2020), available at https://csrc.nist.gov/glossary/term/Dictionary.4 For example, a local FBI field office. See FBI,Contact Us, Field Offices, https://www.fbi.gov/contact-us/field-offices (last accessed Dec. 9, 2020).E:\FR\FM\12JAP1.SGM12JAP1

khammond on DSKJM1Z7X2PROD with PROPOSALSFederal Register / Vol. 86, No. 7 / Tuesday, January 12, 2021 / Proposed Rulesservice providers to provide essentialtechnology-related products andservices. Service providers that provideservices described in the Bank ServiceCompany Act (BSCA) 5 to bankingorganizations (bank service providers) 6also are vulnerable to cyber threats,which have the potential to disrupt,degrade, or impair the provision ofbanking services to their bankingorganization customers. Therefore, theproposed rule would require a bankservice provider to notify affectedbanking organization customersimmediately after the bank serviceprovider experiences a computersecurity incident that it believes in goodfaith could disrupt, degrade, or impairthe provision of services subject to theBSCA. Given the rule’s purposes ofensuring that banking organizationsprovide timely notice of significantcomputer-security incident disruptionsto the agencies, the agencies believe thatbank service providers should contact atleast two individuals at affected bankingorganizations to help ensure that noticehas been received.The agencies believe that it isimportant that the primary federalregulator of a banking organization benotified as soon as possible of asignificant computer-security incidentthat could jeopardize the viability of theoperations of an individual bankingorganization, result in customers beingunable to access their deposit and otheraccounts, or impact the stability of thefinancial sector.7 The proposed rulerefers to these significant computersecurity incidents as ‘‘notificationincidents.’’ Knowing about andresponding to notification incidentsaffecting banking organizations isimportant to the agencies’ missions fora variety of reasons, including thefollowing: The receipt of notification-incidentinformation may give the agenciesearlier awareness of emerging threats toindividual banking organizations and,potentially, to the broader financialsystem; An incident may so severely impacta banking organization that it can nolonger support its customers, and theincident could impact the safety andsoundness of the banking organization,leading to its failure. In these cases, thesooner the agencies know of the event,5 12U.S.C. 1861–67.service providers would include both bankservice companies and third-party providers underthe BSCA.7 These computer-security incidents may includemajor computer-system failures, cyber-relatedinterruptions, such as coordinated denial of serviceand ransomware attacks, or other types ofsignificant operational interruptions.6 BankVerDate Sep 11 201416:31 Jan 11, 2021Jkt 253001the better they can assess the extent ofthe threat and take appropriate action; Based on the agencies’ broadsupervisory experiences, they may beable to provide information to a bankingorganization that may not havepreviously faced a particular type ofnotification incident; The agencies would be better ableto conduct analyses across supervisedbanking organizations to improveguidance, adjust supervisory programs,and provide information to the industryto help banking organizations protectthemselves; and Receiving notice would enable theprimary federal regulator to facilitateand approve requests from bankingorganizations for assistance through theU.S. Treasury Office of Cybersecurityand Critical Infrastructure Protection(OCCIP).8As discussed below, current reportingrequirements related to cyber incidentsare neither designed nor intended toprovide timely information to regulatorsregarding such incidents.II. Review of Existing Regulations andGuidanceThe agencies considered whether theinformation that would be providedunder the proposed rule could beobtained through existing reportingstandards. Currently, bankingorganizations may be required to reportcertain instances of disruptive cyberevents and cyber-crimes through thefiling of Suspicious Activity Reports(SARs), and they are generally expectedto notify their primary federal regulator‘‘as soon as possible’’ when they become‘‘aware of an incident involvingunauthorized access to or use ofsensitive customer information.’’ 9These reporting standards provide theagencies with valuable insight regardingcyber-related events and information8 OCCIP coordinates with U.S. Governmentagencies to provide agreed-upon assistance tobanking and other financial services sectororganizations on computer-incident response andrecovery efforts. These activities may includeproviding remote or in-person technical support toan organization experiencing a significant cyberevent to protect assets, mitigate vulnerabilities,recover and restore services, identify other entitiesat risk, and assess potential risk to the broadercommunity. The Federal Financial InstitutionsExamination Council’s Cybersecurity ResourceGuide for Financial Institutions (Oct. 2018)identifies additional information available tobanking organizations. Available at tions.pdf (last accessed Nov.29, 2020).9 See 12 CFR part 30, appendix B, supp. A (OCC);12 CFR part 208, appendix D–2, supp. A, 12 CFR211.5(l), 12 CFR part 225, appendix F, supp. A(Board); 12 CFR part 364, appendix B, supp. A(FDIC) (italics omitted).PO 00000Frm 00003Fmt 4702Sfmt 47022301security compromises; however, theseexisting requirements do not providethe agencies with sufficiently timelyinformation about every notificationincident that would be captured by theproposed rule.Under the reporting requirements ofthe Bank Secrecy Act (BSA) and itsimplementing regulations, certainbanking organizations are required tofile SARs when they detect a known orsuspected criminal violation of federallaw or a suspicious transaction relatedto a money-laundering activity.10 Whilethe agencies monitor SARs regularly,SARs serve a different purpose from thisproposed incident notificationrequirement and do not requirereporting of every incident captured bythe proposed definition of a notificationincident. Moreover, the 30-calendar-dayreporting requirement under the BSAframework (with an additional 30calendar days provided in certaincircumstances) does not provide theagencies with sufficiently timely noticeof reported incidents.Additionally, the InteragencyGuidance on Response Programs forUnauthorized Access to CustomerInformation and Customer Notice,which interprets section 501(b

3 As defined by the proposed rule, a computer- security incident is an occurrence that results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or