(a) Authority. This subpart is issued under the authority of 12 U.S.C. 1,321,1467a,1818,1844,1861,and.
(b) Purpose. This subpart promotes the timely notification of computer-security incidents that may materially and adversely affect Board-supervised entities.
(c) Scope. This subpart applies to all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; and Edge and agreement corporations. This subpart also applies to their bank service providers, as defined in § 225.301(b)(2).
(a) Except as modified in this subpart, or unless the context otherwise requires, the terms used in this subpart have the same meanings as set forth in 12 U.S.C. 1813.
(b) For purposes of this subpart, the following definitions apply.
(1) Banking organization means a U.S. bank holding company; U.S. savings and loan holding company; state member bank; the U.S. operations of foreign banking organizations; and an Edge or agreement corporation; provided, however, that no designated financial market utility shall be considered a banking organization.
(2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider.
(3) Business line means a product or service offered by a banking organization to serve its customers or support other business needs.
(4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
(5) Covered services are services performed, by a person, that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867).
(6) Designated financial market utility has the same meaning as set forth at 12 U.S.C. 5462(4).
(7) Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
(8) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A).
A banking organization must notify the appropriate Board-designated point of contact about a notification incident through email, telephone, or other similar methods that the Board may prescribe. The Board must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.
(a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.
(1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.
(2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.
(b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.