April 12, 2021

Via Electronic Mail

Chief Counsel’s Office
Attention: Comment Processing
Office of the Comptroller of the Currency
400 7th Street SW, Suite 3E–218
Washington, DC 20219

Ann E. Misback, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue NW
Washington, DC 20551

James P. Sheesley, Assistant Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street NW
Washington, DC 20429

Re: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Docket ID OCC–2020–0038 and RIN 1557–AF02; FRB Docket No. R–1736 and RIN 7100–AG06; FDIC RIN 3064–AF59)

Ladies and Gentlemen:

The American Bankers Association (“ABA”), Bank Policy Institute (“BPI”), Institute of International Bankers (“IIB”), and the Securities Industry and Financial Markets Association (“SIFMA”) (collectively, the “Associations”)1 appreciate the opportunity to comment on the notice of proposed rulemaking2 issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the “Agencies”) relating to computer-security incident notification requirements for banking organizations and their bank service providers. The Agencies’ thoughtful review and study of cybersecurity issues is evident in the proposed rule, and the Associations welcome this positive step toward achieving clarity and consistency in the industry in this important area.

Like institutions throughout the public and private sectors, banking organizations are reliant on interrelated computer systems, and continue to be targeted in cybersecurity attacks. As such, our members recognize the importance of timely detection of significant cybersecurity threats, and fully support the Agencies’ goal of ensuring timely awareness of these threats in order to promote the safety and soundness of the U.S. financial system.3 In that regard, we appreciate the Agencies’ recognition that a requirement that banking organizations timely notify the Agencies of critical cybersecurity incidents will represent the formalization of a voluntary practice that already exists.4

The Associations also strongly support the Agencies’ efforts to minimize the regulatory burden placed on banking organizations addressing significant cybersecurity incidents, and to harmonize the proposed rule with existing definitions and notification standards.5 Harmonization and other efforts to reduce additional burden will maximize banking organizations’ ability to focus in a crisis on protecting their customers and restoring and ensuring the confidentiality, availability, and integrity of the systems on which their services and operations depend. We welcome the opportunity to collaborate with the Agencies on a rule that furthers our shared interest in this regard.

While the Associations support many aspects of the proposed rule, we believe change is warranted in several areas, and we propose revisions in those areas. Our recommendations are intended to bring additional clarity and consistency to the proposed incident notification framework, to ensure the Agencies receive timely notification of the significant cybersecurity incidents that are the focus of the proposed rule, and to minimize excess burden on banking organizations, including by avoiding unnecessary and burdensome over-reporting of less significant or easily remediated matters not intended to be captured by the proposed rule. We believe and intend that these proposed revisions will be workable for large and small institutions alike.

I. Executive Summary

• The Associations appreciate the Agencies’ efforts to ensure clarity and consistency in the reporting of significant cyber incidents while minimizing the regulatory burden on banking organizations while responding to such incidents or otherwise
  in having to divert resources to unnecessary analysis and over-reporting of less significant or easily remediated events.
• While we support the policy goals of the proposed rule, we believe that, as currently drafted, the proposed rule calls for notification of incidents well below the intended threshold of critical cybersecurity incidents. As a result, the proposed rule would lead to significant and burdensome over-reporting to the Agencies, contrary to its stated intention. We provide recommendations that we believe will better achieve the shared goals of the Agencies and banking organizations in this context.

1 See Annex A for a description of each of the Associations.

2 Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 2299 (proposed Jan. 12, 2021) (to be codified at 12 C.F.R. pt. 53; 12 C.F.R. pt. 225, 12 C.F.R. pt. 304).

3 See 86 Fed. Reg. at 2301 (“The receipt of notification-incident information may give the agencies earlier awareness of emerging threats to individual banking organizations and, potentially, to the broader financial system[.]”); id. at 2302 (“The proposed rule would establish two primary requirements, which would promote the safety and soundness of banking organizations and be consistent with
the agencies’ authorities to supervise these entities.”).

4 See id. at 2303 (“The agencies believe that in most cases banking organizations would eventually notify their primary regulator when an event occurs that meets the high threshold of a notification incident and that this proposed rule is formalizing a process that the agencies’ experience suggest already exists.”).

5 See id. at 2303 (“This proposal is not expected to add significant burden on banking organizations.”); id. at 2304 (describing that the Agencies issued this proposed rule because existing “processes are not uniform or consistent between institutions and have not always resulted in timely notification being provided to the applicable regulator”).