§ 53.1 - Authority, purpose, and scope.

(a) Authority. This part is issued under the authority of 12 U.S.C. 1, 93a, 161, 481, 1463, 1464, 1861-1867, and 3102.

(b) Purpose. This part promotes the timely notification of computer-security incidents that may materially and adversely affect Office of the Comptroller of the Currency (OCC)-supervised institutions.

(c) Scope. This part applies to all national banks, Federal savings associations, and Federal branches and agencies of foreign banks. This part also applies to their bank service providers as defined in § 53.2(b)(2).

§ 53.2 - Definitions.

(a) Except as modified in this part, or unless the context otherwise requires, the terms used in this part have the same meanings as set forth in 12 U.S.C. 1813.

(b) For purposes of this part, the following definitions apply.

(1) Banking organization means a national bank, Federal savings association, or Federal branch or agency of a foreign bank; provided, however, that no designated financial market utility shall be considered a banking organization.

(2) Bank service provider means a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider.

(3) Business line means a product or service offered by a banking organization to serve its customers or support other business needs.

(4) Computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.

(5) Covered services are services performed, by a person, that are subject to the Bank Service Company Act (12 U.S.C. 1861-1867).

(6) Designated financial market utility has the same meaning as set forth at 12 U.S.C. 5462(4).

(7) Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—

(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;

(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or

(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

(8) Person has the same meaning as set forth at 12 U.S.C. 1817(j)(8)(A).

§ 53.3 - Notification.

A banking organization must notify the appropriate OCC supervisory office, or OCC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the OCC may prescribe. The OCC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.

§ 53.4 - Bank service provider notification.

(a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.

(1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.

(2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.

(b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.