Can you summarize 12 CFR Part 225, Subpart N?
BANK HOLDING COMPANIES AND CHANGE IN BANK CONTROL (REGULATION Y) > Computer-Security Incident Notification
Short Summary
This subpart of Regulation Y, issued by the Board of Governors of the Federal Reserve System under the Code of Federal Regulations, governs Computer-Security Incident Notification for banking organizations. Its purpose is to promote timely notification of computer-security incidents that may materially and adversely affect Board-supervised entities.

The subpart defines the terms it uses, including banking organization, bank service provider, business line, computer-security incident, covered services, designated financial market utility, and person. A computer-security incident is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information it processes, stores, or transmits. A notification incident is a computer-security incident that materially disrupts or degrades a banking organization's ability to carry out banking operations, activities, or processes; that impacts its business lines or operations in a way that would result in a material loss of revenue, profit, or franchise value; or that poses a threat to the financial stability of the United States.

The subpart applies to U.S. bank holding companies, U.S. savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge or agreement corporations. Designated financial market utilities are not considered banking organizations under this subpart.

Two notification requirements follow. A banking organization must notify the appropriate Board-designated point of contact of a notification incident as soon as possible and no later than 36 hours after determining that one has occurred. A bank service provider must notify a designated point of contact at each affected banking organization customer as soon as possible when a computer-security incident materially disrupts or degrades covered services for four or more hours. The service-provider requirement does not apply to scheduled maintenance, testing, or software updates that were previously communicated to the banking organization customer.
Whom does it apply to?
U.S. bank holding companies, U.S. savings and loan holding companies, state member banks, U.S. operations of foreign banking organizations, and Edge or agreement corporations
What does it govern?
Computer-Security Incident Notification
What are exemptions?
Designated financial market utilities are not considered banking organizations under this subpart
What are the Penalties?
No specific penalties are mentioned in these documents
Jurisdiction
U.S. Federal Government