(a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.
(1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.
(2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the chief executive officer and chief information officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.
(b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.