12 CFR §304.21

1. (a)Authority. This subpart is issued under the authority of 12 U.S.C. 1463, 1811, 1813, 1817, 1819, and 1861-1867.
2. (b)Purpose. This subpart promotes the timely notification of computer-security incidents that may materially and adversely affect FDIC-supervised institutions.
3. (c)Scope. This subpart applies to all insured state nonmember banks, insured state licensed branches of foreign banks, and insured State savings associations. This subpart also applies to bank service providers, as defined in § 304.22(b)(2).