§ 53.4 Bank service provider notification.
Primary source
Verbatim text below is from the Electronic Code of Federal Regulations (eCFR), a public-domain U.S. government work. Always verify the current version with the eCFR before relying on it for any legal matter.
Full Text
(a) A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.
(1) A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.
(2) If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilities, through any reasonable means.
(b) The notification requirement in paragraph (a) of this section does not apply to any scheduled maintenance, testing, or software update previously communicated to a banking organization customer.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.