November 2021 Regulatory Updates

Collin Schwartz, Head of Legal and Regulatory Affairs, Head of Methodology

The TruSight methodology is shaped by the regulation, standards, and guidance governing the industries in which it operates. Our internal subject matter experts routinely review new regulatory requirements and guidance to ensure our methodology remains current and to provide updated information to customers for continued insight into an ever-shifting landscape. To continually equip our customers with the most up-to-date industry knowledge, below is a spotlight on November 2021 select regulatory updates.


Joint Agencies Issue Cyber Incident Notification Rule

On November 18, 2021, the FDIC, Federal Reserve Board, and the OCC issued a final rule that requires a banking organization to notify its primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has occurred. Notification is required where the cyber incident has affected:

1. The viability of a banking organization’s operations;
2. Its ability to deliver banking products and services; or
3. The stability of the financial sector.

Additionally, the rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s customers for four or more hours. The agencies have emphasized their belief that “banking organizations have become increasingly reliant on third parties to provide essential services,” and that those third parties may also experience computer-security incidents that could affect the support services they provide to banking organization customers, along with other significant impacts. The effective date of the rule is April 1, 2022, and banking organizations are expected to implement and comply by May 1, 2022.

2021-11-17-notational-fr.pdf (fdic.gov)


NYSDFS Creates New Division to Integrate Climate Risks into Supervision

On November 3, 2021, Acting Superintendent of Financial Services Adrienne A. Harris announced the establishment of a new Climate Division at the New York State Department of Financial Services (NYSDFS), as climate change poses wide-ranging and material risks to the financial system. As the finance and insurance sectors take demonstrative steps towards managing their financial risks from climate change and supporting the low carbon transition, the new Climate Division will integrate climate risks into its supervision of regulated entities, support the industry’s growth in managing climate risks, coordinate with international, national, and state regulators, develop internal capacity on climate-related financial risks, and support the capacity-building of peer regulators on climate-related supervision. It will also work to ensure fair access to financial services for all communities, especially those most impacted by climate change.

Press Release - November 03, 2021: On Cop26 Finance Day Acting Superintendent Adrienne A. Harris Announces Newly Created Climate Risk Division, New Executive Appointment | Department of Financial Services (ny.gov)


China’s Personal Information Protection Law Goes into Effect

On November 1, 2021, China’s Personal Information Protection Law (PIPL) went into effect. Although the law incorporates many of the concepts of the EU General Data Protection Regulation (GDPR), there are several distinctions. Its territorial scope extends to the processing of personal information outside of China, provided that the purpose is:

1. To provide products or services to individuals in China;
2. To “analyze” or “assess” the behavior of individuals in China; or
3. For other purposes to be specified by laws and regulations.

The definitions of “personal information” and “processing of personal information” are similar under the PIPL and the GDPR, but “sensitive personal information” is defined under the PIPL as “personal information that once leaked, or illegally used, may easily infringe the dignity of a natural person or cause harm to personal safety and property security, such as biometric identification information, religious beliefs, specially designated status, medical health information, financial accounts, information on individuals’ whereabouts, as well as personal information of minors under the age of 14.”

The PIPL defines the term “personal information processing entity” as an “organization or individual that independently determines the purposes and means for the processing of personal information,” which mirrors the concept of data controllers under the GDPR, and requires “personal information processing entities” to establish a “dedicated office” or appoint a “designated representative” in China, which is similar to the GDPR’s requirement to appoint an “EU representative” for offshore controllers.

One distinction between the two laws is that the PIPL narrows the GDPR’s provision of “legitimate interests” as a lawful basis for processing by enumerating legal responsibilities, news, public health emergencies, and human resources management. Another distinction is the PIPL’s requirement for separate consent for information sharing, disclosure, or overseas transfer. Restrictions or exemptions under the PIPL are also not set forth as precisely as in the GDPR. The PIPL requires personal information processing entities to complete impact assessments and retain the processing records for at least three years for:

1. Processing of sensitive personal information
2. Processing of personal information for automated decision-making
3. Entrusting vendors to process personal information, sharing personal information with other processing entities, or publicly disclosing personal information
4. Transferring personal information overseas; and
5. Other personal information processing activities that may have significant impacts on the rights and interests of individuals

Violations of the PIPL may be recorded into the “credit files” of the processing entity under China’s national social credit system.

Title (wordpress.com) - Available only in Chinese

Coronavirus Statement

Our highest priority at TruSight Solutions is to maintain health and safety, and we are closely monitoring the global situation regarding the spread of coronavirus (COVID-19). At the same time, we remain steadfast in our commitment to deliver assessment products of the highest quality for our customers and assessed parties. In light of these dual goals, this statement addresses precautions and strategies that TruSight is implementing with respect to on-site assessments and the assessors who conduct these facility visits.

Assessors who have been assigned to conduct on-site assessments have attested that they have not traveled in the past 30 days to a country with a Level 2 or Level 3 designation from the U.S. Centers for Disease Control and Prevention. (A Level 2 alert is for enhanced precautions, and a Level 3 warning is to avoid non-essential travel.)

Upon request, each individual assigned assessor will confirm this assurance in writing via email.

Any assessor currently conducting an assessment in an affected country is bound by the country’s domestic regulations and will remain in that country as long as required.

Assessors have been instructed to escalate any personal travel concerns to their manager. Individual concerns will be respected and assignments adjusted accordingly.

For reasons of health and safety, there could be a delay in conducting an assessment and/or delivering a product where a country is prohibiting travel or otherwise inhibiting movement that is necessary for such assessment. In this event, we will inform impacted vendors and customers as soon as we become aware of the situation. We may also propose performing a remote assessment in lieu of an on-site assessment and making adjustments accordingly.

As the coronavirus situation quickly evolves, TruSight is closely following developments from the World Health Organization, U.S. Centers for Disease Control and Prevention, and other domestic and international bodies. If you have questions or concerns, please reach out directly to your TruSight contacts.