The division applies the federal regulations used by the respective federal depository banking agencies. These regulations set standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer / member information. They also set standards for the proper disposal of consumer information and for response programs addressing unauthorized access to customer / member information, including customer notification.
Banks: Appendix B to Part 364 / Supplement A to Appendix B to Part 364
Credit Unions: Appendix A to Part 748 / Appendix B to Part 748
CSBS Cyber Hygiene Awareness Campaign for Financial Institutions
CSBS has developed a series of resources that will be shared throughout the upcoming year to promote ongoing awareness of cyber hygiene for financial institutions. These communications will be shared on this page via the links below. Please check back periodically for new publications as they are released.
Series 1 - Cyber Hygiene Actions Your Institution Should Take Today [pdf]
Series 2 - End-of-Life Management & Multi-Factor Authentication [zip]
Federal Financial Institutions Examination Council (FFIEC) – Cybersecurity Assessment Tool (CAT) Sunset
On August 29, 2024, the Federal Financial Institutions Examination Council (FFIEC) released a statement announcing the sunset of the FFIEC Cybersecurity Assessment Tool (CAT), which will no longer be available on the FFIEC website effective August 31, 2025. While the FFIEC has decided not to update the CAT, new and updated government and industry resources are available that financial institutions can use to better manage cybersecurity risk. For more information, please refer to the CAT Sunset Statement by the FFIEC [PDF] and to the Frequently Asked Questions (FAQ) prepared by the Conference of State Bank Supervisors (CSBS) [PDF].
CISA - Safeguarding Our Critical Infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence released guidance to help critical infrastructure owners and operators detect and mitigate efforts by foreign intelligence entities to disrupt U.S. critical infrastructure.
Get a copy of the document here [pdf]
Updated Ransomware Self-Assessment Tool (R-SAT) – Available now!
The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service collaborated to develop this tool to help financial institutions periodically assess their efforts to mitigate ransomware risk and identify gaps where security should be strengthened. The document gives executive management and the board of directors an overview of the institution’s preparedness for identifying, protecting against, detecting, responding to, and recovering from a ransomware attack. It may also assist third parties (such as auditors, security consultants, and regulators) that review your institution’s security practices.
Link to the updated Ransomware Self-Assessment Tool (R-SAT)
Credit Unions
Appendix B to Part 748 II.A.1.b. includes requirements for credit unions to “notify the appropriate NCUA Regional Director, and, in the case of state-chartered credit unions, its applicable state supervisory authority, as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member information.”
Additional guidance can be found in Letters to Credit Unions - Cyber Incident Notification Requirements
Banks
Although not required, all state-chartered banking institutions are encouraged to notify their applicable state supervisory authority as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.
Supplement A to Appendix B to Part 364 II.A.1.b. includes requirements for banks to “Notify its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.”
Additional guidance can be found in Financial Institution Letter - Computer-Security Incident Notification Rule and Federal Reserve Board - Agencies approve final rule requiring computer-security incident notification.
Commerce Department contact for Financial Institutions Information Security Program reporting:
Nicholas Jenson, Senior Examiner
nicholas.jenson@state.mn.us
651-539-1712