During the development of our Incident Management product, we spent a lot of time researching and reviewing guidance so we could know exactly what should be included in a financial institution's incident management program. While not an exhaustive list, if you are looking for guidance on what to include in your plan, the resources below will help you get started.
If reading guidance and turning it into something actionable doesn't sound like your idea of a good time, check out Tandem Incident Management. We've done the heavy reading for you and created a product to help financial institutions develop their incident response plans and track incidents in accordance with guidance. Learn more at Tandem.App/Incident-Management-Software.
| Document | Summary | Reference |
| --- | --- | --- |
| Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice | These guidelines define the minimum requirements for what should be included in an incident response program for the compromise of customer/member data, including procedures to assess, contain, and control incidents; notify regulators; file a Suspicious Activity Report (SAR); notify customers; etc. | FDIC 12 CFR Part 364 Appendix B, Supplement A.II; FRB 12 CFR Part 208 Appendix D-2, Supplement A.II |
| Interpretive Guidance | This interpretive guidance supplements the security guidelines and clarifies the incident management responsibilities of financial institutions. | Interpretive Guidance (FDIC, FRB, and OCC) |
| Computer-Security Incident Notification Requirements for Banking Organizations and their Bank Service Providers | This rule requires banks to notify their primary federal regulator within 36 hours of determining a "notification incident" occurred. It also requires bank service providers (subject to the BSCA) to notify their affected customers as soon as possible when an incident occurs which may cause a disruption for four or more hours. Learn more in our blog: The New Incident Notification Rule: What Banks Need to Know. | |
| Contact Information for Computer-Security Incident Notifications | Each of the federal banking agencies published contact information to be used when reporting computer-security incidents. Learn more in our blog: The New Incident Notification Rule: What Banks Need to Know. | |
| Cyber Incident Notification Requirements for Federally Insured Credit Unions | This rule requires credit unions to notify the NCUA as soon as possible and within 72 hours of believing the credit union experienced a reportable cyber incident. Learn more in our blog: Reportable Cyber Incidents: An Overview of the NCUA's New Notification Rule. | |
| Cyber Incident Notification Requirements Guidance | The NCUA published guidance and contact information to be used when reporting incidents. Learn more in our blog: Reportable Cyber Incidents: An Overview of the NCUA's New Notification Rule. | |
| Suspicious Activity Reports | This rule requires financial institutions to file a report with federal law enforcement, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) within 30 days of detecting a suspicious transaction. | |
| FFIEC Information Security Booklet | This booklet discusses incident response from an information security perspective, including threat identification and assessment; threat monitoring; incident identification and assessment; and incident response. | |
| FFIEC Business Continuity Management Booklet | This booklet discusses incident response from a business continuity perspective, including preservation of life, preservation of property, incident stabilization, and communicating with stakeholders. | |
| FFIEC Architecture, Infrastructure, and Operations Booklet | This booklet discusses incident response from an operational perspective, including processes to identify, assess, log, track, resolve, and report on incidents which could impact operations. | |
| FFIEC Management Booklet | This booklet provides guidance on reporting incidents to the Board, government agencies, law enforcement, and regulators. | |
| FDIC Information Technology Risk Examination Program (InTREx) | These examination procedures include a list of elements examiners should use to help evaluate an institution's incident response plan. | Support and Delivery, Procedure 13 (Page 35) |
| FDIC Supervisory Insights, Incident Response Programs: Don't Get Caught Without One | This Supervisory Insights article from the FDIC discusses the importance of an incident response program and the expected minimum elements of the program. | |