During the development of our Incident Management product, we spent a lot of time researching and reviewing guidance so we would know exactly what should be included in a financial institution's incident management program. While not an exhaustive list, if you are looking for guidance on what to include in your plan, the resources below will help you get started.

If reading guidance and turning it into something actionable doesn't sound like your idea of a good time, check out Tandem Incident Management. We've done the heavy reading for you and created a product to help financial institutions develop their incident response plans and track incidents in accordance with guidance. Learn more at Tandem.App/Incident-Management-Software

| Document | Summary | Reference |
| --- | --- | --- |
| Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice | These guidelines define the minimum requirements for an incident response program covering the compromise of customer/member data, including procedures to assess, contain, and control incidents; notify regulators; file a Suspicious Activity Report (SAR); notify customers; etc. | FDIC 12 CFR Part 364 Appendix B, Supplement A.II; FRB 12 CFR Part 208 Appendix D-2, Supplement A.II; NCUA 12 CFR Part 748 Appendix B.II; OCC 12 CFR Part 30 Appendix B, Supplement A.II |
| Interpretive Guidance | This interpretive guidance supplements the security guidelines and clarifies the incident management responsibilities of financial institutions. | Interpretive Guidance (FDIC, FRB, and OCC) |
| Computer-Security Incident Notification Requirements for Banking Organizations and their Bank Service Providers | This rule requires banks to notify their primary federal regulator within 36 hours of determining that a "notification incident" has occurred. It also requires bank service providers (those subject to the Bank Service Company Act, BSCA) to notify their affected bank customers as soon as possible when an incident occurs that may cause a disruption of four or more hours. Learn more in our blog: The New Incident Notification Rule: What Banks Need to Know | FDIC 12 CFR Part 304 Subpart C; FRB 12 CFR Part 225 Subpart N; OCC 12 CFR Part 53 |
| Contact Information for Computer-Security Incident Notifications | Each of the federal banking agencies published contact information to be used when reporting computer-security incidents. Learn more in our blog: The New Incident Notification Rule: What Banks Need to Know | FDIC FIL-12-2022; FRB SR 22-4/CA 22-3; OCC Bulletin 2022-8 |
| Suspicious Activity Reports | This rule requires financial institutions to file a report with federal law enforcement, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) within 30 days of detecting a suspicious transaction. | FDIC 12 CFR Part 353; FRB 12 CFR Part 208 Subpart F; NCUA 12 CFR Part 748; OCC 12 CFR Part 21 Subpart B |
| FFIEC Information Security Booklet | This booklet discusses incident response from an information security perspective, including threat identification and assessment; threat monitoring; incident identification and assessment; and incident response. | III. Security Operations |
| FFIEC Business Continuity Management Booklet | This booklet discusses incident response from a business continuity perspective, including preservation of life, preservation of property, incident stabilization, and communication with stakeholders. | V.F.1 Incident Response |
| FFIEC Architecture, Infrastructure, and Operations Booklet | This booklet discusses incident response from an operational perspective, including processes to identify, assess, log, track, resolve, and report on incidents that could impact operations. | VI.C.4 Event, Incident, and Problem Management |
| FFIEC Management Booklet | This booklet provides guidance on reporting incidents to the Board, government agencies, law enforcement, and regulators. | III.C.3 Information Security |
| FFIEC Cybersecurity Assessment Tool | This assessment includes a set of declarative statements to help institutions determine the maturity of their incident management program. | Domain 5: Cyber Incident Management and Resilience (Page 51) |
| FFIEC Cybersecurity Assessment General Observations | This report defines cyber incident management and provides examples of procedures that should be included in a response plan. | Cyber Incident Management and Resilience (Page 4) |
| FDIC Information Technology Risk Examination Program (InTREx) | These examination procedures include a list of elements examiners should use to help evaluate an institution's incident response plan. | Support and Delivery, Procedure 13 (Page 35) |
| FDIC Supervisory Insights, Incident Response Programs: Don't Get Caught Without One | This Supervisory Insights article from the FDIC discusses the importance of an incident response program and the expected minimum elements of such a program. | FDIC: Supervisory Insights - Compliance Examinations |