Laws and Regulations
Key laws and regulations that pertain to FDIC-supervised institutions; note that other laws and regulations also may apply.
- provide operational and managerial standards that address internal controls and information systems
- address administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information
- addresses requirements for regulatory notification of certain service provider relationships
- establishes notification requirements for significant computer-security incidents for banking organizations and their bank service providers. FDIC-supervised banks can comply with the rule by reporting an incident to their case manager or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: incident@fdic.gov.
- , Supplement A to Appendix B, describes elements of a response program, including customer notification procedures
- The establishes FDIC regulation and examination authority over certain service providers. Section 7(c)(2) requires institutions to notify the FDIC within 30 days of service relationships with third parties that provide certain services as defined in Section 3 (Notification of Performance of Bank Services form).
IT Examination Resources
IT examination ratings, procedures, and work programs.
- Information Technology Risk Examination (InTREx) Program outlines risk-focused examination procedures used to assess IT and cybersecurity risks
- describes the internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT
- provides guidance to examiners for evaluating financial institution and service provider risk management processes
Supervisory Resources
Frequently asked questions, advisories, statements of policy, and other information issued by the FDIC alone, or on an interagency basis, provided to promote safe-and-sound operations.
- Cybersecurity
- provides updated references and ransomware-specific resources
- Heightened Cybersecurity Risk Considerations focuses on risk management principles that can reduce the risk of a cyber-attack and minimize business disruptions for the financial services industry and other critical business sectors
- emphasizes the benefits of using a standardized approach to assess and improve cybersecurity preparedness.
- provides awareness of the potential role of cyber insurance in financial institutions' risk management programs.
- FFIEC assists institutions with identifying cybersecurity risks and determining preparedness
- provide information related to the FFIEC Cybersecurity Assessment Tool
- IT Security
- FFIEC Joint Statement on Risk Management for Cloud Computing Services addresses the use of cloud computing services and security risk management principles in the financial services sector.
- alerts financial institutions to specific risk mitigation techniques related to destructive malware
- alerts financial institutions to specific risk mitigation techniques related to cyber attacks that compromise credentials
- Vulnerability Alerts: and advise of material security vulnerabilities
- outlines the risks posed by continued DDoS attacks on public-facing web sites
- Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers provides information about the risk associated with sensitive information stored on these devices
- Guidance on the Security Risks of VoIP addresses the delivery of traditional telephone voice communications over the Internet
- Guidance on Mitigating Risks from Spyware provides recommendations to prevent and detect spyware on bank computers and outlines practices that customers can use to ensure security of the online banking relationship
- Guidance on How Financial Institutions Can Protect Against Pharming Attacks describes the practice of "pharming," how it occurs, and potential preventative approaches
- Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance discusses due diligence when selecting computer software or a service provider
- FFIEC Guidance on Risk Management of Free and Open Source Software is a supplement to the FFIEC Development and Acquisition handbook
- Interagency Informational Brochure on Internet "Phishing" Scams helps consumers identify and combat "phishing" scams
- Guidance on the Risks Associated With Instant Messaging includes information about how risks associated with publicly available instant messaging can be mitigated
- Guidance on Developing an Effective Computer Virus Protection Program provides information on the risks associated with computer viruses and how these risks can be mitigated
- Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes describes how financial institutions can assist in protecting their customers
- Guidance on Developing an Effective Software Patch Management Program provides information about how to mitigate risks from commercial software vulnerabilities
- Guidance on the Risks Associated with Weblinking outlines useful risk-management techniques for institutions that develop and maintain their own websites, as well as for those that use third-party service providers for that function
- Managing Risks Associated with Wireless Technology and Wireless Customer Access addresses the potential compromise of customer information and risk mitigation
- Guidance on Identity Theft and Pretext Calling provides a summary of federal laws for these topics, discusses steps to protect customer information, and highlights the importance of consumer education
- Protecting Internet Domain Names alerts bank management to potential domain name-related problems
- Risks to Financial Institutions Involving Client/Server Computer Systems outlines fundamental controls associated with the client/server environment
- Authentication
- sets forth examples of effective authentication and access risk management principles and practices for financial institution systems and digital banking services.
- Identity Theft
- Supervisory Policy on Identity Theft describes steps that can be taken to detect and prevent identity theft and mitigate the effects in order to protect consumers and help ensure institutions' safe-and-sound operations
- Frequently Asked Questions provide responses relating to identity theft red flags, address discrepancies, and change of address requests
- FDIC Study Supplement on "Account-Hijacking" Identity Theft identifies trends in identity theft in general and account hijacking in particular
- Third-Party Relationships
- Third-Party Risk Management, A Guide for Community Banks helps community banks implement third-party risk management programs
- Interagency Guidance on Third-Party Relationships: Risk Management provides sound principles that support a risk-based approach to third-party risk management.
- Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks helps community banks conduct due diligence when considering relationships with financial technology (fintech) companies.
- Technology Service Provider Contracts describes examiner observations about gaps in financial institutions' contracts with service providers that may impact business continuity and incident response plans
- Payments
- advises institutions to actively manage the risks associated with these services
- Clarification of Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors and related guidance on payment processor relationships to address risk management principles, potential risks, and the facilitation of payment processing services
- describes risks related to cyber-attacks
- addresses risk identification, assessment, and mitigation, and the measurement and monitoring of residual risk exposure
- Business Continuity Management
- Sound Practices to Strengthen Operational Resilience provides a comprehensive approach that banks may use to strengthen and maintain their operational resilience.
- highlights the importance of business continuity planning to help minimize the disruption of services
- Major Disaster Examiner Guidance outlines supervisory practices used to assess the financial condition of insured depository institutions affected by a disaster that results in the President declaring an area a major disaster with individual assistance
- Lessons Learned from Hurricane Katrina is a compilation of experiences that may be helpful in preparing for a catastrophic event
- Interim Sponsorship Policy for Government Emergency Telecommunications Service (GETS) Cards describes circumstances under which qualifying private sector financial institutions may request federal sponsorship in the Cybersecurity and Infrastructure Security Agency's
Other Resources
Supplemental information related to safe-and-sound banking operations.
- provides resource materials on current issues in the financial industry, including Information Technology and Cybersecurity
- provides resources to increase awareness of cybersecurity risks and to assess and mitigate cybersecurity risks
- provides information on a voluntary cybersecurity framework developed by the National Institute of Standards and Technology
- Technology Outsourcing: Informational Tools for Community Bankers provides resources for selecting service providers, drafting contract terms, and providing oversight for multiple service providers
Technical Assistance Video Program
The Technical Assistance Video Program is a series of educational videos designed to provide useful information to bank directors, officers, and employees on areas of supervisory focus and regulatory changes. These videos are available on the FDIC's YouTube channel.
- for Board Members provides background information on cybersecurity and discusses the board's role in overseeing their bank's cybersecurity efforts.
- discusses the important role bank officers have in designing and maintaining information security programs in a dynamic and evolving cyber threat environment.
- provides information for bank directors and trustees regarding oversight of a bank's information technology program and FDIC information technology examinations.
- Cyber Challenge: A Community Bank Cyber Exercise encourages community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.