Information Technology (IT) and Cybersecurity

Laws and Regulations

Key laws and regulations that pertain to FDIC-supervised institutions; note that other laws and regulations also may apply.

• Appendix A to Part 364 — Interagency Guidelines Establishing Standards for Safety and Soundness provide operational and managerial standards that address internal controls and information systems
• Appendix B to Part 364 — Interagency Guidelines Establishing Information Security Standards address administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information
• Section 304.3(d) — Reports addresses requirements for regulatory notification of certain service provider relationships
• The Bank Service Company Act establishes FDIC regulation and examination authority over certain service providers

Supervisory Resources

Frequently asked questions, advisories, statements of policy, and other information issued by the FDIC alone, or on an interagency basis, provided to promote safe-and-sound operations.

• Information Technology Risk Examination (InTREx) Program outlines risk-focused examination procedures used to assess IT and cybersecurity risks
• Uniform Rating System for Information Technology describes the internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT
• Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook provides guidance to examiners for evaluating financial institution and service provider risk management processes
• Computer-Security Incident Notification Final Rule establishes notification requirements for significant computer-security incidents for banking organizations and their bank service providers.
  • Computer-Security Incident Notification Implementation sets forth procedures for FDIC-supervised banks when reporting an incident to their supervisory team  
• Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice describes elements of a response program, including customer notification procedures
• Required Notification for Compliance with the Bank Service Company Act reminds institutions to notify the FDIC in writing of contractor relationships with third parties that provide certain services to the institution
• Cybersecurity
  • Updated FFIEC Cybersecurity Resource Guide for Financial Institutions announces updates to the FFIEC’s Cybersecurity Resource Guide for Financial Institutions which now includes updated references and ransomware-specific resources
  • Heightened Cybersecurity Risk Considerations focuses on risk management principles that can reduce the risk of a cyber-attack and minimize business disruptions for the financial services industry and other critical business sectors
  • Cyber Insurance and Its Potential Role in Risk Management Programs provides awareness of the potential role of cyber insurance in financial institutions’ risk management programs.
    
  • FFIEC Cybersecurity Assessment Tool assists institutions with identifying cybersecurity risks and determining preparedness
  • Frequently Asked Questions provide information related to the FFIEC Cybersecurity Assessment Tool
• IT Security
  • FFIEC Joint Statement on Risk Management for Cloud Computing Services addresses the use of cloud computing services and security risk management principles in the financial services sector.
  • FFIEC Joint Statements on Destructive Malware and Compromised Credentials alerts financial institutions to specific risk mitigation techniques related to destructive malware and cyber attacks that compromise credentials
  • Technology Alerts: GNU Bourne-Again Shell (Bash) Vulnerability and OpenSSL “Heartbleed” Vulnerability advise of material security vulnerabilities
  • Distributed Denial of Service (DDoS) Attacks outlines the risks posed by continued DDoS attacks on public-facing web sites
  • Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers provides information about the risk associated with sensitive information stored on these devices
  • Guidance on the Security Risks of VoIP addresses the delivery of traditional telephone voice communications over the Internet
  • Guidance on Mitigating Risks from Spyware provides recommendations to prevent and detect spyware on bank computers and outlines practices that customers can use to ensure security of the online banking relationship
  • Guidance on How Financial Institutions Can Protect Against Pharming Attacks describes the practice of “pharming,” how it occurs, and potential preventative approaches
  • Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance discusses due diligence when selecting computer software or a service provider
  • FFIEC Guidance on Risk Management of Free and Open Source Software is a supplement to the FFIEC Development and Acquisition handbook
  • Interagency Informational Brochure on Internet “Phishing” Scams helps consumers identify and combat “phishing” scams
  • Guidance on the Risks Associated With Instant Messaging includes information about how risks associated with publicly available instant messaging can be mitigated
  • Guidance on Developing an Effective Computer Virus Protection Program provides information on the risks associated with computer viruses and how these risks can be mitigated
  • Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes describes how financial institutions can assist in protecting their customers
  • Guidance on Developing an Effective Software Patch Management Program provides information about how to mitigate risks from commercial software vulnerabilities
  • Guidance on the Risks Associated with Weblinking outlines useful risk-management techniques for institutions that develop and maintain their own websites, as well as for those that use third-party service providers for that function
  • Managing Risks Associated with Wireless Technology and Wireless Customer Access addresses the potential compromise of customer information and risk mitigation
  • Guidance on Identity Theft and Pretext Calling provides a summary of federal laws for these topics, discusses steps to protect customer information, and highlights the importance of consumer education
  • Protecting Internet Domain Names alerts bank management to potential domain name-related problems
  • Risks to Financial Institutions Involving Client/Server Computer Systems outlines fundamental controls associated with the client/server environment
• Authentication
  • Authentication and Access to Financial Institution Services and Systems sets forth examples of effective authentication and access risk management principles and practices for financial institution systems and digital banking services.
• Identity Theft
  • Supervisory Policy on Identity Theft describes steps that can be taken to detect and prevent identity theft and mitigate the effects in order to protect consumers and help ensure institutions’ safe-and-sound operations
  • Frequently Asked Questions provide responses relating to identity theft red flags, address discrepancies, and change of address requests
  • FDIC Study Supplement on “Account-Hijacking” Identity Theft identifies trends in identity theft in general and account hijacking in particular
• Third-Party Relationships
  • Interagency Guidance on Third-Party Relationships: Risk Management provides sound principles that support a risk-based approach to third-party risk management.
    
  • Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks helps community banks conduct due diligence when considering relationships with financial technology (fintech) companies.
    
  • Technology Service Provider Contracts describes examiner observations about gaps in financial institutions’ contracts with service providers that may impact business continuity and incident response plans
• Payments
  • Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks advises institutions to actively manage the risks associated with these services
  • Clarification of Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors and related guidance on payment processor relationships to address risk management principles, potential risks, and the facilitation of payment processing services
  • Statement on ATM and Card Authorization Systems describes risks related to cyber-attacks
  • Risk Management of Remote Deposit Capture addresses risk identification, assessment, and mitigation, and the measurement and monitoring of residual risk exposure
• Business Continuity Management
  • Sound Practices to Strengthen Operational Resilience provides a comprehensive approach that banks may use to strengthen and maintain their operational resilience.
    
  • Statement on Pandemic Planning highlights the importance of business continuity planning to help minimize the disruption of services
  • Major Disaster Examiner Guidance outlines supervisory practices used to assess the financial condition of insured depository institutions affected by a disaster that results in the President declaring an area a major disaster with individual assistance
  • Lessons Learned from Hurricane Katrina is a compilation of experiences that may be helpful in preparing for a catastrophic event
  • Interim Sponsorship Policy for Government Emergency Telecommunications Service (GETS) Cards describes circumstances under which qualifying private sector financial institutions may request federal sponsorship in the Cybersecurity and Infrastructure Security Agency’s Government Emergency Telecommunications Service (GETS)

Other Resources

Supplemental information related to safe-and-sound banking operations.

• FFIEC Industry Outreach Website provides resource materials on current issues in the financial industry, including Information Technology and Cybersecurity
• FFIEC Cybersecurity Awareness Website provides resources to increase awareness of cybersecurity risks and to assess and mitigate cybersecurity risks
• NIST Cybersecurity Framework Website provides information on a voluntary cybersecurity framework developed by the National Institute of Standards and Technology
• Technology Outsourcing: Informational Tools for Community Bankers provides resources for selecting service providers, drafting contract terms, and providing oversight for multiple service providers

Videos/Webcasts/Teleconferences

Informational videos and recordings of prior webcasts and teleconferences.

• FDIC Technical Assistance Videos
  • Cybersecurity Awareness, a video series designed to assist bank directors with understanding cybersecurity risks and related risk management programs
  • Cyber Challenge: A Community Bank Cyber Exercise designed to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions

The FDIC’s Technical Assistance Video Program includes educational videos designed to provide bank directors, officers, and employees with useful information about areas of supervisory focus and regulatory changes.