Skip to Main Content

Supervision News Flash

December 2019

Cyberattacks and Incident Reporting – Reminders and Clarification

Security while using the laptop

Cyberattacks, security incidents and data breaches occur daily, and we have seen an increasing number of banks in the Fifth District affected by these events. In light of this, we decided to revisit this topic so that you are prepared to report an incident when it occurs. In addition to a reminder about incident response, we also share an important clarification below regarding the concept of “access.”

This article is a follow up to a News Flash article titled Planning for the Inevitable: Security Breaches, published in 2017 related to incident response planning. Our guidance has not changed, and the expectations remain the same for financial institutions. Each institution should have appropriate practices in place to mitigate these attacks or security incidents.

What you should know — The Reminders

In 2005, the Federal Reserve issued a joint SR 05-23 and CA 05-10 Letter, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, which outlines the requirements for an incident response program. The guidance also clearly states that a financial institution should notify its primary federal regulator of a security incident involving unauthorized access to sensitive customer information, whether or not the institution notifies its customers. This guidance clearly defines sensitive customer information and unauthorized access to that information. Note that the incident-response guidance is broader than just reporting cyber incidents. It also covers things such as sending the wrong statement to a customer or accidentally emailing confidential information to a person outside of your organization.

What you should know — Access Clarified

Access, as defined by the FFIEC Information Security Booklet, refers to the ability to physically or logically enter or make use of an IT system or area — secured or unsecured — and is the process of interacting with a system. It is the concept of “access” where we want to clarify our expectations regarding regulatory reporting of security incidents, because there seems to be a misunderstanding about what “access” really means. Access does not simply mean that an intruder has transmitted sensitive customer information externally; instead, access can also indicate that someone or something has entered your system(s) where customer information resides, giving them the ability to review the information in your systems whether they transmit it externally or not. Additionally, unauthorized access to customer information can also occur by accidental disclosure, by an employee for example.  This unauthorized “access” to sensitive customer information is the key factor in determining whether you should report the security incident to your primary federal regulator and potentially to law enforcement.

What you should do

Review your bank’s incident response processes and ensure your employees are aware of and well trained on how to handle an attack, security breach or accidental disclosure. Make sure you clearly outline notification procedures in your institution’s response plan and contact your primary federal regulator as soon as possible once you become aware of an incident involving unauthorized access to sensitive customer information. Consider filing a suspicious activity report and consult FinCEN guidance.

Why this is important

You probably wonder what happens to the information reported to us. All Reserve Banks are required to notify the Board of Governors (Board) of security incidents reported to us. We can only share with the Board what we know, which is why it is so important that you share the information with us as quickly as possible (national and nonmember banks should follow their primary federal regulator’s guidelines). Board staff follows the progress of the incidents and utilizes the information to inform future supervisory guidance and identify trends in information security developments.


If you have questions about your incident response procedures or you are trying to determine whether notification is required, contact Operational Risk Managing Examiner Cara Mitchell at, or call her at (804) 697-2627 to discuss.

phone Contact Us