In 2005, interagency guidance was issued to address response programs for unauthorized access to customer information maintained by financial institutions and their service providers. The guidance is just as important today, if not more so, for institutions weathering the current economy. It states that every financial institution should develop and implement a response program, while allowing flexibility to design a risk-based program tailored to the size, complexity, and nature of the institution's operations.
The quality of an institution's response to an incident involving a breach of customer information, and its ability to contain the breach, is a function of the institution's culture, established processes, and training. Preparation is essential to a successful response to a security breach. Assigning responsibilities to specific staff members and providing adequate training help ensure that the response to an incident is organized and efficient.
Institutions with adequate resources should create a formal incident response team. Whether or not a formal team is in place, quick action by staff is critical to containing a breach and minimizing the damage, including loss to the institution. Regular testing of response processes and procedures provides useful feedback on the adequacy of the preparations. Ongoing customer education is also important, both to reduce the number of incidents and to limit the scope of an incident when one does occur.
An institution's response program should contain procedures for the following:
Institutions should notify their primary federal regulator when there is a security breach involving sensitive customer information, including the nature of the breach and whether law enforcement has been notified or a suspicious activity report has been or will be filed. The notification should also include the response actions taken, the number of customers affected, whether customers have been or will be notified, and whether a service provider is involved. For more information, refer to the guidance and the FFIEC IT Handbook.