
SRC Insights: Third Quarter 2009

Responding to a Security Breach: Be Prepared

In 2005, interagency guidance was issued to address response programs for unauthorized access to customer information maintained by financial institutions and their service providers.[1],[2] Today, the guidance is just as important, if not more so, for institutions weathering the current economy. The guidance states that every financial institution should develop and implement a response program, while allowing flexibility to design a risk-based response program tailored to the size, complexity, and nature of the institution's operations.

The quality of an institution's response to an incident involving a breach of customer information, and how well the breach is contained, are a function of the institution's culture, established processes, and training. Preparation is essential to the success of the response to a security breach incident. Assigning responsibilities to staff members and providing adequate training help ensure that the response to an incident will be organized and efficient.

Institutions that have adequate resources should create a formal incident response team. Whether or not a formal response team is in place, quick action by the staff is very important in helping to contain a breach and minimize the damage, including loss to the institution. Regular testing of response processes and procedures provides good feedback on the adequacy of the preparations. Ongoing customer education is also important to help reduce the number of incidents and the scope of an incident if one does occur.

An institution's response program should contain procedures for the following:

  1. Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused
  2. Notifying the institution's primary federal regulator as soon as possible once the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information
  3. Complying with applicable suspicious activity reporting regulations and guidance to ensure that appropriate law enforcement authorities are notified in a timely manner
  4. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts
  5. Notifying customers as soon as possible when it is determined that misuse of sensitive customer information has occurred or is reasonably possible.

Institutions should notify their primary federal regulator when there is a security breach involving sensitive customer information, including the nature of the breach and whether law enforcement has been notified or a suspicious activity report has been or will be filed. The notification should also include the response action taken, the number of customers affected, whether customers have been or will be notified, and whether a service provider is involved. For more information, please reference the guidance and the FFIEC IT Handbook.

[1] Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice was a joint effort of the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision. For the Federal Reserve, reference SR Letter 05-23, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
[2] The guidance interprets the Interagency Guidelines Establishing Information Security Standards, 12 CFR, part 208, app. D-2 and 12 CFR, part 225, app. F.
[3] Please refer to the Interagency Guidelines Establishing Information Security Standards for the formal definition of sensitive customer information.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.