Information Technology (IT) and Cybersecurity

Laws and Regulations

Key laws and regulations that pertain to FDIC-supervised institutions; note that other laws and regulations also may apply.

• Appendix A to Part 364 — Interagency Guidelines Establishing Standards for Safety and Soundness provide operational and managerial standards that address internal controls and information systems
• Appendix B to Part 364 — Interagency Guidelines Establishing Information Security Standards address administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information
• Section 304.3(d) — Reports addresses requirements for regulatory notification of certain service provider relationships
• Computer-Security Incident Notification Final Rule establishes notification requirements for significant computer-security incidents for banking organizations and their bank service providers. FDIC-supervised banks can comply with the rule by reporting an incident to their case manager or to any member of an FDIC examination team if the event occurs during an examination. If a bank is unable to access its supervisory team contacts, the bank may notify the FDIC by email at: incident@fdic.gov.
• Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, Supplement A to Appendix B, describes elements of a response program, including customer notification procedures
• The Bank Service Company Act establishes FDIC regulation and examination authority over certain service providers. Section 7(c)(2) requires institutions to notify the FDIC within 30 days of service relationships with third parties that provide certain services as defined in Section 3 (Notification of Performance of Bank Services form).

IT Examination Resources

IT examination ratings, procedures, and work programs.

• Information Technology Risk Examination (InTREx) Program outlines risk-focused examination procedures used to assess IT and cybersecurity risks
• Uniform Rating System for Information Technology describes the internal rating system used by federal and state regulators to uniformly assess financial institution and service provider risks introduced by IT
• Federal Financial Institutions Examination Council (FFIEC) Information Technology (IT) Examination Handbook provides guidance to examiners for evaluating financial institution and service provider risk management processes

Supervisory Resources

Frequently asked questions, advisories, statements of policy, and other information issued by the FDIC alone, or on an interagency basis, provided to promote safe-and-sound operations.

• Cybersecurity
  • FFIEC Cybersecurity Resource Guide for Financial Institutions provides updated references and ransomware-specific resources
  • Heightened Cybersecurity Risk Considerations focuses on risk management principles that can reduce the risk of a cyber-attack and minimize business disruptions for the financial services industry and other critical business sectors
  • FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness emphasizes the benefits of using a standardized approach to assess and improve cybersecurity preparedness.
  • Cyber Insurance and Its Potential Role in Risk Management Programs provides awareness of the potential role of cyber insurance in financial institutions’ risk management programs.
  • FFIEC Cybersecurity Assessment Tool assists institutions with identifying cybersecurity risks and determining preparedness
  • Frequently Asked Questions provide information related to the FFIEC Cybersecurity Assessment Tool
• IT Security
  • FFIEC Joint Statement on Risk Management for Cloud Computing Services addresses the use of cloud computing services and security risk management principles in the financial services sector.
  • FFIEC Joint Statement on Destructive Malware alerts financial institutions to specific risk mitigation techniques related to destructive malware
  • FFIEC Joint Statement on Compromised Credentials alerts financial institutions to specific risk mitigation techniques related to cyber attacks that compromise credentials
  • Vulnerability Alerts: GNU Bourne-Again Shell (Bash) Vulnerability and OpenSSL “Heartbleed” Vulnerability advise of material security vulnerabilities
  • Distributed Denial of Service (DDoS) Attacks outlines the risks posed by continued DDoS attacks on public-facing web sites
  • Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers provides information about the risk associated with sensitive information stored on these devices
  • Guidance on the Security Risks of VoIP addresses the delivery of traditional telephone voice communications over the Internet
  • Guidance on Mitigating Risks from Spyware provides recommendations to prevent and detect spyware on bank computers and outlines practices that customers can use to ensure security of the online banking relationship
  • Guidance on How Financial Institutions Can Protect Against Pharming Attacks describes the practice of “pharming,” how it occurs, and potential preventative approaches
  • Guidance on Developing an Effective Computer Software Evaluation Program to Assure Quality and Regulatory Compliance discusses due diligence when selecting computer software or a service provider
  • FFIEC Guidance on Risk Management of Free and Open Source Software is a supplement to the FFIEC Development and Acquisition handbook
  • Interagency Informational Brochure on Internet “Phishing” Scams helps consumers identify and combat “phishing” scams
  • Guidance on the Risks Associated With Instant Messaging includes information about how risks associated with publicly available instant messaging can be mitigated
  • Guidance on Developing an Effective Computer Virus Protection Program provides information on the risks associated with computer viruses and how these risks can be mitigated
  • Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes describes how financial institutions can assist in protecting their customers
  • Guidance on Developing an Effective Software Patch Management Program provides information about how to mitigate risks from commercial software vulnerabilities
  • Guidance on the Risks Associated with Weblinking outlines useful risk-management techniques for institutions that develop and maintain their own websites, as well as for those that use third-party service providers for that function
  • Managing Risks Associated with Wireless Technology and Wireless Customer Access addresses the potential compromise of customer information and risk mitigation
  • Guidance on Identity Theft and Pretext Calling provides a summary of federal laws for these topics, discusses steps to protect customer information, and highlights the importance of consumer education
  • Protecting Internet Domain Names alerts bank management to potential domain name-related problems
  • Risks to Financial Institutions Involving Client/Server Computer Systems outlines fundamental controls associated with the client/server environment
• Authentication
  • Authentication and Access to Financial Institution Services and Systems sets forth examples of effective authentication and access risk management principles and practices for financial institution systems and digital banking services.
• Identity Theft
  • Supervisory Policy on Identity Theft describes steps that can be taken to detect and prevent identity theft and mitigate the effects in order to protect consumers and help ensure institutions’ safe-and-sound operations
  • Frequently Asked Questions provide responses relating to identity theft red flags, address discrepancies, and change of address requests
  • FDIC Study Supplement on “Account-Hijacking” Identity Theft identifies trends in identity theft in general and account hijacking in particular
• Third-Party Relationships
  • Third-Party Risk Management, A Guide for Community Banks  helps community banks implement third-party risk management programs
  • Interagency Guidance on Third-Party Relationships: Risk Management provides sound principles that support a risk-based approach to third-party risk management.
  • Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks helps community banks conduct due diligence when considering relationships with financial technology (fintech) companies.
  • Technology Service Provider Contracts describes examiner observations about gaps in financial institutions’ contracts with service providers that may impact business continuity and incident response plans
• Payments
  • Statement on Cybersecurity of Interbank Messaging and Wholesale Payment Networks advises institutions to actively manage the risks associated with these services
  • Clarification of Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors and related guidance on payment processor relationships to address risk management principles, potential risks, and the facilitation of payment processing services
  • Statement on ATM and Card Authorization Systems describes risks related to cyber-attacks
  • Risk Management of Remote Deposit Capture addresses risk identification, assessment, and mitigation, and the measurement and monitoring of residual risk exposure
• Business Continuity Management
  • Sound Practices to Strengthen Operational Resilience provides a comprehensive approach that banks may use to strengthen and maintain their operational resilience.
  • Statement on Pandemic Planning highlights the importance of business continuity planning to help minimize the disruption of services
  • Major Disaster Examiner Guidance outlines supervisory practices used to assess the financial condition of insured depository institutions affected by a disaster that results in the President declaring an area a major disaster with individual assistance
  • Lessons Learned from Hurricane Katrina is a compilation of experiences that may be helpful in preparing for a catastrophic event
  • Interim Sponsorship Policy for Government Emergency Telecommunications Service (GETS) Cards describes circumstances under which qualifying private sector financial institutions may request federal sponsorship in the Cybersecurity and Infrastructure Security Agency’s Government Emergency Telecommunications Service (GETS)

Other Resources

Supplemental information related to safe-and-sound banking operations.

• FFIEC Industry Outreach Website provides resource materials on current issues in the financial industry, including Information Technology and Cybersecurity
• FFIEC Cybersecurity Awareness Website provides resources to increase awareness of cybersecurity risks and to assess and mitigate cybersecurity risks
• NIST Cybersecurity Framework Website provides information on a voluntary cybersecurity framework developed by the National Institute of Standards and Technology
• Technology Outsourcing: Informational Tools for Community Bankers provides resources for selecting service providers, drafting contract terms, and providing oversight for multiple service providers

Technical Assistance Video Program

The Technical Assistance Video Program is a series of educational videos designed to provide useful information to bank directors, officers, and employees on areas of supervisory focus and regulatory changes. These videos are available on the FDIC’s YouTube channel.

• Cybersecurity Awareness for Board Members provides background information on cybersecurity and discusses the board’s role in overseeing their bank’s cybersecurity efforts.
• Cybersecurity Awareness for Bank Officers discusses the important role bank officers have in designing and maintaining information security programs in a dynamic and evolving cyber threat environment.
• Information Technology provides information for bank directors and trustees regarding oversight of a bank’s information technology program and FDIC information technology examinations.
• Cyber Challenge: A Community Bank Cyber Exercise encourages community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.