Summer Regulatory Summit eBook

Additional Considerations

• Control (Emergency Preparedness – Incident Response):
  o Does the Organization have a formal, documented Incident Response Plan, and does it include all vital information to allow management to respond to a cyber event in an efficient and timely manner?

• Recommendation:
  o The Organization should document an Incident Response Plan addressing Information Technology and Information Security breaches. The documented Incident Response Plan should, at a minimum, include procedures to:
    - Establish a Computer Incident Response Team (CIRT)
    - Assess the nature of the incident (malicious code, cracker/hacker attacks, and other technical vulnerabilities)
    - Assess the scope of the incident, the level of response, and reporting requirements
    - Identify what customer information systems and/or types of customer information have been accessed or misused
    - Notify the primary federal regulator (FDIC, OCC, and Federal Reserve must be notified within 36 hours)
      • FDIC-, OCC-, and Federal Reserve-supervised Institutions are required to notify their primary regulator as soon as possible, and no later than 36 hours after the Institution determines that a computer-security incident rises to the level of a notification incident; full compliance May 1, 2022
      • NCUA Rule final Sept 2023 – 12 CFR Part 748, RIN 3133-AF47
    - File a Suspicious Activity Report (SAR)
    - Contain and control each type of incident
    - Document an incident report
    - Respond to incident reports from vendors or service providers
    - Provide customer notifications where appropriate, including:
      • Description of the incident
      • Type of information subject to unauthorized access
      • Measures taken to prevent further unauthorized access
      • Telephone number for information and assistance
      • Reminder to remain vigilant over the next twelve to twenty-four months
      • Reminder to report suspected identity theft incidents to the Organization
    - Hold a ‘Lessons Learned’ meeting
    - Test the plan on a regular basis

© SBS CyberSecurity, LLC www.sbscyber.com
