About Us | Contact Us
View Cart

Incident Response Boilerplate Update

By Adam Reynolds | Monday, October 15, 2018 - Leave a Comment

We have recently made a significant change to our Incident Response Policy regarding Disclosure Incidents.


At infotex we are always revising and updating our boilerplates. We have recently made a significant change to our Incident Response Policy regarding Disclosure Incidents. It is of course very important to comply with all applicable laws and regulations, but understanding which of these you are required to comply with, and when compliance is necessary, will prevent undue burden on your institution. We want our policy to queue up that financial institutions do not have to comply with state law if their policy requires them to comply with federal law (such as FDIC’s Financial Institution Letter 27-2005, the OCC Supervisor Letter 2005-13, SR 05-23 / CA 05-10 for Federal Reserve banks, and NCUA Rules and Regulation 748 Appendix B for NCUA institutions).  This will get you out of a lot of busy work required by the state if you don’t need the help of law enforcement.

If you DO need law enforcement’s help, they will ask you to hit on certain parts of state law.  (Usually notifying the State Attorney General’s office.)  And there may be other reasons you should comply with state law that arise out of the unpredictable incident itself.

Thus, our boilerplate USED to say:

  • Disclosure Incidents:  These are incidents which, because of some statute or regulation, require [name of financial institution] to notify customers, law enforcement, examiners, or the board of directors.  The [Incident Response Team (IRT) / IRT / Technology Steering Committee / Disaster Recovery Team] must comply with all applicable laws and regulations, including state laws such as [Indiana Code 24-4.9 / applicable law in your state] and federal regulations such as the [FDIC’s Financial Institution Letter 27-2005, the OCC Supervisor Letter 2005-13, SR 05-23 / CA 05-10 for Federal Reserve banks, and NCUA Rules and Regulation 748 Appendix B for NCUA institutions —> the FFIEC’s Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice] and/or any other applicable guidance or regulations as they are developed.

However, we feel this can be interpreted to mean that you are REQUIRED to comply with state law.  Not so.

In the newest version of our boilerplate, we have changed our wording to reflect that while federal regulations regarding disclosure incidents should always be followed, state regulations should only be addressed when absolutely necessary.  The new language is as follows:

  • Disclosure Incidents:  These are incidents which, because of some statute or regulation, require [name of financial institution] to notify customers, law enforcement, examiners, or the board of directors.  The [Incident Response Team (IRT) / IRT / Technology Steering Committee / Disaster Recovery Team] must comply with all applicable laws and regulations, including (only when absolutely necessary) the state laws such as [Indiana Code 24-4.9 / applicable law in your state] and always including federal regulations such as the [FDIC’s Financial Institution Letter 27-2005, the OCC Supervisor Letter 2005-13, SR 05-23 / CA 05-10 for Federal Reserve banks, and NCUA Rules and Regulation 748 Appendix B for NCUA institutions —> the FFIEC’s Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice] and/or any other applicable guidance or regulations as they are developed.

Please note that we have passed our interpretation of this issue on to our own attorneys, who have agreed that we are interpreting it correctly, with one all-caps stipulation:  THE BANK STILL HAS TO COMPLY WITH FEDERAL GUIDANCE.  (To which we said, hey, they’re banks, of course they will comply with the federal guidance!!)


Adam Reynolds is a Staff Auditor at infotex.


same_strip_012513


 

Latest News
    PRESS RELEASE – FOR IMMEDIATE RELEASE SERVICE NEWS Dateline: Dayton, IN, June 22, 2022 We are proud to announce that infotex will now be supporting Endpoint Detection and Response (XDR/MDR)! We can manage/monitor solutions you already have or offer one as part of our service while still maintaining a segregated response posture. In recent years […]
    Over 85 percent of surveyed companies report having no  centralized monitoring of networked industrial devices… An article review. If you are involved in IT within your organization, you’re probably aware of the importance of being able to monitor relevant activity from your networked devices, especially if your organization is involved in healthcare, finance, or government.  […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    We always strive to bring you the best content that we possibly can. Your opinion on any content, presentation, service, or anything else you have received from us is important! Please click the button below to let us know how we are doing!  
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]
    Threats are changing, EDR can help us adapt . . . Today’s advanced persistent threat (APT) understands that the IT landscape has changed. In the post-COVID age, more and more organizations have adopted some form of work from home.  While WFH offers many conveniences, it also imparts increased risks. BitSight conducted a 2021 study of […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]