Incident response – to report or not?


For the purposes of regulator reporting and customer notification, it is critical that we first define an “incident”.  Here is how an incident is defined by the FFIEC:

“A security incident represents the attempted or successful unauthorized access, use, modification, or destruction of information systems or customer data.”

But does every incident require reporting and notification?  No; reporting is required only if the incident results in an actual intrusion.  This is reinforced in the Suspicious Activity Report (SAR), under item 35(f) “Computer Intrusion”, which states in part:

“…a “computer intrusion” is defined as gaining access to a computer system of a financial institution…  For purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of websites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information.”

Furthermore, the intrusion must either have resulted in, or could reasonably result in, access to non-public information.  Item 11 in Objective 5 of the FFIEC Information Security IT Examination Procedures states:

“If the institution experienced unauthorized access to sensitive customer information, the examiner must determine that it:

  • Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused;
  • Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible;
  • Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and
  • Appropriately notified its primary federal regulator.”

In summary, the key to whether agency reporting is required is that the incident actually resulted in a successful intrusion.  Customer notification is required if there is a reasonable belief that the intrusion may result in the misuse of customer information.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy to digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise spans the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.

2 comments

  1. A bank was sending notification (instructions) to customers obtained through acquisition for customers using online banking and inadvertently sent blind e-mail where customers received the e-mail addresses of all 100 customers. There was no customer information (i.e., addresses, account numbers, etc.) included in the email, only instructions for online banking. Should this be considered for incident response, and what action, if any, should the bank initiate?
    Thank you for your time.

    1. Thanks for the question, it’s a good one! First off, any time there is any doubt the incident response team should investigate. Don’t let the decision to not act be made unilaterally, even if it turns out to be the correct decision. That said, the team needs to determine whether either NPI or PII was disclosed, and if so, whether regulator and/or customer notification is required. Based on your description of the incident it would appear that non-public information was disclosed, because the fact that the individuals were both bank customers and e-banking customers was not publicly known. However, it doesn’t appear as if personally identifiable information was disclosed. What the team must determine is this: Is it reasonably possible that someone who received the email could use the email address of another recipient to launch a phishing attack, knowing only that they use the same bank and have the same e-banking product? I would suggest that although it was not probable, it was possible, and that the bank should initiate customer notification procedures.

      Thanks again for the question…what are your thoughts?
