Information Technology Supervision

I want to know about...

• Reporting cybersecurity breaches
• Requesting service-provider examination reports
• IT regulations
• IT supervision and regulation letters
• IT guidance
• IT frequently asked questions
• IT outreach information
• Who to contact about IT examinations

Reporting cybersecurity breaches

Given the heightened cyber threat environment, we would like to remind you of our expectations for effective computer security incident response and reporting, in the event your bank experiences a cybersecurity breach.

For incidents reportable under both SR 22-4 Contact Information in Relation to Computer-Security Incident Notification Requirements and SR 05-23 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, following the SR 22-4 process will also fulfill SR 05-23 requirements.

To report an SR 22-4—Computer-Security Incident:

• Email the Federal Reserve System incident mailbox at incident@frb.gov or contact the Incident Notification Line at 866-364-0096, and
• Notify your Central Point of Contact.

To report an SR 05-23—Sensitive Customer Data Incident:

• Email the Dallas BS&R Incident mailbox at BSR.Incident.Report@dal.frb.org
• Contact an IT director of examinations:
• Meeoak Cho, Assistant Vice President

For more information, see Cybersecurity IT Incident Response and Reporting

Requesting service-provider examination reports

The Federal Banking Agencies distribute Reports of Examination (ROE) resulting from its supervision of Technology Service Providers to regulated financial institutions that are either included in the customer list or can demonstrate they had an active contract at the time of the examination.

Please direct requests for service-provider examination reports to:

• Meeoak Cho, Assistant Vice President

IT regulations

• Regulation H – Interagency Guidelines Establishing Information Security Standards
• Regulation V – Subpart J – Identity Theft Red Flags
• Regulation II (Debit Card Interchange Fees and Routing) – Compliance Guide
• All Regulations
• Also see IT Frequently Asked Questions section below for more information

IT supervision and regulation letters

• IT Supervisory Policy and Guidance Topics
• Supervision and Regulation (SR) Letters – SR letters, address significant policy and procedural matters related to the Federal Reserve System’s supervisory responsibilities
• Cybersecurity
  • SR 21-14 - Authentication and Access to Financial Institution Services and Systems
  • SR 21-11 - FFIEC Architecture, Infrastructure, and Operations Examination Handbook
  • SR 19-13 - FFIEC Information Technology Examination Handbook (Business Continuity Management)
• Incident response
  • SR 22-4—Contact Information in Relation to Computer-Security Incident Notification Requirements
  • Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
  • SR 05-23 – Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
  • Quick Reference Guide – Cybersecurity Incident Response

IT guidance

The Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) provides guidance to examiners and financial institutions on the characteristics of an effective information technology (IT) program.

Details can be found at the following:

• FFIEC Main Page
  • IT Handbook InfoBase
  • Cybersecurity Awareness
    • Cybersecurity Assessment Tool (CAT)
  • Appendix A: Uniform Rating System Information Technology (URSIT)
  • Pandemic Planning

IT frequently asked questions

• Identity Theft Red Flags Program
• Regulation II – Debit Card Interchange Fees and Routing

IT outreach information

• Speaker request form
• “Banks Face Growing Cybercrime Threat,” Southwest Economy, Fourth Quarter 2019

Who to contact about IT examinations

• Lorenzo Garza, Vice President
• Meeoak Cho, Assistant Vice President