Banking agencies promise new approach for handling sensitive information

Banking agencies promise new approach for handling sensitive information

The Federal Reserve, FDIC and Office of the Comptroller of the Currency today announced a “coordinated approach” for handling sensitive information used in bank examinations, including a new pledge to notify banks about data breaches that threaten to expose that information.

The joint statement comes more than a year after the OCC notified Congress that a cyber incident led to unauthorized access of highly sensitive information about the financial condition of the institutions the agency supervises. In the statement, the agencies said they will rely on bank management to identify data and documents requested for exams that should be considered highly sensitive.

“For highly sensitive information, the [federal banking agencies, or FBAs] will consider a range of potential options to minimize collection and storage by the FBAs, including on-site review, direct digital review from the systems of the supervised bank, redacted or summarized versions of documents, and additional measures related to transmission of, and access to, sensitive information,” they said.

The agencies also committed to notifying banks of a confirmed or suspected leak of their sensitive information “as soon as practicable and within no more than 72 hours, once the agency impacted has a reasonable basis to believe a compromise has occurred and determines the banks affected, subject to applicable legal considerations.”

The agencies also plan to provide their examiners with written guidance and training on handling sensitive information, according to the statement.

ABA encouraged by announcement

The American Bankers Association appreciates that federal agencies recognize that increasingly sophisticated cyber threats pose risks not only to financial institutions, but also to the regulators that collect and maintain highly sensitive supervisory information, said Paul Benda, EVP for risk, fraud and cybersecurity at ABA.

“Banks and regulators share a common responsibility to protect sensitive data from nation-state actors and other well-resourced cyber adversaries,” Benda said. “We are encouraged by the agencies’ commitment to strengthen their cybersecurity practices, provide greater flexibility for the review of highly sensitive information, and explore approaches that allow such information to remain within banks’ own systems whenever possible.

“We also appreciate the agencies’ commitment to timely notification when a cybersecurity incident affects a bank’s information,” he added. “These steps represent meaningful progress toward strengthening the resilience of the supervisory process and enhancing cybersecurity across the financial system.”

ABA Banking Journal Staff

Source link