FFIEC
cybersecurity examination expectations for US-supervised financial institutions
The Federal Financial Institutions Examination Council coordinates examination policy across the OCC, the Federal Reserve, the FDIC, the NCUA, and the CFPB. The FFIEC IT Examination Handbook and the Cybersecurity Assessment Tool (CAT) are the working framework federal banking examiners use to read the cybersecurity programme. This page covers the booklets, the CAT inherent risk and maturity model, the testing and adversarial exercise cadence, the Computer Security Incident Notification Rule, and the evidence pack a workspace-driven programme keeps in one place.
No credit card required. Free plan available forever.
FFIEC in context: cybersecurity expectations for US-supervised financial institutions
The Federal Financial Institutions Examination Council (FFIEC) is the interagency body that coordinates examination policy across the OCC, the Federal Reserve, the FDIC, the NCUA, and the CFPB, with state regulators represented through the CSBS. The FFIEC does not directly supervise institutions; instead, the member agencies adopt and apply the FFIEC IT Examination Handbook and the FFIEC Cybersecurity Assessment Tool (CAT) when they examine supervised banks, credit unions, savings associations, bank holding companies, and the technology service providers that support them. For a US-regulated financial institution, FFIEC expectations are not an optional reference: they are the working framework an OCC, Federal Reserve, FDIC, or NCUA examiner uses to read the cybersecurity programme.
FFIEC sits inside a wider international picture for financial-sector cybersecurity supervision. For European entities, the Digital Operational Resilience Act sets the comparable obligations, including threat-led penetration testing on critical functions based on the TIBER-EU framework. For UK entities, the CBEST scheme applies the intelligence-led approach under the Bank of England and the Financial Conduct Authority. For Hong Kong entities, the HKMA Cyber Resilience Assessment Framework operates an inherent risk, maturity, and iCAST sequence. For Singapore entities, the MAS Technology Risk Management Guidelines carry the equivalent obligation; for Australian entities the APRA CPS 234 prudential standard applies; and for Indian entities the RBI Cyber Security Framework sets the equivalent supervisory expectation through the Master Direction on IT Governance and CSITE examination. FFIEC sets the equivalent US expectation, with the Information Security booklet as the central reference and the CAT as the maturity-scoring instrument many institutions adopt.
In-scope entities: who FFIEC examination expectations apply to
FFIEC examination expectations apply across the supervised population of the FFIEC member agencies. The depth of application is calibrated to the institution size, complexity, and risk profile rather than to a single threshold. The summary below is the working categorisation; the FFIEC member agencies and the CFPB remain the authoritative source for any specific scope question.
National banks, federal savings associations, and federal branches
Institutions chartered or licensed by the Office of the Comptroller of the Currency (OCC), including national banks, federal savings associations, federal branches, and federal agencies of foreign banks. The OCC operates as a member of the FFIEC and applies the FFIEC IT Examination Handbook (especially the Information Security booklet) and the Cybersecurity Assessment Tool (CAT) during examinations of supervised institutions.
State member banks and bank holding companies
State-chartered banks that are members of the Federal Reserve System, bank holding companies, and savings and loan holding companies supervised by the Federal Reserve Board. The Federal Reserve incorporates FFIEC handbooks and the CAT into supervisory expectations and applies them through the targeted IT examination programme that runs alongside the safety-and-soundness examination cycle.
State non-member banks, state savings associations, and insured branches
State-chartered banks that are not members of the Federal Reserve System, state savings associations, and insured US branches of foreign banks supervised by the Federal Deposit Insurance Corporation (FDIC). The FDIC examines these institutions against FFIEC IT examination expectations and uses the CAT (or institution-selected equivalent maturity model) as part of the cybersecurity supervisory dialogue.
Federally insured credit unions
Federally chartered and federally insured state-chartered credit unions supervised by the National Credit Union Administration (NCUA). The NCUA participates in the FFIEC and applies FFIEC examination guidance through its Automated Cybersecurity Evaluation Toolbox (ACET), which mirrors the CAT structure and applies the same inherent risk and maturity scoring discipline to credit unions of all sizes.
State financial regulators (CSBS), territorial regulators, and CFPB activities
State regulators are represented on the FFIEC through the State Liaison Committee (SLC), a voting member whose representatives are drawn from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS). The Consumer Financial Protection Bureau (CFPB) is a voting member representing consumer financial protection oversight. State examiners regularly apply FFIEC IT Examination Handbook expectations to state-chartered institutions during the examination cycle that alternates with the institution's federal regulator.
Third-party service providers under TSP examination
The Bank Service Company Act gives the federal banking agencies authority to examine technology service providers that perform regulated services for supervised institutions, and the FFIEC Supervision of Technology Service Providers booklet describes how that examination programme runs. Core processors, hosted banking platforms, payment processors, and managed service providers carry the same FFIEC examination expectations as the institutions they serve, with the supervised institution remaining accountable for the security of the service it consumes.
The FFIEC IT Examination Handbook: the booklets examiners read
The FFIEC IT Examination Handbook is a series of booklets that together describe the examination expectations for the institution information technology and information security programme. Examiners do not read the booklets in isolation; the cybersecurity examination usually touches the Information Security booklet at the centre, with Architecture/Infrastructure/Operations, Business Continuity Management, Outsourcing Technology Services, and Audit read alongside it. Each booklet defines control objectives, examiner procedures, and workpapers that frame the supervisory dialogue.
Information Security booklet
The Information Security booklet is the central FFIEC reference for cybersecurity examination expectations. It defines the information security programme governance model, risk identification and assessment, control implementation across access management, configuration management, change management, secure software development, network security, encryption, and the security operations programme. Examiners use the booklet as the structural framework for the IT examination, and the institution evidences how its programme meets each section.
Architecture, Infrastructure, and Operations booklet
Issued in 2021 to replace the legacy Operations booklet, the Architecture, Infrastructure, and Operations (AIO) booklet covers IT architecture governance, infrastructure design, operational resilience, change management, technology resilience testing, and the operating model that supports the institution's information security programme. The AIO booklet sits alongside the Information Security booklet as the operational counterpart that examiners read together with it.
Business Continuity Management booklet
The Business Continuity Management booklet defines the institution's resilience expectations: business impact analysis, recovery time and recovery point objectives, the disaster recovery and business continuity programme, recovery testing, and the integration of cybersecurity incident response with broader continuity planning. Cyber incident scenarios sit explicitly inside the BCM scope, with ransomware, destructive attack, and prolonged outage among the scenarios the exercise programme is expected to cover rather than optional extras.
Outsourcing Technology Services booklet
The Outsourcing Technology Services booklet sets the third-party risk management expectations for the institution use of technology service providers. Vendor due diligence, contract requirements, ongoing monitoring, performance management, and exit planning all sit inside this booklet. The institution remains accountable for the security of services it outsources, and the booklet calibrates the depth of due diligence to the criticality of the outsourced service.
Audit booklet
The Audit booklet describes the IT audit function the institution operates, including the independence of the audit function, audit scope and frequency, reporting lines to the audit committee, and the integration of IT audit with the wider institution audit programme. Examiners look at IT audit coverage of cybersecurity controls and at the closure of audit findings as part of the supervisory dialogue.
Management booklet
The Management booklet defines the IT governance expectations: board oversight, IT strategic planning, IT risk management integrated with enterprise risk, and the IT operating model. The cybersecurity programme accountability sits inside the management framework the booklet describes, and examiners examine whether the board has visibility into cyber risk through routine reporting rather than only at incident time.
Retail Payment Systems and Wholesale Payment Systems booklets
The Retail Payment Systems booklet covers card networks, ACH, mobile and online payment products, and the cybersecurity controls that apply to retail payment infrastructure. The Wholesale Payment Systems booklet covers Fedwire, CHIPS, SWIFT-routed wholesale payments, and the controls that protect large-value transfer infrastructure. Both booklets sit alongside the Information Security booklet for institutions that operate or rely on payment systems.
Development and Acquisition, E-Banking, and other supporting booklets
The Development and Acquisition booklet, the E-Banking booklet, the Supervision of Technology Service Providers booklet, and the Wholesale and Retail Payment Systems booklets all carry security expectations that examiners read together with the Information Security booklet. The institution evidence pack sits across the booklets the supervisory examination touches rather than only in the central booklet.
Vulnerability scanning evidence, penetration test findings, and configuration assessment records sit at the centre of the Information Security booklet expectations. The penetration testing workflow keeps engagement, findings, and remediation tied to a single record. The scanner result triage workflow covers turning raw scanner output into assessor-ready findings without losing the audit trail. For the analytical view of how a finding ages into a remediation backlog, the aging pentest findings research covers why an open finding that lingers across cycles reads to a federal banking examiner as a programme weakness rather than as a delivery delay.
The FFIEC Cybersecurity Assessment Tool (CAT): inherent risk and maturity
The FFIEC Cybersecurity Assessment Tool, first published in June 2015 and updated in 2017, is a self-assessment instrument the institution applies to declare its cyber inherent risk and its cybersecurity maturity. The CAT is voluntary as a published tool; in practice it is widely adopted because examiners apply equivalent diagnostic questions during examination. The NCUA Automated Cybersecurity Evaluation Toolbox (ACET) mirrors the CAT for credit unions. Some institutions adopt the NIST Cybersecurity Framework or the Cyber Risk Institute Profile as functionally equivalent maturity instruments, and the FFIEC has pointed to both as acceptable alternatives provided the maturity claim is evidenced. One caveat a programme owner should plan for: in August 2024 the FFIEC announced that it will sunset the CAT on 31 August 2025, so an institution still running the CAT should confirm with its primary regulator which instrument the examiner expects after that date and keep the migration decision in the evidence pack.
The CAT runs in two halves: an inherent risk profile across five categories, each rated at one of five inherent risk levels (Least, Minimal, Moderate, Significant, Most), and a maturity declaration across five domains scored at five maturity levels. The institution compares the two halves to evidence that maturity matches inherent risk and that any gap is explicitly accepted, in remediation, or being escalated. The CAT does not fix a single required maturity level for each risk level, so the institution documents the target it has chosen per risk level, the board's acceptance of that target, and the status of every domain that falls short of it.
Inherent risk profile categories
Technologies and connection types
The technologies the institution operates and the connections those technologies maintain to external entities. Categories include the number of internet-facing systems, the number of mobile and remote access connections, the number of internal networks, the use of cloud computing, the use of personal devices, and the integration of operational technology. Higher technology complexity and higher external connectivity drive higher inherent risk scoring at this category.
Delivery channels
The customer-facing delivery channels the institution operates. Categories include online banking, mobile banking, ATM and debit card processing, person-to-person payments, and the API surfaces the institution exposes to customers, partners, and aggregators. Higher delivery-channel breadth and higher transaction velocity drive higher inherent risk scoring at this category.
Online and mobile products and technology services
The product mix and technology services the institution offers, including wire transfer services, ACH origination, treasury management, merchant services, prepaid cards, trust and wealth management technology, and digital lending platforms. Higher product complexity and higher transaction value drive higher inherent risk scoring at this category.
Organisational characteristics
Institution-level characteristics including the number of locations, the number of employees and contractors with privileged access, the merger and acquisition activity, the changes in technology environment, the number of direct employees in cybersecurity functions, and the geographic footprint. Higher organisational complexity and higher rate of change drive higher inherent risk scoring at this category.
External threats
The external threat picture against the institution, including the volume and sophistication of attacks targeting the institution, the institution profile in adversary targeting, and the threats that materialised against peer institutions in the same operating model. The category is informed by threat intelligence from FS-ISAC, regulator advisories, peer reporting, and the institution own observations of attempted attacks.
Cybersecurity maturity domains
Domain 1: Cyber risk management and oversight
Governance of the cyber risk programme, including board and senior management oversight, the cyber risk appetite, the cybersecurity programme structure, staffing and resourcing, training and awareness, and the integration of cyber risk into the wider enterprise risk framework. Maturity at this domain is examined against whether the board operates the programme as a board-level obligation with documented escalation rather than as a delegated technology operations matter.
Domain 2: Threat intelligence and collaboration
The threat intelligence capability the institution maintains, the sources it consumes, the integration of intelligence into operational decisions, and the collaboration the institution participates in (FS-ISAC, peer information sharing, regulator advisories, law enforcement liaison). The CAT examines whether the threat intelligence is actionable inside the institution rather than only consumed, and whether the institution shares its own observations into the sector.
Domain 3: Cybersecurity controls
The control catalogue the institution implements across preventative, detective, and corrective categories. Coverage spans access management, configuration management, secure software development, change management, network security, encryption, endpoint protection, data loss prevention, vulnerability management, and security operations. The CAT scores controls at five maturity levels (baseline, evolving, intermediate, advanced, innovative) and the institution evidences the level it operates at per declaration.
Domain 4: External dependency management
The institution management of third-party service providers, including critical service provider identification, due diligence, contract requirements, ongoing monitoring, and the integration of third-party security into the institution risk picture. The CAT specifically examines connections to critical providers, the security of those connections, and the institution capacity to detect and respond to a third-party security incident.
Domain 5: Cyber incident management and resilience
The institution incident response capability, including detection, containment, eradication, and recovery; the integration of incident response with business continuity and disaster recovery; the testing programme that exercises the incident response plan; and the post-incident review and lessons learned closure. The CAT examines whether the institution can detect, respond, and recover from cyber incidents at a tempo matched to the inherent risk of its operating model.
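The comparison of the two CAT halves described above, as an added worked example that is not FFIEC, NCUA, or SecPortal code: it takes a category-by-category inherent risk profile and a per-domain maturity declaration, derives the target maturity, and produces the gap record with each shortfall marked as accepted, in remediation, escalated, or unaddressed. The risk-to-maturity target table and the rule for deriving an overall risk level (most frequent category level, ties broken toward the higher level) are assumptions for illustration; the CAT leaves both to the institution's own judgement.

```python
# Added example, not FFIEC or SecPortal code: compare a CAT inherent risk
# profile with the maturity declared per domain and produce the gap record
# (every shortfall accepted, in remediation, escalated, or flagged unaddressed).
# Assumptions (not from the CAT): the risk-to-maturity target table below is
# one institution's own choice, and the overall risk level is taken as the
# most frequent category level with ties broken toward the higher level.
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RISK_LEVELS = ["least", "minimal", "moderate", "significant", "most"]
MATURITY_LEVELS = ["baseline", "evolving", "intermediate", "advanced", "innovative"]
GAP_STATUSES = {"accepted", "in_remediation", "escalated"}

# Assumed institution-set minimum maturity for each overall inherent risk level.
TARGET_MATURITY = {
    "least": "baseline",
    "minimal": "evolving",
    "moderate": "intermediate",
    "significant": "advanced",
    "most": "innovative",
}


@dataclass
class InherentRiskProfile:
    categories: dict  # CAT category name -> inherent risk level

    def __post_init__(self):
        bad = {c: l for c, l in self.categories.items() if l not in RISK_LEVELS}
        if bad:
            raise ValueError(f"unknown inherent risk level(s): {bad}")

    def overall(self) -> str:
        counts = Counter(self.categories.values())
        top = max(counts.values())
        tied = [lvl for lvl, n in counts.items() if n == top]
        return max(tied, key=RISK_LEVELS.index)  # tie -> higher level (assumption)


@dataclass
class MaturityDeclaration:
    domain: str
    level: str
    gap_status: Optional[str] = None  # accepted / in_remediation / escalated

    def __post_init__(self):
        if self.level not in MATURITY_LEVELS:
            raise ValueError(f"{self.domain}: unknown maturity level {self.level!r}")
        if self.gap_status is not None and self.gap_status not in GAP_STATUSES:
            raise ValueError(f"{self.domain}: unknown gap status {self.gap_status!r}")


def gap_analysis(profile, declarations, targets=TARGET_MATURITY):
    """Return (target maturity, one row per domain). A domain below target with no
    recorded gap status is flagged 'unaddressed', which is what an examiner reads
    as a programme weakness rather than a known, managed gap."""
    target = targets[profile.overall()]
    rows = []
    for d in declarations:
        shortfall = MATURITY_LEVELS.index(target) - MATURITY_LEVELS.index(d.level)
        if shortfall <= 0:
            status = "meets"
        elif d.gap_status in GAP_STATUSES:
            status = d.gap_status
        else:
            status = "unaddressed"
        rows.append({"domain": d.domain, "declared": d.level, "target": target,
                     "shortfall": max(shortfall, 0), "status": status})
    return target, rows


def unaddressed_domains(rows):
    return [r["domain"] for r in rows if r["status"] == "unaddressed"]


# Constructed sample (not a real institution): a significant inherent risk profile.
SAMPLE_PROFILE = InherentRiskProfile({
    "technologies_and_connection_types": "significant",
    "delivery_channels": "moderate",
    "online_mobile_products_and_technology_services": "significant",
    "organisational_characteristics": "moderate",
    "external_threats": "significant",
})
SAMPLE_DECLARATIONS = [
    MaturityDeclaration("D1 cyber risk management and oversight", "advanced"),
    MaturityDeclaration("D2 threat intelligence and collaboration", "intermediate", "accepted"),
    MaturityDeclaration("D3 cybersecurity controls", "advanced"),
    MaturityDeclaration("D4 external dependency management", "evolving", "in_remediation"),
    MaturityDeclaration("D5 cyber incident management and resilience", "intermediate"),
]

if __name__ == "__main__":
    target, rows = gap_analysis(SAMPLE_PROFILE, SAMPLE_DECLARATIONS)
    print(f"overall inherent risk: {SAMPLE_PROFILE.overall()} -> target maturity: {target}")
    for r in rows:
        print(f"{r['domain']:<48} {r['declared']:<13} shortfall={r['shortfall']} {r['status']}")
```

In the sample, D5 sits one level below target with no recorded decision, so it comes out as unaddressed; that row, not the two managed gaps, is the one to close before the examination rather than explain during it.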
Penetration testing, vulnerability assessment, and red team exercises under FFIEC
The Information Security booklet expects the institution to test the effectiveness of its information security controls through a programme of independent assessments, vulnerability scans, and penetration tests. The cadence and depth of testing scale with the institution inherent risk and the criticality of the system tested. Internet-facing systems, online and mobile banking platforms, payment processing infrastructure, and any system that processes non-public personal information typically receive testing on at least an annual cadence and on material change.
Larger institutions and institutions with significant transaction volume frequently run adversarial exercises (red team or scenario-led testing) on top of the recurring pentest programme. Adversarial exercises evidence the detection and response capability against realistic threat actor behaviour rather than only enumerating exploitable vulnerabilities. For institutions that operate or rely on wholesale payment infrastructure, the SWIFT Customer Security Programme adds an independent assessment cadence that reads alongside the FFIEC testing record.
For the workflow that runs adversarial exercises from scope to attestation on a single engagement record, the threat-led penetration testing workflow covers the cycle end to end. The red teaming workflow keeps timestamps, attack paths, and operator notes structured so the closure record is the working record rather than a rebuilt one. For the recurring pentest cycle that tracks the FFIEC IT examination cadence, the penetration testing workflow keeps the engagement record and the remediation backlog tied to a single defensible artefact, and the retesting workflow evidences the closure of findings the examiner expects to see verified rather than self-attested.
Third-party risk and the Bank Service Company Act
The Bank Service Company Act gives the federal banking agencies (the OCC, the Federal Reserve, and the FDIC) authority to examine technology service providers (TSPs) that perform regulated services for supervised institutions; the FFIEC Supervision of Technology Service Providers booklet describes that examination programme, and the Outsourcing Technology Services booklet sets the institution-side expectations. The NCUA has no equivalent statutory authority to examine third-party vendors directly, so for credit unions that oversight runs through the credit union's own third-party risk programme. Core processors, hosted banking platforms, payment processors, and managed service providers carry the same FFIEC examination expectations as the institutions they serve. The institution remains accountable for the security of the service it consumes, even where the FFIEC member agency is examining the TSP directly.
The 2023 Interagency Guidance on Third-Party Relationships (issued jointly by the OCC, the Federal Reserve, and the FDIC) replaced the previous agency-specific guidance and operates alongside the FFIEC Outsourcing Technology Services booklet. The institution evidence pack records the third-party risk assessment, the contract requirements, the ongoing monitoring, and the exit planning calibrated to the criticality of the outsourced service.
For the wider operational context that a US-regulated institution may run alongside FFIEC, the banking and fintech security consultancies workspace covers how a service provider delivering FFIEC-aligned, PCI DSS, SWIFT CSP, and SOC 2 work across multiple regulated clients keeps the evidence record consistent without writing the same finding three times.
Incident notification: the Computer Security Incident Notification Rule
The Computer-Security Incident Notification Rule, jointly issued by the OCC, the Federal Reserve, and the FDIC in November 2021, became effective on 1 April 2022 with a compliance date of 1 May 2022. It requires a banking organisation to notify its primary federal regulator as soon as possible and no later than 36 hours after determining that a notification incident has occurred. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organisation's ability to carry out banking operations or deliver products and services to a material portion of its customer base, its business lines whose failure would result in a material loss of revenue, profit, or franchise value, or operations whose failure would pose a threat to the financial stability of the United States. The 36-hour clock starts at the materiality determination, not at detection, so the incident register must record both timestamps and the basis for the determination; an examiner will read a large gap between the two as a question about triage discipline, not as extra time.
The Rule also requires bank service providers to notify each affected banking organisation customer as soon as possible after determining that a computer-security incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services to that customer for four or more hours. The notification record sits in the institution's evidence pack alongside the incident response artefacts and the post-incident review.
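The two clocks in the Rule, as an added worked example that is not the agencies' or SecPortal's code: a consistency check over incident register entries that measures the 36-hour window from the materiality determination rather than from detection, flags a notification incident with no determination time, and applies the four-hour disruption threshold on the service provider side. It assumes entries are dicts carrying timezone-aware ISO 8601 timestamps and that whether an incident is a notification incident, and when materiality was determined, are judgements already recorded in the entry; the sample entries are constructed, not real incidents.

```python
# Added example, not the agencies' or SecPortal's code: check incident register
# entries against the timing in the Computer-Security Incident Notification Rule.
# Assumptions: entries are dicts with timezone-aware ISO 8601 timestamps; whether
# an incident is a notification incident, and when materiality was determined,
# are human judgements already recorded in the entry. The code only checks that
# the record is internally consistent and that each clock runs from the right point.
from datetime import datetime, timedelta, timezone

BANK_NOTIFY_WINDOW = timedelta(hours=36)       # runs from materiality determination
TSP_DISRUPTION_THRESHOLD = timedelta(hours=4)  # service provider -> banking customer


def _ts(value):
    """Parse an ISO 8601 timestamp; naive (timezone-less) values are rejected,
    because a 36-hour clock measured across a DST change or two time zones is
    exactly the kind of error that surfaces at the deadline."""
    if value is None:
        return None
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {value!r} must carry a timezone offset")
    return dt.astimezone(timezone.utc)


def check_bank_entry(entry, now):
    """Return (issues, deadline) for a banking organisation's register entry."""
    issues = []
    detected = _ts(entry["detected_at"])
    determined = _ts(entry.get("materiality_determined_at"))
    notified = _ts(entry.get("regulator_notified_at"))
    if determined is None:
        if entry.get("notification_incident"):
            issues.append("flagged as notification incident without a determination time")
        return issues, None
    if determined < detected:
        issues.append("materiality determination recorded before detection")
    deadline = determined + BANK_NOTIFY_WINDOW
    if entry.get("notification_incident"):
        if notified is None and now > deadline:
            issues.append(f"36-hour window closed at {deadline.isoformat()} with no notification recorded")
        elif notified is not None and notified > deadline:
            issues.append("regulator notified after the 36-hour window")
    return issues, deadline


def tsp_must_notify(entry, now):
    """Service provider side: notification is due when a covered service has been
    disrupted for four or more hours, or is reasonably likely to be."""
    started = _ts(entry["disruption_started_at"])
    ended = _ts(entry.get("disruption_ended_at")) or now
    if entry.get("reasonably_likely_4h"):
        return True
    return (ended - started) >= TSP_DISRUPTION_THRESHOLD


# Constructed sample entries (not real incidents); NOW is the review time.
NOW = datetime(2024, 3, 12, 18, 0, tzinfo=timezone.utc)
SAMPLE_BANK_ENTRIES = [
    # Determined 3h after detection, notified inside the window: clean.
    {"id": "INC-1", "detected_at": "2024-03-10T02:15:00+00:00",
     "materiality_determined_at": "2024-03-10T05:00:00+00:00",
     "regulator_notified_at": "2024-03-11T09:30:00+00:00", "notification_incident": True},
    # Determined 2024-03-10 20:00 -> window closed 2024-03-12 08:00, nothing sent.
    {"id": "INC-2", "detected_at": "2024-03-10T14:00:00+00:00",
     "materiality_determined_at": "2024-03-10T20:00:00+00:00", "notification_incident": True},
    # Register error: determination timestamp earlier than detection.
    {"id": "INC-3", "detected_at": "2024-03-11T10:00:00+00:00",
     "materiality_determined_at": "2024-03-11T09:00:00+00:00", "notification_incident": False},
    # Flagged notifiable but nobody recorded when materiality was decided.
    {"id": "INC-4", "detected_at": "2024-03-12T11:00:00+00:00", "notification_incident": True},
]
SAMPLE_TSP_ENTRIES = [
    {"id": "TSP-1", "disruption_started_at": "2024-03-12T13:00:00+00:00"},            # 5h, ongoing
    {"id": "TSP-2", "disruption_started_at": "2024-03-12T14:00:00+00:00",
     "disruption_ended_at": "2024-03-12T16:30:00+00:00"},                              # 2.5h, closed
    {"id": "TSP-3", "disruption_started_at": "2024-03-12T17:30:00+00:00",
     "reasonably_likely_4h": True},                                                    # judged likely
]


def run_sample(now=NOW):
    bank = {e["id"]: check_bank_entry(e, now)[0] for e in SAMPLE_BANK_ENTRIES}
    tsp = {e["id"]: tsp_must_notify(e, now) for e in SAMPLE_TSP_ENTRIES}
    return bank, tsp


if __name__ == "__main__":
    bank, tsp = run_sample()
    for k, v in bank.items():
        print(k, v or "ok")
    for k, v in tsp.items():
        print(k, "notify banking customer" if v else "no notification due yet")
```

The "reasonably likely" prong on both sides is a judgement the code cannot make; it is carried as a recorded flag so the register shows who decided it and when, which is the artefact the examiner asks for.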
Customer notification of unauthorised access to non-public personal information operates through the Interagency Guidelines Establishing Information Security Standards under Section 501(b) of the Gramm-Leach-Bliley Act and the related Interpretive Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The institution evidence pack records both the regulator notification and the customer notification trail when a notifiable incident occurs.
FFIEC and adjacent frameworks: NIST CSF, NIST 800-53, PCI DSS, SOC 2, GLBA
Most FFIEC-supervised institutions run more than one framework at the same time. The institution may operate the PCI DSS standard on the payment card environments, the SOC 2 framework on the technology service operations, the SWIFT Customer Security Programme on the wholesale messaging infrastructure, the NIST Cybersecurity Framework as a control catalogue reference, and the NIST 800-53 catalogue when the institution serves the federal government. The FFIEC IT Examination Handbook explicitly recognises NIST CSF mapping as a way the institution can structure its cybersecurity programme. The Cyber Risk Institute Profile, derived from NIST CSF and tailored for the financial sector, is also widely adopted as the operational implementation catalogue read alongside the CAT.
FFIEC evidence reads against the controls these frameworks already operationalise; the same evidence pack often satisfies more than one regime when the mapping is built into the workspace from the start rather than rebuilt at examination time. For institutions that also satisfy New York DFS Part 500, the technology and cybersecurity controls overlap substantially, and the same testing programme typically supports both supervisory regimes with the additional Part 500-specific notification and certification artefacts maintained separately.
Evidence the federal banking examiner (and your board) expect
FFIEC examinations that go badly usually go badly because the artefacts are scattered across drives, secure email threads, and screenshots. Build the evidence pack as the work happens, retain raw evidence alongside the structured record, and tie every artefact back to the booklet, the CAT domain, and the owner who produced it. The federal banking examiner reads the way the underlying record reads.
- Inherent risk profile from the FFIEC CAT (or institution-selected equivalent), with the working notes, the score per category, and the next refresh date the institution operates against
- Cybersecurity maturity declaration from the CAT (or equivalent), with the maturity level claim per domain, the supporting evidence per declaration, and the closure of any gap the institution has identified
- Information security policy framework versioned and dated, with the constituent policies (access management, change management, vulnerability management, incident management, third-party management) tied to the controls they operationalise
- Information asset register with classification by criticality and sensitivity, owner, and the controls applied per asset class, refreshed on a documented cadence and on material change
- Third-party register with the vendor risk assessment of each technology service provider, the contract reference, the security expectations and SLA terms, and the ongoing monitoring evidence per provider
- Penetration test reports with scope, methodology, findings, severity, remediation plans, and retest evidence per finding, attached to the asset register entries the testing covered, on a cadence calibrated to the institution inherent risk
- Vulnerability scanning evidence across the asset register, with findings tied to the relevant assets, severity, remediation owners, and SLA progress per finding
- Incident register with detection time, response actions, materiality determination time, regulatory notification record (where the Computer Security Incident Notification Rule applies), post-incident review, and lessons learned applied
- Business continuity and disaster recovery test record, including ransomware and destructive attack scenario exercises, with the gaps each exercise surfaced and the closure of those gaps tracked over time
- Internal audit reports covering design and operating effectiveness of cybersecurity controls, including third-party-managed assets, with the reliance basis on third-party assurance documented per audit
- Board reporting record showing the cadence and content of cybersecurity updates to the board and the audit committee, with the escalation path operating before an incident rather than assembled during one
- Customer notification record where the Interagency Guidelines Establishing Information Security Standards (Section 501(b) of GLBA) require notification of unauthorised access to customer information
Where SecPortal fits in an FFIEC-aligned programme
SecPortal is the operating layer for the FFIEC programme, not a replacement for the FFIEC member agency, the pentest provider, or the threat intelligence partner. The platform handles scope, role records, findings, replay notes, attestation artefacts, and the closure pack so the work runs as a structured workflow rather than a long encrypted email thread. Compliance tracking maps the FFIEC evidence pack to NIST CSF, NIST 800-53, PCI DSS, and SOC 2 for institutions that have to satisfy more than one regime from the same body of work.
- Engagement management dedicated to an FFIEC-aligned testing programme, with the in-scope asset class, the testing cadence, and the assessor or pentester record tracked on a single workspace
- Findings management with CVSS 3.1 scoring, MITRE ATT&CK tagging, and 300+ templates so each pentest, vulnerability, or assessor finding ties to the affected system, the asset register, and the remediation owner
- Compliance tracking that maps FFIEC handbook areas and CAT domains to the operationalised controls, alongside related frameworks (PCI DSS, SOC 2, NIST 800-53, NIST CSF) the institution may already operate against
- AI report generation that turns assessment notes, vulnerability output, penetration test findings, and remediation actions into the audit-ready report and the board-ready narrative without manual rewriting
- External and authenticated scanning to feed the vulnerability management programme with continuous evidence rather than a single examination-time snapshot
- Continuous monitoring with scheduled scans so the asset register carries a coverage record across the year that internal audit and the federal banking examiner can read on request
- Findings audit trail with reasons and re-evaluation dates so suppressions, deviations, and risk acceptances are defensible at internal audit, at audit committee review, and at FFIEC examination
FFIEC operates as a continuous programme rather than a single attestation. The asset register, the third-party register, the testing cadence, and the audit trail carry value across cycles when each iteration inherits the prior evidence pack rather than rebuilding from scratch. For consultants delivering FFIEC-aligned work to multiple US-regulated clients, the banking and fintech security consultancies workspace bundles the platform with branded client portals and AI report generation so the deliverable looks as polished as the work behind it.
For programmes that want continuous detection and trend evidence between IT examination cycles, the continuous monitoring capability and attack surface management capability produce the cadence and coverage record that examiners read most easily during the scoping conversation.
Scope and limitations
The FFIEC IT Examination Handbook and the CAT are operated by the FFIEC member agencies (the OCC, the Federal Reserve, the FDIC, the NCUA, the CFPB, and the State Liaison Committee through CSBS). The supervised institution evidences how its programme meets the booklet expectations during examination. SecPortal is the workspace that holds the engagement, the testing programme, the findings, the remediation record, and the audit trail. Examination responses, regulator filings, and incident notifications remain actions the institution takes through the channels each regulator prescribes; SecPortal holds the supporting record so the response is grounded in the evidence pack rather than reconstructed from email and shared drives at the deadline moment.
The CAT is voluntary as a published instrument; in practice many institutions adopt it (or ACET, the NIST CSF, or the Cyber Risk Institute Profile) because examiners apply equivalent diagnostic questions during examination. This page describes the structure of FFIEC examination expectations and how a workspace-driven programme plays against them; the authoritative reference for the obligations remains the FFIEC IT Examination Handbook booklets, the CAT, the NCUA ACET, the Computer Security Incident Notification Rule, the Bank Service Company Act, and the agency-specific guidance the institution primary regulator issues.
Key control areas
SecPortal helps you track and manage compliance across these domains.
Information Security booklet
The central FFIEC reference for cybersecurity examination expectations. Defines information security programme governance, risk identification and assessment, control implementation across access management, configuration management, change management, secure software development, network security, encryption, and security operations. Examiners use the booklet as the structural framework for the IT examination.
Architecture, Infrastructure, and Operations booklet
Issued in 2021 to replace the legacy Operations booklet, the AIO booklet covers IT architecture governance, infrastructure design, operational resilience, change management, technology resilience testing, and the operating model that supports the institution's information security programme. Examiners read it alongside the Information Security booklet.
Cybersecurity Assessment Tool: inherent risk profile
Inherent risk scored across five categories (technologies and connection types, delivery channels, online and mobile products and technology services, organisational characteristics, external threats). The CAT is voluntary as a published instrument but widely adopted because examiners apply equivalent diagnostic questions during examination.
Cybersecurity Assessment Tool: maturity declaration
Cybersecurity maturity scored at five levels (baseline, evolving, intermediate, advanced, innovative) across five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. The institution evidences the maturity level claim per declaration.
Penetration testing, vulnerability assessment, and red team exercises
Recurring vulnerability assessments, penetration testing on internet-facing and critical internal systems, and a managed remediation backlog. Cadence and depth scale with institution inherent risk and system criticality, with internet-facing and online or mobile banking systems typically tested at least annually and on material change.
Outsourcing Technology Services and Bank Service Company Act
Third-party risk management for technology service providers (core processors, hosted banking platforms, payment processors, managed service providers). The 2023 Interagency Guidance on Third-Party Relationships replaced previous agency-specific guidance and operates alongside the FFIEC Outsourcing Technology Services booklet.
Business Continuity Management and resilience exercises
Business impact analysis, recovery time and recovery point objectives, the disaster recovery and business continuity programme, recovery testing, and the integration of cybersecurity incident response with broader continuity planning. Cyber incident scenarios (ransomware, destructive attack, prolonged outage) sit explicitly inside the BCM scope.
Computer Security Incident Notification Rule (36-hour notification)
Effective 1 April 2022 with a compliance date of 1 May 2022, the rule requires a banking organisation to notify its primary federal regulator as soon as possible and no later than 36 hours after determining that a notification incident has occurred. Bank service providers must notify their banking organisation customers as soon as possible after determining that an incident has materially disrupted or degraded covered services, or is reasonably likely to, for four or more hours. The 36-hour clock starts at the materiality determination, not at detection.
Section 501(b) GLBA and customer notification
Customer notification of unauthorised access to non-public personal information operates through the Interagency Guidelines Establishing Information Security Standards under Section 501(b) of GLBA and the Interpretive Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The notification trail sits in the institution evidence pack alongside the regulator notification record.
Run an FFIEC-aligned programme on one defensible record
Hold the asset register, the testing programme, the CAT inherent risk and maturity workings, and the federal banking examination evidence record in one workspace. Start free.