12 C.F.R. § 609.930

Current through October 31, 2024
Section 609.930 - [Effective 1/1/2025] Cyber risk management
(a)Cyber risk management program. Each System institution must implement a comprehensive, written cyber risk management program consistent with the size, risk profile, and complexity of the institution's operations. The program must ensure controls exist to protect the security and confidentiality of current, former, and potential customer and employee information, protect against reasonably anticipated cyber threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information.
(b)Role of the board. Each year, the board of directors of each System institution or an appropriate committee of the board must:
(1) Approve a written cyber risk program. The program must be consistent with industry standards to ensure the institution's safety and soundness and compliance with law and regulations;
(2) Oversee the development, implementation, and maintenance of the institution's cyber risk program; and
(3) Determine necessary expertise for executing the cyber risk management plan and, where practical, delegate day-to-day responsibilities to management and employees.
(c)Cyber risk program. Each institution's cyber risk program must, at a minimum:
(1) Include an annual risk assessment of the internal and external factors likely to affect the institution. The risk assessment, at a minimum, must:
(i) Identify and assess internal and external factors that could result in unauthorized disclosure, misuse, alteration, or destruction of current, former, and potential customer and employee information or information systems; and
(ii) Assess the sufficiency of policies, procedures, internal controls, and other practices in place to mitigate risks.
(2) Identify systems and software vulnerabilities, prioritize the vulnerabilities and the affected systems based on risk, and perform timely remediation. The particular security measures an institution adopts will depend upon the size, risk profile, and complexity of the institution's operations and activities.
(3) Maintain an incident response plan that contains procedures the institution must implement when it suspects or detects unauthorized access to current, former, or potential customer, employee, or other sensitive or confidential information. An institution's incident response plan must be reviewed and updated periodically, but at least annually, to address new threats, concerns, and evolving technology. The incident response plan must contain procedures for:
(i) Assessing the nature and scope of an incident, and identifying what information systems and types of information have been accessed or misused;
(ii) Acting to contain the incident while preserving records and other evidence;
(iii) Resuming business activities during intrusion response;
(iv) Notifying the institution's board of directors when the institution learns of an incident involving unauthorized access to or use of sensitive or confidential customer, and/or employee information, or unauthorized access to financial institution information including proprietary information;
(v) Notifying FCA as soon as possible or no later than 36 hours after the institution determines that an incident has occurred; and
(vi) Notifying former, current, or potential customers and employees and known visitors to your website of an incident when warranted, and in accordance with state and federal laws.
(4) Describe the plan to train employees, vendors, contractors, and the institution board to implement the institution's cyber risk program.
(5) Include policies for vendor management and oversight. Each institution, at a minimum, must:
(i) Exercise appropriate due diligence in selecting vendors;
(ii) Negotiate contract provisions, when feasible, that facilitate effective risk management and oversight and specify the expectations and obligations of both parties;
(iii) Conduct a vendor risk assessment on all vendors; and
(iv) Monitor its IT and cyber risk management related vendors to ensure they have satisfied agreed upon expectations and deliverables. Monitoring may include reviewing audits, summaries of test results, or other equivalent evaluations of its vendors.
(6) Maintain robust internal controls by regularly testing the key controls, systems, and procedures of the cyber risk management program.
(i) The frequency and nature of such tests are to be determined by the institution's risk assessment.
(ii) Tests must be conducted or reviewed by independent third parties or staff independent of those who develop or maintain the cyber risk management program.
(iii) Internal systems and controls must provide reasonable assurances that System institutions will prevent, detect, and remediate material deficiencies on a timely basis.
(d)Privacy. Institutions must consider privacy and other legal compliance issues, including but not limited to, the privacy and security of System institution information; current, former, and potential borrower information; and employee information, as well as compliance with statutory requirements for the use of electronic media.
(e)Board reporting requirements. At a minimum, each institution must report quarterly to its board or an appropriate committee of the board. The report must contain material matters related to the institution's cyber risk management program, including specific risks and threats.

12 C.F.R. §609.930

88 FR 85832 , 1/1/2025