Cybersecurity and Operational Resilience
Operational resilience is the ability to deliver operations, including core business lines and critical operations, through a disruption from any hazard. It is the outcome of effective operational risk management, combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.
A strong cybersecurity program underpins an organization's operational resilience. The appropriate implementation, use, and protection of information systems can help an organization identify and detect risks to operational resilience and enhance its ability to withstand disruptions or failures from any hazard.
Disruptions or failures in a banking organization's information systems have the potential to materially disrupt or degrade the organization's ability to carry out banking activities or deliver products and services to its customers. Severe disruptions or failures could result in a material loss of a banking organization's revenue, profit, or franchise value. If the organization performs critical operations, severe disruptions or failures could also pose a threat to the financial stability of the United States.
In November 2021, the Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (the agencies) issued a final rule establishing computer-security incident notification requirements for banking organizations and their bank service providers. The agencies expect this requirement to help promote early awareness of emerging threats to banking organizations and the broader financial system.
To comply with the rule, a banking organization whose primary federal regulator is the Board must notify the Board about a notification incident by email to [email protected] or telephone to (866) 364-0096. The Board must receive this notification as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. If a banking organization is in doubt as to whether it is experiencing a notification incident, the Board encourages the banking organization to contact the Board by email to [email protected] or telephone to (866) 364-0096.
The final rule also requires a bank service provider to notify its affected banking organization customers as soon as possible of a computer-security incident that is likely to cause a material disruption or degradation in services for four or more hours. Once a banking organization receives such a notice from its service provider, it must determine whether it is experiencing a notification incident. If it is, the banking organization is required to notify its primary federal regulator.
The ultimate goal of the rule is to mitigate information security risks to banking organizations and safeguard the U.S. financial system. To that end, banks and financial institutions will find information technology guidance, policy letters, and resources on the Information Technology Guidance page of the Board's website. Operational resilience guidance, policy letters, and resources are available on the Operational Resilience Guidance page of the Board's website. Community banks will find resources on information technology and information security on the Community Banking Connections website, a primary source for information on guidance, tools, and resources that help community banks across the United States.