Incident response – to report or not?
For the purposes of regulator reporting and customer notification, it is critical that we first define an “incident”. Here is how an incident is defined by the FFIEC:
“A security incident represents the attempted or successful unauthorized access, use, modification, or destruction of information systems or customer data.”
But does every incident require reporting and notification? No, only if the incident results in an actual intrusion. This is reinforced in the Suspicious Activity Report (SAR), under item 35(f) “Computer Intrusion”. It states in part
“…a “computer intrusion” is defined as gaining access to a computer system of a financial institution… For purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of websites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information.”
Furthermore the intrusion must either have resulted in, or could reasonably result in, access to non-public information. Item 11 in Objective 5 of the FFIEC Information Security IT Examination Procedures states:
“If the institution experienced unauthorized access to sensitive customer information, the examiner must determine that it:
- Conducted a prompt investigation to determine the likelihood the information accessed has been or will be misused;
- Notified customers when the investigation determined misuse of sensitive customer information has occurred or is reasonably possible;
- Delivered notification to customers, when warranted, by means the customer can reasonably be expected to receive, for example, by telephone, mail, or electronic mail; and
- Appropriately notified its primary federal regulator.”
So in summary it seems like the key to whether or not agency reporting is required is that the incident actually resulted in a successful intrusion. Customer notification is required if there is a reasonable belief that the intrusion may result in the misuse of customer information.