Cybersecurity Incident Report


Banks, trust companies, and money services businesses are facing a surge of attacks that come in various forms by cybercriminals. These attacks have the potential to cause significant business disruption and potential loss of confidential business information, trade secrets, organizational strategies, and financial information.

Rules require regulated entities to promptly report material computer-security or cybersecurity incidents to the Banking Commissioner, whether the incident is experienced by a system maintained by the entity, an affiliate, or third-party service provider.

The required notice is confidential pursuant to the Texas Finance Code.

State-Chartered Banks

The rule allows banks to submit to the Banking Commissioner the same computer security incident notification required by federal bank regulatory agencies under federal law.  Texas state member banks should refer to 12 C.F.R 225 subpart N and non-member banks to part 304 subpart C for the definition of a “notification incident” that would require notice to a bank’s federal regulator and therefore the Department. 

Financial institutions are required to notify regulators within 36 hours after determining a notification incident has occurred. 

The notice should include:

  • Contact information for the entity regarding the incident. Include:
    • Name.
    • City of the entity.
    • Basic description of the event.
    • Contact Information.

An entity must notify the Department of the incident by either email, regular mail, or by phone. Any confidential personal identifiable information or other confidential information should be uploaded via the Data Exchange (DEX) portal to the correspondence folder.

Trust Companies and MSBs

Rules for trust companies and money services businesses require the Department be notified as soon as practicable, prior to customer notification, but not later than 15 days following the entity’s determination that a qualifying cybersecurity incident has occurred. A cybersecurity incident must be reported if other state or federal law requires notification of a security breach to regulatory or law enforcement agencies or affected customers, or if the entity’s ability to conduct business is substantially affected.

Trust companies and money services businesses shall notify the Banking Commissioner by submitting information that addresses the following:

  • Description of the cybersecurity incident to include:
    • Approximate date of the incident
    • Date incident was discovered
    • Nature of any data that may have been illegally obtained or accessed.
  • A list of the state and federal regulatory agencies, self-regulatory bodies, and foreign regulatory agencies to whom the notice has been or will be provided. Do not include the filing of a suspicious activity report related to the cybersecurity incident in the list.
  • Contact information for the entity regarding the incident. Include:
    • Name
    • Address
    • Telephone number
    • Email address.

The notice should be supplemented as additional information becomes available. If not all the information above is known, the entity is encouraged to report what is known, rather than wait until all details of the incident are confirmed.

An entity must notify the Department of the incident by either email or regular mail. Any confidential personal identifiable information or other confidential information should be uploaded via the Data Exchange (DEX) portal to the correspondence folder.

Information Technology Resources

Corporate Account Takeover
Best practices for reducing the risks of CATO, minimum standards risk management, and other helpful resources.

Conference of State Bank Supervisors (CSBS) - Cybersecurity
Executive Leadership of Cybersecurity resources and information.

Financial Services - Information Sharing and Analysis Center (FS-ISAC)
Resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC was created by and for members and operates as a member-owned non-profit entity.

Regulations and Publications for Financial Institutions
FDIC Users Guide for Technology

Cyber Challenge: A Community Bank Cyber Exercise
FDIC developed exercises for to help institutions discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.

Avoiding Common ACH Origination Weaknesses
Recommended Practices for Financial Institutions

Ransomware Guide
The U.S. Government interagency technical guidance document aimed to inform Chief Information Officers and Chief Information Security Officers at critical infrastructure entities, including small, medium, and large organizations. This document provides an aggregate of already existing Federal Government and private industry best practices and mitigation strategies focused on the prevention and response to ransomware incidents.

Cyber Security Assessment Tools

The following tools and resources can help management and directors understand supervisory expectations, increase awareness of cyber risks, and assess and mitigate cyber risks.

Departmental Cyber Notices

  • Notice 2020-01: Requirements for a Cybersecurity Incident Report filed by a Texas State-Chartered Bank or Trust Company
  • Notice 2013-03 – Oversight of Cyber –Crime Risks
  • Notice 2015-08 – Cybersecurity Assessments and the FFIEC Cybersecurity Assessment Tool

Ask a Question

1 + 8 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.