Banks, trust companies, and money services businesses are facing a surge of attacks in various forms by cybercriminals. These attacks have the potential to cause significant business disruption and potential loss of confidential business information, trade secrets, organizational strategies, and financial information.
New rules, which became effective January 2, 2020, require these regulated entities to report cybersecurity incidents to the Banking Commissioner promptly if they experience a material cybersecurity incident in its information systems, whether maintained by the entity, an affiliate or third-party service provider.
- State-Chartered Banks - Title 7, Texas Administrative Code §3.24
- Trust Companies - Title 7, Texas Administrative Code §17.5
- Money Services Businesses - Title 7, Texas Administrative Code §33.30
The new rules require the notice to be submitted to the Department as soon as practicable, prior to customer notification, but not later than 15 days following the entity’s determination that a qualifying cybersecurity incident has occurred. A cybersecurity incident must be reported if other state or federal law will require reporting of the breach to regulatory or law enforcement agencies or affected customers, or if the entity’s ability to conduct business is substantially affected. The required notice is confidential pursuant to the Texas Finance Code.
State-chartered banks, trust companies, and money service businesses shall notify the Banking Commissioner by submitting information that addresses the following:
- Description of the cybersecurity incident to include:
- Approximate date of the incident;
- Date incident was discovered, and
- Nature of any data that may have been illegally obtained or accessed.
- A list of the state and federal regulatory agencies, self-regulatory bodies, and foreign regulatory agencies to whom the notice has been or will be provided. Do not include the filing of a suspicious activity report related to the cybersecurity incident in the list.
- Contact information for the entity regarding the incident. Include:
- Telephone number; and
- Email address.
The notice should be supplemented as additional information becomes available. If not all the information above is known, the entity is encouraged to report what is known, rather than wait until all details of the incident are confirmed.
An entity must notify the Department of the incident by either email or regular mail. Any confidential personal identifiable information or other confidential information should be uploaded via the Data Exchange (DEX) portal to the correspondence folder.
- State-Chartered Banks and Trust Companies email:firstname.lastname@example.org
- Money Service Businesses email: email@example.com
Information Technology Resources
Corporate Account Takeover
Best practices for reducing the risks of CATO, minimum standards risk management, and other helpful resources.
Conference of State Bank Supervisors (CSBS) - Cybersecurity
Executive Leadership of Cybersecurity resources and information.
Financial Services- Information Sharing and Analysis Center (FS-ISAC)
Resource for cyber and physical threat intelligence analysis and sharing. FS-ISAC was created by and for members and operates as a member-owned non profit entity.
Regulations and Publications for Financial Institutions
FDIC Users Guide for Technology
Cyber Challenge: A Community Bank Cyber Exercise
FDIC developed exercises for to help institutions discuss operational risk issues and the potential impact of information technology disruptions on common banking functions.
Avoiding Common ACH Origination Weaknesses
Recommended Practices for Financial Institutions
The U.S. Government interagency technical guidance document aimed to inform Chief Information Officers and Chief Information Security Officers at critical infrastructure entities, including small, medium, and large organizations. This document provides an aggregate of already existing Federal Government and private industry best practices and mitigation strategies focused on the prevention and response to ransomware incidents.
The following tools and resources can help management and directors understand supervisory expectations, increase awareness of cyber risks, and assess and mitigate cyber risks.
- NIST Cybersecurity Framework
- FFIEC Cybersecurity Assessment Tool (CAT)
- *Automated Version of FFIEC CAT - developed by FS-ISAC Please note: The Automated Version of the FFIEC Cybersecurity Assessment Tool was developed by FS-ISAC and industry trade associations. The Department is not responsible for the tool or the completeness of this version.