‘Enhanced security measures’ keep some exam docs on site, give banks power over what is ‘highly sensitive’

Reviewing examination materials on the site of the bank exam, rather than transferring the materials onto the examining agency’s systems, is one of the methods outlined in a joint statement issued by regulators Thursday focusing on “enhanced security procedures.”

In their joint statement, the three federal banking agencies said the statement described the security procedures for review of “highly sensitive information in connection with examinations of supervised banks.” They said the statement discusses a “coordinated approach” to identifying highly sensitive data and documents. It also discusses enhanced procedures for the review of such information to reduce any cybersecurity risks while ensuring that the agencies always have access to such information during an examination, they said.

“The agencies recognize the importance of keeping a bank’s highly sensitive information confidential and protecting it against disclosure to or from access by unauthorized persons as a result of cybersecurity vulnerabilities,” the agencies said.

They also have committed, they said, to notify affected banks of any potential or confirmed material data breach involving confidential supervisory information. They committed to doing that “as soon as practicable” but no later than 72 hours after discovery, unless legal restrictions apply, according to the statement.

In particular, the agencies said, certain categories of data and documents “have additional levels of sensitivity and heightened risks from disclosure (referenced as highly sensitive information).” Those may include documents and data that contain detailed information on:

  • technology/network diagrams and schematics;
  • detailed penetration test results;
  • technical details of specific information technology control weaknesses; and
  • succession planning.

Notably, the banking agencies said they will rely on bank management to identify data and documents requested for an examination that the banks believe should be considered highly sensitive information. This will allow the agencies, they said, to evaluate whether additional protocols should be invoked in the review of that information during examinations.

For “highly sensitive information,” the agencies said, they will consider a range of potential options to minimize their collection and storage. That includes on-site review, direct digital review from the systems of the supervised bank, redacted or summarized versions of documents, and other measures related to transmission of, and access to, sensitive information.

“Banks that have information they believe could be highly sensitive in nature should discuss their concerns with their examiners or primary agency contact,” the agencies said. “Examiners or primary agency contacts will then discuss with bank management whether the information falls into the highly sensitive category and, if so, which method(s) they will employ to protect such information.”

Agencies issue joint statement on handling of highly sensitive information during bank examinations

Be the first to comment

Leave a Reply

Your email address will not be published.