← All sectors
Resilience Rulebook · By sector

Financial Services

Operational-resilience, BCDR, and crisis-handling obligations across banking, insurance, markets and payments — from US federal and state regulators, the EU (DORA), the UK (PRA/FCA) and Canada (OSFI).

A WSquare Advisory analysis In partnership with Resilis
For information purposes only. Automated, LLM-assisted triage reviewed by WSquare Advisory — not legal advice. Applicability is entity-by-entity; confirm against the source rule text.
Jurisdiction
Domain
Jur.RegulatorDomainObligation (with source quote)CitationStatus
CACA_OSFIbusiness continuityEstablish and maintain an Enterprise Disaster Recovery Program (EDRP) to support ability to deliver technology services through disruption and operate within risk tolerance.
“FRFIs should establish and maintain an Enterprise Disaster Recovery Program (EDRP) to support its ability to deliver technology services through disruption and operate within its risk tolerance.”
OSFI B-13, Section 2.9, Principle 12final
CACA_OSFIbusiness continuityAlign the disaster recovery program with the business continuity management program.
“FRFIs should align the disaster recovery program with its business continuity management program.”
OSFI B-13, Section 2.9.1final
CACA_OSFIbusiness continuityManage key EDRP dependencies including data security/storage requirements, locations of backup sites, service provider locations relative to primary data centres, and other critical technology assets.
“FRFIs should manage key dependencies required to support the EDRP, such as: Information security requirements for data security and storage (e.g., encryption); and, Location of technology asset centres, backup sites, service provider locations and proximity to primary data centre”
OSFI B-13, Section 2.9.2final
CACA_OSFIbusiness continuityRegularly perform scenario testing on disaster recovery capabilities against severe but plausible scenarios to validate recovery strategies and confirm ability to meet pre-defined requirements.
“FRFIs should regularly validate and report on their disaster recovery strategies, plans and/or capabilities against severe but plausible scenarios...The FRFI's backup and recovery capabilities and processes to validate resiliency strategies, plans and actions, and confirm the org”
OSFI B-13, Section 2.9.3, Principle 13final
CACA_OSFIbusiness continuityDR scenario testing must include critical third-party technologies and integration points with upstream/downstream dependencies, both on- and off-premises.
“Critical third-party technologies and integration points with upstream and downstream dependencies, including both on- and off-premises technology.”
OSFI B-13, Section 2.9.3final
CACA_OSFIbusiness continuityDR scenarios must be forward-looking and consider new/emerging risks, material changes to business/technology, situations causing prolonged outage, and prior incident history.
“These scenarios should be forward-looking and consider, where appropriate: New and emerging risks or threats; Material changes to business objectives or technologies; Situations that can lead to prolonged outage; and, Previous incident history and known technology complexities or”
OSFI B-13, Section 2.9.3final
CACA_OSFIbusiness continuityDefine standards and implement incident/problem management processes including governance structure for timely identification, escalation, system restoration/recovery, and root cause investigation.
“FRFIs should define standards and implement processes for incident and problem management. Standards should provide an appropriate governance structure for timely identification and escalation of incidents, restoration and/or recovery of an affected system, and investigation and ”
OSFI B-13, Section 2.7.1final
CACA_OSFIbusiness continuityImplement incident response procedures including internal/external communication with escalation/notification triggers, and establish and periodically test incident management processes with third parties.
“Developing and implementing incident response procedures that mitigate the impacts of incidents, including internal and external communication actions that contain escalation and notification triggers and processes...Establishing and periodically testing incident management proce”
OSFI B-13, Section 2.7.2final
CACA_OSFIbusiness continuityConduct periodic exercises and testing of incident management processes, playbooks, and response tools to validate and maintain their effectiveness.
“Performing periodic testing and exercises using plausible scenarios in order to identify and remedy gaps in incident response actions and capabilities; Conducting periodic exercises and testing of incident management process, playbooks, and other response tools (e.g., coordinatio”
OSFI B-13, Section 2.7.2final
CACA_OSFIbusiness continuityDevelop problem management processes for detection, categorization, investigation and resolution of incident causes, including post-incident reviews and root cause/impact diagnostics to improve incident management.
“FRFIs should develop problem management processes that provide for the detection, categorization, investigation and resolution of suspected incident cause(s). Processes should include post-incident reviews, root cause and impact diagnostics and identification of trends or pattern”
OSFI B-13, Section 2.7.3final
CACA_OSFIbusiness continuityDesign and implement technology architecture using Resilience-by-Design and Availability-by-Design principles, commensurate with business needs.
“Using a risk-based approach, systems and associated infrastructure should be designed and implemented to achieve availability, scalability, security (Secure-by-Design) and resilience (Resilience-by-Design), commensurate with business needs.”
OSFI B-13, Section 2.1.2final
CACA_OSFIbusiness continuityMaintain a current comprehensive asset inventory cataloguing technology assets throughout their lifecycle, including documented interdependencies between critical assets to assist in response to security and operational incidents.
“Documented interdependencies between critical technology assets, where appropriate, to enable proper change and configuration management processes, and to assist in response to security and operational incidents, including cyber attacks.”
OSFI B-13, Section 2.2.2final
CACA_OSFIbusiness continuityContinuously monitor technology currency and proactively implement plans to mitigate risks from unpatched, outdated, or unsupported assets; replace/upgrade assets before maintenance ceases.
“FRFIs should continuously monitor the currency of software and hardware assets...It should proactively implement plans to mitigate and manage risks stemming from unpatched, outdated or unsupported assets and replace or upgrade assets before maintenance ceases.”
OSFI B-13, Section 2.2.5final
CACA_OSFIbusiness continuityEnsure changes to technology assets in production are documented, assessed, tested, approved, implemented and verified in a controlled manner, with defined emergency change controls. [adjacent]
“FRFIs should ensure that changes to technology assets in the production environment are documented, assessed, tested, approved, implemented and verified in a controlled manner...The standard should also define emergency change and control requirements to ensure that such changes ”
OSFI B-13, Section 2.5.1final
CACA_OSFIbusiness continuityDefine technology service management standards with performance indicators/service targets and remediation processes to ensure technology services support business continuity.
“FRFIs should establish technology service management standards with defined performance indicators and/or service targets that can be used to measure and monitor the delivery of technology services. Processes should also provide for remediation where targets are not being met.”
OSFI B-13, Section 2.8.1final
CACA_OSFIbusiness continuityDefine and continuously monitor performance and capacity requirements with thresholds on infrastructure utilisation to ensure technology supports current and future business needs.
“FRFIs should define performance and capacity requirements with thresholds on infrastructure utilization. These requirements should be continuously monitored against defined thresholds to ensure technology performance and capacity support current and future business needs.”
OSFI B-13, Section 2.8.2final
CACA_OSFIbusiness continuityEstablish cyber incident response capabilities (team, tools, playbooks) available on a continuous basis to rapidly respond, contain and recover from cyber security events materially impacting technology assets.
“FRFIs should establish a cyber incident response team with tools and capabilities available on a continuous basis to rapidly respond, contain and recover from cyber security events and incidents that could materially impact the FRFI's technology assets, customers and other stakeh”
OSFI B-13, Section 3.4.4final
CACA_OSFIbusiness continuityMaintain cyber security incident management process and playbooks to enable timely and effective management of cyber security incidents.
“FRFIs should maintain a cyber security incident management process and playbooks to enable timely and effective management of cyber security incidents.”
OSFI B-13, Section 3.4.3final
CACA_OSFIbusiness continuityAlign and integrate cyber security, technology, crisis management and communication protocols, including capabilities for timely escalation and stakeholder coordination during major cyber events.
“FRFIs should ensure the alignment and integration between their cyber security, technology, crisis management and communication protocols. This should include capabilities to enable comprehensive and timely escalation and stakeholder coordination (internal and external) in respon”
OSFI B-13, Section 3.4.1final
CACA_OSFIbusiness continuityConduct forensic investigation for incidents where technology assets may have been materially exposed; perform detailed post-incident assessment including RCA for high-severity incidents.
“FRFIs should conduct a forensic investigation for incidents where technology assets may have been materially exposed. For high-severity incidents, the FRFI should conduct a detailed post-incident assessment of direct and indirect impacts...including a root cause analysis to ident”
OSFI B-13, Section 3.4.5final
CACA_OSFIbusiness continuityMaintain continuous security logging for technology assets and defence layers; implement minimum log retention periods; ensure logs support timely forensic investigation of cyber events. [adjacent]
“FRFIs should ensure continuous security logging for technology assets and different layers of defence tools...FRFIs should implement minimum security log retention periods and maintain cyber security event logs to facilitate a thorough and unimpeded forensic investigation of cybe”
OSFI B-13, Section 3.3.1final
CACA_OSFIbusiness continuityProactively identify, defend, detect, respond and recover from cyber security threats and incidents to maintain confidentiality, integrity and availability of technology assets.
“FRFIs should proactively identify, defend, detect, respond and recover from external and insider cyber security threats, events and incidents to maintain the confidentiality, integrity and availability of its technology assets.”
OSFI B-13, Section 3.0final
CACA_OSFIbusiness continuityImplement enhanced controls to rapidly contain cyber threats, defend critical technology assets, and remain resilient against cyber attacks, including designing application controls to limit cyber attack impact.
“FRFIs should employ enhanced controls and functionality to rapidly contain cyber security threats, defend its critical technology assets and remain resilient against cyber attacks...Designing application controls to contain and limit the impact of a cyber attack.”
OSFI B-13, Section 3.2.3final
CACA_OSFIbusiness continuityEstablish technology and cyber risk management framework including risk appetite, tolerance levels, and processes for identifying, assessing, managing and reporting technology/cyber risks including emerging threats. [adjacent]
“Technology and cyber risk appetite and measurement (e.g., limits, thresholds and tolerance levels)...Management of unique risks posed by emerging threats and technologies...Reporting to Senior Management on technology and cyber risk appetite measures, exposures and trends.”
OSFI B-13, Section 1.3.2final
CACA_OSFIbusiness continuityIdentify critical operations and assess their ability to withstand disruptions; map all internal and external dependencies end to end, covering people, technology, processes, information, facilities, and third parties.
“Critical operations should be identified and assessed for their ability to withstand disruptions... Once identified, critical operations should be mapped for internal and external dependencies.”
Guideline E-21, Section 3.1final
CACA_OSFIbusiness continuityEstablish tolerances for disruption for each critical operation, setting the maximum level of disruption the institution can withstand across a range of severe but plausible scenarios.
“Tolerances for disruption should set out the maximum level of disruption a financial institution can withstand across a range of severe but plausible scenarios.”
Guideline E-21, Section 3.2final
CACA_OSFIbusiness continuityConduct regular scenario testing of critical operations against severe-but-plausible disruptions, using tabletop exercises, simulations, and live-systems testing, to assess whether operations can persist within tolerances for disruption.
“Regular scenario testing improves understanding of when tolerances for disruption would be breached... a variety of testing methodologies should be used, including table-top exercises, simulations, and live-systems testing.”
Guideline E-21, Section 3.3final
CACA_OSFIbusiness continuityConduct business impact analyses to assess risks and potential impacts of disruptive events, identify the impact of disruptions, and establish maximum recovery objectives; review and update the analyses regularly.
“A business impact analysis assesses the risks and potential impacts of a range of disruptive events on operations. It should identify and measure: The impact of disruptions. The maximum limits on recovery objectives before severe consequences or losses occur.”
Guideline E-21, Section 4.1.1final
CACA_OSFIbusiness continuityDevelop business continuity plans (BCPs) covering response and recovery actions for a range of threats, including protocols for plan invocation, roles and responsibilities, backup personnel, staff safety, recovery targets, workarounds, and internal/external communication plans.
“Business continuity plans set out the response and recovery actions for a range of potential threats... This should include: Establishing protocols for invoking the plan... Defining roles and responsibilities... Setting targets for recovery levels and times.”
Guideline E-21, Section 4.1.2final
CACA_OSFIbusiness continuityRegularly test business continuity plans using scenarios that include long-duration and simultaneous disruptions involving critical third parties; address gaps identified and maintain contingency plans for critical third parties.
“Business continuity plan tests should provide reasonable assurance that plans are effective... Tests should consider a range of severe but plausible circumstances, including scenarios with disruptions that: Are long in duration. Are simultaneous in nature. Involve critical third ”
Guideline E-21, Section 4.1.3final
CACA_OSFIbusiness continuityEstablish a crisis management plan with escalation protocols to senior management and the board, plan invocation criteria, internal and external communications protocols, and conduct regular testing and lessons-learned exercises.
“A crisis management plan should be established that ensures effective, coordinated, and timely responses to potential crises... It should include: Protocols for escalation to senior management and the board. Criteria for invoking the plan. Internal and external communications pro”
Guideline E-21, Section 4.3final
CACA_OSFIbusiness continuityMaintain a senior-level crisis management team responsible for decision-making, coordination, and oversight of strategies to address crises affecting operations.
“A crisis management team can help ensure effective communication, expedited recovery, and an effective response to the crisis.”
Guideline E-21, Section A5 (definition) and Section 4.3final
CACA_OSFIbusiness continuityIntegrate business continuity risk management with operational resilience, evolving its focus from business processes to critical operations end to end, and including business impact analyses and tested BCPs.
“Business continuity risk management is the process of planning for, and recovering from, disruptions to operations. It should be integrated with and strengthen operational resilience. Over time, its focus should evolve from business processes to critical operations end to end.”
Guideline E-21, Section 4.1final
CACA_OSFIbusiness continuityProvide staff with training on business continuity plans, including plan activation and management of operations during disruption.
“Staff should be provided with training on business continuity plans, including their activation and how operations will be managed during disruption.”
Guideline E-21, Section 4.1.2final
CACA_OSFIbusiness continuityObtain sufficient information about critical third parties to assess their resilience, and coordinate with them to conduct broader resilience exercises where possible.
“Where a third party is identified as critical, sufficient information should be obtained to assess its resilience... The financial institution should also coordinate with critical third parties, where possible, to conduct broader exercises.”
Guideline E-21, Sections 3.1 and 3.3final
CACA_OSFIbusiness continuityRequire critical third parties to demonstrate robustness in their own business continuity plans and testing, and maintain contingency plans for critical third-party failures.
“Critical third parties should also demonstrate robustness in their own business continuity plans and testing. There should be processes to address gaps identified during testing, as well as contingency plans for critical third parties.”
Guideline E-21, Section 4.1.3final
CACA_OSFIbusiness continuityImplement a data risk management framework including a strategy and programme covering data governance, architecture, classification, integrity/availability controls, and processes for escalating and responding to data breaches and data-related incidents. [adjacent]
“It should also comprise a specific data risk management framework that includes a data risk management strategy and program... Processes for escalating and responding to data breaches and other data-related incidents.”
Guideline E-21, Section 4.7final
CACA_OSFIbusiness continuityEnsure data supporting critical operations is accurate, complete, timely, secure, and protected, using methodologies that maintain integrity, adaptability, confidentiality, and availability throughout the data lifecycle.
“Effective data risk management ensures that data is accurate, complete, timely, secure, and protected... Methodologies for ensuring the integrity, adaptability, confidentiality, and availability of data throughout its lifecycle.”
Guideline E-21, Section 4.7final
CACA_OSFIbusiness continuityEmbed effective technology and cyber risk management as a foundation of operational resilience, aligned with Guideline B-13, to prevent wide-scale operational disruption from technology failure, infiltration, or data loss.
“A critical technology failure, infiltration, or loss of data can result in wide-scale disruption impacting operations. Sound technology and cyber risk management is fundamental to bolstering operational resilience.”
Guideline E-21, Section 4.5final
CACA_OSFIbusiness continuityManage third-party operational resilience risks (including disruption at a third party or loss/corruption of critical data) as part of operational resilience, aligned with Guideline B-10.
“Threats to operational resilience can arise from critical third-party arrangements, including disruption at the third party or the loss or corruption of critical data. Accordingly, effective third-party risk management is an important contributor to operational resilience.”
Guideline E-21, Section 4.6final
CACA_OSFIbusiness continuityConduct scenario analysis at both business-unit and enterprise-wide levels using a range of severe but plausible scenarios; use results to inform operational resilience scenario testing.
“Scenario analysis should be conducted using appropriate techniques at both the business unit and enterprise-wide levels and incorporate a range of severe but plausible scenarios... Scenario analysis results may be used to inform operational resilience scenario testing.”
Guideline E-21, Section 2.3.4final
CACA_OSFIbusiness continuityEnsure senior management and the board receive timely reports on operational resilience scenario testing results, including analysis of deficiencies, assessment of whether critical operations can be maintained within tolerances, and plans to address shortcomings.
“Senior management and the board of directors should also receive the results of scenario analysis... and scenario testing... This should include: Analysis of deficiencies. An assessment of operational resilience, and whether critical operations can be maintained within establishe”
Guideline E-21, Section 2.4.2final
CACA_OSFIbusiness continuityEnsure breaches of tolerances for disruption are appropriately escalated to senior management and addressed in a timely and sustainable manner.
“Ensuring breaches of tolerances for disruption are appropriately escalated and addressed.”
Guideline E-21, Section 1.1final
CACA_OSFIbusiness continuityPerform change management assessments for significant operational changes (new products, acquisitions, new tech systems, process changes), including deploying tested contingency plans if a change fails and testing changes before implementation.
“Deploy tested contingency plans in the event a change fails. Test the change on systems and processes before introducing it.”
Guideline E-21, Section 4.4final
CACA_OSFIbusiness continuityConduct ongoing monitoring of adherence to tolerances for disruption and operational risk limits, using comprehensive metrics; ensure key risk indicators include escalation protocols when risk levels approach or exceed limits.
“Ongoing monitoring should be conducted to help prepare for, and respond to, changes in operational risks. It should assess adherence to the operational risk appetite statement and operational risk limits, as well as tolerances for disruption.”
Guideline E-21, Sections 2.4.1 and 2.3.2final
CACA_OSFIbusiness continuityCapture and analyse operational risk event data (actual, potential, and near-misses) to determine root causes, contributing risk categories, and corrective measures; use findings to strengthen resilience controls.
“Operational risk event data exceeding established limits should be captured to assess: What the root cause of the operational risk event is... What corrective measures ought to be taken to address deficiencies or control failures.”
Guideline E-21, Section 2.3.3final
CACA_OSFIbusiness continuityEnsure independent risk and compliance functions oversee and challenge resilience activities, including escalation channels for significant issues, and that internal audit provides independent assurance on operational risk management controls and systems.
“The independent risk and compliance functions oversee and challenge the risk and resilience activities... Internal audit or a similar function should provide independent assurance to senior management and the board of directors that operational risk management controls, policies ”
Guideline E-21, Sections 1.3 and 1.4final
CACA_OSFIbusiness continuityConduct lessons-learned exercises following a crisis and incorporate findings into the crisis management plan; share the plan with relevant business units and impacted external parties.
“Lessons-learned exercises should be undertaken following a crisis and incorporated into the plan. The crisis management plan should be regularly tested and shared with the relevant business units in the financial institution and any impacted external parties, as appropriate.”
Guideline E-21, Section 4.3final
CACA_OSFIbusiness continuityEstablish and maintain a third-party risk management program that addresses the comprehensive set of third-party risks within an expanded third-party ecosystem, with emphasis on governance and risk management to protect operational and financial resilience.
“Addresses a comprehensive set of third-party risks within an expanded third-party ecosystem, placing emphasis on governance and risk management programs and setting outcomes-focused, principles-based expectations”
OSFI Guideline B-10 (April 24, 2023 cover letter)final
CACA_OSFIbusiness continuityApply the Guideline proportionately, based on the level of risk and criticality of each third-party arrangement and the size, nature, scope, complexity, and risk profile of the FRFI, including for operational resilience purposes.
“apply the Guideline in a manner that is proportionate to the level of risk and criticality of each arrangement and to the size, nature, scope, complexity, and risk profile of the FRFI”
OSFI Guideline B-10 (April 24, 2023 cover letter)final
CACA_OSFIbusiness continuityManage subcontractor (fourth-party) risk according to the level of risk and criticality of the given third-party arrangement, to protect continuity of critical activities.
“FRFIs managing subcontractor risk according to the level of risk and criticality of the given third-party arrangement”
OSFI Guideline B-10 (April 24, 2023 cover letter)final
CACA_OSFIbusiness continuityTake reasonable steps to manage concentration risks related to the FRFI's own third-party arrangements (e.g., over-reliance on a single provider for critical services).
“taking reasonable steps to manage concentration risks related to their own third-party arrangements”
OSFI Guideline B-10 (April 24, 2023 cover letter)final
CACA_OSFIbusiness continuityAssess systemic concentration risk (i.e., sector-wide dependence on common critical third-party providers) to the greatest extent possible.
“assessing systemic concentration risk to the greatest extent possible”
OSFI Guideline B-10 (April 24, 2023 cover letter)final
CACA_OSFIbusiness continuityEnsure that third-party arrangements commencing on or after May 1, 2024 adhere to Guideline B-10 from inception, including operational resilience requirements.
“third-party arrangements commencing on or after the effective date adhere to the guideline”
OSFI Guideline B-10 (April 24, 2023 cover letter)final
CACA_OSFIbusiness continuityReview and update pre-existing third-party arrangements at the earliest opportunity so that they adhere to Guideline B-10 by May 1, 2024 or as soon as possible thereafter.
“those entered into prior are being reviewed and updated at the earliest opportunity so that they adhere to the guideline by its effective date or as soon as possible thereafter”
OSFI Guideline B-10 (April 24, 2023 cover letter)final
USCA_PRIVACYcybersecurityEstablish and maintain a cybersecurity program consisting of policies, procedures, and practices that protect personal information from unauthorized access, destruction, use, modification, or disclosure, and protect against loss of availability of personal information. [adjacent]
“"Cybersecurity program" means the policies, procedures, and practices that protect personal information from unauthorized access, destruction, use, modification, or disclosure; and protect against unauthorized activity resulting in the loss of availability of personal information”
§ 7001(k)final
USCA_PRIVACYcybersecurityCreate a cybersecurity audit report documenting the required information for each completed annual cybersecurity audit. [adjacent]
“"Cybersecurity audit report" means the document that every business must create as part of its cybersecurity audit. The cybersecurity audit report includes the information set forth in section 7123, subsection (e).”
§ 7001(l)final
USCA_PRIVACYcybersecurityConduct penetration testing of information systems by authorizing attempted circumvention or defeat of security features to identify vulnerabilities that could compromise availability or security of personal information. [adjacent]
“"Penetration testing" means testing the security of an information system by attempting to circumvent or defeat its security features by authorizing attempted penetration of the information system.”
§ 7001(bb)final
USCA_PRIVACYcybersecurityManage and control privileged accounts to prevent unauthorized configuration changes or unauthorized access that could affect availability and security of personal information. [adjacent]
“"Privileged account" means any authorized user account or service account that can be used to perform functions that other user accounts are not authorized to perform, including but not limited to the ability to add, change, or remove other accounts, or make configuration changes”
§ 7001(hh)final
USCA_PRIVACYcybersecurityScope the business's information system (including third-party-owned resources used for processing personal information) within the cybersecurity program and audit, addressing risks to all such resources. [adjacent]
“"Information system" means the resources (e.g., network, hardware, and software) organized for the processing of personal information or that can provide access to personal information. The business's information system includes the resources organized for the business's processi”
§ 7001(t)final
EUEU_AIartificial intelligenceShall be taken into account when ensuring compliance with those requirements. (Art. 9) [adjacent]
“shall be taken into account when ensuring compliance with those requirements.”
Article 9, Regulation (EU) 2024/1689final
EUEU_AIartificial intelligenceShall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural person (Art. 14) [adjacent]
“shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which they are in use.”
Article 14, Regulation (EU) 2024/1689final
EUEU_AIartificial intelligenceAccuracy, robustness and cybersecurity (Art. 15) [adjacent]
“shall be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurity, and that they perform consistently in those respects throughout their lifecycle.”
Article 15, Regulation (EU) 2024/1689final
EUEU_ESAbusiness continuityRanking of ICT third-party providers in the supply chain Financial entities shall assign a rank to each ICT third-party (Art. 2)
“shall assign a rank to each ICT third-party service provider.”
Article 2, Implementing Reg (EU) 2024/2956final
EUEU_ESAbusiness continuityGeneral requirements for the templates of the register of information (Art. 3) [adjacent]
“shall use the templates set out in Annex I to IV to maintain and update the register of information in accordance with Article 28(3) of Regulation (EU) 2022/2554, at entity level, or at sub-consolidated and consolidated level.”
Article 3, Implementing Reg (EU) 2024/2956final
EUEU_ESAbusiness continuityContent of the register of information (Art. 5)
“shall include in the register of information, in accordance with the instructions set out in Annex I, the following information: (a) general information on the financial entity maintaining and updating the register of information at entity, sub-consolidated and consolidated level”
Article 5, Implementing Reg (EU) 2024/2956final
EUEU_ESAcybersecurityIdentification of financial entities required to perform TLPT (Art. 2)
“shall assess whether any financial entity is required to perform TLPT, taking into account the impact of those financial entities, their systemic character and their ICT risk profile, on the basis of all of the following criteria: (a) impact-related and systemic character related”
Article 2, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityTCT and TLPT Test Managers (Art. 3)
“shall assign the responsibility for coordinating TLPT-related activities to a TCT.”
Article 3, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityOrganisational arrangements for financial entities (Art. 4) [adjacent]
“shall appoint a control team lead which shall be responsible for the day-to-day management of the TLPT and the decisions and actions of the control team.”
Article 4, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityRisk management for TLPT (Art. 5) [adjacent]
“shall assess the risks associated with the testing of live production systems of critical or important functions of the financial entity, including potential impacts on: (a) the financial sector;”
Article 5, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityRisk management for pooled or joint TLPTs (Art. 6) [adjacent]
“shall conduct its own risk assessment and establish its own risk management measures.”
Article 6, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecuritySelection of TLPT providers (Art. 7) [adjacent]
“shall take measures to manage the risks relating to the TLPT and shall in particular ensure that, for each TLPT: (a) the threat intelligence provider and external testers provide the control team with a detailed curriculum vitae and copies of certifications that, according to rec”
Article 7, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecuritySpecificities for pooled or joint TLPTs (Art. 8) [adjacent]
“shall follow each of the steps set out in Articles 9 to 15.”
Article 8, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityPreparation phase (Art. 9)
“shall initiate a TLPT following a notification from the TLPT authority that a TLPT is to be carried out.”
Article 9, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityTesting phase (Art. 10)
“shall analyse generic and sector-specific threat intelligence relevant for the financial entity.”
Article 10, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityTesting phase (Art. 11)
“shall prepare the red team test plan that shall contain the information set out in Annex IV.”
Article 11, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityRemediation plan (Art. 13)
“shall provide the remediation plans and the documentation referred to in Article 26(6) of Regulation (EU) 2022/2554 to the TLPT authority and, where different, to the financial entity’s competent authority.”
Article 13, Delegated Reg (EU) 2025/1190final
EUEU_ESAcybersecurityUse of internal testers (Art. 15)
“shall establish all of the following arrangements for the use of internal testers: (a) the establishment and implementation of a policy for the management of internal testers in a TLPT;”
Article 15, Delegated Reg (EU) 2025/1190final
EUEU_ESAcrisis managementDuration and service downtime (Art. 3)
“shall measure the duration of an incident as referred to in Article 18(1), point (b), of Regulation (EU) 2022/2554, from the moment the incident occurs until the moment when it is resolved.”
Article 3, Delegated Reg (EU) 2024/1772final
EUEU_ESAcrisis managementGeographical spread For the purpose of determining the geographical spread with regard to the areas affected by the inci (Art. 4)
“shall assess whether the incident has or had an impact in other Member States, and in particular the significance of the impact in relation to any of the following: (a) clients and financial counterparts in other Member States;”
Article 4, Delegated Reg (EU) 2024/1772final
EUEU_ESAcrisis managementShall take into account the following: (a) in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity (Art. 5)
“shall take into account the following: (a) in relation to the availability of data, whether the incident has rendered the data on demand by the financial entity, its clients or its counterparts temporarily or permanently inaccessible or unusable;”
Article 5, Delegated Reg (EU) 2024/1772final
EUEU_ESAcrisis managementCriticality of services affected For the purpose of determining the criticality of the services affected as referred to (Art. 6)
“shall assess whether the incident: (a) affects or has affected ICT services or network and information systems that support critical or important functions of the financial entity;”
Article 6, Delegated Reg (EU) 2024/1772final
EUEU_ESAcrisis managementMajor incidents (Art. 8)
“shall be considered a major incident for the purposes of Article 19(1) of Regulation (EU) 2022/2554 where it has affected critical services as referred to in Article 6 and where either of the following conditions is fulfilled: (a) the materiality threshold referred to in”
Article 8, Delegated Reg (EU) 2024/1772final
EUEU_ESAcrisis managementShall be considered as one major incident where they meet all of the following conditions: (a) they have occurred at least twice within 6 months; (Art. 9)
“shall be considered as one major incident where they meet all of the following conditions: (a) they have occurred at least twice within 6 months;”
Article 9, Delegated Reg (EU) 2024/1772final
EUEU_ESAcrisis managementShall be considered significant where all of the following conditions are fulfilled: (a) the cyber threat, if materialised, could affect or could have affected (Art. 10)
“shall be considered significant where all of the following conditions are fulfilled: (a) the cyber threat, if materialised, could affect or could have affected critical or important functions of the financial entity, or could affect other financial entities, third-party providers”
Article 10, Delegated Reg (EU) 2024/1772final
EUEU_ESAcrisis managementRelevance of major incidents to competent authorities in other Member States The assessment of whether the major inciden (Art. 11)
“shall be based on whether the incident has a root cause originating from another Member State or whether the incident has or has had a significant impact in another Member State in relation to any of the following: (a) clients or financial counterparts;”
Article 11, Delegated Reg (EU) 2024/1772final
EUEU_ESAcrisis managementDetails of major incidents to be shared with other competent authorities The details of major incidents to be submitted (Art. 12)
“shall contain the same level of information, without any anonymisation, as the notifications and reports of major incidents received from financial entities in accordance with Article 19(4) of Regulation (EU) 2022/2554.”
Article 12, Delegated Reg (EU) 2024/1772final
EUEU_ESAbusiness continuityOverall risk profile and complexity The policy on the use of ICT services supporting critical or important functions pro (Art. 1)
“shall take into account the size and the overall risk profile of the financial entity, and the nature, scale and elements of increased or reduced complexity of its services, activities and operations, including elements relating to: (a) the type of ICT services included in the co”
Article 1, Delegated Reg (EU) 2024/1773final
EUEU_ESAbusiness continuityGroup application Where this Regulation applies on a sub-consolidated or consolidated basis, the parent undertaking that (Art. 2) [adjacent]
“shall ensure that the policy is implemented consistently in all financial entities that are part of the group and is adequate for the effective application of this Regulation at all relevant levels of the group.”
Article 2, Delegated Reg (EU) 2024/1773final
EUEU_ESAbusiness continuityGovernance arrangements (Art. 3) [adjacent]
“shall review the policy at least once a year and update it where necessary.”
Article 3, Delegated Reg (EU) 2024/1773final
EUEU_ESAbusiness continuityMain phases of the life cycle for the adoption and use of contractual arrangements The policy shall specify the requirem (Art. 4)
“shall specify the requirements, including the rules, the responsibilities and the processes, for each main phase of the lifecycle of the contractual arrangement, covering at least the following: (a) the responsibilities of the management body, including its involvement, as approp”
Article 4, Delegated Reg (EU) 2024/1773final
EUEU_ESAbusiness continuityEx-ante risk assessment (Art. 5) [adjacent]
“shall require that the business needs of the financial entity are defined before a contractual arrangement is concluded.”
Article 5, Delegated Reg (EU) 2024/1773final
EUEU_ESAbusiness continuityContractual clauses (Art. 8)
“shall specify that the relevant contractual arrangement are to be in written form and are to include all the elements referred to in Article 30(2) and (3) of Regulation (EU) 2022/2554.”
Article 8, Delegated Reg (EU) 2024/1773final
EUEU_ESAbusiness continuityMonitoring of the contractual arrangements (Art. 9)
“shall require that the contractual arrangements specify the measures and key indicators to monitor, on an ongoing basis, the performance of ICT third party service providers, including measures to monitor compliance with requirements regarding the confidentiality, availability, i”
Article 9, Delegated Reg (EU) 2024/1773final
EUEU_ESAbusiness continuityExit from and termination of the contractual arrangements The policy shall contain requirements for a documented exit pl (Art. 10)
“shall contain requirements for a documented exit plan for each contractual arrangement and for the periodic review and testing of the documented exit plan.”
Article 10, Delegated Reg (EU) 2024/1773final
EUEU_ESAbusiness continuityOverall risk profile and complexity When developing and implementing the ICT security policies, procedures, protocols an (Art. 1) [adjacent]
“shall be taken into account, including elements relating to: (a) encryption and cryptography;”
Article 1, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityGeneral elements of ICT security policies, procedures, protocols, and tools (Art. 2) [adjacent]
“shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework.”
Article 2, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityICT risk management Financial entities shall develop, document, and implement ICT risk management policies and procedure (Art. 3) [adjacent]
“shall develop, document, and implement ICT risk management policies and procedures that shall contain all of the following: (a) an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2”
Article 3, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityICT asset management policy (Art. 4) [adjacent]
“shall develop, document, and implement a policy on management of ICT assets.”
Article 4, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityICT asset management procedure (Art. 5) [adjacent]
“shall develop, document, and implement a procedure for the management of ICT assets.”
Article 5, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityShall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and avai (Art. 7)
“shall process data in use in a separated and protected environment, or take equivalent measures to ensure the confidentiality, integrity, authenticity, and availability of data.”
Article 7, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityShall adopt mitigation and monitoring measures that ensure resilience against cyber threats. (Art. 8)
“shall adopt mitigation and monitoring measures that ensure resilience against cyber threats.”
Article 8, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityShall develop, document, and implement policies and procedures to manage the ICT operations. (Art. 9) [adjacent]
“shall develop, document, and implement policies and procedures to manage the ICT operations.”
Article 9, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityVulnerability and patch management (Art. 10) [adjacent]
“shall develop, document, and implement vulnerability management procedures.”
Article 10, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityData and system security (Art. 11)
“shall develop, document, and implement a data and system security procedure.”
Article 11, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityLogging (Art. 12) [adjacent]
“shall, as part of the safeguards against intrusions and data misuse, develop, document, and implement logging procedures, protocols and tools.”
Article 12, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityNetwork security management Financial entities shall, as part of the safeguards ensuring the security of networks agains (Art. 13) [adjacent]
“shall, as part of the safeguards ensuring the security of networks against intrusions and data misuse, develop, document, and implement policies, procedures, protocols, and tools on network security management, including all of the following: (a) the segregation and segmentation ”
Article 13, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityICT systems acquisition, development, and maintenance (Art. 16) [adjacent]
“shall develop, document and implement a policy governing the acquisition, development, and maintenance of ICT systems.”
Article 16, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityICT change management (Art. 17) [adjacent]
“shall include in the ICT change management procedures referred to in Article 9(4), point (e), of Regulation (EU) 2022/2554, in respect of all changes to software, hardware, firmware components, systems, or security parameters, all of the following elements: (a) a verification of ”
Article 17, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityPhysical and environmental security (Art. 18) [adjacent]
“shall specify, document, and implement a physical and environmental security policy.”
Article 18, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityHuman resources policy Financial entities shall include in their human resource policy or other relevant policies all of (Art. 19) [adjacent]
“shall include in their human resource policy or other relevant policies all of the following ICT security related elements: (a) the identification and assignment of any specific ICT security responsibilities;”
Article 19, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityICT-related incident management policy As part of the mechanisms to detect anomalous activities, including ICT network p (Art. 22)
“shall develop, document, and implement an ICT-related incident policy through which they shall: (a) document the ICT-related incident management process referred to in Article 17 of Regulation (EU) 2022/2554;”
Article 22, Delegated Reg (EU) 2024/1774final
EUEU_ESAbusiness continuityShall be considered a sector-specific Union legal act for the purposes of (Art. 3) [adjacent]
“shall be considered a sector-specific Union legal act for the purposes of”
Article 3, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityGovernance and organisation (Art. 5) [adjacent]
“shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with”
Article 5, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityShall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article (Art. 6)
“shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).”
Article 6, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityICT systems, protocols and tools In order to address and manage ICT risk, financial entities shall use and maintain upda (Art. 7)
“shall use and maintain updated ICT systems, protocols and tools that are: (a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4;”
Article 7, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityIdentification (Art. 8) [adjacent]
“shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk.”
Article 8, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityProtection and prevention (Art. 9)
“shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.”
Article 9, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityDetection (Art. 10)
“shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.”
Article 10, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityResponse and recovery (Art. 11)
“shall put in place a comprehensive ICT business continuity policy, which may be adopted as a dedicated specific policy, forming an integral part of the overall business continuity policy of the financial entity.”
Article 11, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityLearning and evolving (Art. 13)
“shall have in place capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyber-attacks, and analyse the impact they are likely to have on their digital operational resilience.”
Article 13, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityCommunication (Art. 14) [adjacent]
“shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropriate.”
Article 14, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityFurther harmonisation of ICT risk management tools, methods, processes and policies The ESAs shall, through the Joint Co (Art. 15)
“shall, through the Joint Committee, in consultation with the European Union Agency on Cybersecurity (ENISA), develop common draft regulatory technical standards in order to: (a) specify further elements to be included in the ICT security policies, procedures, protocols and tools ”
Article 15, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuitySimplified ICT risk management framework (Art. 16)
“shall not apply to small and non-interconnected investment firms, payment institutions exempted pursuant to Directive (EU) 2015/2366;”
Article 16, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityICT-related incident management process (Art. 17)
“shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.”
Article 17, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityShall classify ICT-related incidents and shall determine their impact based on the following criteria: (a) the number and/or relevance of clients or financial c (Art. 18)
“shall classify ICT-related incidents and shall determine their impact based on the following criteria: (a) the number and/or relevance of clients or financial counterparts affected and, where applicable, the amount or number of transactions affected by the ICT-related incident, a”
Article 18, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityShall take into account the criteria set out in Article 4(2), as well as international standards, guidance and specifications developed and published by ENISA, (Art. 19) [adjacent]
“shall take into account the criteria set out in Article 4(2), as well as international standards, guidance and specifications developed and published by ENISA, including, where appropriate, specifications for other economic sectors.”
Article 19, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityShall notify the competent authority about it via alternative means. (Art. 20)
“shall notify the competent authority about it via alternative means.”
Article 20, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityCentralisation of reporting of major ICT-related incidents (Art. 21)
“shall prepare a joint report assessing the feasibility of further centralisation of incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities.”
Article 21, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuitySupervisory feedback (Art. 22) [adjacent]
“shall, upon receipt of the initial notification and of each report as referred to in Article 19(4), acknowledge receipt and may, where feasible, provide in a timely manner relevant and proportionate feedback or high-level guidance to the financial entity, in particular by making ”
Article 22, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityOperational or security payment-related incidents concerning credit institutions, payment institutions, account informat (Art. 23)
“shall also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.”
Article 23, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityGeneral requirements for the performance of digital operational resilience testing (Art. 24)
“shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6.”
Article 24, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityTesting of ICT tools and systems (Art. 25)
“shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning so”
Article 25, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityAdvanced testing of ICT tools, systems and processes based on TLPT (Art. 26)
“shall carry out at least every 3 years advanced testing by means of TLPT.”
Article 26, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityShall contract external testers every three tests. (Art. 27)
“shall contract external testers every three tests.”
Article 27, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityGeneral principles (Art. 28) [adjacent]
“shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework as referred to in Article 6(1), and in accordance with the following principles: (a) financial entities that have in place contractual arrangements for the use of ICT”
Article 28, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityShall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality (Art. 29)
“shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.”
Article 29, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityKey contractual provisions (Art. 30)
“shall be clearly allocated and set out in writing.”
Article 30, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityShall: (a) designate the ICT third-party service providers that are critical for financial entities, following an assessment that takes into account the criteri (Art. 32)
“shall: (a) designate the ICT third-party service providers that are critical for financial entities, following an assessment that takes into account the criteria specified in paragraph 2;”
Article 32, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityTasks of the Lead Overseer (Art. 33) [adjacent]
“shall conduct the oversight of the assigned critical ICT third-party service providers and shall be, for the purposes of all matters related to the oversight, the primary point of contact for those critical ICT third-party service providers.”
Article 33, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityShall adopt a clear, detailed and reasoned individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each (Art. 34) [adjacent]
“shall adopt a clear, detailed and reasoned individual oversight plan describing the annual oversight objectives and the main oversight actions planned for each critical ICT third-party service provider.”
Article 34, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityPowers of the Lead Overseer (Art. 35)
“shall have the following powers in respect of the critical ICT third-party service providers: (a) to request all relevant information and documentation in accordance with Article 37;”
Article 35, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityExercise of the powers of the Lead Overseer outside the Union (Art. 36) [adjacent]
“shall conclude administrative cooperation arrangements with the relevant authority of the third country in order to enable the smooth conduct of inspections in the third country concerned by the Lead Overseer and its designated team for its mission in that third country.”
Article 36, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityInformation-sharing arrangements on cyber threat information and intelligence (Art. 45) [adjacent]
“shall define the conditions for participation and, where appropriate, shall set out the details on the involvement of public authorities and the capacity in which they may be associated to the information-sharing arrangements, on the involvement of ICT third-party service provide”
Article 45, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityCompetent authorities Without prejudice to the provisions on the Oversight Framework for critical ICT third-party servic (Art. 46)
“shall be ensured by the following competent authorities in accordance with the powers granted by the respective legal acts: (a) for credit institutions and for institutions exempted pursuant to Directive 2013/36/EU, the competent authority designated in accordance with Article 4 ”
Article 46, Regulation (EU) 2022/2554final
EUEU_ESAbusiness continuityFinancial cross-sector exercises, communication and cooperation (Art. 49)
“shall cooperate closely with each other and exchange information to carry out their duties pursuant to Articles 47 to 54.”
Article 49, Regulation (EU) 2022/2554final
USNYDFSbusiness continuityMaintain a cybersecurity program that includes the ability to recover from Cybersecurity Events and restore normal operations and services.
“recover from Cybersecurity Events and restore normal operations and services”
23 NYCRR 500.2(b)(5)final
USNYDFSbusiness continuityInclude systems availability concerns in the written cybersecurity policy.
“systems operations and availability concerns”
23 NYCRR 500.3(f)final
USNYDFSbusiness continuityInclude incident response procedures in the written cybersecurity policy.
“incident response”
23 NYCRR 500.3(n)final
USNYDFSbusiness continuityEstablish and maintain audit trail systems designed to reconstruct material financial transactions sufficient to support normal operations, retained for at least five years. [adjacent]
“designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity”
23 NYCRR 500.6(a)(1), 500.6(b)final
USNYDFSbusiness continuityMaintain audit trails designed to detect and respond to Cybersecurity Events that could materially harm normal operations, retained for at least three years.
“audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations”
23 NYCRR 500.6(a)(2), 500.6(b)final
USNYDFSbusiness continuityConduct a periodic Risk Assessment that considers availability and effectiveness of controls to protect Information Systems, updated as necessary to address changes in operations.
“the availability and effectiveness of controls to protect Nonpublic Information and Information Systems”
23 NYCRR 500.9(a)final
USNYDFSbusiness continuityEnsure qualified cybersecurity personnel are sufficient to perform or oversee recovery from Cybersecurity Events (core cybersecurity function 500.2(b)(5)).
“qualified cybersecurity personnel...sufficient to manage the Covered Entity's cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.2(b)(1)-(6)”
23 NYCRR 500.10(a)(1)final
USNYDFSbusiness continuityImplement written policies and procedures governing Third Party Service Providers' cybersecurity practices, including periodic assessment based on risk they present.
“periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices”
23 NYCRR 500.11(a)(4)final
USNYDFSbusiness continuityRequire Third Party Service Providers to provide notice to the Covered Entity upon any Cybersecurity Event directly impacting the Covered Entity's Information Systems or its Nonpublic Information. [adjacent]
“notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity's Information Systems or the Covered Entity's Nonpublic Information being held by the Third Party Service Provider”
23 NYCRR 500.11(b)(3)final
USNYDFSbusiness continuityEstablish a written incident response plan designed to promptly respond to and recover from Cybersecurity Events affecting availability or continuing functionality of business operations.
“written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting...the continuing functionality of any aspect of the Covered Entity's business or operations”
23 NYCRR 500.16(a)final
USNYDFSbusiness continuityEnsure the incident response plan defines clear roles, responsibilities, and decision-making authority for responding to and recovering from Cybersecurity Events.
“the definition of clear roles, responsibilities and levels of decision-making authority”
23 NYCRR 500.16(b)(3)final
USNYDFSbusiness continuityEnsure the incident response plan addresses external and internal communications and information sharing during a Cybersecurity Event.
“external and internal communications and information sharing”
23 NYCRR 500.16(b)(4)final
USNYDFSbusiness continuityEnsure the incident response plan addresses identification and remediation of weaknesses in Information Systems and controls following a Cybersecurity Event.
“identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls”
23 NYCRR 500.16(b)(5)final
USNYDFSbusiness continuityEnsure the incident response plan requires documentation and reporting regarding Cybersecurity Events and incident response activities.
“documentation and reporting regarding Cybersecurity Events and related incident response activities”
23 NYCRR 500.16(b)(6)final
USNYDFSbusiness continuityEvaluate and revise the incident response plan as necessary following a Cybersecurity Event.
“the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event”
23 NYCRR 500.16(b)(7)final
USNYDFSbusiness continuityNotify the Superintendent within 72 hours of determining a Cybersecurity Event with reasonable likelihood of materially harming normal operations has occurred.
“no event later than 72 hours from a determination that a Cybersecurity Event has occurred...Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity”
23 NYCRR 500.17(a)(2)final
USNYDFSbusiness continuityNotify the Superintendent within 72 hours of determining a Cybersecurity Event requiring notice to any government body or regulatory/self-regulatory agency has occurred. [adjacent]
“no event later than 72 hours from a determination that a Cybersecurity Event has occurred...Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body”
23 NYCRR 500.17(a)(1)final
USNYDFSbusiness continuityInclude in the cybersecurity program monitoring and testing—including penetration testing and vulnerability assessments—to assess program effectiveness, supporting detection and response to threats that could disrupt operations. [adjacent]
“monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program...annual Penetration Testing...bi-annual vulnerability assessments”
23 NYCRR 500.5final
USNYDFSbusiness continuityMaintain a cybersecurity program designed to protect the availability of the Covered Entity's Information Systems.
“maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems”
23 NYCRR 500.2(a)final
USNYDFSbusiness continuityInclude in the cybersecurity program the ability to detect and respond to Cybersecurity Events to mitigate negative effects on operations.
“respond to identified or detected Cybersecurity Events to mitigate any negative effects”
23 NYCRR 500.2(b)(4)final
USNYDFSbusiness continuityImplement written TPSP policies that include minimum cybersecurity practices required of third parties, supporting resilience of systems accessible to or held by those providers.
“minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity”
23 NYCRR 500.11(a)(2)final
USNYDFSbusiness continuityMake available to the Superintendent upon request all documentation relevant to the cybersecurity program, including BCDR and incident response components. [adjacent]
“All documentation and information relevant to the Covered Entity's cybersecurity program shall be made available to the superintendent upon request”
23 NYCRR 500.2(d)final
USNYDFSbusiness continuityMaintain records supporting the annual compliance certification for five years, including documentation of remedial efforts for identified areas requiring improvement. [adjacent]
“maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years...document the identification and the remedial efforts planned and underway”
23 NYCRR 500.17(b)final
USNYDFSbusiness continuityInclude vendor and Third Party Service Provider management in the written cybersecurity policy to address resilience risks from third-party dependencies.
“vendor and Third Party Service Provider management”
23 NYCRR 500.3(l)final
USNYDFScrisis managementMaintain cybersecurity programs, policies, and procedures based on Risk Assessments that account for AI-related risks including deepfakes, threats from TPSPs' AI use, and AI vulnerabilities affecting availability of Information Systems.
“Covered Entities should address AI-related risks in the following areas: the organization's own use of AI, the AI technologies utilized by TPSPs and vendors, and any potential vulnerabilities stemming from AI applications that could pose a risk to the confidentiality, integrity, ”
23 NYCRR §§ 500.2 and 500.3proposed
USNYDFScrisis managementUpdate Risk Assessments at least annually and whenever a material change in business or technology affects cybersecurity risk, ensuring new AI-related risks are assessed and reflected in updated policies and procedures. [adjacent]
“The Cybersecurity Regulation requires Risk Assessments to be updated at least annually and whenever a change in the business or technology causes a material change to a Covered Entity's cybersecurity risk to ensure new risks, including those posed by AI, are assessed.”
23 NYCRR §§ 500.2, 500.3, and 500.9proposed
USNYDFScrisis managementMaintain TPSP policies and procedures including due diligence guidelines addressing AI-related cybersecurity risks posed by third-party service providers, including how TPSPs protect against AI-enabled threats that could impact the Covered Entity. [adjacent]
“One of the most important requirements for combatting AI-related risks is to maintain TPSP policies and procedures that include guidelines for conducting due diligence before a Covered Entity uses a TPSP that will access its Information Systems and/or NPI.”
23 NYCRR § 500.11(a)proposed
USNYDFScrisis managementRequire TPSPs to provide timely notification of any Cybersecurity Event that directly impacts the Covered Entity's Information Systems or NPI held by the TPSP, including AI-related threats.
“Covered Entities should require TPSPs to provide timely notification of any Cybersecurity Event that directly impacts the Covered Entity's Information Systems or NPI held by the TPSP, including threats related to AI.”
23 NYCRR § 500.11(a)proposed
USNYDFScrisis managementMaintain a monitoring process to promptly identify new security vulnerabilities in Information Systems (especially those holding NPI) to enable rapid remediation, including monitoring relevant to AI-enabled attacks. [adjacent]
“Covered Entities must have a monitoring process in place that can identify new security vulnerabilities promptly so remediation can occur quickly.”
23 NYCRR § 500.5(b)proposed
USNYDFScrisis managementMonitor Authorized User activity and email/web traffic to block malicious content and protect against installation of malicious code, including monitoring for unusual AI-related query behaviors that may indicate NPI exfiltration. [adjacent]
“Covered Entities must monitor the activity of Authorized Users as well as email and web traffic to block malicious content and protect against the installation of malicious code on their Information Systems.”
23 NYCRR §§ 500.5(b) and 500.14(a)(1)-(2)proposed
USNYDFScrisis managementImplement MFA for all Authorized Users attempting to access Covered Entities' Information Systems or NPI, including customers, employees, contractors, and TPSPs, using factors resilient to AI-enabled deepfake attacks. [adjacent]
“As of November 2025, the Cybersecurity Regulation will require MFA to be in place for all Authorized Users attempting to access Covered Entities' Information Systems or NPI, including customers, employees, contractors, and TPSPs.”
23 NYCRR § 500.12proposed
USNYDFScrisis managementImplement access controls limiting each Authorized User's access privileges to only those necessary for their job functions, limiting elevated permissions, and periodically (at minimum annually) reviewing and removing unnecessary access privileges. [adjacent]
“The controls must limit an Authorized User's access privileges to only those necessary for that Authorized User's job functions, and limit the number of Authorized Users with elevated permissions and access to NPI.”
23 NYCRR § 500.7(a)(1),(2),(4),(5),(6)proposed
USNYDFScrisis managementMaintain and update a data inventory of all Information Systems, with priority on AI-related systems critical to ongoing business operations, to support breach response and continuity.
“Covered Entities should maintain and update data inventories as they are crucial for assessing potential risks and ensuring compliance with data protection regulations. Data inventories further help entities track NPI so that if there is a breach, they know what NPI may have been”
23 NYCRR § 500.13(a)proposed
USNYDFScrisis managementIdentify all Information Systems that use or rely on AI (including AI-enabled products/services), maintain an inventory of such systems, and prioritize implementing mitigations for systems critical to ongoing business operations. [adjacent]
“Entities should identify all Information Systems that use or rely on AI, including, if applicable, the Information Systems that maintain, or rely on, AI-enabled products and services... and prioritize implementing mitigations for those systems that are critical for ongoing busine”
23 NYCRR § 500.13proposed
USNYDFScrisis managementImplement data governance procedures covering collection, storage, processing, and disposal of data, including controls to prevent threat actors from accessing data maintained for AI functioning. [adjacent]
“Entities should implement data governance procedures that include data collection, storage, processing, and disposal. Moreover, if an entity uses AI or relies on a product that uses AI, controls should be in place to prevent threat actors from accessing the vast amounts of data m”
23 NYCRR § 500.3(b)proposed
USNYDFScrisis managementProvide at least annual cybersecurity awareness training for all personnel that includes social engineering (including deepfake attacks), procedures for responding to unusual requests, and AI-related threats. [adjacent]
“Covered Entities must now provide at least annual cybersecurity awareness training that includes social engineering. Training on social engineering, including on deepfake attacks, can be effectively delivered through simulated phishing, and voice and video impersonation exercises”
23 NYCRR § 500.14(a)(3)proposed
USNYDFScrisis managementTrain relevant personnel on how to secure and defend AI systems from cybersecurity attacks and how to design/develop AI systems securely, where the entity deploys or relies on TPSP-deployed AI. [adjacent]
“If deploying AI directly, or working with a TPSP that deploys AI, relevant personnel should be trained on how to secure and defend AI systems from cybersecurity attacks, and how to design and develop AI systems securely.”
23 NYCRR § 500.14(a)(3)proposed
USNYDFScrisis managementEnsure the Senior Governing Body has sufficient understanding of AI-related cybersecurity risks, exercises oversight of cybersecurity risk management including AI risks, and regularly receives management reports on AI-related cybersecurity matters. [adjacent]
“The Cybersecurity Regulation requires the Senior Governing Body to have sufficient understanding of cybersecurity-related matters (including AI-related risks), exercise oversight of cybersecurity risk management, and regularly receive and review management reports about cybersecu”
23 NYCRR § 500.4(d)proposed
USNYDFScrisis managementConduct due diligence on TPSPs that will access Information Systems or NPI, specifically assessing AI-related threats facing those TPSPs and how TPSP compromise could impact the Covered Entity's continuity and security.
“DFS strongly recommends Covered Entities consider, among other factors, the threats facing TPSPs from the use of AI and AI-enabled products and services; how those threats, if exploited, could impact the Covered Entity; and how the TPSPs protect themselves from such exploitation.”
23 NYCRR § 500.11(a)proposed
UKUK_FCAbusiness continuityIdentify important business services (IBS) — those whose disruption could cause intolerable harm to clients or risk to market integrity.
“our rules only require firms to identify their important business services for the purposes of operational resilience”
SYSC 15A.2.1R–2Rfinal
UKUK_FCAbusiness continuityReview IBS at least annually or upon any material change to the business or market.
“firms will need to review their important business services at least once per year, or whenever there is a material change to their business or the market in which they operate”
SYSC 15A.2.1R–2Rfinal
UKUK_FCAbusiness continuitySet an impact tolerance for each IBS at the first point at which disruption would cause intolerable harm to clients or risk to market integrity.
“firms should set their impact tolerances at the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity”
SYSC 15A.2.1R–2R; SYSC 15A.2.7Gfinal
UKUK_FCAbusiness continuityUse time/duration as a mandatory metric when measuring impact tolerances, supplemented by additional metrics as appropriate.
“we are proceeding as consulted to require that firms use time/duration as a mandatory metric to measure their impact tolerances”
SYSC 15A.2.1R–2Rfinal
UKUK_FCAbusiness continuityReview impact tolerances at least annually or upon material change to the business or market.
“firms should set and review their impact tolerances at least once per year or if there is a relevant change to the firm's business or the market in which it operates”
SYSC 15A.2.1R–2Rfinal
UKUK_FCAbusiness continuityRemain within impact tolerances as soon as reasonably practicable, and no later than 31 March 2025.
“Firms must be able to remain within their impact tolerances as soon as reasonably practicable, but no later than 3 years after the rules come into effect on 31 March 2022”
PS21/3 Chapter 1 para 1.32final
UKUK_FCAbusiness continuityMap each IBS by identifying and documenting the people, processes, technology, facilities and information that support it.
“firms have a clear picture of the resources that enable an important business service to function... by identifying and documenting the people, processes, technology, facilities and information that support them”
SYSC 15Afinal
UKUK_FCAbusiness continuityCapture internal processes (e.g. payroll, IT services) that support IBS delivery within mapping exercises.
“internal processes... which are necessary to the provision of important business services and should be captured by firms as part of their mapping exercises”
SYSC 15Afinal
UKUK_FCAbusiness continuityConduct scenario testing of each IBS against severe but plausible scenarios to assess ability to remain within impact tolerances.
“firms need to test their impact tolerances in a range of severe but plausible scenarios. This approach will give firms a clear idea when they initially test their impact tolerances of where such unexpected events may mean they cannot remain within tolerance”
SYSC 15Afinal
UKUK_FCAbusiness continuityInclude cyber-attacks as a scenario category in scenario testing plans for IBS.
“multiple important business services could be disrupted simultaneously due to an external factor directly affecting the service. For example, this could be due to a cyber-attack which hits a wide range of operational assets”
SYSC 15A; PS21/3 Chapter 3 para 3.12final
UKUK_FCAbusiness continuityConsider the simultaneous disruption of multiple IBS in testing plans, including shared underlying systems, processes or people.
“for substitute services which rely on the same systems, processes or people, firms should not assume, as part of their testing plans, that these services won't be affected in the event of disruption”
SYSC 15A; PS21/3 Chapter 3 para 3.12final
UKUK_FCAbusiness continuityIdentify key staff pivotal to delivering each IBS and maintain contingency plans for their incapacitation.
“firms need to understand which staff are pivotal to delivering an important business service, with contingency plans if those staff become incapacitated”
SYSC 15A; PS21/3 Chapter 1 para 1.21final
UKUK_FCAbusiness continuityReport to the FCA any failure to remain within impact tolerances in line with SYSC 15A.2.11G.
“if despite extensive scenario testing a firm finds itself not able to remain within impact tolerance for any reason, it should report the issue to the FCA in line with SYSC 15A.2.11G”
SYSC 15A.2.11Gfinal
UKUK_FCAbusiness continuityAlso report to the FCA where resuming a compromised service would cause further detriment (e.g. spreading a computer virus).
“firms should consider such circumstances in their testing plans and report any issue with remaining in tolerance to the FCA in line with SYSC 15A.2.11G”
SYSC 15A.2.11G; PS21/3 Chapter 3final
UKUK_FCAbusiness continuityWhen outsourcing IBS to third parties, work effectively with those providers to set and remain within impact tolerances; responsibility remains with the firm.
“When a firm is using a third-party provider in the provision of important business services, it should work effectively with that provider to set and remain within impact tolerances. Ultimately, the requirements... remain the responsibility of the firm”
SYSC 15A; PS21/3 Chapter 3 para 3.14final
UKUK_FCAbusiness continuityIdentify and manage third-party dependencies (including cloud providers and technology vendors) within IBS mapping to address concentration and continuity risk.
“the pandemic highlighted increasing dependence on third parties and outsourcing arrangements... some firms experienced challenges with offshore third-party providers... which affected continuity of service to UK consumers”
SYSC 15A; PS21/3 Chapter 1 para 1.19(b)final
UKUK_FCAbusiness continuityEnsure scenario testing incorporates third-party/outsourced service disruptions, including offshore provider lockdowns.
“some firms experienced challenges with offshore third-party providers, particularly where providers were under lockdown in another geographical location, which affected continuity of service”
SYSC 15A; PS21/3 Chapter 1 para 1.19(b)final
UKUK_FCAbusiness continuityIdentify the users of each IBS so that impacts of disruption are clear and communications/alternative mechanisms can be targeted.
“users of the service should be identifiable so that the impacts of disruption (through process, cyber security or technology failures) are clear”
SYSC 15A.2.4G(1); PS21/3 Chapter 2 para 2.21final
UKUK_FCAbusiness continuityConsider the needs of vulnerable consumers when setting impact tolerances and design communications/alternative mechanisms to minimise their harm during disruptions.
“Consideration of the needs of vulnerable consumers is central to a firm's setting of an impact tolerance, and firms should consider these groups when considering how much disruption could be tolerated. Firms should also construct communications and alternative mechanisms to minim”
SYSC 15A.2.7Gfinal
UKUK_FCAbusiness continuityDual-regulated firms must set up to 2 impact tolerances per IBS — one aligned to FCA objectives and one aligned to PRA objectives.
“For dual-regulated firms, we maintain the position that these firms should set up to 2 impact tolerances. This is to ensure that firms consider their impact tolerances in line with the statutory objectives of each authority”
SYSC 15A; PS21/3 Chapter 3 para 3.18–3.20final
UKUK_FCAbusiness continuityDual-regulated firms' recovery and response arrangements must be viable for both shorter and longer impact tolerance periods.
“its recovery and response arrangements are also appropriate for the longer tolerance (ie recovery and response arrangements must be viable for both shorter and longer time periods)”
SYSC 15A; PS21/3 Chapter 3 para 3.20final
UKUK_FCAbusiness continuityWhere group-level impact tolerances differ from entity-level tolerances, the group Board must consider, approve and resource the entity's tolerance.
“In situations where an entity sets an impact tolerance at a lower level than that set by the group, the group's Board should consider and approve... and ensure that the entity has appropriate resources to meet its identified tolerance”
PS21/3 Chapter 3 para 3.10final
UKUK_FCAbusiness continuityAssess, before resuming a degraded service, whether (a) it can safely resume without causing further detriment and (b) resumption benefits outweigh keeping the service unavailable.
“firms should consider whether (a) the degraded service can safely resume without causing further detriment and (b) the benefits of resuming a degraded service outweigh the negatives of keeping the service unavailable until the issues have been remediated”
SYSC 15A.2.11G; PS21/3 Chapter 3final
UKUK_FCAbusiness continuityPayments/e-money firms must apply operational resilience requirements only to their payments and/or e-money activities where other FSMA activities are not in scope.
“payments firms only have to apply our operational resilience proposals to their payments and/or e-money activities. To clarify this, we have amended SYSC 15A.1 (Application)”
SYSC 15A.1final
UKUK_FCAbusiness continuityEstablish sound, effective and comprehensive strategies, controls, processes and systems to enable compliance with all CTPS operational resilience rules.
“A critical third party must have in place sound, effective and comprehensive strategies, controls, processes and systems that enable it to comply with the rules in CTPS.”
CTPS 4.1.1Rfinal
UKUK_FCAbusiness continuityEstablish governance arrangements that include a named regulator liaison, clear escalation channels, and an approach covering prevention, response, adaptation and recovery from CTP operational incidents.
“A critical third party must ensure that its governance arrangements promote the resilience of any systemic third party service it provides, including by... establishing, overseeing and implementing an approach that covers... prevent, respond and adapt to, as well as recover from,”
CTPS 4.2.1Rfinal
UKUK_FCAbusiness continuityImplement lessons learned from CTP operational incidents and from testing and exercising into governance and operational arrangements.
“implementing lessons learned from CTP operational incidents and any testing and exercising undertaken, including but not limited to that undertaken in accordance with CTPS 5.”
CTPS 4.2.1R(4)final
UKUK_FCAbusiness continuityIdentify, monitor and manage risks to ability to deliver systemic third party services, and regularly update risk management processes using lessons from incidents, regulator engagement and testing.
“A critical third party must manage effectively risks to its ability to deliver a systemic third party service including by: (1) identifying and monitoring relevant external and internal risks; (2) ensuring that it has in place risk management processes... (3) regularly updating i”
CTPS 4.3.1Rfinal
UKUK_FCAbusiness continuityIdentify and manage supply chain risks that could affect delivery of systemic third party services, including risks from key nth-party providers.
“A critical third party must... identify and manage any risks to its supply chain that could affect its ability to deliver a systemic third party service.”
CTPS 4.4.1Rfinal
UKUK_FCAbusiness continuityTake reasonable steps to ensure key nth-party providers and connected persons in the supply chain are informed of CTP duties, cooperate in meeting them, and grant regulators access to relevant information.
“A critical third party must take reasonable steps to ensure that its key nth-party providers and persons connected with a critical third party that are part of its supply chain: (1) are informed of the CTP duties... (2) cooperate... (3) provide the regulators with access to any i”
CTPS 4.4.2Rfinal
UKUK_FCAbusiness continuityTake reasonable steps to ensure the technology resilience of systemic third party services, including sound cyber resilience strategies and regular testing and exercising of those strategies.
“A critical third party must... take reasonable steps to ensure the resilience of any technology that delivers, maintains or supports a systemic third party service, including by having: (1) sound, effective and comprehensive strategies... to adequately manage risks to its technol”
CTPS 4.5.1Rfinal
UKUK_FCAbusiness continuityImplement systematic change management for systemic third party services, including risk assessment, testing, verification and approval of all changes before implementation to minimise disruption risk.
“A critical third party must ensure that it has a systematic and effective approach to dealing with changes to a systemic third party service... implementing any change... in a way that minimises appropriately the risk of any CTP operational incident occurring; and ensuring that p”
CTPS 4.6.1Rfinal
UKUK_FCAbusiness continuityWithin 12 months of Treasury designation, map and document all resources, persons, assets, supporting services, technology, and interdependencies used to deliver each systemic third party service; update regularly thereafter.
“A critical third party must: (1) within 12 months of being designated by the Treasury, identify and document: (a) the resources... used to deliver, support and maintain each systemic third party service... and (b) any internal and external interconnections and interdependencies..”
CTPS 4.7.1Rfinal
UKUK_FCAbusiness continuityImplement measures to respond to and recover from CTP operational incidents, set a maximum tolerable level of disruption for each systemic service, and maintain an incident management playbook within 12 months of designation.
“A critical third party must manage effectively CTP operational incidents including by: (1) implementing appropriate measures to respond to and recover from CTP operational incidents... (2) setting an appropriate maximum tolerable level of disruption... (3) maintaining and operati”
CTPS 4.8.1Rfinal
UKUK_FCAbusiness continuityThe incident management playbook must set out plans and procedures to respond to and recover from CTP operational incidents and facilitate effective communication with regulators and affected firms.
“maintaining and operating an incident management playbook... which sets out the plans and procedures to be followed by the critical third party in the event of a CTP operational incident in order to: (a) respond to and recover from the CTP operational incident; and (b) facilitate”
CTPS 4.8.1R(3)final
UKUK_FCAbusiness continuityCooperate and coordinate with regulators and affected firms in response to CTP operational incidents, including through collective incident response frameworks.
“cooperating and coordinating with the regulators and affected firms in response to CTP operational incidents, including through collective incident response frameworks.”
CTPS 4.8.1R(4)final
UKUK_FCAbusiness continuityPut in place measures for effective, orderly and timely termination of any systemic third party service, including transfer support and recovery/return of firm assets in an accessible format.
“A critical third party must have in place appropriate measures to respond to a termination of any of its systemic third party services... including by putting in place: (1) arrangements to support the effective, orderly and timely termination of that service... (2) provision for ”
CTPS 4.9.1Rfinal
UKUK_FCAbusiness continuityBe able to demonstrate to regulators the ability to comply with all CTPS requirements. [adjacent]
“A critical third party must be able to demonstrate to the regulators its ability to comply with CTPS.”
CTPS 5.1.1Rfinal
UKUK_FCAbusiness continuityCarry out regular scenario testing of ability to continue providing each systemic third party service within its maximum tolerable disruption level under severe but plausible disruption scenarios covering varying nature, severity and duration.
“a critical third party must carry out regular scenario testing of its ability to continue providing each systemic third party service within its appropriate maximum tolerable level of disruption... in the event of a severe but plausible disruption... identify an appropriate range”
CTPS 5.2.1R, CTPS 5.2.2Rfinal
UKUK_FCAbusiness continuityRegularly assess effectiveness of the incident management playbook; conduct an incident management playbook exercise with a representative sample of firms within 12 months of designation and at least biennially thereafter.
“a critical third party must assess the effectiveness of its incident management playbook regularly, including undertaking an appropriate incident management playbook exercise with a representative sample of the firms... within 12 months of the critical third party being designate”
CTPS 5.3.1Rfinal
UKUK_FCAbusiness continuityPrepare and submit to regulators a report of each incident management playbook exercise, including actions taken in light of results, as soon as practicable after the exercise.
“A critical third party must, as soon as is practicable, prepare and submit to the regulators a report of the incident management playbook exercise undertaken under CTPS 5.3.1R (including any actions taken in the light of the results of that exercise).”
CTPS 5.3.2Rfinal
UKUK_FCAbusiness continuityProvide regulators with an interim self-assessment within 3 months of designation and annual self-assessments thereafter on compliance with CTPS; retain copies for at least 3 years. [adjacent]
“A critical third party must provide to the regulators: (1) within 3 months... an interim self-assessment; and (2) annually thereafter, an annual self-assessment, of the critical third party's compliance with CTPS... must keep a copy... for a period of at least 3 years.”
CTPS 6.1.1R, CTPS 6.1.2Rfinal
UKUK_FCAbusiness continuityMaintain effective and secure processes to provide firms with sufficient and timely information—including test results, self-assessments and maximum tolerable disruption levels—to enable them to manage risks from using the CTP's systemic third party services.
“A critical third party must have in place effective and secure processes and procedures to ensure sufficient and timely information is given to a firm... including... results of testing and exercising... the annual self-assessment... the appropriate maximum tolerable level of dis”
CTPS 7.1.1R, CTPS 7.1.2Rfinal
UKUK_FCAbusiness continuitySubmit an initial incident report to regulators and affected firms as soon as practicable after a CTP operational incident, covering nature/extent of disruption, detection time, affected services, geography, cause, recovery timeline and initial actions.
“A critical third party must, as soon as is practicable after the occurrence of a CTP operational incident... submit the following information... (a) a description of the CTP operational incident... (d) the anticipated amount of time it will take to resolve the CTP operational inc”
CTPS 8.1.1Rfinal
UKUK_FCAbusiness continuitySubmit intermediate incident reports to regulators and affected firms as soon as practicable after any significant change in circumstances, including when the incident is resolved.
“A critical third party must, as soon as is practicable after any significant change in circumstances... provide the regulators and the affected firms with information further to that already disclosed in relation to the CTP operational incident, including... any steps taken to re”
CTPS 8.2.1Rfinal
UKUK_FCAbusiness continuitySubmit a final incident report to regulators and affected firms within a reasonable time of resolution, covering root causes, remedial actions, recurrence likelihood, long-term implications and improvement areas.
“A critical third party must, within a reasonable time of the CTP operational incident being resolved, provide the regulators and the affected firms with the following information... (2) a description of the root causes... (3) a description of any remedial actions... (4) a descrip”
CTPS 8.3.1Rfinal
UKUK_FCAbusiness continuityNotify regulators immediately of any actual or potential circumstance that seriously and adversely impacts, or could impact, the CTP's ability to deliver systemic third party services or meet CTPS obligations.
“A critical third party must notify the regulators immediately where there is an actual or potential circumstance or event that seriously and adversely impacts, or could seriously and adversely impact, the critical third party's ability to deliver any of its systemic third party s”
CTPS 9.1.1Rfinal
UKUK_FCAbusiness continuityEnsure all information provided to regulators and firms under CTP duties (including incident reports and notifications) is factually accurate, complete and fairly based; correct any inaccurate information immediately upon discovery. [adjacent]
“A critical third party must take reasonable steps to ensure that all information it gives to the regulators and firms... is: (1) factually accurate or, in the case of estimates and judgements, fairly and properly based... (2) complete... If a critical third party becomes aware...”
CTPS 10.1.1R, CTPS 10.1.3Rfinal
UKUK_FCAbusiness continuityWhen appointing a skilled person, contractually require and permit them to cooperate with regulators, report matters of material significance, comply with regulator instructions on reporting, and assist the skilled person with information and access. [adjacent]
“When a critical third party appoints a skilled person, the critical third party must, in a contract with that person: (1) require and permit the skilled person during and after the course of their appointment: (a) to cooperate with the regulators in connection with the discharge ”
CTPS 13.5.1Rfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): All firms must submit a report to the FCA as soon as practicable (within 24 hours) after an operational incident meets any notification threshold (risk of intolerable consumer harm, safety/soundness, or market stability).
“A firm must submit a report to the FCA in accordance with (2) or (3), as applicable, as soon as is practicable after the occurrence of an operational incident which the firm reasonably believes meets one or more of the notification thresholds”
SUP 15.18.6R(1) and SUP 15.18.7Gfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Enhanced reporting firms must submit an initial phase report containing mandatory fields (Annex 15.1R cols 1 & 2) to the FCA as soon as practicable after an operational incident threshold is met.
“For this initial phase of the report, an enhanced reporting firm must submit to the FCA, so far as it is aware, the information in accordance with columns (1) and (2) of the table in SUP 15 Annex 15.1R.”
SUP 15.18.6R(2)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Enhanced reporting firms must submit an intermediate phase report to the FCA as soon as practicable after any significant change in circumstances from those in the initial report, including resolution of the incident.
“For the intermediate phase of the report, an enhanced reporting firm must, so far as it is aware, submit to the FCA the additional information in accordance with columns (1) and (3) of the table in SUP 15 Annex 15.1R, as soon as is practicable after any significant change in circ”
SUP 15.18.8Rfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Enhanced reporting firms must submit a final phase report within 30 working days (or 60 working days if impracticable) of an operational incident being resolved.
“For the final phase of the report, an enhanced reporting firm must submit to the FCA the additional information in accordance with columns (1) and (4) of the table in SUP 15 Annex 15.1R: (1) within 30 working days; or (2) where this is impracticable, as soon as is practicable but”
SUP 15.18.9Rfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Non-enhanced reporting firms must submit a standard report (Annex 15.2R) to the FCA as soon as practicable after an operational incident meets any notification threshold.
“A firm other than an enhanced reporting firm must submit to the FCA, so far as it is aware, information in accordance with the table in SUP 15 Annex 15.2R.”
SUP 15.18.6R(3)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): All firms required to report operational incidents must submit reports exclusively online through the appropriate systems accessible from the FCA's website.
“A firm must submit the information required under this section to the FCA online through the appropriate systems accessible from the FCA's website.”
SUP 15.18.10Rfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Payment service providers must submit the initial operational incident report to the FCA within 4 hours of first detecting a major operational or security incident.
“A payment service provider must submit the report in SUP 15.18.6R to the FCA within 4 hours of first detecting a major operational or security incident.”
SUP 15.14.18DDfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Enhanced reporting firms must include in the final phase report the proportion of impact tolerance used, service downtime, number/percentage of affected customers, and transactions affected.
“What proportion of an impact tolerance has been used?... Service downtime... Number of affected customers... Percentage of service users affected... Percentage of transactions affected... Value of transactions affected... Number of transactions affected”
SUP 15 Annex 15.1R (col 4, fields 24-30)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Enhanced reporting firms must include in the final phase report lessons identified and remedial actions being taken following an operational incident.
“Describe the lesson identified... Not applicable... Not applicable... Mandatory... Describe the remedial action being taken... Not applicable... Not applicable... Mandatory”
SUP 15 Annex 15.1R (col 4, fields 41-42)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Where an operational incident originates from a third party, enhanced reporting firms must identify the third party provider name and LEI in both initial and intermediate phase reports.
“Third party provider name (note 7)... Mandatory... Mandatory... -... Third party provider legal entity identifier (note 7)... Mandatory... Mandatory... -”
SUP 15 Annex 15.1R (fields 36-37)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): In-scope firms must notify the FCA before entering into, or making significant changes to, a material third party arrangement, at an early stage before internal or external commitments are made. [adjacent]
“A firm must give the FCA notice when entering into, or significantly changing, a material third party arrangement.”
SUP 15.19.6R and SUP 15.19.9Gfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): In-scope firms must submit material third party arrangement notifications to the FCA using the data fields in Annex 16.1R (cols 1 & 2), online via the FCA's website. [adjacent]
“A firm must submit the notice required in SUP 15.19.6R to the FCA: (1) by providing the information in accordance with columns (1) and (2) of the table in SUP 15 Annex 16.1R; and (2) online through the appropriate systems accessible from the FCA's website.”
SUP 15.19.8Rfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): In-scope firms must maintain a register of information relating to all their material third party arrangements and submit it annually to the FCA. [adjacent]
“A firm must: (1) maintain a register of information relating to its material third party arrangements; and (2) submit the register of material third party arrangements annually to the FCA.”
SUP 16.33.6Rfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): In-scope firms must submit the annual material third party arrangements register to the FCA using Annex 16.1R (cols 1 & 3) fields, online via the FCA's website. [adjacent]
“The firm must submit the register of material third party arrangements specified in SUP 16.33.6R(2) to the FCA: (1) by providing the information in accordance with columns (1) and (3) of the table in SUP 15 Annex 16.1R; and (2) online through the appropriate systems accessible fr”
SUP 16.33.8Rfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must record in the material third party register the substitutability of the service provider, ability to reintegrate the service, and impact of discontinuing the arrangement.
“Substitutability of the service provider... Mandatory... Mandatory... Ability of reintegration of the service... Mandatory... Mandatory... The impact of discontinuing the contractual arrangement... Mandatory... Mandatory”
SUP 15 Annex 16.1R (fields 5.01-5.03)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must record in the material third party register whether each arrangement supports an important business service and, if so, which service and whether the provider supports a core element of it.
“Does the contractual arrangement support an important business service?... Mandatory... Mandatory... If yes, which important business service does the contractual arrangement support... Does the service provider support a core element of the important business service?”
SUP 15 Annex 16.1R (fields 3.04-3.06)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must record FCA impact tolerances (client harm and market integrity) for each material third party arrangement in both the notification and the annual register.
“Impact tolerance - FCA - client harm... Mandatory... Mandatory... Impact tolerance - FCA - market integrity... Mandatory... Mandatory”
SUP 15 Annex 16.1R (fields 3.10-3.11)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must record the date and outcome of the most recent risk assessment and audit for each material third party arrangement in both the notification and annual register.
“Date of the most recent risk assessment... Mandatory... Mandatory... Outcome of the most recent risk assessment... Mandatory... Mandatory... Date of the most recent audit... Mandatory... Mandatory... Outcome of the most recent audit... Mandatory... Mandatory”
SUP 15 Annex 16.1R (fields 4.01-4.05)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must record the date and outcome of cyber risk due diligence for each material third party arrangement in both the notification and annual register.
“Date of cyber risk due diligence... Mandatory... Mandatory... Outcome of cyber risk due diligence... Mandatory... Mandatory”
SUP 15 Annex 16.1R (fields 4.08-4.09)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must record governance approval details (SMF/accountable-person sign-off or committee review) and the date of approval for each material third party arrangement. [adjacent]
“Has this contractual arrangement been reviewed and signed off by an SMF holder or an accountable person of an FMI?... Mandatory... Mandatory... If not, which governance committee reviewed it?... Date of governance approval... Mandatory... Mandatory”
SUP 15 Annex 16.1R (fields 4.12-4.14)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must record where data is stored and where the service is delivered from for each material third party arrangement in both the notification and annual register.
“Country where the data is stored... Mandatory... Mandatory... Country where the service is delivered from... Mandatory... Mandatory”
SUP 15 Annex 16.1R (fields 3.13-3.14)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must maintain a permanent record of their material third party arrangements register (SUP 16.33.6R(1)) with no specified minimum retention period.
“SUP 16.33.6R(1) Material third party arrangements Register of information relating to material third party arrangements Not specified Not specified”
SUP 16.33.6R(1) and Sch 1.2G (SUP 16.33.6R(1) entry)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Enhanced reporting firms must report in the initial phase whether an affected service is classified as an important business service and, in the intermediate phase, must confirm this mandatorily.
“Is the affected service classified as an important business service?... Optional (note 2)... Mandatory... -”
SUP 15 Annex 15.1R (field 23)final
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms subject to both SUP 15.3.8G(1)(e) and SUP 15.19 notification requirements for material outsourcing must comply with SUP 15.19; a single notification satisfying SUP 15.19 discharges both obligations. [adjacent]
“Any notification required under both SUP 15.3.8G(1)(e) and SUP 15.19 (Notification of material third party arrangements) must be made in accordance with SUP 15.19.”
SUP 15.3.10ARfinal
UKUK_FCAotherNOT YET IN FORCE (effective 2027-03-18): Firms must record in the material third party register the supply chain ranking and notice periods (for both firm and service provider) for each material third party arrangement.
“Supply chain ranking... Mandatory... Mandatory... Notice period for the service provider... Mandatory... Mandatory... Notice period for the firm... Mandatory... Mandatory”
SUP 15 Annex 16.1R (fields 2.08, 2.12-2.13)final
UKUK_PRAbusiness continuityIdentify and document important business services (IBS) — those whose disruption could pose risk to safety and soundness, financial stability, or policyholder protection.
“firms must identify their important business services...defined as the services a firm provides which, if disrupted, could pose a risk to a firm's safety and soundness or...the financial stability of the UK.”
Operational Resilience 2.1; SS1/21 §2.2final
UKUK_PRAbusiness continuitySet an impact tolerance (including a mandatory time-based metric) for each identified important business service.
“firms to set an impact tolerance for each of their important business services...An impact tolerance must, in all cases, include a time-based metric to measure the tolerable level of disruption.”
Operational Resilience 2.2, 2.4; SS1/21 §3.1, §3.6final
UKUK_PRAbusiness continuitySet impact tolerances at the point beyond which further disruption would pose a risk to safety and soundness, financial stability, or policyholder protection.
“require firms to set their impact tolerances at the point at which any further disruption to the important business service would pose a risk to the firm's safety and soundness...policyholder protection...financial stability of the UK.”
Operational Resilience 2.3; SS1/21 §3.2final
UKUK_PRAbusiness continuityEnsure ability to deliver each IBS within its impact tolerance in severe but plausible scenarios by 31 March 2025.
“firms to ensure they are able to deliver their important business services within impact tolerances in severe but plausible scenarios...no later than Monday 31 March 2025.”
Operational Resilience 2.5, 2.6; SS1/21 §4.1, §4.14final
UKUK_PRAbusiness continuityDevelop and implement effective remediation plans for IBS that cannot remain within impact tolerances, with timing proportionate to disruption impact.
“firms to develop and implement effective remediation plans for the important business services that would not be able to remain within their impact tolerance...speed at which vulnerabilities are remediated should be commensurate with the potential impact.”
SS1/21 §4.3, §4.15final
UKUK_PRAbusiness continuityMap the people, processes, technology, facilities, and information resources required to deliver each IBS, including resources provided by third parties.
“require firms to identify and document the necessary people, processes, technology, facilities, and information...required to deliver each of their important business services...irrespective of whether the resources are being provided wholly or in part by a third party.”
Operational Resilience 4.1; SS1/21 §5.1, §5.5final
UKUK_PRAbusiness continuityUpdate IBS mapping at least annually, or sooner following a significant change.
“The PRA expects firms to update their mapping annually at a minimum, or following significant change if sooner.”
SS1/21 §5.9final
UKUK_PRAbusiness continuityRegularly test ability to remain within impact tolerances using severe but plausible disruption scenarios, with testing focused on recovery and response.
“require firms to test regularly their ability to remain within impact tolerances in severe but plausible disruption scenarios...The PRA expects firms to focus on recovery and response arrangements.”
Operational Resilience 5.1; SS1/21 §6.1final
UKUK_PRAbusiness continuityDevelop a written testing plan specifying scenario types, frequency, IBS coverage, and availability/integrity testing, proportionate to potential disruption impact.
“firms to develop a testing plan that details how they will gain assurance that they can remain within impact tolerances...nature and frequency of a firm's testing should be proportionate to the potential impact that disruption could cause.”
SS1/21 §6.6final
UKUK_PRAbusiness continuityEnsure ability to remain within impact tolerances irrespective of third-party use; effectively manage third parties so they do not cause tolerance breaches.
“firms to be able to remain within impact tolerances for important business services, irrespective of whether or not they use third parties in the delivery of these services...effectively manage their use of third parties to ensure they can meet the required standard.”
SS1/21 §4.5final
UKUK_PRAbusiness continuityUnderstand and manage sub-outsourcing dependencies that may threaten operational resilience and IBS delivery.
“Firms should understand the reliance placed on sub-outsourcing arrangements and if these arrangements pose a threat to their operational resilience.”
SS1/21 §5.6final
UKUK_PRAbusiness continuityInclude third-party failure/disruption scenarios (including supply chain) as severe but plausible scenarios in operational resilience testing.
“one of the severe but plausible scenarios that firms may select for this testing could involve a failure or disruption at a third party, or their supply chain, based on previous incidents or near misses.”
SS1/21 §6.13final
UKUK_PRAbusiness continuityRequire contractual agreements for material outsourcing to include obligations for both parties to implement and test business contingency plans aligned to impact tolerances.
“contractual agreements for material outsourcing arrangements to include 'requirements for both parties to implement and test business contingency plans. For the firm, these should take account of firms' impact tolerances for important business services.'”
SS1/21 §6.13final
UKUK_PRAbusiness continuityDevelop communication strategies for internal and external stakeholders as part of operational disruption response planning, including escalation paths and decision-maker identification.
“firms to develop communication strategies for both internal and external stakeholders as part of their planning for responding to operational disruptions...plans should include the escalation paths they would use to manage communications during an incident.”
SS1/21 §4.7final
UKUK_PRAbusiness continuityReview IBS list at least annually, or sooner on significant change, to determine whether additions or removals are required.
“The PRA expects firms to review their important business services annually at a minimum, or sooner if a significant change occurs, and to determine whether any changes are required to their list of important business services.”
SS1/21 §2.10final
UKUK_PRAbusiness continuityBoard must approve and regularly review: IBS list, impact tolerances, and written self-assessment, including scenario analyses of ability to remain within tolerances.
“a firm's board must approve and regularly review the firm's important business services, impact tolerances, and written self-assessment...boards must regularly review assessments...and the scenario analyses of its ability to remain within the impact tolerance.”
Operational Resilience 7; SS1/21 §7.1final
UKUK_PRAbusiness continuityAssign overall responsibility for implementing operational resilience policies to the Chief Operations SMF24 (where it exists) with reporting to the board.
“the Chief Operations Senior Management Function (SMF) 24 should hold overall responsibility for implementing operational resilience policies and reporting to the board.”
SS1/21 §7.4final
UKUK_PRAbusiness continuityProduce and maintain a written self-assessment documenting compliance with the Operational Resilience Parts, approved by the board.
“require firms to document a self-assessment of their compliance with the Operational Resilience Part...Firms' boards are accountable for and should approve the information provided in these documents.”
Operational Resilience 6; SS1/21 §8.1final
UKUK_PRAbusiness continuitySelf-assessment must document IBS list with rationale, impact tolerances with rationale, mapping methodology, testing strategy and scenarios, lessons learned, identified vulnerabilities with remediation plans, and group-related risks.
“list their important business services...specify the impact tolerances...detail their approach to mapping...describe their strategy for testing...identify any lessons learned...identify the vulnerabilities that threaten their ability...identify any additional risks...from elsewhe”
Operational Resilience 6; SS1/21 §8.3final
UKUK_PRAbusiness continuitySet recovery time objectives and recovery point objectives for resources underpinning IBS so that the IBS can be delivered within its impact tolerance.
“requirements might include capacity specifications, recovery time objectives, and recovery point objectives. These requirements should be set to enable the firm to deliver the important business service within its impact tolerance.”
SS1/21 §3.14final
UKUK_PRAbusiness continuityCRR consolidation entities and insurers must identify important group business services and set impact tolerances at group level to capture risks from non-individually-regulated group members.
“CRR consolidation entities...or an insurer...to identify a proportionate number of important group business services and respective impact tolerances at the level of the group.”
Operational Resilience 8.6–8.13; SS1/21 §9.1final
UKUK_PRAbusiness continuityCRR consolidation entities must maintain regular dialogue with group members so CRR firms can account for additional risks to safety and soundness when assessing ability to remain within impact tolerances. [adjacent]
“the CRR consolidation entity would have regular dialogue with other members of its group so the CRR firm (or CRR firms) can take account of any additional risks to their safety and soundness when assessing their ability to remain within impact tolerance.”
Operational Resilience 8.8; SS1/21 §9.4final
UKUK_PRAbusiness continuityManage risks from intragroup third-party arrangements with the same rigour as external third parties to ensure ability to remain within impact tolerances.
“firms to manage risk and make appropriate arrangements to be able to remain within impact tolerance, whether using third parties that are other entities within their group or external providers.”
SS1/21 §4.6final
UKUK_PRAbusiness continuityHave a prioritised plan in place by 31 March 2022 setting out how the firm will achieve full within-tolerance capability, with the plan already being executed by that date.
“Firms are expected to have a prioritised plan which sets out how they will comply with the requirement to be able to remain within their impact tolerances within a reasonable time...firms must have started putting the plan into effect by Thursday 31 March 2022.”
SS1/21 §4.14final
UKUK_PRAbusiness continuityFirms must ensure their business continuity plans take into account the possibility that quality of provision of material outsourced services deteriorates to unacceptable levels, potential insolvency or failure of the service provider, and where relevant, political/jurisdictional risks.
“firms' business continuity plans under General Organisational Requirements 2.5 and 2.6 (banks) and Conditions Governing Business 2.6 (insurers) should take into account: the possibility that the quality of the provision of material outsourced services deteriorates”
SS2/21 paragraph 4.12final
UKUK_PRAbusiness continuityFirms' outsourcing policies must include documented exit strategies and termination processes, including a documented exit plan for material outsourcing arrangements covering unexpected/stressed termination and possible service interruptions, taking into account impact tolerances for important business services.
“Exit strategies and termination processes, including a requirement for a documented exit plan for material outsourcing arrangements...explicitly catering for the unexpected termination of an outsourcing agreement (a stressed or unplanned exit), and taking into account possible se”
SS2/21 paragraph 4.14 (Table 4, Termination section)final
UKUK_PRAbusiness continuityFirms' outsourcing policies must include business continuity planning (BCP) as a mandatory minimum content area.
“Business continuity planning (BCP) (see paragraph 4.10)”
SS2/21 paragraph 4.14 (Table 4, General section)final
UKUK_PRAbusiness continuityFirms must assess whether a non-material outsourcing or third party arrangement becomes material under a severe but plausible scenario (e.g. pandemic) and consider additional measures to safeguard operational resilience, such as revisions to contractual provisions.
“If a non-material outsourcing or third party arrangement becomes material due to a severe but plausible scenario, such as a pandemic, firms should consider whether additional measures to safeguard their operational resilience are warranted, such as revisions to contractual provis”
SS2/21 paragraph 5.9final
UKUK_PRAbusiness continuityFirms must assess the materiality of all outsourcing and third party arrangements (including non-outsourcing third party arrangements) using all relevant criteria, and re-assess materiality prior to signing, at appropriate intervals, on planned scale-up, and on significant service provider changes.
“Firms should determine the materiality of all third party arrangements using all relevant criteria in this chapter...Materiality may vary throughout the duration of an arrangement and should therefore be (re)assessed: prior to signing the written agreement; at appropriate interva”
SS2/21 paragraphs 5.1, 5.6, 5.8final
UKUK_PRAbusiness continuityFirms must classify an outsourcing or third party arrangement as material where failure could materially impair their operational resilience, i.e. their ability to continue providing important business services.
“a firm should generally consider an outsourcing or third party arrangement as material where a defect or failure in its performance could materially impair the...operational resilience, ie its ability to continue providing important business services”
SS2/21 paragraph 5.11final
UKUK_PRAbusiness continuityFirms must apply all requirements and expectations on operational resilience in the Operational Resilience and Insurance – Operational Resilience Parts of the PRA Rulebook to all third party arrangements, regardless of whether they fall under the definition of outsourcing.
“all relevant requirements in the Operational Resilience and Insurance – Operational Resilience Parts of the PRA Rulebook”
SS2/21 paragraph 2.7final
UKUK_PRAbusiness continuityFirms must apply PRA Fundamental Rules 2, 3, 5, 6, and 7, and the requirements on business continuity, contingency planning, and data protection under General Organisational Requirements Rule 2 to all third party arrangements.
“PRA Fundamental Rules 2, 3, 5 and 6, and 7...Rule 2 in the General Organisational Requirements Part of the PRA Rulebook...In particular, the requirements on business continuity, contingency planning, and data protection”
SS2/21 paragraph 2.7final
UKUK_PRAbusiness continuityFirms must apply standards in EBA ICT Guidelines (including Sections 3.2.3, 3.3.2, 3.4.5, and 3.7/para 86) to all third party ICT arrangements, interpreted consistently with operational resilience requirements and SS1/21.
“EBA ICT GL, including but not limited to Sections 3.2.3, 3.3.2, 3.4.5, and 3.7 (in particular, paragraph 86). These GL should be interpreted consistently with: the Operational Resilience/Insurance – Operational Resilience Parts, the expectations in this SS, and SS1/21”
SS2/21 paragraph 2.9final
UKUK_PRAbusiness continuityFirms must take into account FSB Effective Practices for Cyber Incident Response and Recovery (including paragraphs 13, 18, 19, 20, 33, and 36) and G7 Third Party Elements when managing ICT and third-party risk.
“the PRA also encourages firms to take into account global standards on ICT risk management, including but not necessarily limited to the toolkit in the FSB Effective Practices (in particular, paragraphs 13, 18, 19 and 20, 33 and 36), and the G7 Third party Elements.”
SS2/21 paragraph 2.10final
UKUK_PRAbusiness continuityFirms must assess the materiality and risks of all third party arrangements irrespective of whether they fall within the definition of outsourcing, and where deemed material or high risk, implement proportionate, risk-based controls as robust as those applied to equivalent outsourcing arrangements.
“the PRA expects firms to assess the materiality and risks of all third party arrangements irrespective of whether they fall within the definition of outsourcing...Where a firm deems a non-outsourcing third party arrangement 'material' or 'high risk', it should implement proportio”
SS2/21 paragraphs 2.5, 2.6final
UKUK_PRAbusiness continuityBoards must set control environment including appetite and tolerance levels for outsourcing and third-party risk, and ensure appropriate risk management systems to deal with outsourced service providers, including identifying and understanding the firm's reliance on critical service providers.
“Firms' boards should: set 'the control environment throughout the firm, including the appetite and tolerance levels in respect of outsourcing'...appropriately 'identifying and [having an] understanding of the firm's reliance on critical service providers'”
SS2/21 paragraph 4.4final
UKUK_PRAbusiness continuityBoards must approve, regularly review, and implement a written outsourcing policy that aligns with and draws upon the firm's business continuity, ICT, information and cyber security, and operational resilience policies.
“Firms' boards should approve, regularly review, and implement a written outsourcing policy...This policy should align to and draw upon other relevant firm policies and strategies. For instance: business continuity...ICT...information and cyber security...operational resilience”
SS2/21 paragraph 4.10final
UKUK_PRAbusiness continuityThird-country branches must maintain firm or group-wide business continuity plans and exit strategies; systemic wholesale branches must take reasonable steps to develop local business continuity, contingency planning, and exit strategies for activities that could impact UK financial stability.
“firm or group-wide business continuity plans and exit strategies. Systemic wholesale branches should, however, take reasonable steps to develop local business continuity, contingency planning, and exit strategies (if available) covering any activities or services which they provi”
SS2/21 paragraph 3.19final
UKUK_PRAbusiness continuityFirms may rely on business continuity, contingency, and exit plans developed at group level for intragroup outsourcing, provided they adequately safeguard the firm's own operational resilience.
“rely on business continuity, contingency, and exit plans developed at group level, provided that they adequately safeguard their operational resilience.”
SS2/21 paragraph 3.6final
UKUK_PRAbusiness continuityFirms that arrange material outsourcing should maintain an Outsourcing Register covering all outsourcing arrangements, distinguishing material from non-material, effective from 31 December 2021 for banks. [adjacent]
“the EBA Outsourcing GL expect banks to maintain an up-to-date register of information on all their outsourcing arrangements, distinguishing between those which are material and those which are not ('Outsourcing Register').”
SS2/21 paragraph 4.16final
UKUK_PRAbusiness continuityFirms must keep appropriate records of their outsourcing arrangements sufficient to enable fulfilment of concentration risk expectations, and make relevant information on third-party arrangements available to the PRA in accordance with Fundamental Rule 7. [adjacent]
“The PRA expects all firms to keep appropriate records of their outsourcing arrangements...The records should also be sufficient to enable the firm to fulfil the expectations concerning concentration risk set out in 5.24.”
SS2/21 paragraph 4.15final
UKUK_PRAbusiness continuityFirms must define, document, and understand respective responsibilities of the firm and service provider (shared responsibility model) as part of effective governance of outsourcing arrangements, including for cloud computing.
“the PRA expects firms to define, document, and understand their and the service provider's respective responsibilities. In the case of cloud computing, the term commonly used to help firms and cloud providers understand their respective obligations is the 'shared responsibility m”
SS2/21 paragraph 4.5final
UKUK_PRAbusiness continuityFirms must consider concentration risk in their outsourcing and third-party arrangements (including ICT/cloud) and maintain records sufficient to enable assessment of such risks.
“The records should also be sufficient to enable the firm to fulfil the expectations concerning concentration risk set out in 5.24.”
SS2/21 paragraph 4.15final
UKUK_PRAbusiness continuityFirms must ensure their outsourcing policies include day-to-day oversight procedures including incident reporting, and processes for being notified of and responding to changes to an outsourcing arrangement or service provider.
“Procedures for the ongoing assessment of service providers' performance, including where appropriate: day-to-day oversight, including incident reporting, periodic performance assessment against service level agreements...being notified and responding to changes to an outsourcing ”
SS2/21 paragraph 4.14 (Table 4, Oversight section)final
UKUK_PRAbusiness continuityFirms that expect an outsourcing or third party arrangement to become material must take reasonable steps to ensure compliance with all material outsourcing expectations (Chapters 6-10, including business continuity and exit plans) on or before the materiality threshold is crossed.
“Where a firm expects an outsourcing or third party arrangement to become material in the future, it should take reasonable steps to ensure that it can comply with all applicable expectations for material outsourcing arrangements in Chapters 6 to 10 on or before the materiality th”
SS2/21 paragraph 5.9final
UKUK_PRAbusiness continuityFirms must make outsourced and third party providers aware of relevant internal policies including those on operational resilience and ICT/information security, to the extent needed for performance of the service.
“Firms should make outsourced and third party providers aware of relevant internal policies, including those on outsourcing, ICT, information security, or operational resilience.”
SS2/21 paragraph 4.11final
UKUK_PRAbusiness continuityThird-country branches must maintain effective processes and mechanisms for escalating concerns, issues, and regulatory feedback relating to intragroup outsourcing arrangements to the whole firm or group. [adjacent]
“effective processes and mechanisms for escalating concerns, issues, and regulatory feedback relating to their intragroup outsourcing arrangements to the whole firm or group.”
SS2/21 paragraph 3.18final
UKUK_PRAbusiness continuityFirms must re-assess materiality of outsourcing arrangements where there is a significant organisational change at the service provider or material sub-outsourced service provider that could materially change the nature, scale, or complexity of risks, including changes to ownership or financial position.
“if a significant organisational change at the service provider or a material sub-outsourced service provider takes place that could materially change the nature, scale, and complexity of the risks inherent in the outsourcing arrangement, including a significant change to the serv”
SS2/21 paragraph 5.8final
UKUK_PRAbusiness continuityFirms must consider and document how the potential impact of disruption, failure, or insolvency of a service provider affects business continuity, operational resilience, and operational risk as a materiality criterion.
“The potential impact of a disruption, failure, or...business continuity, operational resilience, and operational risk, including: conduct risk”
SS2/21 paragraph 5.13 (Table 5)final
UKUK_PRAbusiness continuityFirms must leverage their end-to-end mapping of important business services under the Operational Resilience PRA Rulebook to document and map intragroup and other third-party dependencies.
“Firms may also leverage their end-to-end mapping of important business services under Chapter 4 of the Operational Resilience – CRR Firms and Operational Resilience – Solvency II Parts of the PRA Rulebook to document and map their intragroup and other dependencies.”
SS2/21 paragraph 3.8final
UKUK_PRAbusiness continuityFirms with arrangements involving regulated financial institutions (clearing, settlement, custody) must implement appropriate monitoring and risk-based controls to manage risks to resilience from these arrangements, leveraging applicable existing regulatory requirements.
“they are third party arrangements that can give rise to significant risks to the PRA's objectives and should be subject to appropriate monitoring and risk-based controls...to manage relevant risks and promote an appropriate level of resilience.”
SS2/21 paragraph 2.12final
USCFPBcybersecurityMaintain adequate password management policies and practices, including monitoring for credential breaches at other entities where employees reuse passwords, notifying users when password resets are required, and prohibiting default enterprise logins/passwords. [adjacent]
“If a covered person or service provider does not have adequate password management policies and practices, it is unlikely they would succeed in showing countervailing benefits to consumers or competition that outweigh the potential harms, thus triggering liability.”
12 U.S.C. 5536(a)(1)(B); CFPB Circular 2022-04, Password Management sectionfinal
USCFPBcybersecurityRoutinely update systems, software, and code (including contractor-used software), and apply patches promptly upon notification of critical vulnerabilities; maintain asset inventories tracking software dependencies to ensure timely patching.
“If covered persons or service providers do not routinely update systems, software, and code (including those utilized by contractors) or fail to update them when notified of a critical vulnerability, it is unlikely they would succeed in showing countervailing benefits”
12 U.S.C. 5536(a)(1)(B); CFPB Circular 2022-04, Timely Software Updates sectionfinal
USCFPBcybersecurityAvoid use of software versions no longer actively maintained by their vendors, as running end-of-life software that cannot receive security updates constitutes inadequate data security likely to cause substantial consumer injury. [adjacent]
“It also includes the use of versions of software that are no longer actively maintained by their vendors.”
12 U.S.C. 5536(a)(1)(B); CFPB Circular 2022-04, Timely Software Updates sectionfinal
USCFPBcybersecurityImplement reasonable security measures to protect sensitive consumer information collected, processed, maintained, or stored, to avoid engaging in unfair acts or practices under the CFPA; inadequate security alone (without a breach) can constitute a violation. [adjacent]
“Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation of 12 U.S.C. 5536(a)(1)(B).”
12 U.S.C. 5536(a)(1)(B); CFPB Circular 2022-04, Response sectionfinal
USFDICcybersecurityImplement a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to the institution's size, complexity, and activities. [adjacent]
“Each insured depository institution shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution”
12 CFR 364 App. B, II.Afinal
USFDICcybersecurityDesign the information security program to protect against anticipated threats or hazards to the security or integrity of customer information and against technological failures.
“Protect against any anticipated threats or hazards to the security or integrity of such information”
12 CFR 364 App. B, II.B.2final
USFDICcybersecurityIdentify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems. [adjacent]
“Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.”
12 CFR 364 App. B, III.B.1final
USFDICcybersecurityAssess the likelihood and potential damage of identified threats, taking into consideration the sensitivity of customer information.
“Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.”
12 CFR 364 App. B, III.B.2final
USFDICcybersecurityImplement response programs specifying actions to be taken when unauthorized access to customer information systems is suspected or detected, including reports to regulatory and law enforcement agencies.
“Response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies”
12 CFR 364 App. B, III.C.1.gfinal
USFDICcybersecurityImplement measures to protect against destruction, loss, or damage of customer information due to environmental hazards such as fire, water damage, or technological failures.
“Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.”
12 CFR 364 App. B, III.C.1.hfinal
USFDICcybersecurityRegularly test key controls, systems, and procedures of the information security program, with frequency determined by risk assessment, conducted or reviewed by independent parties. [adjacent]
“Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the institution's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent”
12 CFR 364 App. B, III.C.3final
USFDICcybersecurityMonitor, evaluate, and adjust the information security program in light of changes in technology, threats, customer information sensitivity, and changing business arrangements. [adjacent]
“Each institution shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and the institution's own changing busi”
12 CFR 364 App. B, III.Efinal
USFDICcybersecurityImplement monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems. [adjacent]
“Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems”
12 CFR 364 App. B, III.C.1.ffinal
USFDICcybersecurityExercise appropriate due diligence in selecting service providers that access customer information. [adjacent]
“Exercise appropriate due diligence in selecting its service providers”
12 CFR 364 App. B, III.D.1final
USFDICcybersecurityRequire service providers by contract to implement appropriate measures designed to meet the information security objectives of the Guidelines.
“Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines”
12 CFR 364 App. B, III.D.2final
USFDICcybersecurityWhere indicated by risk assessment, monitor service providers to confirm they have satisfied contractual security obligations, including reviewing audits, test summaries, or equivalent evaluations.
“Where indicated by the institution's risk assessment, monitor its service providers to confirm that they have satisfied their obligations...an institution should review audits, summaries of test results, or other equivalent evaluations of its service providers.”
12 CFR 364 App. B, III.D.3final
USFDICcybersecurityReport to the board or board committee at least annually on the status of the information security program, including risk assessment, risk management decisions, service provider arrangements, testing results, and security breaches. [adjacent]
“Each institution shall report to its board or an appropriate committee of the board at least annually...addressing issues such as: Risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations”
12 CFR 364 App. B, III.Ffinal
USFDICcybersecurityDevelop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems, including those maintained by service providers.
“every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems that occur nonetheless.”
12 CFR 364 App. B, Supplement A, II (opening paragraph)final
USFDICcybersecurityInclude in the response program procedures to assess the nature and scope of an incident and identify which customer information systems and types of customer information have been accessed or misused.
“Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused”
12 CFR 364 App. B, Supplement A, II.A.1.afinal
USFDICcybersecurityNotify the primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information. [adjacent]
“Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information”
12 CFR 364 App. B, Supplement A, II.A.1.bfinal
USFDICcybersecurityTake appropriate steps to contain and control an incident to prevent further unauthorized access to customer information, while preserving records and evidence.
“Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence”
12 CFR 364 App. B, Supplement A, II.A.1.dfinal
USFDICcybersecurityRequire service providers by contract to notify the institution as soon as possible of unauthorized access incidents to the institution's customer information, enabling the institution to implement its response program.
“an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of an”
12 CFR 364 App. B, Supplement A, II (opening paragraph)final
USFDICcybersecurityEnsure the board of directors approves the written information security program and oversees its development, implementation, and maintenance, including assigning specific implementation responsibility. [adjacent]
“The board of directors or an appropriate committee of the board of each insured depository institution shall: 1. Approve the institution's written information security program; and 2. Oversee the development, implementation, and maintenance of the institution's information securi”
12 CFR 364 App. B, III.Afinal
USFDICcybersecurityTrain staff to implement the institution's information security program. [adjacent]
“Train staff to implement the institution's information security program.”
12 CFR 364 App. B, III.C.2final
USFDICcybersecurityAssess the sufficiency of existing policies, procedures, customer information systems, and other arrangements in place to control identified risks.
“Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.”
12 CFR 364 App. B, III.B.3final
USFDICcybersecurityWhere a service provider maintains systems involved in an unauthorized access incident, the financial institution remains responsible for customer and regulator notification, though it may authorize the service provider to notify on its behalf. [adjacent]
“Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator.”
12 CFR 364 App. B, Supplement A, II.A.2final
USFRBbusiness continuityEstablish a board-approved robust operational risk management framework that identifies and mitigates plausible sources of operational risk, ensures high security and reliability, and provides for rapid recovery of critical operations.
“manage its operational risks by establishing a robust operational risk-management framework that is approved by its board of directors”
12 CFR 234.3(a)(17)final
USFRBbusiness continuityMaintain a business continuity plan incorporating a secondary site with a distinct risk profile from the primary site.
“business continuity plan that (1) incorporates the use of a secondary site at a location with a distinct risk profile from the primary site”
12 CFR 234.3(a)(17)(vii)final
USFRBbusiness continuityMaintain a BCP designed to enable critical systems to recover and resume operations no later than two hours following disruptive events.
“is designed to enable critical systems to recover and resume operations no later than two hours following disruptive events”
12 CFR 234.3(a)(17)(vii)final
USFRBbusiness continuityMaintain a BCP designed to enable completion of settlement by the end of the day of disruption, even in extreme circumstances.
“is designed to enable it to complete settlement by the end of the day of the disruption, even in case of extreme circumstances”
12 CFR 234.3(a)(17)(vii)final
USFRBbusiness continuityTest the business continuity plan at least annually.
“is tested at least annually”
12 CFR 234.3(a)(17)(vii)final
USFRBbusiness continuityConduct tests of systems, policies, procedures, and controls in accordance with a documented testing framework that addresses at minimum scope, frequency, participation, interdependencies, and reporting.
“conduct tests of its systems, policies, procedures, and controls in accordance with a documented testing framework”
12 CFR 234.3(a)(17)(i)(A)(1)final
USFRBbusiness continuityEnsure testing assesses whether systems, policies, procedures, or controls function as intended.
“a designated FMU's testing assess whether its systems, policies, procedures, or controls function as intended”
12 CFR 234.3(a)(17)(i)(A)(2)final
USFRBbusiness continuityConduct review of design, implementation, and testing of affected and similar systems, policies, procedures, and controls after any material operational incident.
“conduct a review of the design, implementation, and testing of systems, policies, procedures, and controls after the designated FMU experienced any material operational incidents”
12 CFR 234.3(a)(17)(i)(B)final
USFRBbusiness continuityConduct review of affected and similar systems, policies, procedures, and controls when a change to the operating environment could significantly affect plausible sources or mitigants of operational risk.
“review the design, implementation, and testing of systems, policies, procedures, and controls after significant changes to the environment in which it operates”
12 CFR 234.3(a)(17)(i)(B)final
USFRBbusiness continuityRemediate deficiencies identified during tests and reviews as soon as possible, following established governance processes, including risk analysis, prioritization, and validation.
“remediate, as soon as possible and following established governance processes, any deficiencies identified during tests and reviews”
12 CFR 234.3(a)(17)(i)(C)final
USFRBbusiness continuityEstablish a documented framework for incident management providing for prompt detection, analysis, and escalation of incidents; appropriate response procedures; and incorporation of lessons learned.
“establish a documented framework for incident management that provides for the prompt detection, analysis, and escalation of an incident; appropriate procedures for addressing an incident; and incorporation of lessons learned following an incident”
12 CFR 234.3(a)(17)(vi)final
USFRBbusiness continuityInclude within the incident management framework a plan for notification and communication of material operational incidents identifying entities to be notified, including non-participants that could be affected.
“include a plan for notification and communication of material operational incidents. This plan, among other things, would need to identify the entities that would be notified of operational incidents, including non-participants”
12 CFR 234.3(a)(17)(vi)final
USFRBbusiness continuityImmediately notify the Board when the designated FMU activates its business continuity plan or has a reasonable basis to conclude there is an actual or likely disruption or material degradation to critical operations, services, or ability to fulfill obligations on time.
“notify the Board immediately when it activated its business continuity plan or had a reasonable basis to conclude that (1) there was an actual or likely disruption, or material degradation, to any of its critical operations or services”
12 CFR 234.3(a)(17)(vi)(A)(1)final
USFRBbusiness continuityImmediately notify the Board when the designated FMU has a reasonable basis to conclude there is an unauthorized entry, or a vulnerability that could allow unauthorized entry, into its computer/network/electronic systems that affects or could affect critical operations or services.
“unauthorized entry or a vulnerability that could allow unauthorized entry, into the designated FMU's computer, network, electronic, technical, automated, or similar systems that affects or has the potential to affect its critical operations or services”
12 CFR 234.3(a)(17)(vi)(A)(2)final
USFRBbusiness continuityNotify the Board of incidents in accordance with the process established by the Board. [adjacent]
“a designated FMU must notify the Board of incidents 'in accordance with the process established by the Board'”
12 CFR 234.3(a)(17)(vi)(A)final
USFRBbusiness continuityEstablish criteria and processes for timely communication and responsible disclosure of material operational incidents to participants or other relevant entities, including appropriate communication methods.
“establish criteria and processes, including the appropriate methods of communication, to provide for timely communication and responsible disclosure of material operational incidents to its participants or other relevant entities”
12 CFR 234.3(a)(17)(vi)(B)final
USFRBbusiness continuityImmediately notify affected participants in the event of actual disruptions or material degradation to critical operations or services or to the ability to fulfill obligations on time.
“notify affected participants immediately in the event of actual disruptions or material degradation to its critical operations or services or to its ability to fulfill its obligations on time”
12 CFR 234.3(a)(17)(vi)(B)(1)final
USFRBbusiness continuityNotify all participants and other relevant entities in a timely and responsible manner of all other material operational incidents that require immediate Board notification.
“notify all participants and other relevant entities in a timely and responsible manner of all other material operational incidents that require immediate notification to the Board”
12 CFR 234.3(a)(17)(vi)(B)(2)final
USFRBbusiness continuityIdentify and mitigate plausible sources of operational risk (internal and external) through appropriate systems, policies, procedures, and controls that are reviewed, audited, and tested periodically and after major changes.
“identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls that are reviewed, audited, and tested periodically and after major changes”
12 CFR 234.3(a)(17)(i)final
USFRBbusiness continuityIdentify, monitor, and manage operational risks the designated FMU may pose to other FMUs and trade repositories. [adjacent]
“identify, monitor, and manage the operational risks it may pose to other FMUs and trade repositories”
12 CFR 234.3(a)(17)final
USFRBbusiness continuityEnsure adequate, scalable capacity to handle increasing stress volumes.
“have adequate, scalable capacity to handle increasing stress volumes”
12 CFR 234.3(a)(17)final
USFRBbusiness continuityAddress potential and evolving vulnerabilities and threats to operational risk, including supply chain and ransomware threats, through systems, policies, procedures, and controls.
“address potential and evolving vulnerabilities and threats”
12 CFR 234.3(a)(17)final
USNCUAbusiness continuityEstablish a written vital records preservation program within six months of insurance certificate issuance to identify, store, and reconstruct vital records in the event such records are destroyed.
“The board of directors of a credit union is responsible for establishing a vital records preservation program within six months of its insurance certificate being issued. The program must be in writing and contain procedures for maintaining duplicate vital records at a vital reco”
12 CFR 749.2(a)final
USNCUAbusiness continuityInclude in the written program designated staff responsible for vital records preservation.
“The procedures must include: (1) Designated staff responsible for vital records preservation”
12 CFR 749.2(a)(1)final
USNCUAbusiness continuityInclude in the written program a schedule for the storage and destruction of vital records.
“The procedures must include: (2) A schedule for the storage and destruction of vital records”
12 CFR 749.2(a)(2)final
USNCUAbusiness continuityMaintain a records preservation log that will aid in locating and easily accessing vital records, in electronic or any other format as determined by the credit union.
“A records preservation log as determined by the credit union that will aid in locating and easily accessing the vital records. The log may be in electronic or any other format as determined by the credit union.”
12 CFR 749.2(a)(3)final
USNCUAbusiness continuityStore duplicate vital records at a vital records center located far enough from the credit union's offices to avoid simultaneous loss of both sets of records in a catastrophic event.
“contain procedures for maintaining duplicate vital records at a vital records center... a storage facility...at any location far enough from the credit union's offices to avoid the simultaneous loss of both sets of records in the event of a catastrophic act.”
12 CFR 749.2(a); 12 CFR 749.1 (definition of 'Vital records center')final
USNCUAbusiness continuityEnsure the vital records preservation program covers the six specified categories of vital records, including member account balances, financial reports, bank reconcilements, account/investment lists, and emergency contact information.
“Vital records are the most recent and current versions of the records a credit union needs to restore vital member services. These records are: (1) A list of share, deposit, and loan balances... (2) A financial report... (3) Bank reconcilements... (4) A list of the credit union's”
12 CFR 749.1 (definition of 'Vital records', subsections (1)-(5))final
USNCUAbusiness continuityWhere vital records are maintained by an off-site data processor, ensure the service agreement specifies that the data processor safeguards against simultaneous destruction of production and back-up information.
“A credit union that has some or all of its vital records maintained by an off-site data processor is considered to be in compliance for the storage of those records if the service agreement specifies the data processor safeguards against the simultaneous destruction of production”
12 CFR 749.2(b)final
USNCUAbusiness continuityMaintain, or contract with a third-party service provider to maintain, any equipment or software necessary for the vital records center so the credit union can access its records.
“A credit union must maintain, or contract with a third-party service provider to maintain, any equipment or software for its vital records center necessary for the credit union to access its records.”
12 CFR 749.3final
USNCUAbusiness continuityMaintain effective oversight of any third-party service provider contracted to maintain vital records to ensure the records meet the requirements of 12 CFR 749.3.
“If a credit union contracts with a third-party service provider to maintain its records, the credit union must maintain effective oversight of the third-party service provider to ensure the records meet the requirements of this section.”
12 CFR 749.3final
USNCUAbusiness continuityPreserve vital records in a format that accurately reflects the information, remains accessible to all entitled persons, and is capable of reproduction by transmission, printing, or otherwise.
“Preserved vital records may be in any format that can be used to reconstruct the credit union's vital records. The format used must accurately reflect the information in the record, remain accessible to all persons entitled to access by statute, regulation, or rule of law, and be”
12 CFR 749.4final
USNCUAcybersecurityReport a reportable cyber incident to the NCUA-designated point of contact as soon as possible and no later than 72 hours after the FICU reasonably believes a reportable cyber incident has occurred.
“The NCUA must receive this notification as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident”
12 CFR 748.1(c)final
USNCUAcybersecurityReport via email, telephone, or other NCUA-prescribed method to the NCUA-designated point of contact upon occurrence of a reportable cyber incident.
“Each federally insured credit union must notify the appropriate NCUA-designated point of contact of the occurrence of a reportable cyber incident via email, telephone, or other similar methods that the NCUA may prescribe.”
12 CFR 748.1(c)final
USNCUAcybersecurityReport a cyber incident causing a substantial loss of confidentiality, integrity, or availability of a network or member information system resulting from unauthorized access to sensitive data, disruption of vital member services, or serious impact on safety and resiliency of operational systems.
“A substantial loss of confidentiality, integrity, or availability of a network or member information system...that results from the unauthorized access to or exposure of sensitive data, disrupts vital member services...or has a serious impact on the safety and resiliency of opera”
12 CFR 748.1(c)(1)(i)(A)final
USNCUAcybersecurityReport a cyber incident where a cyberattack or exploitation of vulnerabilities causes disruption of business operations, vital member services, or a member information system.
“A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.”
12 CFR 748.1(c)(1)(i)(B)final
USNCUAcybersecurityReport within 72 hours a cyber incident where a compromise of a credit union service organization, cloud service provider, third-party data hosting provider, or supply chain causes disruption of business operations or unauthorized access to sensitive data.
“A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”
12 CFR 748.1(c)(1)(i)(C)final
USNCUAcybersecurityWhen notified by a third-party of a compromise affecting the FICU, report to NCUA within 72 hours of that third-party notification, whichever is sooner than the FICU's own reasonable belief.
“within 72 hours of being notified by a third-party, whichever is sooner.”
12 CFR 748.1(c)final
USNCUAbusiness continuityA FICU board of directors must establish a written succession plan that addresses specified positions and contains required information to ensure continuity of critical leadership. [adjacent]
“a FICU board of directors establish a written succession plan that addresses specified positions and contains certain information”
12 CFR 701.4(e)final
USNCUAbusiness continuityThe FICU board of directors must review the succession plan no less than every 24 months to ensure it remains current and adequate. [adjacent]
“a credit union board must review its succession plan no less than every 24 months, as opposed to the annual review that would have been required under the proposed rule”
12 CFR 701.4(e)final
USNCUAbusiness continuityNewly appointed FICU board members must obtain working familiarity with the succession plan no later than six months after appointment. [adjacent]
“newly appointed members of the board of directors have a working familiarity with the succession plan no later than six months after appointment”
12 CFR 701.4(e)final
USNCUAbusiness continuityThe succession plan must identify the anticipated vacancy date for each covered position, such as the incumbent's retirement eligibility date or announced departure date. [adjacent]
“The final rule does not require the FICU use a specific date, but suggests some possible proxies, including the individual's anticipated retirement date or announced departure date. A credit union can also note that a retirement or departure date is unknown.”
12 CFR 701.4(e)final
USNCUAbusiness continuityThe succession plan must cover specified senior leadership positions responsible for oversight or day-to-day management of the FICU, including management officials and senior executive officers per 12 CFR 701.14(b)(2). [adjacent]
“succession plans are intended to cover senior leadership positions responsible for the oversight of the FICU or its day-to-day management”
12 CFR 701.4(e)(2)final
USNCUAbusiness continuityThe succession plan may include other personnel the board deems critical given the FICU's size, complexity, or risk of operations, including positions required due to planned operational changes. [adjacent]
“other personnel the board of directors deems critical given the [FICU's] size, complexity, or risk of operations. This includes new positions that may be required due to planned changes in operations, supervisory landscape, or corporate structure.”
12 CFR 701.4(e)(2)(iii)final
USNCUAbusiness continuityFISCUs must adhere to the NCUA succession planning requirements to the extent they do not conflict with an applicable state requirement; NCUA defers to enforceable state requirements where no conflict exists. [adjacent]
“a FISCU must adhere to the succession planning requirements 'to the extent these regulatory provisions do not conflict with an applicable state requirement.'”
12 CFR 741.228final
USNCUAbusiness continuityDevelop and maintain a written security program within 90 days of insurance effective date that prevents destruction of vital records and responds to unauthorized access incidents.
“Each federally insured credit union will develop a written security program within 90 days of the effective date of insurance.”
12 CFR 748.0(a), 748.0(b)(3), 748.0(b)(5)final
USNCUAbusiness continuityNotify the NCUA regional director within 5 business days of any catastrophic act causing physical destruction or interruption of vital member services projected to last more than two consecutive business days.
“Each federally insured credit union will notify the regional director within 5 business days of any catastrophic act that occurs at its office(s).”
12 CFR 748.1(b)final
USNCUAbusiness continuityPrepare and file a record of each catastrophic act at the credit union's main office, documenting location, timing, losses, operational deficiencies, and corrective actions.
“Within a reasonable time after a catastrophic act occurs, the credit union shall ensure that a record of the incident is prepared and filed at its main office.”
12 CFR 748.1(b)final
USNCUAbusiness continuityNotify NCUA's designated point of contact of a reportable cyber incident as soon as possible but no later than 72 hours after the credit union reasonably believes it has experienced such an incident.
“The NCUA must receive this notification as soon as possible but no later than 72 hours after a federally insured credit union reasonably believes that it has experienced a reportable cyber incident.”
12 CFR 748.1(c)final
USNCUAbusiness continuityReport a cyber incident within 72 hours when a disruption of business operations or vital member services results from a cyberattack or exploitation of vulnerabilities.
“A disruption of business operations, vital member services, or a member information system resulting from a cyberattack or exploitation of vulnerabilities.”
12 CFR 748.1(c)(1)(i)(B)final
USNCUAbusiness continuityReport within 72 hours when a third-party (CUSO, cloud provider, or other data hosting provider) compromise causes a disruption of business operations or unauthorized access to sensitive data.
“A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”
12 CFR 748.1(c)(1)(i)(C)final
USNCUAbusiness continuityDevelop and implement a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to the credit union's size and complexity. [adjacent]
“A comprehensive written information security program includes administrative, technical, and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities.”
12 CFR Part 748, Appendix A, Section II.Afinal
USNCUAbusiness continuityHave the board of directors approve the written information security policy and program, and oversee its development, implementation, and maintenance including reviewing management reports. [adjacent]
“Approve the credit union's written information security policy and program; and oversee the development, implementation, and maintenance of the credit union's information security program.”
12 CFR Part 748, Appendix A, Section III.Afinal
USNCUAbusiness continuityAssess reasonably foreseeable internal and external threats to member information systems, evaluate likelihood and potential damage of threats, and assess sufficiency of existing controls.
“Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems.”
12 CFR Part 748, Appendix A, Section III.Bfinal
USNCUAbusiness continuityImplement response programs specifying actions when unauthorized access to member information systems is suspected or detected, including reports to regulatory and law enforcement agencies.
“Response programs that specify actions to be taken when the credit union suspects or detects that unauthorized individuals have gained access to member information systems, including appropriate reports to regulatory and law enforcement agencies.”
12 CFR Part 748, Appendix A, Section III.C.1.gfinal
USNCUAbusiness continuityImplement measures to protect member information against destruction, loss, or damage due to environmental hazards such as fire, water damage, or technical failures.
“Measures to protect against destruction, loss, or damage of member information due to potential environmental hazards, such as fire and water damage or technical failures.”
12 CFR Part 748, Appendix A, Section III.C.1.hfinal
USNCUAbusiness continuityImplement monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems. [adjacent]
“Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into member information systems.”
12 CFR Part 748, Appendix A, Section III.C.1.ffinal
USNCUAbusiness continuityRegularly test key controls, systems, and procedures of the information security program, with tests conducted or reviewed by independent parties, at a frequency determined by risk assessment. [adjacent]
“Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the credit union's risk assessment.”
12 CFR Part 748, Appendix A, Section III.C.3final
USNCUAbusiness continuityExercise due diligence in selecting service providers, require them by contract to implement appropriate information security measures, and monitor their compliance where indicated by risk assessment.
“Exercise appropriate due diligence in selecting its service providers; Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines.”
12 CFR Part 748, Appendix A, Section III.Dfinal
USNCUAbusiness continuityMonitor, evaluate, and adjust the information security program in response to relevant changes in technology, threat environment, member information sensitivity, and business arrangements including outsourcing. [adjacent]
“Monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its member information, internal or external threats to information, and the credit union's own changing business arrangements.”
12 CFR Part 748, Appendix A, Section III.Efinal
USNCUAbusiness continuityReport to the board or board committee at least annually on the overall status of the information security program, including risk assessment, risk management decisions, service provider arrangements, test results, and security breaches. [adjacent]
“Each credit union should report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the credit union's compliance with these guidelines.”
12 CFR Part 748, Appendix A, Section III.Ffinal
USNCUAbusiness continuityDevelop and implement a risk-based response program to address incidents of unauthorized access to member information, as a key component of the information security program. [adjacent]
“Every credit union should also develop and implement a risk-based response program to address incidents of unauthorized access to member information in member information systems that occur nonetheless.”
12 CFR Part 748, Appendix B, Section IIfinal
USNCUAbusiness continuityInclude in the response program procedures to assess the nature and scope of an incident and identify which member information systems and information types were accessed or misused.
“Assessing the nature and scope of an incident, and identifying what member information systems and types of member information have been accessed or misused.”
12 CFR Part 748, Appendix B, Section II.A.1.afinal
USNCUAbusiness continuityNotify the appropriate NCUA Regional Director (and state supervisory authority for state-chartered CUs) as soon as possible upon discovering an incident involving unauthorized access to sensitive member information. [adjacent]
“Notifying the appropriate NCUA Regional Director, and, in the case of state-chartered credit unions, its applicable state supervisory authority, as soon as possible when the credit union becomes aware of an incident involving unauthorized access to or use of sensitive member info”
12 CFR Part 748, Appendix B, Section II.A.1.bfinal
USNCUAbusiness continuityTake appropriate steps to contain and control incidents of unauthorized access to prevent further unauthorized access, including monitoring, freezing, or closing affected accounts while preserving records and evidence.
“Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of member information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.”
12 CFR Part 748, Appendix B, Section II.A.1.dfinal
USNCUAbusiness continuityRequire service providers by contract to promptly notify the credit union of unauthorized access incidents to member information to enable timely implementation of the credit union's response program. [adjacent]
“A credit union's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to or use of the credit union's member information, including notification of the credit union as soon as possible of an”
12 CFR Part 748, Appendix B, Section II.iifinal
USNCUAbusiness continuityAnnually certify compliance with all requirements of 12 CFR Part 748 via the Credit Union Profile through NCUA's online information management system. [adjacent]
“The president or managing official of each federally insured credit union must certify compliance with the requirements of this part in its Credit Union Profile annually through NCUA's online information management system.”
12 CFR 748.1(a)final
USNCUAbusiness continuityDesign the information security program to control risks commensurate with information sensitivity and business complexity, considering and adopting appropriate controls including encryption, access controls, and modification procedures. [adjacent]
“Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the credit union's activities.”
12 CFR Part 748, Appendix A, Section III.C.1final
USNCUAotherCredit unions with assets >=$50M must establish and document a written Contingency Funding Plan (CFP) commensurate with complexity, risk profile, and scope of operations addressing liquidity shortfalls in emergencies. [adjacent]
“must establish and document a contingency funding plan (CFP) that meets the requirements of paragraph (d) of this section.”
12 CFR 741.12(b), 741.12(d)final
USNCUAotherThe CFP must include policies to manage a range of stress environments, identify possible stress events, and identify likely liquidity responses to such events. [adjacent]
“Policies to manage a range of stress environments, identification of some possible stress events, and identification of likely liquidity responses to such events;”
12 CFR 741.12(d)(3)final
USNCUAotherThe CFP must define lines of responsibility within the institution for responding to liquidity events. [adjacent]
“Lines of responsibility within the institution to respond to liquidity events;”
12 CFR 741.12(d)(4)final
USNCUAotherThe CFP must specify the frequency at which the institution will test and update the plan. [adjacent]
“The frequency that the institution will test and update the plan.”
12 CFR 741.12(d)(6)final
USNCUAbusiness continuityEstablish and maintain a written vital records preservation program to identify, store, and reconstruct vital records in the event records are destroyed.
“All credit unions must have a written program that includes plans for safeguarding records and reconstructing vital records.”
12 CFR 749.0(a); 12 CFR 749.2final
USNCUAbusiness continuityEstablish the vital records preservation program within 6 months after the credit union's insurance certificate is issued.
“The board of directors of a credit union is responsible for establishing a vital records preservation program within 6 months after its insurance certificate is issued.”
12 CFR 749.2final
USNCUAbusiness continuityInclude in the written program procedures for maintaining duplicate vital records at a vital records center.
“The program must be in writing and contain procedures for maintaining duplicate vital records at a vital records center.”
12 CFR 749.2final
USNCUAbusiness continuityDesignate staff responsible for vital records preservation within the written program.
“The procedures must include: designated staff responsible for vital records preservation, a schedule for the storage and destruction of records...”
12 CFR 749.2final
USNCUAbusiness continuityMaintain a records preservation log detailing each stored record's name, storage location, storage date, and name of the person sending the record for storage. [adjacent]
“a records preservation log detailing for each record stored, its name, storage location, storage date, and name of the person sending the record for storage.”
12 CFR 749.2final
USNCUAbusiness continuityMaintain or contract with a third party to maintain equipment or software at the vital records center necessary to access vital records.
“A credit union must maintain or contract with a third party to maintain any equipment or software for its vital records center necessary to access records.”
12 CFR 749.3final
USNCUAbusiness continuityLocate the vital records center far enough from credit union offices to avoid simultaneous loss of both sets of records in a catastrophic event.
“A vital records center is defined as a storage facility...at any location far enough from the credit union's offices to avoid the simultaneous loss of both sets of records in the event of a catastrophic act.”
12 CFR 749.3final
USNCUAbusiness continuityEnsure preserved vital records are in a format that accurately reflects original information, remains accessible to authorized persons, and is capable of reproduction.
“The format used must accurately reflect the information in the record, remain accessible to all persons entitled to access by statute, regulation or rule of law, and be capable of reproduction by transmission, printing, or otherwise.”
12 CFR 749.4final
USNCUAbusiness continuityWhere an off-site data processor maintains records, ensure the service agreement specifies the data processor safeguards against simultaneous destruction of production and back-up information.
“Credit unions which have some or all of their records maintained by an off-site data processor are considered to be in compliance...if the service agreement specifies the data processor safeguards against the simultaneous destruction of production and back-up information.”
12 CFR 749.2final
USNCUAbusiness continuityConduct a business impact analysis to evaluate potential threats as part of catastrophic act preparedness (recommended).
“(1) A business impact analysis to evaluate potential threats;”
12 CFR Part 749, Appendix B, element (1)final
USNCUAbusiness continuityConduct a risk assessment to determine critical systems and necessary resources as part of catastrophic act preparedness (recommended).
“(2) A risk assessment to determine critical systems and necessary resources;”
12 CFR Part 749, Appendix B, element (2)final
USNCUAbusiness continuityDevelop a written catastrophic act preparedness plan identifying persons with authority to enact the plan (recommended).
“A written plan addressing: i. Persons with authority to enact the plan;”
12 CFR Part 749, Appendix B, element (3)(i)final
USNCUAbusiness continuityAddress preservation and ability to restore vital records in the written catastrophic act preparedness plan (recommended).
“ii. Preservation and ability to restore vital records;”
12 CFR Part 749, Appendix B, element (3)(ii)final
USNCUAbusiness continuityInclude in the written plan a method for restoring vital member services through alternate operating locations or service mediums (recommended).
“iii. A method for restoring vital member services through identification of alternate operating location(s) or mediums to provide services, such as telephone centers, shared service centers, agreements with other credit unions, or other appropriate methods;”
12 CFR Part 749, Appendix B, element (3)(iii)final
USNCUAbusiness continuityInclude communication methods for employees and members in the written catastrophic act preparedness plan (recommended).
“iv. Communication methods for employees and members;”
12 CFR Part 749, Appendix B, element (3)(iv)final
USNCUAbusiness continuityInclude regulator notification procedures per 12 CFR 748.1(b) in the written catastrophic act preparedness plan (recommended).
“v. Notification of regulators as addressed in 12 CFR 748.1(b);”
12 CFR Part 749, Appendix B, element (3)(v)final
USNCUAbusiness continuityInclude training — and documentation of training — for all employees and volunteer officials on catastrophic act procedures in the written plan (recommended).
“vi. Training and documentation of training to ensure all employees and volunteer officials are aware of procedures to follow in the event of destruction of vital records or loss of vital member services;”
12 CFR Part 749, Appendix B, element (3)(vi)final
USNCUAbusiness continuityInclude testing procedures and a means for documenting testing results in the written catastrophic act preparedness plan (recommended).
“vii. Testing procedures, including a means for documenting the testing results.”
12 CFR Part 749, Appendix B, element (3)(vii)final
USNCUAbusiness continuityEstablish internal controls for reviewing the catastrophic act preparedness plan at least annually and revising it as circumstances warrant (recommended).
“(4) Internal controls for reviewing the plan at least annually and for revising the plan as circumstances warrant, for example, to address changes in the credit union's operations;”
12 CFR Part 749, Appendix B, element (4)final
USNCUAbusiness continuityConduct annual testing of the catastrophic act preparedness plan (recommended).
“(5) Annual testing.”
12 CFR Part 749, Appendix B, element (5)final
USOCCcrisis managementBanking organizations must notify their primary Federal regulator of any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after determining the incident occurred.
“a banking organization must notify its primary Federal regulator of any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.Afinal
USOCCcrisis managementBank service providers must notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, c
“the final rule requires a bank service provider to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines it has experienced a computer-security incident that has caused, or”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.Afinal
USOCCcrisis managementBanking organizations must have sufficient understanding of their lines of business to determine which business lines, upon failure, would result in a material loss of revenue, profit, or franchise value, in order to identify notification incidents. [adjacent]
“all banking organizations must have a sufficient understanding of their lines of business to be able to determine which business lines would, upon failure, result in a material loss of revenue, profit, or franchise value to the banking organization, so that they can meet their no”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.B.ivfinal
USOCCcrisis managementBanking organizations must apply a 'reasonably likely' materiality standard when determining whether a computer-security incident constitutes a notification incident requiring regulator notification, covering incidents that have materially disrupted or degraded or are reasonably likely to do so.
“a banking organization will be required to notify its primary Federal regulator when it has suffered a computer-security incident that has a reasonable likelihood of materially disrupting or degrading the banking organization or its operations.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.B.ivfinal
USOCCcrisis managementBanking organizations must evaluate whether a material loss of revenue, profit, or franchise value resulting from a computer-security incident is material on an enterprise-wide basis when assessing notification incident status under the second prong of the definition.
“a banking organization should evaluate whether the loss is material to the organization as a whole.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.B.ivfinal
USOCCcrisis managementBank service providers must ensure their notification to banking organization customers is directed to a bank-designated point of contact rather than an arbitrary individual, requiring coordination with banking organization customers to establish and maintain those contact designations.
“requiring that notice be provided to a bank-designated point of contact, rather than to at least two individuals at each banking organization customer.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.A and III.D.iiifinal
USOCCcrisis managementBanking organizations and bank service providers must determine whether a computer-security incident has occurred based on a determination standard (not a subjective good-faith belief), requiring documented incident assessment processes.
“the agencies are replacing the 'good faith belief' standard with a banking organization's determination. The agencies agree with commenters who criticized the proposed 'believes in good faith' standard as too subjective and imprecise.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.B.ivfinal
USOCCcrisis managementBanking organizations must be capable of identifying computer-security incidents that materially disrupt or degrade (or are reasonably likely to do so) their ability to carry out banking operations or deliver products/services to a material portion of their customer base in the ordinary course of business.
“Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.B.ivfinal
USOCCcrisis managementBanking organizations must be capable of identifying notification incidents that impact operations whose failure or discontinuance would pose a threat to the financial stability of the United States (the third prong of the notification incident definition).
“operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.B.ivfinal
USOCCcrisis managementBanking organizations that provide sector-critical services and currently notify their primary Federal regulator of computer-security incidents on a same-day basis are encouraged to continue doing so (supervisory expectation).
“the agencies would encourage those banking organizations providing sector-critical services that currently notify their primary Federal regulator of these types of incidents on a same-day basis to continue to do so.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.A (footnote 19)final
USOCCcrisis managementBank service providers must have procedures to determine when a computer-security incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services to banking organization customers for four or more hours, triggering the notification obligation.
“when the bank service provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.D.iifinal
USOCCcrisis managementBanking organizations must assess whether a computer-security incident at a bank service provider has or is reasonably likely to have a material impact on the banking organization, potentially triggering the banking organization's own notification requirement to its regulator.
“prompt notification will allow the banking organization to assess whether the incident has or is reasonably likely to have a material impact on the banking organization and thus trigger the banking organization's own notification requirement.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule, Introduction and Section III.D.ifinal
USOCCcrisis managementBanking organizations and bank service providers must ensure that contracts with bank service providers address notification provisions consistent with the final rule, so that banking organizations receive prompt notification of computer-security incidents affecting covered services.
“while the agencies agree that incident notification is generally addressed by contract, we believe that this issue is important enough to warrant an independent regulatory requirement that ensures consistency and enforceability, without the necessity of revising contractual provi”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.D.ivfinal
USOCCcrisis managementBanking organizations must identify and monitor their critical dependence on bank service providers for essential services and ensure operational resilience by receiving timely notification of computer-security incidents at those providers that could disrupt covered services.
“banking organizations have become increasingly reliant on third parties to provide essential services. Such third parties may also experience computer-security incidents that could disrupt or degrade the provision of services to their banking organization customers.”
12 CFR Part 53 (OCC); 12 CFR Part 225 (Board); 12 CFR Part 304 (FDIC) — Final Rule Section III.D.ifinal
USOCCcrisis managementNotify the appropriate OCC supervisory office as soon as possible and no later than 36 hours after determining that a notification incident has occurred.
“The OCC must receive this notification from the banking organization as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred.”
12 CFR 53.3final
USOCCcrisis managementNotify the OCC via email, telephone, or other OCC-prescribed methods upon occurrence of a notification incident.
“A banking organization must notify the appropriate OCC supervisory office, or OCC-designated point of contact, about a notification incident through email, telephone, or other similar methods that the OCC may prescribe.”
12 CFR 53.3final
USOCCcrisis managementMonitor for and determine when a computer-security incident constitutes a 'notification incident' — i.e., one that has materially disrupted or is reasonably likely to materially disrupt banking operations, business lines, or critical operations.
“Notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's— (i) Ability to carry out banking operations...in the ordinary course of business...”
12 CFR 53.2(b)(7)final
USOCCcrisis managementBank service providers must notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when a computer-security incident has materially disrupted or degraded covered services for four or more hours.
“A bank service provider is required to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrup”
12 CFR 53.4(a)final
USOCCcrisis managementBank service providers must notify the CEO and CIO (or comparable individuals) of the banking organization customer when no bank-designated point of contact has been previously provided.
“If the banking organization customer has not previously provided a bank-designated point of contact, such notification shall be made to the Chief Executive Officer and Chief Information Officer of the banking organization customer, or two individuals of comparable responsibilitie”
12 CFR 53.4(a)(2)final
USOCCcrisis managementBanking organizations must provide bank service providers with a designated point of contact (email, phone, or other contact) to receive incident notifications.
“A bank-designated point of contact is an email address, phone number, or any other contact(s), previously provided to the bank service provider by the banking organization customer.”
12 CFR 53.4(a)(1)final
USOCCbusiness continuityMaintain a complete inventory of all third-party relationships and periodically conduct risk assessments for each to determine whether risks have changed and update risk management practices accordingly. [adjacent]
“Maintaining a complete inventory of its third-party relationships and periodically conducting risk assessments for each third-party relationship supports a banking organization's determination of whether risks have changed over time”
Interagency TPRM Guidance 2023, Section B (Risk Management)proposed
USOCCbusiness continuityApply more comprehensive and rigorous oversight and management to third-party relationships that support higher-risk or critical activities, including those that could cause significant operational disruption.
“banking organizations engage in more comprehensive and rigorous oversight and management of third-party relationships that support higher-risk activities, including critical activities.”
Interagency TPRM Guidance 2023, Section B (Risk Management)proposed
USOCCbusiness continuityDuring planning, identify and assess risks associated with a contemplated third-party relationship—including operational risks—before entering the relationship, with board approval for critical activities. [adjacent]
“effective planning allows a banking organization to evaluate and consider how to manage risks before entering into a third-party relationship... when critical activities are involved, plans may be presented to and approved by a banking organization's board of directors”
Interagency TPRM Guidance 2023, Section C.1 (Planning)proposed
USOCCbusiness continuityDuring due diligence, assess a third party's incident response and management capabilities, including how it handles and reports security or operational incidents.
“incident response and management, including the third party's ability to respond to and recover from incidents that could disrupt operations”
Interagency TPRM Guidance 2023, Section C.2 (Due Diligence and Third-Party Selection)proposed
USOCCbusiness continuityDuring due diligence, assess a third party's information security program, including controls protecting the confidentiality, integrity, and availability of systems and data critical to the banking organization's operations.
“information security, including the third party's information security program and its ability to protect the banking organization's systems, data, and customers”
Interagency TPRM Guidance 2023, Section C.2 (Due Diligence and Third-Party Selection)proposed
USOCCbusiness continuityDuring due diligence, evaluate a third party's operational resilience, including its ability to withstand and recover from disruptions to the services it provides.
“operational resilience, including the third party's ability to withstand and recover from disruptions”
Interagency TPRM Guidance 2023, Section C.2 (Due Diligence and Third-Party Selection)proposed
USOCCbusiness continuityInclude in contracts provisions for incident notification, requiring the third party to promptly notify the banking organization of disruptions or incidents affecting the services provided.
“incident notification, requiring the third party to promptly notify the banking organization of any incidents that may affect the third party's ability to provide the contracted services”
Interagency TPRM Guidance 2023, Section C.3 (Contract Negotiation)proposed
USOCCbusiness continuityInclude in contracts provisions that define service-level agreements (SLAs) for recovery time and availability, ensuring services can be restored within acceptable timeframes following a disruption.
“performance standards and service level agreements, including measurable standards for performance and consequences for failure to meet the standards”
Interagency TPRM Guidance 2023, Section C.3 (Contract Negotiation)proposed
USOCCbusiness continuityInclude in contracts provisions granting the banking organization rights to audit the third party's controls, including those related to business continuity and information security.
“audit and examination rights, including the right to conduct audits and examinations of the third party and its subcontractors”
Interagency TPRM Guidance 2023, Section C.3 (Contract Negotiation)proposed
USOCCbusiness continuityInclude in contracts provisions for orderly termination and business continuity, ensuring the banking organization can transition services or wind down the relationship without disruption to operations.
“default and termination rights, including the ability of the banking organization to terminate the contract and transition the activities to another third party or in-house”
Interagency TPRM Guidance 2023, Section C.3 (Contract Negotiation)proposed
USOCCbusiness continuityDuring ongoing monitoring, monitor a third party's business continuity and disaster recovery capabilities, including reviewing BCP/DR test results on a periodic basis.
“ongoing monitoring should include reviewing the third party's business continuity and disaster recovery capabilities, including test results”
Interagency TPRM Guidance 2023, Section C.4 (Ongoing Monitoring)proposed
USOCCbusiness continuityDuring ongoing monitoring, monitor a third party's information security and incident response capabilities and track incidents that could affect the banking organization's operations.
“information security, including monitoring changes to the third party's security controls and any security incidents that may affect the banking organization”
Interagency TPRM Guidance 2023, Section C.4 (Ongoing Monitoring)proposed
USOCCbusiness continuityDuring ongoing monitoring, assess changes in third-party concentration risk, including reliance on a single third party for critical services and potential impacts on operational continuity.
“concentration risk, including assessing the banking organization's reliance on a single third party for critical activities and the potential impact on the banking organization's operations”
Interagency TPRM Guidance 2023, Section C.4 (Ongoing Monitoring)proposed
USOCCbusiness continuityDevelop and maintain contingency plans for terminating a critical third-party relationship, ensuring the banking organization can continue operations if the third party fails or the relationship must be ended.
“maintaining contingency plans for terminating the relationship, including identifying and transitioning to alternative third parties or moving the activities in-house”
Interagency TPRM Guidance 2023, Section C.5 (Termination)proposed
USOCCbusiness continuityEvaluate a third party's use of subcontractors to determine whether subcontracting arrangements may heighten operational or resilience risks to the banking organization, and apply mitigating controls as appropriate.
“assessing whether a third party's use of subcontractors may heighten or raise additional risk to the banking organization and applying mitigating factors, as appropriate”
Interagency TPRM Guidance 2023, Section F (Subcontractors discussion / Section C.2)proposed
USOCCbusiness continuityEnsure third-party contracts include provisions requiring subcontractors to adhere to the same operational resilience and security standards as the primary third party.
“require the third party to bind its subcontractors to any obligations and standards of the third party”
Interagency TPRM Guidance 2023, Section C.3 (Contract Negotiation) / Subcontractorsproposed
USOCCbusiness continuityConduct independent reviews of third-party risk management processes, including effectiveness of controls related to operational resilience and business continuity for critical third-party relationships.
“independent reviews of the banking organization's third-party risk management processes and controls, including those related to critical activities”
Interagency TPRM Guidance 2023, Section D.2 (Independent Reviews)proposed
USOCCbusiness continuityEstablish board and senior management oversight of third-party risk management, including approval of policies addressing operational resilience risks from third-party relationships.
“the board has ultimate oversight responsibility to ensure that the banking organization operates in a safe and sound manner... senior management implements the board-approved policies”
Interagency TPRM Guidance 2023, Section D.1 (Oversight and Accountability)proposed
USOCCbusiness continuityMaintain documentation and reporting sufficient to demonstrate effective management of operational resilience risks across the third-party relationship life cycle, for review by examiners.
“documentation and reporting sufficient to support the banking organization's third-party risk management processes and to facilitate examination by the agencies”
Interagency TPRM Guidance 2023, Section D.3 (Documentation and Reporting)proposed
USOCCbusiness continuityWhen a banking organization cannot obtain adequate information to assess a third party's resilience capabilities, take steps to mitigate the resulting risk or determine whether residual risk is within the organization's risk appetite.
“banking organizations should consider taking steps to mitigate the risks or, if the risks cannot be mitigated, to determine whether the residual risks are acceptable”
Interagency TPRM Guidance 2023, Section C.2 (Due Diligence) / Section II.E.1proposed
USOCCbusiness continuityAssess concentration risk arising from reliance on a limited number of third-party providers in highly concentrated industries (e.g., cloud computing) and consider alternative arrangements to mitigate operational continuity risk.
“asked for additional flexibility for banking organizations to manage relationships with third parties in relatively concentrated industries, mentioning cloud computing as an example”
Interagency TPRM Guidance 2023, Section II.D / Section C.4 (Ongoing Monitoring)proposed
USOCCbusiness continuityEnsure that use of collaborative due diligence arrangements or third-party assessment utilities does not abrogate the banking organization's own responsibility to assess and manage operational resilience risks of critical third parties.
“use of any collaborative efforts does not abrogate the responsibility of banking organizations to manage third-party relationships in a safe and sound manner... evaluate the conclusions from such collaborative efforts based on the banking organization's own specific circumstances”
Interagency TPRM Guidance 2023, Section II.E.1 (Due Diligence / Collaborative Arrangements)proposed
USOCCbusiness continuityInvolve staff with requisite technical expertise—including technology, risk, and compliance specialists—at each stage of the third-party relationship life cycle to effectively assess and manage operational resilience risks.
“It is important to involve staff with the requisite knowledge and skills in each stage of the risk management life cycle... experts across disciplines, such as compliance, risk, or technology, as well as legal counsel”
Interagency TPRM Guidance 2023, Section C (Third-Party Relationship Life Cycle)proposed
USOCCbusiness continuityImplement a comprehensive written information security program with administrative, technical, and physical safeguards appropriate to the institution's size, complexity, and activities. [adjacent]
“Each national bank or Federal savings association shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity”
12 CFR 30 Appendix B, Section II.Afinal
USOCCbusiness continuityBoard of directors must approve the written information security program and oversee its development, implementation, and maintenance, including assigning specific responsibility. [adjacent]
“The board of directors or an appropriate committee of the board of each national bank or Federal savings association shall: 1. Approve the national bank's or Federal savings association's written information security program; and 2. Oversee the development, implementation, and ma”
12 CFR 30 Appendix B, Section III.Afinal
USOCCbusiness continuityIdentify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems. [adjacent]
“Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.”
12 CFR 30 Appendix B, Section III.B.1final
USOCCbusiness continuityAssess the likelihood and potential damage of identified threats, taking into consideration the sensitivity of customer information.
“Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.”
12 CFR 30 Appendix B, Section III.B.2final
USOCCbusiness continuityDesign information security program controls commensurate with information sensitivity and the complexity and scope of the institution's activities, including monitoring for attacks and intrusions into customer information systems. [adjacent]
“Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;”
12 CFR 30 Appendix B, Section III.C.1.ffinal
USOCCbusiness continuityImplement response programs specifying actions to be taken when unauthorized access to customer information systems is suspected or detected, including reports to regulatory and law enforcement agencies.
“Response programs that specify actions to be taken when the national bank or Federal savings association suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies;”
12 CFR 30 Appendix B, Section III.C.1.gfinal
USOCCbusiness continuityImplement measures to protect customer information against destruction, loss, or damage due to environmental hazards such as fire, water damage, or technological failures.
“Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.”
12 CFR 30 Appendix B, Section III.C.1.hfinal
USOCCbusiness continuityRegularly test key controls, systems, and procedures of the information security program, with tests conducted or reviewed by independent third parties or independent staff. [adjacent]
“Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the national bank's or Federal savings association's risk assessment. Tests should be conducted or reviewed by independent t”
12 CFR 30 Appendix B, Section III.C.3final
USOCCbusiness continuityExercise appropriate due diligence in selecting service providers that handle customer information. [adjacent]
“Exercise appropriate due diligence in selecting its service providers;”
12 CFR 30 Appendix B, Section III.D.1final
USOCCbusiness continuityRequire service providers by contract to implement appropriate security measures meeting the objectives of the Information Security Guidelines. [adjacent]
“Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines;”
12 CFR 30 Appendix B, Section III.D.2final
USOCCbusiness continuityMonitor service providers, where indicated by risk assessment, to confirm they have satisfied their contractual security obligations, including reviewing audits, test summaries, or equivalent evaluations.
“Where indicated by the national bank's or Federal savings association's risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by section D.2. As part of this monitoring, a national bank or Federal savings association shou”
12 CFR 30 Appendix B, Section III.D.3final
USOCCbusiness continuityMonitor, evaluate, and adjust the information security program in light of changes in technology, information sensitivity, internal/external threats, and changing business arrangements such as outsourcing. [adjacent]
“Each national bank or Federal savings association shall monitor, evaluate, and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information, and th”
12 CFR 30 Appendix B, Section III.Efinal
USOCCbusiness continuityReport to the board or appropriate committee at least annually on the overall status of the information security program, including risk assessment, control decisions, service provider arrangements, test results, security breaches, and program recommendations. [adjacent]
“Each national bank or Federal savings association shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program...risk assessment; risk management and control decisions; ser”
12 CFR 30 Appendix B, Section III.Ffinal
USOCCbusiness continuityDevelop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems, including systems maintained by service providers. [adjacent]
“every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems that occur nonetheless. A response program should be a key part of an institution's info”
12 CFR 30 Appendix B, Supplement A, Section IIfinal
USOCCbusiness continuityResponse program must include procedures to assess the nature and scope of an incident and identify which customer information systems and types of customer information have been accessed or misused.
“Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;”
12 CFR 30 Appendix B, Supplement A, Section II.A.1.afinal
USOCCbusiness continuityNotify the primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information. [adjacent]
“Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;”
12 CFR 30 Appendix B, Supplement A, Section II.A.1.bfinal
USOCCbusiness continuityTake appropriate steps to contain and control an incident to prevent further unauthorized access, including monitoring, freezing, or closing affected accounts while preserving records and evidence.
“Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence;”
12 CFR 30 Appendix B, Supplement A, Section II.A.1.dfinal
USOCCbusiness continuityRequire service providers by contract to notify the institution as soon as possible of any incident of unauthorized access to the institution's customer information to enable expeditious implementation of the institution's response program.
“an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of an”
12 CFR 30 Appendix B, Supplement A, Section IIfinal
USOCCbusiness continuityRetain responsibility for notifying customers and the regulator when an unauthorized access incident involves customer information in service provider systems, even if the institution contracts the notification function to the service provider. [adjacent]
“Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator. However, an institut”
12 CFR 30 Appendix B, Supplement A, Section II.A.2final
USOCCbusiness continuityTrain staff to implement the institution's information security program. [adjacent]
“Train staff to implement the national bank's or Federal savings association's information security program.”
12 CFR 30 Appendix B, Section III.C.2final
USOCCbusiness continuityAssess the sufficiency of existing policies, procedures, customer information systems, and other arrangements in place to control identified risks.
“Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.”
12 CFR 30 Appendix B, Section III.B.3final
USOCCbusiness continuityEnsure trained personnel and reasonable policies and procedures are in place to respond appropriately to customer inquiries and requests for assistance following notification of a security incident.
“The institution should, therefore, ensure that it has reasonable policies and procedures in place, including trained personnel, to respond appropriately to customer inquiries and requests for assistance.”
12 CFR 30 Appendix B, Supplement A, Section III.B.1 (footnote 14)final
USSECcybersecurityDevelop, implement, and maintain written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.
“require covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information”
17 CFR 248.30(a)(3)final
USSECcybersecurityInclude in the incident response program procedures to assess the nature and scope of any incident and identify customer information systems and types of customer information that may have been accessed or used without authorization.
“Assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization”
17 CFR 248.30(a)(3)(i)final
USSECcybersecurityInclude in the incident response program procedures to take appropriate steps to contain and control an incident to prevent further unauthorized access to or use of customer information.
“Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information”
17 CFR 248.30(a)(3)(ii)final
USSECcybersecurityInclude incident response program procedures for notifying affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. [adjacent]
“Notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization in accordance with the notification obligations discussed below”
17 CFR 248.30(a)(3)(iii)final
USSECcybersecurityEstablish, maintain, and enforce written policies and procedures for oversight of service providers, including due diligence and monitoring, to ensure service providers safeguard customer information and that affected individuals receive required notices. [adjacent]
“covered institutions will be required to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring of service providers, including to ensure that affected individuals receive any requi”
17 CFR 248.30(a)(5)final
USSECcybersecurityRequire service providers to notify the covered institution of a breach as soon as possible, but no later than 72 hours after the service provider becomes aware that an applicable breach has occurred.
“the final amendments require covered institutions to ensure that their service providers provide notification as soon as possible, but no later than 72 hours after becoming aware that an applicable breach has occurred”
17 CFR 248.30(a)(5)(i)final
USSECcybersecurityAdopt written policies and procedures with administrative, technical, and physical safeguards to protect customer records and information (safeguards rule), now extended to transfer agents. [adjacent]
“The safeguards rule requires brokers, dealers, investment companies, and registered investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards to protect customer records and information”
17 CFR 248.30(a)final
USSECcybersecurityPeriodically review and update incident response assessment and containment procedures to ensure they remain reasonably designed.
“covered institutions generally should consider reviewing and updating the assessment procedures periodically to ensure that the procedures remain reasonably designed”
17 CFR 248.30(a)(3)final
USSECcybersecurityDelay customer notification only upon receiving a written request from the Attorney General that notification poses a substantial risk to national security or public safety, consistent with the Public Company Cybersecurity Rules framework. [adjacent]
“the final amendments will permit covered institutions to delay providing notice after the Commission receives a written request from the Attorney General that this notice poses a substantial risk to national security or public safety”
17 CFR 248.30(a)(4)final
USSECcybersecurityDisclose any material cybersecurity incident on Form 8-K Item 1.05 within four business days of determining the incident is material, describing nature, scope, timing, and impact. [adjacent]
“An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material.”
17 CFR 249.308, Form 8-K Item 1.05; 17 CFR 240.13a-11final
USSECcybersecurityMake a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident. [adjacent]
“a registrant shall make a materiality determination regarding a cybersecurity incident as soon as reasonably practicable after discovery of the incident.”
Form 8-K Item 1.05, Instruction 1final
USSECcybersecurityDisclose in periodic reports (Form 10-K / Form 20-F) the registrant's processes for assessing, identifying, and managing material risks from cybersecurity threats. [adjacent]
“Registrants must describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats.”
17 CFR 229.106(b)final
USSECcybersecurityDisclose in periodic reports the board of directors' oversight of risks from cybersecurity threats. [adjacent]
“Describe the board's oversight of risks from cybersecurity threats.”
17 CFR 229.106(c); Form 20-Ffinal
USSECcybersecurityForeign Private Issuers must describe in Form 20-F management's role in assessing and managing material cybersecurity risks. [adjacent]
“FPIs must: Describe management's role in assessing and managing material risks from cybersecurity threats.”
17 CFR 249.220f; Form 20-Ffinal
USSECcybersecurityA registrant may delay an Item 1.05 Form 8-K filing only where the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. [adjacent]
“A registrant may delay filing as described below, if the United States Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety.”
Form 8-K Item 1.05; 17 CFR 240.13a-11final

Turning this into an operating plan?

Knowing which rules bind you is step one. WSquare Advisory builds the operating capability behind compliance — the continuity, third-party, and recovery disciplines these regimes expect. If that's your challenge, let's talk.

Start a Conversation →