Sharing of Threat and Vulnerability Information with Financial Institutions

Report Information

Publish Date:
Report sub-type: Evaluation Report
Report Number: EVAL-23-002

Unimplemented Recommendations

Share threat and vulnerability information that is uniquely developed or summarized by the FDIC with financial institutions or other financial sector entities to further strengthen their threat intelligence activities. This includes results from the FDIC’s 2022 Ransomware Horizontal Review and relevant trending and analysis conducted by the Division of Risk Management Supervision.

Conduct training for examiners on the requirements for recording computer-security incidents, the information to include, and specific requirements for Notification Rule incidents.

Conduct a review of computer-security incidents reported since May 1, 2022 to ensure Virtual Supervisory Information on the Net system records are complete and accurate.

Ensure FDIC threat and vulnerability communication procedures facilitate the sharing of unclassified non-cyber related threat and vulnerability information.

Update the Division of Risk Management Supervision Threat and Vulnerability Communication Operating Procedures to:
(1) account for a more appropriate methodology for determining when to share threat and vulnerability information created internally and by other credible sources;
(2) formalize processes for (a) coordinating with the Intelligence and Threat Sharing Unit and accounting for threat and vulnerability information received from the Intelligence and Threat Sharing Unit, (b) coordinating with the Chief Information Officer Organization under the Vulnerability Disclosure Policy program, and (c) coordinating with other FDIC Divisions and Offices that may obtain relevant threat and vulnerability information that requires communication to financial institutions; and
(3) specify the key documents that should be retained to support the Division of Risk Management Supervision threat sharing decisions.

Develop and implement a feedback process for external threat sharing activities.

Develop performance measures to assess the effectiveness of its external threat and vulnerability information sharing activities.

Evaluate and, if necessary, obtain the resources needed for the timely implementation of the recommendations in this report to further mature the FDIC’s threat information sharing program.

Ensure that all data sets within the FDIC that contain relevant threat and vulnerability information are assessed and natural language processing or alternative technological capabilities are considered for enhancing threat and vulnerability information sharing operations.