Industry Letters

Reporting of Malicious Software Intrusions and Web Site Defacements


May 28, 2003

To the Institution Addressed

Attention of the Chief Executive Officer

In order to help ensure the continued safe and sound operation of the banking and financial services system in light of the increasing number of attempts to compromise data processing systems and Internet communications, the New York State Banking Department is requesting your cooperation with the following request.

Specifically, the Banking Department is requesting that all institutions under our supervision report successful, significant penetrations of their computer systems, including web site defacements, and virus, worm, and other malicious software intrusions. We also ask to be immediately notified if your firm notices an increased number of penetration attempts against its computer systems. For banking institutions, notification should normally be e-mailed to the portfolio manager assigned to your institution. For nonbanks, notification should be e-mailed to the deputy of the division that supervises your institution. For both bank and nonbank institutions, a cc to [email protected] should be included. You may also telephone the notification, in lieu of e-mail, if you wish.

It should be emphasized that if such system penetration results in the making of false entries, or the omission of true entries due to penetration of an institution’s automated systems, it may also require a filing under Part 300 of the Superintendent’s Regulations if a bank officer or employee was involved.

The Banking Department will forward these reports, without disclosing the name of the reporting institution, to the NYS Office of Cyber Security and Critical Infrastructure Coordination (CSCIC). CSCIC is the coordinating entity for cyber security for the State of New York and of a multi-state Information Sharing and Analysis Center. By pooling reports of uses of malicious software and hacking attempts, patterns of attack may be discerned in time to take corrective action. CSCIC shares alerts and changes in the cyber threat level with the Banking Department. We at the Department will pass on these alerts to you.

Any questions regarding the aforementioned may be directed to the portfolio manager for your institution.

Very truly yours,

Barbara Kent
Acting Superintendent of Banks