Industry Letter

Reporting of Malicious Software Intrusions, Suspicious Websites, Phishing E-Mails and Lost or Stolen Data

July 10, 2008

TO: The Institution Addressed

RE: Reporting of Malicious Software Intrusions, Suspicious Websites, Phishing E-Mails and Lost or Stolen Data (update of Industry Letter dated May 28, 2003)

In order to help ensure the continued safe and sound operation of the banking and financial services system, the New York State Banking Department is asking your cooperation with the following request in light of the increasing number of attempts to access and compromise data by nefarious parties.

All institutions under our supervision are requested to report:

1. Successful penetrations of their computer systems, including website defacements, and virus, worm and other malicious software intrusions.
2. Websites or phishing e-mails that purport to act on behalf of your organization, or related parties.
3. Any lost and/or stolen data that may compromise proprietary information of your institution and your customers.

We also ask to be immediately notified if your firm notices any marked increases in the number of penetration attempts against its computer systems.

Notifications by e-mail, in writing or by phone should be as follows:

1. For banking and trust institutions, notification should be directed to either your on site Central Point of Contact (CPC), or the office portfolio manager assigned to your institution. If unknown, you can find out the name of your CPC or Portfolio Manager by calling either (212) 709-1590 for foreign and wholesale banks, or (212) 709-1510 for community and regional banks.
2. For nonbanks, notification should be directed to the Deputy of the division that supervises your institution. If unknown, you can find out the name of the Deputy of your division by calling either (212) 709-5507 for licensed financial organizations, or (212) 709-5576 for mortgage individuals/organizations.

For both bank and nonbank institutions, a copy of the notification should be e-mailed to [email protected].

It should be emphasized that if such system penetration results in the making of false entries, or the omission of true entries due to unauthorized access of an institution’s automated systems by directors or employees, or if there is an incident relating to a plan or scheme to improperly obtain information by outside parties, it may require a filing under Part 300 of the Superintendent’s Regulations. If the incident is of a serious nature law enforcement authorities should also be contacted.

The Banking Department may forward certain information in these reports to the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC). CSCIC is the coordinating entity for cyber security for the State of New York and for the Multi-State Information Sharing and Analysis Center. By pooling reports of hacking attempts/penetrations patterns of attack may be discerned in time to take corrective action. CSCIC shares alerts with the Banking Department and we in turn share these with our institutions.

Any questions regarding the aforementioned may be directed to the CPC, Portfolio Manager, or Deputy for your institution.

Very truly yours,

Richard H. Neiman
Superintendent of Banks