FSISEC12: How are you meeting your obligations for incident reporting to regulators? - Financial Services Industry Lens


Various regulations require banking organizations and managed service providers to notify regulators as soon as a cybersecurity incident has been discovered, such as the Final Issuances published by the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC) Cybersecurity Disclosure rules, and the Network and Information Systems (NIS) regulation.

FSISEC12-BP01 Regularly review your incident response plan for regulatory compliance

Organizations that operate in multiple Regions need to be aware of the regulatory requirements of each region they operate in and of any local data residency requirements (such as GDPR). Where local data residency requirements apply, you cannot copy the data to a different Region for analysis purposes. In this case, consider the latency implications if a global team needs to access and analyze data held in a different Region. Consider setting up a local incident response team that can act on the incident in a timely manner and report to local regulators as necessary.

As mentioned before, as part of your incident response plan you should develop playbooks that standardize the response process for cybersecurity incidents. With the ever-changing regulatory requirements of the financial industry and the dynamic nature of cloud environments, it is important to establish a process that regularly reviews the playbooks in use, so that incident and recovery communications are performed as required.
