In Brief: Customer Records Security Rule Issued

WASHINGTON - Federal bank and thrift regulators released a final rule Thursday establishing guidance for computer security standards to safeguard customer records at financial institutions.

The rule said that each bank must implement a comprehensive written security program that includes administrative, technical, and physical safeguards for customer information. It requires the bank's board of directors to approve and oversee the development of the security program, and said that any program provided by a third party is ultimately the responsibility of the bank.

The rule also requires a bank to provide appropriate training to its staff, to regularly test its key control systems and procedures, and to periodically adjust its security program to account for new threats.

The guidelines enumerate safeguards that banks must consider when establishing computer security programs, including the encryption of electronic customer information, access controls and restrictions, monitoring systems to detect intrusions, and appropriate responses when a security breach is detected. However, banks are not required to implement any of these safeguards.

Regulators argued that it was "critically important" that banks implement these standards because once a problem is detected, it is often too late to avoid damage.

"This is one of those statutes that is very important for people to pay attention to," Office of Thrift Supervision Director Ellen Seidman said last week. "People don't notice this stuff until it bites you, and when it bites you, it bites hard. This rule provides very reasonable and useful guidelines."

The rule was released by the Federal Deposit Insurance Corp., the OTS, the Office of the Comptroller of the Currency, and the Federal Reserve Board.
