2015-10-13
The Board of Governors of the Federal Reserve System is expanding its Emergency Communications System to include designated cyber emergency contacts at all supervised financial institutions. This enhancement aims to improve communication capabilities during cyber emergencies by requiring institutions to register specific employees capable of responding to such threats. The registration process involves Reserve Banks coordinating with institutions to collect contact details, which will be periodically validated by ECS staff at the Federal Reserve Bank of St. Louis.
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF BANKING SUPERVISION AND REGULATION
DIVISION OF CONSUMER AND COMMUNITY AFFAIRS

SR 15-10
CA 15-8
October 13, 2015

TO: OFFICERS IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK AND TO INSTITUTIONS SUPERVISED BY THE FEDERAL RESERVE

SUBJECT: Expansion of the Federal Reserve’s Emergency Communications System

Applicability: This letter applies to all institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.

The Federal Reserve is issuing this letter to announce an expansion of its Emergency Communications System (ECS), a service which maintains a database of emergency contacts, to include contact information of employees at Federal Reserve-supervised financial institutions who are capable of receiving and acting upon cyber emergencies (referred to as “designated cyber emergency contacts”). The Federal Reserve has previously issued guidance to highlight the supervisory practices that the Federal Reserve can employ when financial institutions and their borrowers and other customers are affected by a major disaster or emergency.[1]

In response to heightened efforts by cyber criminals to penetrate financial institutions, the Federal Reserve has decided to enhance its communications capabilities by expanding the ECS database of emergency contact information, which is currently maintained by the Federal Reserve Bank of St. Louis. In the coming weeks, ECS staff will be working with representatives from each Reserve Bank to contact supervised financial institutions to identify and register designated cyber emergency contact(s).

Emergency Communications System (ECS) Function

In 2008, the Federal Reserve developed the ECS to maintain business contact information that could be used by the Federal Reserve to communicate with supervised institutions during a natural disaster or an operational outage emergency. By developing and maintaining the database of emergency contacts, ECS staff have facilitated communications between supervised institutions and federal and state regulators during emergencies such as ice storms, floods, hurricanes, blizzards, and a dam breach. When combined with standard communication tools, such as email, ZixMail (for secure communications), or telephone, the ECS enables the Federal Reserve to establish and maintain communications with supervised institutions during natural disasters, infrastructure outages, or cyber emergencies.

In response to a local or regional event, Reserve Banks may use the ECS to contact supervised institutions in their districts. The authority to issue a nationwide emergency message resides with the Directors in the Board’s Divisions of Banking Supervision and Regulation and Consumer and Community Affairs.

ECS Registration Process

Each Reserve Bank should designate a primary contact (referred to as the “Reserve Bank ECS contact”) who will work with ECS staff to obtain the cyber emergency contact data for the district’s supervised institutions. ECS staff will work with the Reserve Bank ECS contacts to notify supervised financial institutions and begin the registration of an institution’s designated cyber emergency contact(s).[2] The registration process requires each designated emergency contact to create a secure user identification and password and provide his or her name and business email, address, and telephone number.

Testing and Validation of An Institution’s Designated Cyber Emergency Contact

ECS staff conducts periodic testing to ensure the validity of contact information stored with ECS. The routine testing of ECS includes verification of a contact’s business phone number(s) and email address and confirmation of the delivery of test messages to resolve any delivery issues.

Reserve Bank Coordination

ECS will be operated by staff at the Federal Reserve Bank of St. Louis. Federal Reserve Banks will be working with the ECS staff to obtain the necessary cyber emergency contact information for supervised institutions in their respective Districts. All questions concerning registration and operational matters should be directed to the ECS Support Line at ecs.support@stls.frb.org or 1-877-327-5333. In addition, institutions may send questions via the Board’s public website.[3]

Michael S. Gibson
Director
Division of Banking Supervision and Regulation

Eric S. Belsky
Director
Division of Consumer and Community Affairs

Cross references to:
• SR letter 13-6/CA letter 13-3, “Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency”

[1] Refer to SR letter 13-6/CA letter 13-3, “Supervisory Practices Regarding Banking Organizations and their Borrowers and Other Customers Affected by a Major Disaster or Emergency.”
[2] Board BS&R staff and ECS staff will develop internal guidelines to assist Reserve Banks in implementing the ECS registration process and messaging system.
[3] See: http://www.federalreserve.gov/apps/contactus/feedback.aspx.