United States: House Committee Asks Federal Reserve About Reported Cyber Incidents

House Committee on Science, Space and Technology Chairs Lamar Smith (R-TX) and Barry Loudermilk (R-GA) ("Committee leadership") requested information and a briefing on "recent media reports" of over 50 cyber breaches between 2011 and 2015 detected by the Federal Reserve's National Incident Response Team ("NIRT").

Committee leadership voiced concern over a Reuters' report that "Federal Reserve officials suspected hackers or spies [were] responsible for multiple incidents" and that the NIRT's incident reports do not determine whether the hackers obtained sensitive information or stole money. Committee leadership seeks information as to whether the incidents that involved espionage could refer not only to "threats from foreign governments" but also to "spying by private individuals or companies."

Committee leadership asserted that the Federal Information Security Modernization Act of 2014 requires Executive Branch departments and agencies to report "major" security incidents to Congress within seven days. Further, they noted, on October 30, 2015, the Office of Management and Budget released guidelines for determining whether an incident should be classified as a "major" security breach. Committee leadership asked the Federal Reserve to provide the following information for the period from January 1, 2009 to the present in order to assist their oversight of the Federal Reserve's "cybersecurity posture and its response to the security incidents":

• all cybersecurity incident reports created by NIRT and local cybersecurity teams;
• a detailed description of all confirmed cybersecurity incidents;
• all documents and communications that refer or relate to higher-impact cases handled by NIRT or local cybersecurity teams;
• all documents and communications that relate to NIRT policies and procedures for responding to cybersecurity incidents, including the incident guide; and
• an organizational chart for the Office of the Chief Information Officer, the Office of the Chief Information Security Officer and NIRT.

Committee leadership asked the Federal Reserve to submit the information listed above by no later than 12:00 p.m. on June 17, 2016.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.