February 2022
July 21, 2023
The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance regarding the MOVEit Transfer Critical Vulnerability. All financial institutions should be assessing the risk to their systems and implementing necessary remediation measures. Financial institutions are encouraged to obtain updates and threat and vulnerability information from CISA and from the vendor's page, MOVEit Managed File Transfer - Support & Learning Resources | Progress.
2022 Annual Audit Reports Due
2023 Oaths and Rosters Due
September 30, 2022
2023 Bank Holidays (PDF)
Cyber Hygiene Vulnerability Scanning
Apache Log4j Vulnerability
October 5, 2021
2022 Bank Holidays (PDF)
March 26, 2021
CISA has issued a new alert on detecting post-compromise threat activity using the CHIRP IOC Detection Tool. The tool assists network defenders in detecting activity related to the supply chain compromise affecting SolarWinds and Active Directory/Microsoft 365. Access the alert here: https://us-cert.cisa.gov/ncas/alerts/aa21-077a
March 16, 2021
UPDATE: Microsoft Exchange Server Vulnerability
CISA has updated Alert AA21-062A regarding the Microsoft Exchange Server Vulnerability with further guidance. The updated Alert may be found here: https://us-cert.cisa.gov/ncas/alerts/aa21-062a
March 12, 2021
Microsoft Exchange Server Vulnerability
CISA Emergency Directive 21-02: The Cybersecurity & Infrastructure Security Agency (CISA) has issued Emergency Directive 21-02 regarding Microsoft Exchange On-Premises Product Vulnerabilities. Additional information may be found here: https://www.cisa.gov/ed2102
All institutions should be assessing their own and vendor exposure to the Microsoft Exchange vulnerability and taking necessary mitigation steps.
February 12, 2021
The Bankers Electronic Crimes Taskforce (BECTF), State Bank Regulators and the United States Secret Service have developed a Ransomware Self-Assessment Tool. The tool was developed to help financial institutions assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security. This tool provides executive management and the board of directors with an overview of the institution's preparedness towards identifying, protecting, detecting, responding, and recovering from a ransomware
December 21, 2020
Alert - SolarWinds Orion Platform Software IT Incident
On December 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding active exploitation of the SolarWinds Orion Platform. See https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software. All financial institutions should be assessing the risk to their systems and implementing necessary remediation measures.
Financial Institutions are encouraged to obtain updates and threat and vulnerability information from the Cybersecurity and Infrastructure Security Agency at http://www.cisa.gov or through the Financial Services Information Sharing and Analysis Center (FS-ISAC) at http://www.fsisac.com.
Below are links to additional resources financial institutions may refer to as they conduct their risk assessments and determine applicable remediation steps.
September 28, 2020
2021 Bank Holidays (PDF)
March 20, 2020
FDIC Coronavirus Information for Bankers and Consumers
Federal Reserve Resources for Coronavirus
March 16, 2020
Department Office Closure Communication
Please see the attached PDF or the instructions below.
Advisory: The physical locations for the Department of Banking and Securities are currently closed. We are maintaining operations through electronic communication. Please review the below information for operational changes during this time.
Branch Operations: Notifications of temporary branch operations changes should follow the same procedures as severe weather incidents. An email indicating which locations are affected, what operations at each location are being changed or limited, the expected duration, and any other relevant information should be sent to your assigned Case Manager or, alternatively, your Exam Field Supervisor.
Mail: Any document that will be mailed to the Bureau of Bank Supervision must also be sent electronically to the following email address: RA-BNBankSupervision@pa.gov. Any bank that sent documents via mail within the last three (3) days should re-send those documents electronically to the aforementioned email address. If you have a concern about documents mailed recently, please contact Sheila Hughes at (717) 783-8240 or email at email@example.com.
Filings/Applications: All checks should continue to be sent to the Bureau of Bank Supervision through regular mail with the original filing. Electronic copies of the original filing and a copy of all applicable checks must be sent electronically to the following email address: RA-BNBankSupervision@pa.gov. General questions regarding filings should be addressed to Sheila Hughes at (717) 783-8240 or email at firstname.lastname@example.org. You may also contact your assigned Case Manager for specific questions:
Jessica Delaney, Case Manager: (717) 503-6179 or email@example.com
Alison Cestello, Case Manager: (412) 565-7519 or firstname.lastname@example.org
Donna Weller, Case Manager: (717) 783-2497 or email@example.com
Examinations: Questions regarding examinations should be directed to the assigned EIC or your Field Supervisor and/or Mary Rutkowski, Field Examinations Chief at (717) 503-5574 and firstname.lastname@example.org.
Jessica Kessock, Field Supervisor: (717) 412-8100 or email@example.com
Michael Goffredo, Field Supervisor: (717) 439-2194 or firstname.lastname@example.org
July 29, 2019
Secretary's Letter on LIBOR Transition (PDF)
The Department urges state-regulated banks, credit unions, and financial services companies to take action and prepare for the replacement of the London Interbank Offered Rate (LIBOR).
February 9, 2018
Deputy Secretary's Letter regarding Internal Audit Programs for Financial Institutions (PDF)
November 13, 2017
Secretary's Letter on Cybersecurity (PDF)
The Department continues to work collaboratively with federal regulators, other states' financial regulators, and other Commonwealth agencies to address cybersecurity challenges.
Federal Government Principles on Responding to Cyber Incidents
A Presidential Policy Directive (PPD-41) released on July 26, 2016, sets forth principles governing the federal government’s response to any cyber incident, whether involving government or private sector entities. For significant cyber incidents, PPD-41 also establishes lead federal agencies and an architecture for coordinating the broader federal government response. Learn more: http://bit.ly/2aeAUtZ
The Federal Financial Institutions Examination Council (FFIEC) members have issued a revised Management booklet, which is part of the FFIEC Information Technology Examination Handbook (IT Handbook). The IT Handbook is available here.
The Department has issued a Deputy Secretary's letter regarding the Accumulated Other Comprehensive Income (AOCI) opt-out election on your institution's March 31, 2015, Call Report. An institution that is not an advanced approaches institution must choose to either opt out or not opt out of the requirement to include most components of AOCI in common equity tier 1 capital. The election is irrevocable. Please review the Deputy Secretary's letter (PDF) for important information.