InfoBytes Blog
FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks
On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions with the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions. Due to the potential financial loss and compliance risk associated with the unauthorized transactions, the statement reminds financial institutions to consider the following steps to ensure compliance with regulatory requirements and FFIEC guidance: (i) establish and maintain an information security risk assessment program that “considers new and evolving threat intelligence related to online accounts and adjust customer authentication, layered security, and other controls in response to identified risks”; (ii) implement and maintain protection and detection systems, including antivirus protection and intrusion detection systems, and properly monitor system alerts; (iii) protect against unauthorized access to critical systems by, among other things, “limiting the number or credentials with elevated privileges across institutions” and establishing authentication rules; (iv) implement and regularly test controls around critical systems, and report test results to senior management, as well as the board of directors, if appropriate; (v) validate business continuity planning and ensure that the institution is able to “quickly recover and maintain payment processing operations”; (vi) strengthen information security awareness by conducting regular and mandatory training; and (vii) participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.
In light of the FFIEC’s statement, the OCC simultaneously released Bulletin 2016-08, cautioning financial institutions that use interbank messaging and wholesale payment networks to take the aforementioned risk mitigation steps.