
InfoBytes Blog

Financial Services Law Insights and Observations


  • FFIEC Releases Statements on How Financial Institutions Can Identify and Mitigate Cyber Attacks

    Privacy, Cyber Risk & Data Security

    On March 30, the FFIEC announced two separate statements regarding cyber attacks at financial institutions: Statement on Destructive Malware and Statement on Compromising Credentials. The statements come in light of the growing number of attacks within the past two years and outline how financial institutions can ensure that the risk management processes and business continuity planning in place are sufficient for mitigating attacks and recovering from attacks that do occur. Noting the FFIEC’s existing guidelines for financial institutions, the report includes, but is not limited to, reminders to do the following: (i) securely configure systems and services; (ii) improve information security awareness and training programs; (iii) protect against unauthorized access to systems; (iv) participate in information-sharing forums; and (v) continually conduct information security risk assessments.

    FFIEC Privacy/Cyber Risk & Data Security

  • FFIEC Provides Overview of Cybersecurity Priorities

    Privacy, Cyber Risk & Data Security

    On March 17, the FFIEC released a summary of its cybersecurity priorities for the remainder of 2015. The FFIEC intends to enhance its cybersecurity preparedness in seven main ways: (i) issuing a cybersecurity self-assessment tool that will help institutions to evaluate cybersecurity risk and risk management capabilities; (ii) improving council members’ process for “gathering, analyzing, and sharing information with each other during cyber incidents;” (iii) ensuring that test emergency protocols are set to respond to all cyber incidents in coordination with public-private partnerships; (iv) establishing training programs on developing cyber threats and vulnerabilities; (v) updating the Information Technology Examination Handbook; (vi) increasing focus on technology service providers’ ability to respond to cyber threats; and (vii) collaborating and sharing information with law enforcement and intelligence agencies. The seven action items derive from the FFIEC’s 2014 pilot assessment of cybersecurity readiness at over 500 financial institutions.

    FFIEC Bank Supervision Privacy/Cyber Risk & Data Security

  • FFIEC Releases Updated BSA/AML Examination Manual

    Consumer Finance

    On December 2, the FFIEC announced the release of its revised BSA/AML examination manual. The updated revisions address supervisory expectations and include regulatory changes since the manual’s last publication in 2010. Significantly modified sections of the examination include (i) Suspicious Activity Reporting, (ii) Currency Transaction Reporting, (iii) Foreign Bank and Financial Accounts Reporting, and (iv) Third-Party Payment Processors. The manual is available on the FFIEC BSA/AML InfoBase.

    Anti-Money Laundering Bank Secrecy Act FFIEC Bank Supervision

  • FFIEC Recommends Financial Institutions Join Information Sharing Forum to Mitigate Cyber Risks

    Privacy, Cyber Risk & Data Security

    On November 3, the FFIEC released its observations from a cybersecurity assessment of more than 500 institutions, and recommended that all regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a medium to “identify, respond to, and mitigate cybersecurity threats and vulnerabilities.”  The FS-ISAC is a non-profit information sharing forum created by industry participants to share physical and cybersecurity threat information within the public and private sector. The assessment supplemented regularly scheduled bank examinations and built upon supervisory expectations contained within existing FFIEC information technology guidance.

    FFIEC Privacy/Cyber Risk & Data Security

  • FFIEC Announces Cybersecurity Preparedness Efforts

    Securities

    The Federal Financial Institutions Examination Council (FFIEC) recently announced a series of initiatives aimed at promoting cybersecurity preparedness for community financial institutions throughout the country. One such initiative is the creation of the Cybersecurity and Critical Infrastructure Working Group, which was launched in June 2013 in order to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. This announcement follows the FFIEC’s May 2013 press release that highlighted an emphasis on cybersecurity awareness. The FFIEC press release described a webinar that the FFIEC provided to 5,000 chief executive officers and senior managers from community financial institutions to raise awareness about the pervasiveness of cyber threats, and introduce new vulnerability and risk-mitigation assessments and regulatory self-assessments of supervisory policies and processes.

    FFIEC Privacy/Cyber Risk & Data Security

  • FFIEC Launches Cybersecurity Resources Web Page

    Consumer Finance

    On June 24, the FFIEC unveiled a new web page that will serve as a central repository for current and future FFIEC-related materials on cybersecurity. Although the FFIEC did not release any new resources, the launch shows the continuing focus of banking regulators on emerging cybersecurity risks. The FFIEC noted that the launch coincided with a pilot program through which state and federal regulators will assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience.

    FFIEC Privacy/Cyber Risk & Data Security

  • FFIEC Advises Financial Institutions On "Heartbleed" Risks

    Privacy, Cyber Risk & Data Security

    On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in a commonly used encryption method known as the OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally, the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.

    Vendors FFIEC Privacy/Cyber Risk & Data Security

  • FFIEC Advises Banks On Website, ATM Cyber Attacks

    Privacy, Cyber Risk & Data Security

    On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

    In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.

    FFIEC ATM Privacy/Cyber Risk & Data Security

  • Banking Regulators Finalize Social Media Guidance

    Consumer Finance

    On December 11, the FFIEC, on behalf of the CFPB, the FDIC, the OCC, the Federal Reserve Board, the NCUA, and the State Liaison Committee, released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions and nonbanks supervised by the CFPB. The guidance was finalized largely as proposed. However, in response to stakeholder comments, the regulators clarified certain provisions. For example, the final guidance clarifies that traditional emails and text messages, on their own, are not social media. The final guidance also explains that to the extent consistent with other applicable legal requirements, a financial institution may establish one or more specified channels that customers must use for submitting communications directly to the institution, and that a financial institution is not expected to monitor all Internet communications for complaints and inquiries, but should take into account the results of its own risk assessment in determining the appropriate approach regarding monitoring and responding to communications. The regulators also clarified that the guidance is not intended to provide a “one-size-fits-all” approach; rather financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the institution’s size, complexity, activities, and third party relationships. The final guidance also contains further discussion regarding the application of certain laws and regulations to social media activities, such as the Community Reinvestment Act. Finally, consistent with other recent regulatory initiatives, the final guidance clarifies that prior to engaging with a prospective third party an institution should evaluate and perform due diligence appropriate to the risks posed.

    FDIC CFPB Federal Reserve OCC NCUA FFIEC Social Media Agency Rule-Making & Guidance

  • Comptroller Highlights Emerging Cybersecurity Risks, Discusses OCC and Financial Institution Responses

    Privacy, Cyber Risk & Data Security

    On September 18, in remarks before the Exchequer Club, Comptroller of the Currency Thomas Curry highlighted the emerging operational risks for financial institutions posed by cyberattacks, one of several risk areas identified by the OCC in its recent semiannual report. Comptroller Curry stated that bank cyberattacks have led to only minor disruptions so far, but are evolving and growing with the development and implementation of new technologies. The Comptroller identified the OCC’s and other federal banking agencies’ attempts to address these risks, including through an FFIEC working group created earlier this year. The Comptroller hopes the working group will address cyber issues through changes to examination policy and by supporting increased information sharing and communication between regulated institutions and their regulators, as well as among regulators and other government entities. According to the Comptroller, the OCC currently is engaged in outreach on this issue to all of its regulated institutions, but is especially focused on assisting community banks and thrifts. The Comptroller urged financial institutions, their boards, and senior-level management to be aware of and engaged on the risks posed by cyber threats, including, for example, by considering the potential for new products or strategic business decisions to create new vulnerabilities. He also implored institutions and their leaders to effectively share information, such as through industry cyber threat sharing organizations.

    OCC FFIEC Privacy/Cyber Risk & Data Security
