In The News

FFIEC Press Releases:


March 30, 2015

FFIEC Statement on Destructive Malware

Over the past two years, cyber attacks on businesses have increased in frequency and severity. In some cases, destructive malware used in these attacks successfully compromised large quantities of data and rendered supporting systems inoperable. Malware can be introduced into systems through a variety of mechanisms, including through employees downloading attachments in phishing or spear-phishing emails, connecting external devices (e.g., USB drives), or visiting compromised Web sites, or through unauthorized parties using stolen employee or third-party credentials to install malware directly on systems. Once introduced, destructive malware may be further distributed through compromised enterprise system management technologies.

Financial institutions should ensure that their risk management processes and business continuity planning address the risk from this type of cyber attack consistent with the risk management guidance contained in the FFIEC IT Examination Handbook, specifically the booklets on “Business Continuity Planning” and “Information Security” and their appendixes, such as Appendix J, Strengthening the Resilience of Outsourced Technology Services.

An institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption, and maintenance of the institution’s operations after a cyber attack involving destructive malware. A financial institution should develop appropriate processes that enable recovery of data and business operations and that address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to this type of cyber attack. This should include the ability to protect offline data backups from destructive malware.


March 30, 2015

FFIEC Statement on Cyber Attacks Compromising Credentials

Recent reports indicate an ongoing and increasing trend of attacks by cyber criminals to obtain large volumes of credentials. These attacks include theft of users’ credentials—such as passwords, usernames, e-mail addresses—and other forms of identification used by customers, employees, and third parties to authenticate themselves to systems as well as theft of system credentials, such as certificates.

User credentials can be stolen in many ways, including phishing and spear-phishing, malvertising, watering holes, and web-based attacks. Stolen credentials are often sold in cyber-criminal forums and then used to commit fraud through account takeovers and identity theft. Users may significantly increase exposure by creating usernames and passwords that are easy to guess or using the same usernames and passwords to access accounts on multiple Web sites.

Financial institutions should design multiple layers of security controls to establish several lines of defense and ensure that their risk management processes also address the risk posed by compromised credentials, consistent with the risk management guidance contained in the FFIEC IT Examination Handbook, specifically the “Information Security,” “Outsourcing Technology Services,” and “Retail Payment Systems” booklets.


FFIEC Cybersecurity Initiatives:


March 17, 2015

FFIEC Focuses on Cybersecurity, Will Debut Self Assessment Tool

The priorities include seven workstreams that stem from last year’s pilot assessment of cybersecurity readiness at more than 500 financial institutions. The planned work includes the development and issuance of a self-assessment tool that financial institutions can use to evaluate their readiness to identify, mitigate and respond to cyber threats. The FFIEC also will enhance their incident analysis, crisis management, training, and policy development and expand their focus on technology service providers’ cybersecurity preparedness. Additionally, the FFIEC will continue to improve its collaboration with other agencies and communicate on the importance of cybersecurity awareness and best practices among financial industry participants and regulators.

Cybersecurity Self-Assessment Tool — The FFIEC plans to issue a self-assessment tool this year to assist institutions in evaluating their inherent cybersecurity risk and their risk management capabilities.


November 3, 2014

FFIEC Releases Cybersecurity Assessment Observations, Recommends Participation in Financial Services Information Sharing And Analysis Center (FS-ISAC)

During the summer of 2014, FFIEC members piloted a cybersecurity assessment at more than 500 community institutions to evaluate the institutions’ preparedness to mitigate cybersecurity risks. The assessment supplemented regularly scheduled exams and built upon key supervisory expectations contained within existing FFIEC information technology handbooks and other regulatory guidance. The “FFIEC Cybersecurity Assessment General Observations,” released today, provides themes from the assessment and suggests questions that chief executive officers and boards of directors may consider when assessing their institutions’ cybersecurity preparedness.

FDIC Cyber Challenge: A Community Bank Cyber Exercise

The FDIC created “Cyber Challenge: A Community Bank Cyber Exercise” to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions. The Cyber Challenge provides institutions with the materials necessary to conduct short exercises or facilitated discussions around four operational risk-related scenarios. The Cyber Challenge is not a regulatory requirement; it is a technical assistance product designed to assist with the assessment of operational readiness capabilities.

The Cyber Challenge exercise is designed to facilitate discussion between financial institution management and staff about operational risk issues. The exercise can provide valuable information about an institution’s current state of preparedness and identify opportunities to strengthen resilience to operational risk.

The Cyber Challenge consists of four short video vignettes and related challenge questions. Each video vignette depicts a unique scenario. The challenge questions for each vignette are designed to facilitate discussion about how the bank would respond to the scenario. Also included are lists of reference materials where participants can obtain additional information.

  • Vignette 1 presents an item processing failure scenario. A new item processing service provider cannot process the volume of transactions generated by the bank.
  • Vignette 2 presents a customer account takeover where unauthorized withdrawals occur from a corporate customer’s account.
  • Vignette 3 presents a phishing and malware problem. A bank employee receives a phishing email that appears to come from the bank president. The employee opens the email, and the bank’s network is infected with malware.
  • Vignette 4 presents a problem with the bank’s technology service provider. Problems occur after the financial institution’s service provider performs an update.




Susan E. Orr, CISA, CISM, CRP, CRISC


  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Risk Professional (CRP)
  • Certified in Risk and Information Systems Control (CRISC)