Cyber Alert: Extortion: FFIEC Puts Institutions On Notice
A rise in the frequency and severity of cyber attacks involving extortion has prompted the FFIEC (Federal Financial Institutions Examination Council) to put financial institutions on notice. The attacks center on distributed denial-of-service (DDoS), theft of sensitive information, and ransomware. Depending on their nature and severity, these attacks can cripple an institution's ability to operate and/or result in the loss of a significant amount of sensitive information. As a result, institutions are urged to put in place programs to protect against, identify, detect, respond to, and recover from such attacks.
To ensure proactive measures are being taken, the FFIEC and other regulatory agencies are recommending that institutions consider the following steps:
- Conduct Ongoing Information Security Risk Assessments – Participate in Industry Information-Sharing Forums
Assessing an institution's risk is a critical phase in examining the viable threats the institution faces and the mitigation strategies available to it, while ensuring that residual risk stays within the institution's risk tolerance and appetite. Reviews should be performed on a regular and ongoing basis, as new threats emerge and/or the frequency of threats increases. Participating in information-sharing groups, such as FS-ISAC and InfraGard, can provide insight into emerging threats, threats other institutions are experiencing, and the mitigation strategies being used to combat the cyber criminals.
- Securely Configure Systems & Services – Protect Against Unauthorized Access – Perform Security Monitoring, Prevention, And Risk Mitigation
As institutions roll out new systems and services (both internally and externally), the security of those systems should be of the utmost importance. Strong security controls around all systems should be in place to protect the institution and the sensitive information it maintains. The controls should be focused on the mitigation and prevention of cyber-related attacks. These systems, along with the bank's infrastructure, should also have appropriate monitoring tools in place to identify and detect anomalies that could indicate a potential attack, unauthorized access, or the compromise of a system, network, or information.
- Update Information Security Awareness & Training Programs
Employees at all levels are an institution's weakest link. Employees hold access to the very sensitive information organizations are attempting to protect: while tools are put in place to protect that information, employees still require access to it to perform their job functions. To combat the risk employees pose, institutions should ensure that they are adequately training their employees on a regular and ongoing basis. Baseline assessments should be conducted to test and confirm the effectiveness of the training. As the threats increase and evolve, the training should be tailored to those threats.
- Review, Update & Test Incident Response & Business Continuity Plans
Attacks are going to happen; it's the nature of the world in which we live. Being prepared for such an event can greatly reduce the exposure and harm caused to an institution and its customer base. In order to be prepared, proper planning is critical. While having an incident response plan is the first hurdle, testing, training, and evolving the plans are vital. Without proper knowledge and training, the plans that have been established are useless. On a regular basis, exercises of increasing complexity should be completed to ensure the validity of the established plans. Based on the results of those exercises, new threats, and new risks, the plans should be updated accordingly.
These recommendations are the initial baseline steps institutions should consider when developing a global cyber security strategy. Global buy-in from the organization and top-level support are critical to ensuring the protection of the institution and the sensitive information it houses. Building an overall global strategy to address the evolving cyber threats will assist financial institutions in protecting their sensitive information.
FFIEC Release: https://www.ffiec.gov/press/PDF/FFIEC_Joint_Statement_Cyber_Attacks_Involving_Extortion_-_Interactive_Ve%20%20%20.pdf
For additional information contact the author Jeffrey J. Johns at jjohns@fosaudit.com.