Why it matters

In a pair of joint statements, the Federal Financial Institutions Examination Council (FFIEC) cautioned financial institutions about cyber attacks compromising credentials and destructive malware. The member agencies reiterated the importance of risk mitigation techniques such as ongoing information security risk assessments, security monitoring, the implementation and testing of controls around critical systems on a regular basis, and conducting awareness and training programs for employees. The FFIEC noted that the days of IT specialists exclusively handling cybersecurity concerns are over, with expectations that management take the necessary steps “to ensure the rapid recovery, resumption, and maintenance of the institution’s operations after a cyber attack.” The regulators also encouraged participation in industry information sharing forums, which “can improve an institution’s ability to identify attack tactics and to successfully mitigate cyber attacks involving destructive malware on its systems.” While the joint statements did not establish new regulatory obligations, financial institutions should review the FFIEC’s alerts and ensure that their data security is in line with the best practices presented in the documents.

Detailed discussion

Financial institutions, take note: Cyber attacks compromising credentials and destructive malware are presenting serious risks, the Federal Financial Institutions Examination Council (FFIEC) warned in a pair of joint statements.

Alerting banks to cyber attacks compromising credentials, the member groups—the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee—noted “an ongoing and increasing trend” by cyber criminals to obtain large volumes of credentials.

After stealing passwords, user names, and e-mail addresses, criminals use that identifying information to authenticate themselves to systems or to steal system credentials. The theft of each type of credential presents different risks, the FFIEC said, ranging from fraud and identity theft using a customer’s account information to access to internal systems using employee credentials, which opens up possibilities like system disruption or modification or the destruction or corruption of data.

How to mitigate risk?

While the statements did not purport to contain any new regulatory expectations (referring financial institutions to the FFIEC Information Technology Examination Handbook, the Interagency Guidelines Establishing Information Security Standard, and the Guidance and Supplement on Authentication in an Internet Banking Environment for specific guidance), the FFIEC did offer some best practices.

“Financial institutions should design multiple layers of security controls to establish several lines of defense,” the regulators wrote, with consideration of additional steps such as:

  • Information security risk assessments. Assessments should be conducted on an ongoing basis to consider new and evolving threats, the FFIEC advised. “Identify, prioritize, and assess the risk to critical systems, including threats to applications that control various system parameters and other security and fraud prevention measures.” Third-party service providers should also be subject to regular testing of their security controls and contractually obligated to provide security incident reports when issues arise.
  • Security monitoring, prevention, and risk mitigation. Financial institutions should first establish a baseline environment so that anomalous behavior can be detected, then monitor protection and detection systems and firewalls. Penetration testing and vulnerability scans should be conducted as necessary and vulnerabilities managed promptly.
  • Unauthorized access. To mitigate risk, the number of credentials—particularly those with elevated privileges—should be limited, with periodic reviews to ensure approvals are appropriate to job function. Stringent expiration periods for unused credentials should be established, as well as authentication rules with multifactor protocols for web-based control panels. Secure connections for remote access of systems and regular changes to the default password and settings for credentials will also help, the FFIEC said.
  • Controls for critical systems. Appropriate controls for critical systems (such as access control, segregation of duties, and fraud detection systems) should be reviewed and tested regularly, with results reported to senior management and the board of directors if necessary. Data in transit—and where appropriate, at rest—should be encrypted, and the number of sign-on attempts for critical systems should be limited, with accounts locked once thresholds are exceeded.
  • Security awareness and training. “Conduct regular, mandatory information security awareness training across the financial institution, including how to identify and prevent successful phishing attempts,” according to the FFIEC. “Ensure training reflects the functions performed by employees.”
  • Information sharing forums. Because threats and tactics can change rapidly, participation in forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) “can improve an institution’s ability to identify attack tactics and to successfully mitigate cyber attacks,” according to the statement.

A second joint statement warned institutions specifically about the dangers of destructive malware, which can be introduced into systems from employees downloading attachments, connecting external drives, or visiting compromised websites.

“An institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption, and maintenance of the institution’s operations after a cyber attack involving destructive malware,” the FFIEC said. “A financial institution should develop appropriate processes that enable recovery of data and business operations and that address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to this type of cyber attack. This should include the ability to protect offline data backups from destructive malware.”

The FFIEC reiterated much of the advice presented in the cyber attack statement, including securely configuring systems and services; reviewing, updating, and testing incident response and business continuity plans; conducting ongoing information security risk assessments; performing security monitoring, prevention, and risk mitigation; protecting against unauthorized access; implementing and regularly testing controls around critical systems; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

To read the statement on Cyber Attacks Compromising Credentials, click here.

To read the FFIEC statement on Destructive Malware, click here.