The Federal Financial Institutions Examination Council (FFIED) warned financial institutions of the increasing frequency and severity of cyber attacks involving extortion resulting from ransomeware, denial of service attacks, and theft of sensitive business and customer information to extort payment and other concessions from victims.
The FFIEC recommends that financial institutions develop and implement programs to ensure that the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks, including:
- Conducting ongoing information security risk assessments
- Securely configuring systems and services
- Protecting against unauthorized intrusions
- Performing security monitoring, prevention, and risk mitigation
- Updating information security awareness and training programs, as necessary, to include cyber attacks involving extortion
- Implementing and regularly testing controls around critical systems
- Reviewing, updating, and testing incident response and business continuity plans periodically
- Participating in industry information sharing forums
FFIEC concluded that if an attack results in unauthorized access to sensitive customer information, the institution has the responsibility to notify its federal and state regulators in accordance with the Interagency Guidelines Establishing Information Security Standards implementing the Graham-Leach-Bliley Act and applicable state laws, and consider filing a Suspicious Activity Report if required.
The FFIEC’s statement was published on November 3, 2015.