The Federal Financial Institutions Examination Council (FFIEC) reiterated the importance of banks protecting themselves from cyber attacks in a newly issued statement, urging financial institutions to "actively manage the risks associated with interbank messaging and wholesale payment networks" in light of recent attacks.
This latest statement from the FFIEC (whose members include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, and the State Liaison Committee) is consistent with earlier versions: cybersecurity is important. The FFIEC issued it in the wake of recent attacks against interbank networks and wholesale payment systems, including those earlier this year in which attackers used fraudulent payment messages to attempt transfers of almost $1 billion. It does not contain new regulatory expectations, but it calls for more time and attention in protecting certain key areas of banking operations.
"Financial institutions should review their risk management practices and controls over information technology (IT) and wholesale payment systems networks, including authentication, authorization, fraud detection, and response management systems and processes," according to this latest statement. "The FFIEC members emphasize that participants in interbank messaging and wholesale payment networks should conduct ongoing assessments of their ability to mitigate risks related to information security, business continuity, and third-party provider management."
What else can banks do to protect themselves? The FFIEC statement suggests that institutions review their risk management practices (including services provided to clients), refer to prior FFIEC guidance on regulatory expectations for IT risk management, and review and adhere to the technical guidance issued by payments and settlement networks for managing and controlling risks to critical systems.
The recent attacks have demonstrated the capacity to compromise a financial institution's wholesale payment origination environment and bypass its information security controls. In these attacks, the intruders obtained and used valid operator credentials, deployed malware that disabled security logging and reporting in order to conceal the fraudulent transactions and delay their detection, and moved the stolen funds across multiple jurisdictions quickly so that recovery would be difficult.
To avoid being the next victim, the FFIEC statement said institutions should use multiple layers of security controls to establish several lines of defense, including the following:
- Conduct ongoing information security risk assessments. Financial institutions should "[i]dentify, prioritize, and assess the risk to critical systems, including threats to applications that control various system parameters and other security and fraud prevention measures," as part of an ongoing information security risk assessment program. A close eye should be kept on third-party service providers, the Council noted: effective risk management controls should be in place, the providers' security controls should be tested regularly against simulated risk scenarios, and contracts should obligate providers to deliver security incident reports when issues arise that may affect the institution.
- Perform security monitoring, prevention, and risk mitigation. Intrusion detection systems and antivirus protection should be up-to-date, with firewalls properly configured and reviewed periodically. After a baseline environment has been established, system alerts should be monitored to detect anomalous behavior. Due diligence must be conducted on third-party software and services, with penetration testing and vulnerability scans performed as necessary, and vulnerabilities managed based on risk (such as implementing patches for applications or systems).
- Protect against unauthorized access. The FFIEC reminded banks to limit the number of credentials with elevated privileges, especially administrator accounts. Access rights should be reviewed periodically, with "stringent" expiration periods for unused credentials and prompt termination of unused or unwarranted credentials. Authentication rules and multifactor authentication are important; financial institutions also need to change default passwords and settings, review those settings on a regular basis, and ensure that secure connections are used whenever systems are accessed remotely.
- Implement and test controls around critical systems regularly. The FFIEC advised institutions to "[t]est the effectiveness and adequacy of controls periodically," with test results reported to senior management and, if appropriate, the Board of Directors. Other suggested controls included an adequate password policy, encryption of sensitive data in transit (and, in certain circumstances, at rest), and backups of important files, with the backed-up data stored offline.
- Manage business continuity risk. Banks must validate that their business continuity planning "supports the institution's ability to quickly recover and maintain payment processing operations," the FFIEC said, with testing performed and coordination with other industry players.
- Enhance training and participate in information sharing. Regular, mandatory information security awareness training programs need to be held across the financial institution, the Council urged, covering topics such as how to identify and prevent successful phishing attempts. Banks should also build information sharing with other financial institutions and service providers into their risk mitigation strategies, for example through the Financial Services Information Sharing and Analysis Center (FS-ISAC).
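Two of the layers above lend themselves to concrete checks: monitoring for anomalous behavior against an established baseline (the "security monitoring" layer, aimed squarely at the attack step in which malware silenced security logging), and reviewing privileged credentials against an expiration period (the "unauthorized access" layer). The following Python script is an added illustration of both; it is not part of the FFIEC statement or of this article. The log lines, account records, source names (payment-gw, edr-agent) and thresholds are all constructed for the example.

```python
"""Illustrative controls for two FFIEC layers (constructed example).

1. silent_sources(): learn each log source's median inter-event interval
   from a baseline window, then flag any source whose silence since its
   last event exceeds `factor` times that baseline. A security agent that
   stops reporting while the payment gateway keeps logging is exactly the
   'disable security logging' pattern described in the recent attacks.
2. stale_privileged(): list privileged accounts that have not been used
   within `max_idle_days` (or never), i.e. candidates for termination
   under a stringent expiration policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed audit-log lines: "<ISO-8601 UTC timestamp> <source> <message>".
# The edr-agent source stops at 08:04 while payment activity continues.
SAMPLE_LOG = """\
2016-06-07T08:00:00Z payment-gw operator jdoe logged in
2016-06-07T08:05:00Z payment-gw message queued
2016-06-07T08:10:00Z payment-gw message queued
2016-06-07T08:15:00Z payment-gw message queued
2016-06-07T08:20:00Z payment-gw message queued
2016-06-07T08:00:00Z edr-agent heartbeat host=ops-01
2016-06-07T08:01:00Z edr-agent heartbeat host=ops-01
2016-06-07T08:02:00Z edr-agent heartbeat host=ops-01
2016-06-07T08:03:00Z edr-agent heartbeat host=ops-01
2016-06-07T08:04:00Z edr-agent heartbeat host=ops-01
"""

# Constructed account inventory: (username, privileged, last_used or None).
ACCOUNTS = [
    ("jdoe", False, "2016-06-06T17:00:00Z"),
    ("ops-admin", True, "2016-06-01T09:00:00Z"),
    ("legacy-svc", True, "2016-01-15T09:00:00Z"),
    ("vendor-tmp", True, None),  # provisioned, never used
]


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_log(text):
    """Group event timestamps by log source."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, source, _message = line.split(" ", 2)
        events[source].append(parse_ts(ts))
    return events


def silent_sources(events, now, factor=5.0, min_events=3):
    """Return {source: {'baseline_s', 'silent_s'}} for sources gone quiet.

    The baseline is the median gap between consecutive events; a source is
    flagged when the time since its last event exceeds factor * baseline.
    Sources with too few events to establish a baseline are skipped.
    """
    findings = {}
    for source, stamps in events.items():
        stamps = sorted(stamps)
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        baseline = median(gaps)
        silent = (now - stamps[-1]).total_seconds()
        if silent > factor * baseline:
            findings[source] = {"baseline_s": baseline, "silent_s": silent}
    return findings


def stale_privileged(accounts, now, max_idle_days=30):
    """Return [(username, idle_days_or_None)] for privileged accounts that
    exceed the idle limit or have never been used."""
    stale = []
    for user, privileged, last_used in accounts:
        if not privileged:
            continue
        if last_used is None:
            stale.append((user, None))
            continue
        idle = now - parse_ts(last_used)
        if idle > timedelta(days=max_idle_days):
            stale.append((user, idle.days))
    return stale


if __name__ == "__main__":
    now = parse_ts("2016-06-07T08:30:00Z")
    for source, info in silent_sources(parse_log(SAMPLE_LOG), now).items():
        print(f"ALERT: {source} silent for {info['silent_s']:.0f}s "
              f"(baseline interval {info['baseline_s']:.0f}s)")
    for user, days in stale_privileged(ACCOUNTS, now):
        print(f"REVIEW: privileged account {user} idle "
              f"{'never used' if days is None else f'{days} days'}")
```

Run at the constructed "now" of 08:30, the script flags edr-agent (baseline interval 60 seconds, silent for 26 minutes) while payment-gw, whose five-minute cadence puts its ten-minute gap inside tolerance, stays quiet, and it lists legacy-svc and vendor-tmp for termination review. The factor and idle thresholds are policy choices an institution would tune against its own baseline, not values from the FFIEC statement.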
Why it matters
The FFIEC used this latest statement to reemphasize the importance of continued risk mitigation against cyber attacks. Although some banks have already revisited their risk management practices in light of the attacks earlier this year, the FFIEC outlined specific steps for financial institutions to consider when evaluating their interbank messaging and wholesale payment networks, including security monitoring and control testing, protection against unauthorized access, and participation in industry information sharing forums.