On January 16, 2020, the Federal Deposit Insurance Corporation (the “FDIC”) and the Office of the Comptroller of the Currency issued FIL-3-2020, Joint Statement on Heightened Cybersecurity Risk to remind supervised financial institutions of “sound cybersecurity risk management principles” (the “Joint Statement”).
The Joint Statement noted that there is a “heightened risk of cyber-attacks against U.S. targets because of increased geopolitical tension,” which appears to be a reference to recent uncertainty with respect to Iran. In fact, the Department of Homeland Security’s National Terrorism Advisory System recently issued a Bulletin, Summary of Iran-Related Terrorism Threat to the U.S. Homeland, which noted that, among other things, the financial services sector (among other sectors) was a “consistent priorit[y] for Tehran’s malicious operational planning.”
While the immediate impetus for the Joint Statement appears to have been related – at least in part – to current geopolitical concerns regarding Iran, the Joint Statement’s guidance is of general applicability at all times and to all FDIC-insured depository institutions.
The Joint Statement elaborates on existing standards, such as the Interagency Guidelines Establishing Information Security Standards and the FFIEC Statement on Destructive Malware. The Joint Statement emphasizes that cybersecurity risk mitigation tools should focus not only on preventing a cybersecurity risk, but also on promoting resilience in the wake of a realized cybersecurity risk, recognizing that a cybersecurity attack is less a matter of “if” than of “when”:
“While preventive controls are important, financial institution management should be prepared for a worst-case scenario and maintain sufficient business continuity planning processes for the rapid recovery, resumption, and maintenance of the institution’s operations.”
The Joint Statement focuses on several key controls to help protect financial institutions from malicious activity:
- Response, resilience and recovery capabilities.
Digitally segmenting or establishing physical “air gaps” between critical network components and services can reduce the risk that a cybersecurity threat will spread across the network. Banks should also maintain comprehensive and current business resilience plans that address recovery from cyberattacks, as well as have a comprehensive system and data backup strategy.
- Identity and access management.
To protect against “phishing” attacks or other compromises of login or other access management tools, banks should use and validate the effectiveness of identity and access management tools. Among other things, banks should use role-based access controls that limit privileges to those necessary for an individual’s job function. Assigned access should be reviewed regularly to ensure appropriate levels of access on an ongoing basis.
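The two checks the Joint Statement asks for here, role-based access limited to the job function and a regular review of assigned access, can be automated against an access inventory. The following is an added example written for this summary, not code from the FDIC, the OCC or the Joint Statement; the roles, privilege names, users and review dates are constructed sample data for a hypothetical bank. It flags privileges that fall outside what a user's role requires (an unknown role is treated as requiring nothing, so all of its privileges are flagged) and grants whose last review is older than a configurable age.

```python
from dataclasses import dataclass
from datetime import date

# Privileges each job function actually needs. Constructed sample for a
# hypothetical bank; these role and privilege names are assumptions.
ROLE_PRIVILEGES = {
    "teller": {"read_customer", "post_transaction"},
    "loan_officer": {"read_customer", "read_credit_file", "approve_loan"},
    "sysadmin": {"manage_users", "read_audit_log"},
}


@dataclass
class Grant:
    """One user's assigned role, actual privileges and last access review."""
    user: str
    role: str
    privileges: set
    last_reviewed: date


# Constructed access inventory (hypothetical users).
SAMPLE_GRANTS = [
    Grant("alice", "teller", {"read_customer", "post_transaction"}, date(2019, 12, 1)),
    # bob accumulated a privilege his role does not need
    Grant("bob", "teller", {"read_customer", "post_transaction", "approve_loan"}, date(2019, 12, 1)),
    # carol's access has not been reviewed within the review window
    Grant("carol", "loan_officer", {"read_customer", "approve_loan"}, date(2019, 9, 1)),
    # dave holds a role that is not in the role model at all
    Grant("dave", "contractor", {"read_audit_log"}, date(2020, 1, 10)),
]


def review_access(grants, today, max_review_age_days=90):
    """Return findings as (user, finding_type, detail) tuples.

    excess_privilege: privileges outside the user's role (least privilege).
    stale_review: last access review older than max_review_age_days.
    """
    findings = []
    for g in grants:
        # An unknown role maps to no privileges, so every privilege is excess.
        allowed = ROLE_PRIVILEGES.get(g.role, set())
        excess = sorted(g.privileges - allowed)
        if excess:
            findings.append((g.user, "excess_privilege", excess))
        age_days = (today - g.last_reviewed).days
        if age_days > max_review_age_days:
            findings.append((g.user, "stale_review", age_days))
    return findings


def review_sample_grants():
    """Run the review over the constructed inventory as of 16 January 2020."""
    return review_access(SAMPLE_GRANTS, today=date(2020, 1, 16))


if __name__ == "__main__":
    for user, kind, detail in review_sample_grants():
        print(f"{user}: {kind} {detail}")
```

The role model is the control; the review is only as good as the mapping of job functions to privileges, so the `ROLE_PRIVILEGES` table itself should be owned and periodically reapproved by the business, not just by IT.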
- Network configuration and system hardening.
Bank management should review the appropriateness of default system settings, change default user profiles, configure security settings, and implement security monitoring tools. Security updates and system patches are critical to maintaining secure systems and should be implemented in a timely manner.
- Employee training.
The Joint Statement emphasizes the risk of “social engineering,” or the use of human interactions to trick employees into making security mistakes or divulging sensitive information. Banks should conduct ongoing training on recognizing cyberthreats, phishing attempts and suspicious internet links, and should measure the effectiveness of such training programs.
- Security tools and monitoring.
Banks should deploy qualified cybersecurity staff, either in-house or through a third-party service provider, to actively monitor systems for network threat and vulnerability information available from industry sources. The Joint Statement also recommends regularly reviewing system and network audit logs for anomalous activity and implementing a penetration testing program that includes periodic internal and external testing of the bank’s ability to detect and respond to attacks.
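To make the log-review recommendation concrete, the following is an added example written for this summary, not code from the FDIC, the OCC or the Joint Statement. It parses a handful of constructed authentication log lines (the hosts, users, addresses and log format are assumptions, not real audit data) and applies two simple anomaly rules of the kind a monitoring team would run over audit logs: a burst of failed logins for one user from one source within a short window, a successful login right after such a burst, and an off-hours successful login by a privileged account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log for a hypothetical bank. The key=value format,
# hostnames, users and addresses are assumptions made for this example.
SAMPLE_LOG = """\
2020-01-15T09:01:10 host=vpn01 user=alice src=203.0.113.5 action=login result=OK
2020-01-15T09:02:00 host=vpn01 user=bob src=203.0.113.9 action=login result=FAIL
2020-01-15T09:02:05 host=vpn01 user=bob src=203.0.113.9 action=login result=FAIL
2020-01-15T09:02:11 host=vpn01 user=bob src=203.0.113.9 action=login result=FAIL
2020-01-15T09:02:16 host=vpn01 user=bob src=203.0.113.9 action=login result=FAIL
2020-01-15T09:02:20 host=vpn01 user=bob src=203.0.113.9 action=login result=FAIL
2020-01-15T09:02:25 host=vpn01 user=bob src=203.0.113.9 action=login result=OK
2020-01-15T14:30:00 host=core01 user=svc_backup src=10.8.1.20 action=login result=OK
2020-01-16T02:13:04 host=core01 user=admin_carol src=10.8.1.77 action=login result=OK
2020-01-16T10:00:00 host=core01 user=admin_carol src=10.8.1.77 action=login result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_anomalies(events, fail_threshold=5, window=timedelta(minutes=5),
                   business_hours=(8, 18), privileged_prefix="admin_"):
    """Return alerts as (rule, user, src, timestamp) tuples.

    failed_login_burst: fail_threshold failures for (user, src) within window.
    success_after_failure_burst: a success while such a burst is still recent.
    privileged_login_off_hours: a privileged account logs in outside
    business_hours (hour range, end exclusive).
    """
    alerts = []
    recent_fails = defaultdict(list)  # (user, src) -> failure timestamps
    start_hour, end_hour = business_hours
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] != "login":
            continue
        key = (e["user"], e["src"])
        when = e["ts"].isoformat()
        if e["result"] == "FAIL":
            # Keep only failures inside the sliding window, then add this one.
            recent_fails[key] = [t for t in recent_fails[key]
                                 if e["ts"] - t <= window] + [e["ts"]]
            if len(recent_fails[key]) == fail_threshold:
                alerts.append(("failed_login_burst", e["user"], e["src"], when))
            continue
        if e["result"] != "OK":
            continue
        still_recent = [t for t in recent_fails[key] if e["ts"] - t <= window]
        if len(still_recent) >= fail_threshold:
            alerts.append(("success_after_failure_burst", e["user"], e["src"], when))
        recent_fails[key] = []
        if (e["user"].startswith(privileged_prefix)
                and not start_hour <= e["ts"].hour < end_hour):
            alerts.append(("privileged_login_off_hours", e["user"], e["src"], when))
    return alerts


def review_sample_log():
    """Run both rules over the constructed sample log."""
    return find_anomalies(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in review_sample_log():
        print(alert)
```

Thresholds and business hours are deliberately parameters: the right values differ by institution and system, and tuning them against the bank's own baseline is part of what the Joint Statement means by validating the effectiveness of monitoring tools.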
- Data protection.
The Joint Statement notes that banks should maintain a data classification program to identify sensitive and critical data, and that such data should be encrypted or tokenized.