Amid the recent increase in hacker extortion cases, the Federal Financial Institutions Examination Council (“FFIEC”) issued a statement on November 3 (the “Statement”) describing steps financial institutions should take to mitigate the risks posed by such hacker attacks. The FFIEC, empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, did not create any new regulatory expectations in the Statement, which is intended instead to alert financial institutions to specific threats associated with cyber-attacks involving extortion.
The FFIEC reminded regulated financial institutions of prior FFIEC guidance on measures that should be taken to mitigate hacker risks. In addition to bolstering IT security and monitoring, the FFIEC recommends that financial institutions participate in industry information-sharing forums in order to keep abreast of evolving hacker threats. The Statement encourages institutions victimized by a cyber-attack to contact law enforcement authorities and to notify their primary regulators. When an attack results in unauthorized access to sensitive customer information, the institution is responsible for notifying its federal and state regulators under the interagency guidelines implementing the Gramm-Leach-Bliley Act, and it may also be required, or may elect, to file a Suspicious Activity Report.
A copy of the Statement is available here.