US banks and financial institutions “must now monitor for” DDoS (distributed denial-of-service) “attacks against their networks and have a plan in place to try and mitigate against such attacks,” as reported by Infoweek. The Federal Financial Institutions Examination Council (FFIEC) issued a “Joint Statement – Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources,” which includes the following 6 steps:
- Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
- Monitor Internet traffic to the institution’s website to detect attacks;
- Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
- Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
- Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and
- Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
The FFIEC comprises the principals of the following: the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.
Only time will tell if the FFIEC’s rules help avoid banking disasters and related cyber fraud.