By Daniel L. Farris
The Federal Financial Institutions Examination Council (“FFIEC”) issued a press release last week “alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion.”
The FFIEC went on to say that “financial institutions should develop and implement effective programs to ensure the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks.” The statement suggests that financial institutions should consider taking the following steps:
- Conduct ongoing information security risk assessments
- Securely configure systems and services
- Protect against unauthorized access
- Perform security monitoring, prevention, and risk mitigation
- Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion
- Implement and regularly test controls around critical systems
- Review, update, and test incident response and business continuity plans periodically
- Participate in industry information-sharing forums
This advice, along with similar statements from the FFIEC in the past, indicates a shift in the FFIEC’s stance on combating cyber attacks in the financial services industry. Banks must be proactive, not reactive, in assessing their cyber defenses, as well as the maturity and efficacy of their risk mitigation plans. Training and education to narrow the cyber-skills gap between sophisticated cyber criminals and a bank’s employees and key contractors are also critical.
The FFIEC statement comes as ransomware attacks are increasing, and on the heels of recently reported distributed denial-of-service attacks tied to extortion, such as those by the group known as DD4BC. In its statement, the FFIEC urges banks to “ensure that their risk management processes and business continuity planning address the risks from these types of cyber attacks, consistent with the risk management practices identified in previous FFIEC joint statements and the FFIEC Information Technology Examination Handbook.”
The FFIEC – which is composed of the Federal Reserve’s Board of Governors, the Consumer Financial Protection Bureau, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, and National Credit Union Administration – indicated that regulators are observing more attacks in which hackers steal private data and ask for ransom, or demand payment to prevent a shutdown of a financial institution’s website.
Banks need to be worried about the rise in extortion-related attacks because cyber criminals typically install malware throughout a network before making it operational, fraud experts say. These exploits often hang around and are difficult to get rid of because they are so hard to pinpoint. What’s worse, once a cyber attack has been successfully inserted into a bank’s web servers or systems, it can be replicated and used to infect others who use the bank’s site or systems, like customers, vendors, partners, and other financial institutions. Risks from cyber attacks involving extortion include “liquidity, capital, operational, compliance and reputation risks, resulting from fraud, data loss, and disruption of customer service.” While a good cyber insurance policy will likely cover the costs associated with cyber-extortion, damage to the bank’s reputation and lost revenue may not be recoverable.
If you or your organization has questions or concerns about the FFIEC’s cyber guidance or the creation and/or implementation of a cybersecurity plan, contact the author or a Polsinelli Privacy and Data Security team member.