On April 2, 2014, the Federal Financial Institutions Examination Council (“FFIEC”) issued a press release announcing that FFIEC members are issuing joint statements on the risks associated with cyber-attacks on Automated Teller Machine (“ATM”) and card authorization systems and with the continued distributed denial of service (“DDoS”) attacks on websites.
These joint statements highlight the risks that financial institutions may face and outline steps that the FFIEC expects financial institutions to take to mitigate those risks. For example, the FFIEC comments that it is aware of a recent increase in cyber-attacks such as ATM cash-out fraud schemes, which the U.S. Secret Service has characterized as Unlimited Operations. To mitigate the risks posed by these cyber-attacks, the FFIEC emphasizes the need for strong risk management processes and recommends that the following seven (7) steps be taken, as appropriate, by financial institutions: 1) conduct ongoing information security risk assessments; 2) perform security monitoring, prevention, and risk mitigation; 3) protect against unauthorized access; 4) implement and test controls around critical systems regularly; 5) conduct information security awareness and training programs; 6) test incident response plans; and 7) participate in industry information sharing forums.
Similarly, the FFIEC highlights operational risks, reputational risks, as well as fraud losses and liquidity and capital risks associated with DDoS attacks, and emphasizes that it expects financial institutions to address DDoS readiness as part of their ongoing information security and incident response plans. The expected mitigation steps include: 1) maintaining an ongoing program to assess information security risk; 2) monitoring Internet traffic to the institution’s website to detect attacks; 3) activating incident response plans and notifying service providers if the institution suspects a DDoS attack; 4) ensuring sufficient staffing for the duration of the DDoS attack and considering hiring precontracted third-party services for assistance; 5) considering sharing information with organizations; and 6) evaluating any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjusting risk management controls accordingly.
The joint statements also describe resources financial institutions can use to help mitigate the risks posed by these attacks, and serve as a good reminder of the ongoing nature of cyber-threats and the need to implement and manage strong risk management processes and controls.
To read the press release, please access the FFIEC website at http://www.ffiec.gov/press/pr040214.htm.
The joint statements are available at the following websites:
- Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems at http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf.
- Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources at http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf.
Written by Maki DePalo, Associate, Privacy & Data Security | Alston & Bird LLP