The Risk Advisory Services Team spends most of our time working with community banks. Occasionally when something in the banking environment needs discussing, we’ll discuss it here. Even if you’re not in banking, we presume you, your business, or your employer has a banking relationship with a financial institution. So here is some insight about how the banking industry works to keep your money safe.
FFIEC Releases a Number of Alerts on IT and Cybersecurity
The Federal Financial Institutions Examination Council (FFIEC) has issued three press releases in 2014 on cybersecurity and IT risks affecting financial institutions. In addition, on May 7 the FFIEC held a webinar for approximately 5,000 community bank CEOs and senior managers to raise awareness of how pervasive cybersecurity threats have become, to discuss the role of executive management in managing those threats, and to share the actions the FFIEC has taken.
In the webinar, the FFIEC outlined the following key focus areas and responsibilities of senior management and boards of directors in assessing their institutions’ ability to identify and mitigate cybersecurity risk:
- Setting the tone from the top and building a security culture;
- Identifying, measuring, mitigating, and monitoring risks;
- Developing risk management processes commensurate with the risks and complexity of the institutions;
- Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future;
- Creating a governance process to ensure ongoing awareness and accountability; and
- Ensuring timely reports to senior management that include meaningful information addressing the institution’s vulnerability to cyber risks.
Other IT Security and Cybersecurity Issues
OpenSSL Heartbleed Vulnerability (April 10, 2014)
This alert notified financial institutions of a vulnerability in unpatched OpenSSL versions 1.0.1 through 1.0.1f. The bug is a memory-disclosure flaw: a remote attacker can read portions of the server’s memory over the network, which may include data from individual user connections and the server’s private key used to secure those communications. The FFIEC recommends financial institutions upgrade to a patched version of OpenSSL (1.0.1g or later). Financial institutions are also expected to monitor vendor efforts to remediate this vulnerability and should consider obtaining a new private key to secure future communications; in practice that also means reissuing the certificate and revoking the old one, since the exposed key cannot be trusted even after the library is patched.
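A first step in acting on this alert is an inventory sweep: which hosts report an OpenSSL build in the affected range? The following Python script is an added example written for this post, not FFIEC or OpenSSL project code. It parses OpenSSL version strings (including the letter suffix OpenSSL 1.0.x used, and the 1.0.2-beta1 pre-release that the OpenSSL advisory also listed as affected) and flags hosts in the 1.0.1 through 1.0.1f range. The host names and version strings in `SAMPLE_INVENTORY` are constructed for illustration.

```python
import re
import ssl

# Accepts strings such as "OpenSSL 1.0.1e-fips 11 Feb 2013", "1.0.2-beta1"
# or "OpenSSL 3.0.13 30 Jan 2024". The "OpenSSL " prefix is optional so that
# raw version numbers from a spreadsheet also parse.
OPENSSL_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?"
)


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, beta) from an OpenSSL version string."""
    m = OPENSSL_VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)  # "" when there is no letter suffix, e.g. plain 1.0.1
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, letter, beta


def is_heartbleed_version(text):
    """True if the version string falls in the range the FFIEC alert describes.

    Affected: 1.0.1 (no suffix) through 1.0.1f, fixed in 1.0.1g. The OpenSSL
    advisory also lists the 1.0.2-beta1 pre-release; the 1.0.0 and 0.9.8
    branches never contained the heartbeat code.
    """
    major, minor, patch, letter, beta = parse_openssl_version(text)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) sorts before "a"
    if (major, minor, patch) == (1, 0, 2):
        return beta is not None       # 1.0.2-beta1 affected, 1.0.2 release not
    return False


# Constructed inventory for illustration (host name, reported OpenSSL version).
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("vpn-01", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("lb-01", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("mail-01", "OpenSSL 0.9.8y 5 Feb 2013"),
]


def hosts_needing_patch(inventory):
    """Return the host names whose reported version is in the affected range."""
    return [host for host, version in inventory if is_heartbleed_version(version)]


def local_openssl_status():
    """Check the OpenSSL this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, is_heartbleed_version(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print("hosts to patch:", hosts_needing_patch(SAMPLE_INVENTORY))
    print("this interpreter:", local_openssl_status())
```

Two caveats apply to any version-string check. Some Linux distributions backport the fix without bumping the version string, so a host reporting 1.0.1e may already be patched; confirm against the vendor’s package changelog (on RPM systems, for example, `rpm -q --changelog openssl` and look for the CVE identifier). Conversely, a build compiled with heartbeats disabled reports an affected version but is not exploitable. The script is a triage list, not a verdict.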
Cyberattack Alert on ATMs and Card Authorization Systems (April 2, 2014)
This alert was released to notify financial institutions of large dollar value ATM cash-out frauds identified by the Secret Service. These frauds allowed criminals to withdraw funds beyond the cash balance in a customer’s account or beyond other control limits typically applied to ATM transactions. The intrusions began with phishing emails sent to employees; the emails installed malware that captured the credentials used to access the institution’s card authorization and ATM control systems, and the criminals then used those credentials to get around the withdrawal controls. The FFIEC recommends institutions review the FFIEC Information Technology Examination Handbook, in particular the Retail Payment Systems booklet.
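The defining signal of this fraud is that the authorization system approved withdrawals it should have declined. Because that system is the one the attackers controlled, its own limit settings cannot be trusted; the useful detection re-checks each approval against an independent reference (balances and limits from the core banking system). The Python below is an added example written for this post, not code from the FFIEC, the Secret Service or any vendor. The authorization log lines in `SAMPLE_AUTH_LOG` and the reference balances in `REFERENCE_LIMITS` are constructed, and the column layout is an assumed simplification of a real authorization feed.

```python
import csv
from collections import defaultdict
from decimal import Decimal
from io import StringIO

# Constructed authorization log: timestamp, account, ATM terminal, amount, decision.
SAMPLE_AUTH_LOG = """\
timestamp,account,terminal,amount,decision
2014-03-29T01:02:11Z,ACCT-1001,ATM-7731,400.00,approved
2014-03-29T01:05:40Z,ACCT-1001,ATM-7731,400.00,approved
2014-03-29T01:09:03Z,ACCT-1001,ATM-2210,600.00,approved
2014-03-29T02:15:00Z,ACCT-2002,ATM-7731,200.00,approved
2014-03-29T02:16:30Z,ACCT-2002,ATM-7731,200.00,declined
2014-03-30T09:00:00Z,ACCT-2002,ATM-0005,100.00,approved
"""

# Constructed reference data, standing in for balances and limits pulled from
# the core banking system rather than from the (possibly tampered) authorization host.
REFERENCE_LIMITS = {
    "ACCT-1001": {"balance": Decimal("1250.00"), "daily_limit": Decimal("500.00")},
    "ACCT-2002": {"balance": Decimal("300.00"), "daily_limit": Decimal("300.00")},
}


def find_cashout_anomalies(log_text, reference):
    """Replay approved withdrawals against independent balances and daily limits.

    Returns one finding per approval that the reference data says should have
    been declined, in log order. Declined transactions are skipped: the
    control worked there.
    """
    balance = {acct: ref["balance"] for acct, ref in reference.items()}
    withdrawn_today = defaultdict(Decimal)  # (account, date) -> running total
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["decision"] != "approved":
            continue
        acct = row["account"]
        amount = Decimal(row["amount"])
        day = row["timestamp"][:10]
        finding = {
            "timestamp": row["timestamp"],
            "account": acct,
            "terminal": row["terminal"],
            "amount": amount,
            "reasons": [],
        }
        if acct not in reference:
            # An approval for an account the core system does not know about
            # is itself suspicious and cannot be checked further.
            finding["reasons"].append("account absent from core reference")
            findings.append(finding)
            continue
        if amount > balance[acct]:
            finding["reasons"].append("approved beyond available balance")
        withdrawn_today[(acct, day)] += amount
        if withdrawn_today[(acct, day)] > reference[acct]["daily_limit"]:
            finding["reasons"].append("approved beyond daily withdrawal limit")
        balance[acct] -= amount
        if finding["reasons"]:
            findings.append(finding)
    return findings


def terminals_involved(findings):
    """Sorted list of ATM terminals that dispensed cash on a flagged approval."""
    return sorted({f["terminal"] for f in findings})


if __name__ == "__main__":
    for f in find_cashout_anomalies(SAMPLE_AUTH_LOG, REFERENCE_LIMITS):
        print(f["timestamp"], f["account"], f["terminal"], f["amount"], "; ".join(f["reasons"]))
    print("terminals:", terminals_involved(find_cashout_anomalies(SAMPLE_AUTH_LOG, REFERENCE_LIMITS)))
```

Run against the sample log, the first withdrawal from ACCT-1001 is clean, the second breaches the daily limit, and the third is approved against a balance that no longer covers it, which is exactly the pattern the alert describes. The design point is the separation of data sources: a check that reads limits from the same host the attacker controls will agree with whatever the attacker set.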
Distributed Denial-of-Service Attacks (April 2, 2014)
This alert notified financial institutions of the risks associated with distributed denial-of-service (DDoS) attacks on public websites. The alert identified risk mitigation steps, including maintaining an ongoing program to assess information security risk, monitoring internet traffic to detect attacks, and keeping incident response plans that cover how an attack will be contained and remediated.