Tuesday, November 24, 2015
The Federal Financial Institutions Examination Council (FFIEC) members issued a statement alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion. The statement describes steps financial institutions should take to respond to these attacks and highlights resources institutions can use to mitigate the risks posed by such attacks.
Cyber attacks against financial institutions to extort payment in return for the release of sensitive information are increasing. Financial institutions should address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems. In addition, financial institutions should have effective business continuity plans to respond to this type of cyber attack to ensure resiliency of operations.
Financial institutions are also encouraged to notify law enforcement and their primary regulator or regulators of a cyber attack involving extortion.
Cyber criminals and activists use a variety of tactics, such as ransomware, denial of service (DoS), and theft of sensitive business and customer information to extort payment or other
concessions from victims. In some cases, these attacks have caused significant impacts on a businesses’ access to data and ability to provide services. Other businesses have incurred serious damage through the release of sensitive information.
Financial institutions should ensure that their risk management processes and business continuity planning address the risks from these types of cyber attacks, consistent with the risk management practices identified in previous FFIEC joint statements and the FFIEC Information Technology Examination Handbook , specifically the “Business Continuity Planning” and “Information Security” booklets. Related FFIEC joint statements are titled “Destructive Malware,” “Cyber Attacks Compromising Credentials,” and “Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources.”
Consistent with FFIEC and member guidance, financial institutions should consider taking the following steps:
- Conduct ongoing information security risk assessments
- Securely configure systems and services.
- Protect against unauthorized access.
- Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion.
- Review, update, and test incident response and business continuity plans periodically.
- Participate in industry information-sharing forums.
- Perform security monitoring, prevention, and risk mitigation.
- Implement and regularly test controls around critical systems.