November 9, 2015
The Federal Financial Institutions Examination Council (“FFIEC”) issued a press release last week “alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion.”

The FFIEC went on to say that “financial institutions should develop and implement effective programs to ensure the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks.” The statement suggests that financial institutions should consider taking the following steps:
  • Conduct ongoing information security risk assessments
  • Securely configure systems and services
  • Protect against unauthorized access
  • Perform security monitoring, prevention, and risk mitigation
  • Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion
  • Implement and regularly test controls around critical systems
  • Review, update, and test incident response and business continuity plans periodically
  • Participate in industry information-sharing forums
This advice, along with similar statements from the FFIEC in the past, indicates a shift in the FFIEC’s stance on combating cyberattacks in the financial services industry. Banks must be proactive, not reactive, in assessing their cyber defenses, as well as the maturity and efficacy of their risk mitigation plans. Training and education to narrow the cyber-skills gap between sophisticated cyber criminals and a bank’s employees and key contractors are also critical.
