Federal Financial Regulators Offer Advice To Address Malware, Compromised Credentials

Ballard Spahr LLP
In its recent press release, the Federal Financial Institutions Examination Council (FFIEC) issued two statements reiterating financial institutions' obligations to have measures in place to prevent and mitigate cybersecurity threats. Specifically, the FFIEC warns that financial institutions should implement policies, procedures, and security measures to mitigate threats posed by destructive malware and compromised user credentials (both customers' and employees' credentials). While the statements do not contain any new regulatory expectations or requirements, they do recommend ways financial institutions can prepare for and lessen these particular cybersecurity threats.

The FFIEC's first statement recommends that financial institutions ensure that their business continuity plans cover how the institution responds to a destructive malware cyberattack, in which an institution's critical data is corrupted or destroyed. Malware can be introduced through a wide range of methods, such as e-mail attachments downloaded during a phishing attack, compromised websites, or software installed by an attacker who accessed the network using stolen credentials. To recover from a destructive malware attack, financial institutions must ensure that their backup systems are not themselves destroyed or corrupted. The FFIEC therefore recommends that financial institutions and their service providers ensure their recovery strategies address attacks on their backup systems.

The FFIEC's second statement discusses compromised user credentials, such as user names, passwords, and e-mail addresses, which give cyberattackers easy access to customer accounts or critical business systems. The FFIEC points out that credentials can be stolen through phishing attacks, malvertising (infecting online advertisements with malware), or web-based attacks that target systems containing credentials. Each type of user credential, whether customer or employee credentials, poses a distinct risk. For example, stolen customer account credentials create the risk of account fraud and identity theft, while stolen employee or vendor credentials could enable attackers to access trusted systems and business information.

To mitigate the risks posed by destructive malware and compromised credentials, the FFIEC recommends that financial institutions have security controls and business continuity plans in place to authenticate users and ensure the rapid recovery and resumption of operations. These controls and procedures include:

  • Securely configuring systems and services
  • Reviewing, updating, and testing incident response and business continuity plans
  • Conducting ongoing information security risk assessments
  • Performing security monitoring, prevention, and risk mitigation
  • Protecting against unauthorized access
  • Implementing and testing controls around critical systems
  • Enhancing information security awareness and training
  • Participating in industry information sharing forums

While the FFIEC's statements do not contain any new requirements or identify any particular cyber threat, regulators already expect financial institutions to have policies, procedures, and security measures in place to address destructive malware and compromised credentials. The agency's statements may signal increased regulatory scrutiny of these aspects of financial institutions' information security and business recovery plans. Financial institutions should regularly review and test their information security policies and procedures to ensure they address the latest cybersecurity threats as well as incorporate regulatory guidance and warnings.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising
