FFIEC Issues Joint Statements on DDoS Cyber-Attacks and Cyber-Attacks on ATM and Card Authorization Systems


On April 2, 2014, the members of the Federal Financial Institutions Examination Council (“FFIEC”) issued two joint statements: the first joint statement regards distributed denial-of-service (“DDoS”) attacks, and the second joint statement concerns cyber-attacks on ATM and card authorization systems. The six members of the FFIEC are the FRB, FDIC, OCC, CFPB, NCUA and the State Liaison Committee, which is comprised of five state banking supervisors.

Joint Statement Regarding DDoS Cyber-Attacks

Citing an increased number of DDoS attacks in recent years, in which certain internet services are temporarily or indefinitely interrupted or suspended, the first FFIEC joint statement warns financial institutions about the risks associated with such attacks, including operational and reputation risks. DDoS attacks also may be accompanied by attempted fraud, further exposing the institution to possible fraud losses and liquidity and capital risks. The joint statement also outlines several ways to mitigate such attacks as part of an institution’s information security and incident response plans. Risk mitigation steps outlined in the joint statement (which the FFIEC members expect financial institutions to take) include: (1) maintenance of an ongoing information security risk assessment program; (2) monitoring of the institution’s website; (3) activation of incident response plans and notification of service providers in the event of a suspected attack; (4) staffing during the attack so as to sufficiently manage web-based traffic; (5) sharing information with certain organizations, as appropriate (e.g., law enforcement authorities); and (6) evaluating deficiencies in the institution’s responses, risk assessments, and risk management controls.

Joint Statement Regarding Cyber-Attacks on ATM and Card Authorization Systems

The second FFIEC joint statement addresses cyber-attacks on the ATM and card authorization systems of financial institutions. Noting that there has been a recent increase in cyber-attacks launched in connection with “Unlimited Operations” (a type of large dollar value ATM cash-out fraud whereby funds are withdrawn in excess of cash balances or other account control limits), the FFIEC identifies certain related risks for financial institutions that issue debit, prepaid or ATM cards. Such risks include operational risks, fraud losses, liquidity and capital risks, and reputation risks. The FFIEC stated that institutions may be exposed to additional losses if they outsource their card issuing function. The joint statement outlines several actions that an institution is expected to take to mitigate the risks associated with such attacks, including: (1) maintenance of an ongoing information security risk assessment program; (2) engaging in security monitoring, prevention, and risk mitigation; (3) ensuring protections are in place to limit unauthorized access; (4) regularly implementing and testing controls around “critical systems”; (5) conducting regular information security awareness and training programs; (6) testing the effectiveness of incident response plans; and (7) participating in certain information sharing forums.

IRS Circular 230 Disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. tax advice contained in this informational piece (including any attachments) is not intended or written to be used, and may not be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Goodwin | Attorney Advertising
