FFIEC Warns Financial Institutions that Financial Regulators Expect Them to Address Risks from Widely Reported Material Computer Security Vulnerability

On April 10, 2014, the Federal Financial Institutions Examination Council (“FFIEC”), whose members are the FRB, FDIC, OCC, NCUA, CFPB and the State Liaison Committee (the “Financial Regulators”), issued an alert (the “Alert”) to financial institutions stating that the Financial Regulators expect institutions “to incorporate patches on systems and services, applications and appliances using OpenSSL and upgrade systems as soon as possible to address” the so-called “Heartbleed Vulnerability,” a widely reported material security vulnerability that may have affected some banks’ computer networks. OpenSSL, stated the Alert, “is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols commonly used to protect data in transit.” The Alert reported that the Heartbleed Vulnerability has existed since December 31, 2011 and may have allowed hackers “to access the private ‘keys’ to banks’ servers, allowing them to decrypt and view sensitive information.” Specifically, the Alert states that financial institutions should take the following steps, as appropriate:

  • Ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps;
  • Monitor the status of their vendors’ efforts;
  • Identify and upgrade vulnerable internal systems and services; and
  • Follow appropriate patch management practices and test to ensure a secure configuration.


© Goodwin Procter LLP | Attorney Advertising
