Last week, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement warning of an “increasing frequency and severity of cyber attacks involving extortion.” The statement warned that criminals have been extorting financial institutions using a variety of tactics, including denial of service attacks, theft of sensitive information, and use of “ransomware,” which is software that prevents legitimate users from accessing company files unless a ransom is paid. To protect against these attacks, the FFIEC encouraged financial institutions to “develop and implement effective programs to ensure the institutions are able to identify, protect, detect, respond to, and recover from” extortion attacks.

The FFIEC outlined specific steps that institutions should take to combat the threat, including updating and testing incident response plans on a regular basis, ensuring that their risk management processes address risks related to extortion attacks, and updating security awareness and training programs to discuss extortion-related cyber attacks.  Financial institutions are also encouraged to participate in information sharing forums, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).  In the event that an institution is the victim of an extortion attack, the FFIEC recommends that the institution inform both law enforcement authorities and its primary regulator of the attack.  The statement also encourages victims to consider filing a Suspicious Activity Report (SAR), even when not required, to help protect the overall sector.

The FFIEC made it clear that the recommended practices are not “new regulatory expectations” but rather are “intended to alert financial institutions to specific risk mitigation” activities they should take.  The statement notes that financial institutions face a variety of risks related to extortion “including liquidity, capital, operational, compliance and reputation risks, resulting from fraud, data loss, and disruption of customer service.” In addition, if extortion attacks result in the unauthorized access to sensitive customer information institutions are responsible for complying with notification obligations under the Interagency Guidelines Establishing Information Security Standards (that implement the Gramm-Leach-Bliley Act), as well as applicable state notification laws.

The FFIEC is made up of principals from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau and State Liaison Committee.   The complete joint statement from the FFIEC is available here.