The six agencies which make up the Federal Financial Institutions Examination Council (“FFIEC”) have issued a joint statement cautioning financial institutions and their technology service providers regarding Microsoft’s decision to discontinue support for its venerable Windows XP system as of April 8, 2014.
Most institutions have switched to later Windows operating systems; however, some older purpose-built devices (ATM’s or document production platforms, for example) or some personal computers may still use Windows XP in some configuration.
While Windows XP may still function as an operating system after that date, a lack of support will translate into the absence of updated security patches and technical assistance. This in turn can increase compliance, reputation, and operational risks for a financial institution.
Financial institutions that are subject to the Payment Card Industry Data Security Standard should note that use of Windows XP after April 8, 2014 may also affect their overall compliance with that Standard.
Financial institutions and their service providers should consider the FFIEC statement in view of their own IT platforms and their risk management policies as well as other guidance issued by FFIEC over the years. Most approaches will include the familiar steps of performing risk assessments; applying appropriate mitigation for the identified risks; developing an implementation plan; and monitoring risk and its mitigation and reporting the results to management.