Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments

by Davis Wright Tremaine LLP

“For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers.” Thomas J. Curry, Comptroller of the Currency

In comments before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference last month, Thomas J. Curry, Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council [1] stated that “Attacks on our information infrastructure are everywhere.… For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers. Some attackers target banks because they want to undermine confidence in our country’s financial system. Penetrating the information defenses of any one system may enable attackers to penetrate another, and that in turn could enable more widespread attacks on the broader economy.”

Comptroller Curry stated that helping to make banks less vulnerable and more resilient to cyber-attacks has been one of his top priorities as Comptroller and Chairman of the FFIEC. As part of this effort, he formed the Cybersecurity and Critical Infrastructure Working Group to identify, assess, and mitigate cybersecurity risks to financial institutions and their critical service providers. In recognizing that cybersecurity is not just an information technology issue, but a serious problem that requires the engagement of chief executive officers at all financial institutions, the FFIEC Cybersecurity and Critical Infrastructure Working Group sponsored a cybersecurity webinar for executives. The webinar was held on May 7, 2014 and was purportedly attended by approximately 5,000 executive officers of community financial institutions. The webinar was entitled Executive Leadership of Cybersecurity: What Today’s CEO Needs to Know About the Threats They Don’t See. As indicated by its title, the webinar focused on why executives needed to be engaged to bolster cybersecurity risk management practices. The key takeaways from the webinar included the following:

• Chief executive officers must set the tone from the top and build a security culture within the financial institution

• Financial institution executive leadership must develop programs to identify, measure, mitigate and monitor cybersecurity risks

• Financial institution executive leadership must develop cybersecurity risk management processes commensurate with the scale of risk and complexity of the institution

• Financial institution executive leadership must align their information technology strategy with business strategy and account for how cybersecurity risks will be managed both now and in the future

• Financial institution executive leadership must create a governance process to ensure ongoing cybersecurity awareness and accountability

• Financial institution executive leadership must ensure that cybersecurity related reports to executive leadership and institutional board membership are meaningful and timely with metrics on the institution’s vulnerability to cybersecurity risks and potential business impacts

The May 7, 2014 cybersecurity webinar was part of a larger cybersecurity awareness initiative. As part of that initiative, on June 24, 2014 the FFIEC launched a webpage solely dedicated to cybersecurity issues. Another aspect of the initiative, a pilot program in which over 500 community banking institutions will undergo cybersecurity assessments, will begin next month. These assessments will be conducted by state and federal regulators during regularly scheduled examinations. Information from the pilot effort will assist regulators in assessing how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance, and examiner training.

The webinar, the launch of the cybersecurity webpage, and the community bank assessments follow several advisories issued by the FFIEC on cybersecurity risks. One advisory in April 2014 pertained to the “Heartbleed” vulnerability and its implications for financial institutions. Another advisory in April 2014 pertained to the continued distributed denial-of-service (DDoS) attacks on financial institution websites. Yet another advisory in April 2014 pertained to cyber-attacks on automatic teller machine (ATM) and card authorization systems. Although this last advisory was specific to ATM cybersecurity, it contained good advice for general cybersecurity risk mitigation:

Conduct ongoing information security risk assessments. Maintain an ongoing information security risk assessment program that identifies, prioritizes and assesses the risk to critical systems, including threats to applications that control ATM parameters and other security and fraud prevention systems.

Perform security monitoring, prevention, and risk mitigation. Ensure intrusion detection systems and antivirus protection are up-to-date, and firewall rules are configured properly. Monitor system reports to identify when attacks are attempted or are occurring, when data may be inappropriately leaving the network, and when anomalous behavior patterns occur inside the institution’s network (i.e., attempted simultaneous logins to control panels or login attempts during non-business hours). Monitor third-party processors as well as ATM transaction activity for unusual behavior or attempts to go beyond normal daily limits.

Protect against unauthorized access. Limit the number of elevated privileges across the institution, including administrator accounts, and the ability to assign elevated privileges to critical systems such as the systems to manage the institution’s card issuer authorization and ATM management systems. Consider updating all credentials and monitoring logs for use of old credentials. Consider establishing authentication rules, such as time-of-day controls, or implementing multifactor authentication protocols for web-based control panels.

Implement and test controls around critical systems regularly. Ensure appropriate controls are implemented for systems based on risk. Ensure that sign-on attempts for critical systems are limited and result in locking the account once limits are exceeded. Implement alerts to notify multiple employees when controls are changed on critical systems. Test the effectiveness of controls periodically. Report test results along with recommended risk mitigation strategies and progress to remediate findings to senior management or a committee of the board of directors.
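The monitoring and access-control recommendations above (anomalous login patterns such as simultaneous control-panel logins or after-hours logins, sign-on limits that lock the account, and alerts to multiple employees when controls on a critical system change) can be expressed as a small set of detection checks over an audit log. The following is an added illustration written for this page; it is not code from the FFIEC advisory or from Davis Wright Tremaine. The log format, the sample events, the lockout threshold, the business-hours window and the notification addresses are all constructed assumptions for the example; a real deployment would read the control panel's own audit trail and set thresholds from its policy.

```python
"""Detection checks modelled on the FFIEC ATM advisory's monitoring advice.

Added example, not code from the advisory or the law firm. The log format,
sample events, thresholds and recipient addresses are constructed for the
illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit log for a hypothetical ATM management control panel.
# Fields: ISO timestamp, user, event (login/config_change), detail, source IP.
SAMPLE_LOG = """\
2014-04-10T09:01:10Z ops1 login success 10.0.1.20
2014-04-10T09:02:15Z ops2 login success 10.0.1.21
2014-04-10T09:02:40Z ops2 login success 198.51.100.7
2014-04-10T14:10:00Z ops3 login failure 10.0.1.22
2014-04-10T14:10:05Z ops3 login failure 10.0.1.22
2014-04-10T14:10:09Z ops3 login failure 10.0.1.22
2014-04-10T14:10:14Z ops3 login failure 10.0.1.22
2014-04-10T14:10:20Z ops3 login failure 10.0.1.22
2014-04-10T14:10:25Z ops3 login success 10.0.1.22
2014-04-10T23:45:00Z ops1 login success 10.0.1.20
2014-04-10T23:47:30Z ops1 config_change withdrawal_limit 10.0.1.20
"""

MAX_FAILURES = 5                  # assumed policy: lock after 5 failed sign-ons
BUSINESS_HOURS = (8, 18)          # assumed: 08:00-17:59 UTC is business hours
CONCURRENT_WINDOW = timedelta(minutes=5)  # assumed window for "simultaneous" logins
# Placeholder recipients: the advisory asks that control changes notify multiple employees.
CONTROL_CHANGE_NOTIFY = ["soc@example.invalid", "it-ops@example.invalid"]


def parse_log(text):
    """Parse the constructed log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, event, detail, src = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        events.append({"time": when, "user": user, "event": event,
                       "detail": detail, "src": src})
    return events


def analyze(events):
    """Return (alert_type, user, detail) tuples for the advisory's checks, in time order."""
    alerts = []
    failures = defaultdict(int)
    recent_logins = defaultdict(list)   # user -> [(time, src)] of successful logins
    locked = set()

    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        if ev["event"] == "login":
            # A success after the account should be locked means the lockout
            # control did not take effect: flag it as a control failure.
            if user in locked:
                alerts.append(("login_while_locked", user, ev["src"]))
                continue
            if ev["detail"] == "failure":
                failures[user] += 1
                if failures[user] >= MAX_FAILURES:
                    locked.add(user)
                    alerts.append(("lockout", user, f"{failures[user]} failures"))
                continue
            failures[user] = 0
            hour = ev["time"].hour
            if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
                alerts.append(("after_hours_login", user, ev["time"].isoformat()))
            # Two successful logins for one user from different sources inside
            # the window is treated as an attempted simultaneous login.
            for prev_time, prev_src in recent_logins[user]:
                if ev["time"] - prev_time <= CONCURRENT_WINDOW and prev_src != ev["src"]:
                    alerts.append(("concurrent_login", user, f"{prev_src} and {ev['src']}"))
            recent_logins[user].append((ev["time"], ev["src"]))
        elif ev["event"] == "config_change":
            # Every control change on the critical system is routed to several people.
            recipients = ",".join(CONTROL_CHANGE_NOTIFY)
            alerts.append(("control_change", user, f"{ev['detail']} notify={recipients}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log this yields five alerts: a concurrent login for ops2 from two sources within a minute, a lockout for ops3 after the fifth failure, a login-while-locked finding for ops3 (the control panel accepted a sign-on that the lockout should have blocked), an after-hours login for ops1, and a control-change notification for ops1's limit change. The thresholds and window are deliberately simple; the point is that each of the advisory's recommendations maps to a concrete, testable rule over logs the institution already has.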

Conduct information security awareness and training programs. Conduct regular information security awareness training across the financial institution, including how to identify and prevent successful phishing attempts.

Test incident response plans. Test the effectiveness of incident response plans at the financial institution and with third-party processors to ensure that all employees understand their respective responsibilities and protocols, including individuals responsible for managing liquidity and reputation risk, information security, vendor management, fraud detection, and customer inquiries. Consider conducting an exercise at the financial institution that simulates this type of attack.

Participate in industry information sharing forums. Incorporate information sharing with other financial institutions and service providers into risk mitigation strategies. Since threats and tactics can change rapidly, participating in information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), can facilitate more efficient information sharing. The FS-ISAC and the United States Computer Emergency Readiness Team (US-CERT) are good sources of information on the methods used to conduct attacks and on risk mitigation tactics to minimize their impact.

The takeaway of the FFIEC Cybersecurity and Critical Infrastructure Working Group initiatives and these advisories is that our digital infrastructure is vulnerable, under constant attack, and that financial institutions are a primary target – because they are “where the money is,” and “because of the vast amount of proprietary information banks have about their customers.” It is critical that financial institutions, from executive leadership to operational information technology personnel, work together to plan for cybersecurity incidents. Planning for a security incident should involve institutional self-assessments, constant monitoring, and each of the actions suggested above. While cybersecurity incidents are inevitable, a good incident response plan will mitigate the risk and the damage, and might help avert a crisis, rendering it a minor incident.

[1] The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms, and to promote uniformity in the supervision of financial institutions. The Council has six voting members: a Governor of the Board of Governors of the Federal Reserve System, designated by the Chairman of the Board; the Chairman of the Federal Deposit Insurance Corporation; the Chairman of the Board of the National Credit Union Administration; the Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; and the Chairman of the State Liaison Committee. The Council’s activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
