“For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers.” Thomas J. Curry, Comptroller of the Currency

In comments before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference last month, Thomas J. Curry, Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council [1] stated that “Attacks on our information infrastructure are everywhere.… For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers. Some attackers target banks because they want to undermine confidence in our country’s financial system. Penetrating the information defenses of any one system may enable attackers to penetrate another, and that in turn could enable more widespread attacks on the broader economy.”

Comptroller Curry stated that helping to make banks less vulnerable and more resilient to cyber-attacks has been one of his top priorities as Comptroller and Chairman of the FFIEC. As part of this effort, he formed the Cybersecurity and Critical Infrastructure Working Group to identify, assess, and mitigate cybersecurity risks to financial institutions and their critical service providers. In recognizing that cybersecurity is not just an information technology issue, but a serious problem that requires the engagement of chief executive officers at all financial institutions, the FFIEC Cybersecurity and Critical Infrastructure Working Group sponsored a cybersecurity webinar for executives. The webinar was held on May 7, 2014 and was purportedly attended by approximately 5,000 executive officers of community financial institutions. The webinar was entitled Executive Leadership of Cybersecurity: What Today’s CEO Needs to Know About the Threats They Don’t See. As indicated by its title, the webinar focused on why executives needed to be engaged to bolster cybersecurity risk management practices. The key takeaways from the webinar included the following:

• Chief executive officers must set the tone from the top and build a security culture within the financial institution

• Financial institution executive leadership must develop programs to identify, measure, mitigate and monitor cybersecurity risks

• Financial institution executive leadership must develop cybersecurity risk management processes commensurate with the scale of risk and complexity of the institution

• Financial institution executive leadership must align their information technology strategy with business strategy and account for how cybersecurity risks will be managed both now and in the future

• Financial institution executive leadership must create a governance process to ensure ongoing cybersecurity awareness and accountability

• Financial institution executive leadership must ensure that cybersecurity related reports to executive leadership and institutional board membership are meaningful and timely with metrics on the institution’s vulnerability to cybersecurity risks and potential business impacts

The May 7, 2014 cybersecurity webinar was part of a larger cybersecurity awareness initiative. As part of that initiative, on June 24, 2014 the FFIEC launched a webpage solely dedicated to cybersecurity issues. Another aspect of the initiative will begin next month, a pilot program in which over 500 community banking institutions will undergo cybersecurity assessments. These assessments will be conducted by state and federal regulators during regularly scheduled examinations. Information from the pilot effort will assist regulators in assessing how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience. Another aim of the pilot is to help regulators make risk-informed decisions to enhance the effectiveness of supervisory programs, guidance, and examiner training.

The webinar, the launching of the cybersecurity webpage, and the community bank assessments, follow several advisories issued by FFIEC on cybersecurity risks. One advisory in April 2014 pertained to the “Heartbleed” vulnerability of financial institutions. Another advisory in April 2014 pertained to the continued distributed denial-of-service (DDoS) attacks on financial institution websites. Yet another advisory in April 2014 pertained to cyber-attacks on automatic teller machine (ATM) and card authorization systems. Although this last advisory was specific to ATM cybersecurity, it contained good advice for general cybersecurity risk mitigation:

• Conduct ongoing information security risk assessments. Maintain an ongoing information security risk assessment program that identifies, prioritizes and assesses the risk to critical systems, including threats to applications that control ATM parameters and other security and fraud prevention systems.

• Perform security monitoring, prevention, and risk mitigation. Ensure intrusion detection systems and antivirus protection are up-to-date, and firewall rules are configured properly. Monitor system reports to identify when attacks are attempted or are occurring, when data may be inappropriately leaving the network, and when anomalous behavior patterns occur inside the institution’s network (i.e., attempted simultaneous logins to control panels or login attempts during non-business hours). Monitor third-party processers as well as ATM transaction activity for unusual behavior or attempts to go beyond normal daily limits.

• Protect against unauthorized access. Limit the number of elevated privileges across the institution, including administrator accounts, and the ability to assign elevated privileges to critical systems such as the systems to manage the institution’s card issuer authorization and ATM management systems. Consider updating all credentials and monitoring logs for use of old credentials. Consider establishing authentication rules, such as time-of-day controls, or implementing multifactor authentication protocols for web-based control panels.

• Implement and test controls around critical systems regularly. Ensure appropriate controls are implemented for systems based on risk. Ensure that sign-on attempts for critical systems are limited and result in locking the account once limits are exceeded. Implement alerts to notify multiple employees when controls are changed on critical systems. Test the effectiveness of controls periodically. Report test results along with recommended risk mitigation strategies and progress to remediate findings to senior management or a committee of the board of directors.

• Conduct information security awareness and training programs. Conduct regular information security awareness training across the financial institution, including how to identify and prevent successful phishing attempts.

• Test incident response plans. Test the effectiveness of incident response plans at the financial institution and with third-party processors to ensure that all employees understand their respective responsibilities and protocols, including individuals responsible for managing liquidity and reputation risk, information security, vendor management, fraud detection, and customer inquiries. Consider conducting an exercise at the financial institution that simulates this type of attack.

• Participate in industry information sharing forums. Incorporate information sharing with other financial institutions and service providers into risk mitigation strategies. Since threats and tactics can change rapidly, participating in information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), can facilitate more efficient information sharing. The FS-ISAC and the United States Computer Emergency Readiness Team (US-CERT) are good sources of information on the methods used to conduct attacks and on risk mitigation tactics to minimize their impact.

The takeaway of the FFIEC Cybersecurity and Critical Infrastructure Working Group initiatives and these advisories is that our digital infrastructure is vulnerable, under constant attack, and that financial institutions are a primary target – because they are “where the money is,” and “because of the vast amount of proprietary information banks have about their customers.” It is critical that financial institutions, from the executive leadership to its operational information technology personnel, work together to plan for cybersecurity incidents. Planning for a security incident should involve institutional self-assessments, constant monitoring, and each of the actions suggested above. While cybersecurity incidents are inevitable, a good incident response plan will mitigate the risk and the damage, and might help avert a crisis, rendering it a minor incident.

[1] The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms, and to promote uniformity in the supervision of financial institutions. The Council has six voting members: a Governor of the Board of Governors of the Federal Reserve System, designated by the Chairman of the Board; the Chairman of the Federal Deposit Insurance Corporation; the Chairman of the Board of the National Credit Union Administration; the Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; and the Chairman of the State Liaison Committee. The Council’s activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.