Alert April 08, 2014

FFIEC Issues Joint Statements on DDoS Cyber-Attacks and Cyber-Attacks on ATM and Card Authorization Systems

On April 2, 2014, the members of the Federal Financial Institutions Examination Council (“FFIEC”) issued two joint statements: the first joint statement regards distributed denial-of-service (“DDoS”) attacks, and the second joint statement concerns cyber-attacks on ATM and card authorization systems. The six members of the FFIEC are the FRB, FDIC, OCC, CFPB, NCUA and the State Liaison Committee, which is comprised of five state banking supervisors.

Joint Statement Regarding DDoS Cyber-Attacks

Citing an increased number of DDoS attacks in recent years, whereby certain internet services are temporarily or indefinitely interrupted or suspended, the first FFIEC joint statement warns financial institutions about the risks associated with such attacks, including operational and reputation risks. DDoS attacks also may be accompanied by attempted fraud, further exposing the institution to possible fraud losses and liquidity and capital risks. The joint statement also outlines several ways to mitigate such attacks as part of an institution’s information security and incident response plans. Risk mitigation steps outlined in the joint statement (that the FFIEC members expect financial institutions to take) include: (1) maintenance of an ongoing information security risk assessment program; (2) monitoring of the institution’s website; (3) activation of incident response plans and notification of service providers in the event of a suspected attack; (4) staffing during the attack so as to sufficiently manage web-based traffic; (5) sharing information with certain organizations, as appropriate, e.g., law enforcement authorities; and (6) evaluating deficiencies in the institution’s responses, risk assessments, and risk management controls.

Joint Statement Regarding Cyber-Attacks on ATM and Card Authorization Systems

The second FFIEC joint statement addresses cyber-attacks on the ATM and card authorization systems of financial institutions. Noting that there has been a recent increase in cyber-attacks launched in connection with “Unlimited Operations” (a type of large dollar value ATM cash-out fraud whereby funds are withdrawn in excess of cash balances or other account control limits), the FFIEC identifies certain related risks for financial institutions that issue debit, prepaid or ATM cards. Such risks include operational risks, fraud losses, liquidity and capital risks, and reputation risks. The FFIEC stated that institutions may be exposed to additional losses if they outsource their card issuing function. The joint statement outlines several actions that an institution is expected to take to mitigate the risks associated with such attacks, including: (1) maintenance of an ongoing information security risk assessment program; (2) engaging in security monitoring, prevention, and risk mitigation; (3) ensuring protections are in place to limit unauthorized access; (4) regularly implementing and testing controls around “critical systems”; (5) conducting regular information security awareness and training programs; (6) testing the effectiveness of incident response plans; and (7) participating in certain information sharing forums.