From Banking and Finance Law Daily, April 11, 2014

Financial regulators urge banks to address OpenSSL vulnerability

By Stephanie K. Mann, J.D.

Federal Financial Institutions Examination Council members are advising financial institutions of a material security vulnerability in the OpenSSL cryptographic library that may put systems using the library at risk. OpenSSL is a cryptographic software library used to authenticate services and encrypt sensitive information. According to a new report entitled “OpenSSL ‘Heartbleed’ Vulnerability Alert,” a significant vulnerability has been found in OpenSSL that could allow an attacker to decrypt, spoof, or perform attacks on network communications that would otherwise be protected by encryption.

The regulators urged financial institutions to consider replacing private keys and X.509 certificates after applying the patch for each service that uses OpenSSL, and to consider requiring users and administrators to change passwords after the patch is applied. Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.
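The ordering in that guidance matters: keys, certificates, and passwords rotated before the library is fixed may have been exposed again. The following tracker, an added example rather than anything from the regulators' alert, checks an inventory of services against those steps; the affected version range comes from the OpenSSL project's advisory, and the inventory, hostnames, and dates are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Affected releases per the OpenSSL project's advisory (not stated on the page): 1.0.1 through
# 1.0.1f and 1.0.2-beta1. The 0.9.8 and 1.0.0 branches are unaffected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")

def is_vulnerable_version(version: str) -> bool:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter, beta = m.groups()
    branch = (int(major), int(minor), int(fix))
    if branch == (1, 0, 1):
        return letter < "g"       # plain 1.0.1 (empty letter) and a..f are affected
    if branch == (1, 0, 2):
        return beta == "1"        # only 1.0.2-beta1 shipped the bug
    return False

@dataclass
class Service:
    name: str
    openssl_version: str
    patched_at: Optional[datetime]   # None: this host never ran an affected release
    cert_not_before: datetime        # issuance time of the certificate now in use
    passwords_reset_at: Optional[datetime]

def remediation_gaps(svc: Service) -> list:
    """Steps from the guidance still outstanding for one service. Rotations only
    count when done after the patch; earlier ones may have leaked again."""
    if is_vulnerable_version(svc.openssl_version):
        return ["patch OpenSSL"]     # nothing else counts until the library is fixed
    if svc.patched_at is None:
        return []
    gaps = []
    if svc.cert_not_before <= svc.patched_at:
        gaps.append("replace private key and X.509 certificate")
    if svc.passwords_reset_at is None or svc.passwords_reset_at <= svc.patched_at:
        gaps.append("require password changes")
    return gaps

# Constructed sample inventory (not real systems); the fixed library landed 2014-04-08.
PATCH = datetime(2014, 4, 8, tzinfo=timezone.utc)
INVENTORY = [
    Service("web-login", "1.0.1g", PATCH, datetime(2014, 4, 7, tzinfo=timezone.utc), None),
    Service("api-gw", "1.0.1f", None, datetime(2014, 4, 9, tzinfo=timezone.utc), None),
    Service("legacy-ftp", "1.0.0l", None, datetime(2013, 1, 1, tzinfo=timezone.utc), None),
]
```

For "web-login" the certificate predates the patch, so the key and certificate still have to be replaced even though the host is now running a fixed release.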

Cyber resources. Following the Federal Deposit Insurance Corporation’s alert on the OpenSSL vulnerability, the agency has urged financial institutions to actively utilize cyber resources to identify and help mitigate potential cyber-related risks. “Cyber threats have been widely covered in the national media, and we believe that financial institutions and their technology service providers have been managing system updates to mitigate potential vulnerabilities in an effective manner. As discussed in yesterday's meeting of the FDIC Advisory Committee on Community Banking, financial institutions may benefit from greater awareness of the resources available to identify cyber-related risks as quickly as possible,” said Doreen Eberley, Director of the FDIC Division of Risk Management Supervision.

Financial institutions should ensure that their Information Security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify cyber risks as they emerge. Government and government-sponsored resources that financial institutions should consider include the following organizations:

  • United States Computer Emergency Readiness Team;

  • U.S. Secret Service Electronic Crimes Task Force;

  • FBI InfraGard;

  • Regional Coalitions; and

  • Information Sharing and Analysis Centers.
