From Banking and Finance Law Daily, March 30, 2015

Guidance on protecting against cyberattacks issued

Statements on how financial institutions can protect themselves from malware and other cyberattacks have been issued by the Federal Financial Institutions Examination Council. The two statements address different types of attacks: compromising or destroying data and rendering systems useless by implanting malware; and stealing credentials for use in fraud and identity theft. The FFIEC is calling for enhanced risk management and information security programs to address the threats (FIL-13-2015).

Each of the joint statements includes specific steps that financial institutions are advised to consider.

Malware. According to the FFIEC, malware can be introduced into a financial institution’s systems when employees download email attachments, connect external drives, or visit infected websites. Alternatively, a hacker can use stolen credentials to install malware on a system.

The focus of the malware statement is business continuity. Financial institutions need to be able to identify and respond to an attack and mitigate the resulting damage, which includes recovering data and restoring compromised operations. Appropriate steps include:

  • protecting systems through “air gaps” or other methods, maintaining hard backups, physically separating systems, and maintaining an inventory of authorized hardware and software;

  • updating and testing incident response and business continuity plans;

  • carrying out an ongoing risk assessment program that considers evolving threats and that addresses risk from third-party service providers;

  • maintaining up-to-date protection and detection systems, including using penetration testing;

  • limiting who has credentials that allow higher-level access, and periodically reviewing for and eliminating old credentials; and

  • ensuring that appropriate access controls are in place and testing all controls around critical systems on a regular basis.

Compromising credentials. The statement on attacks that compromise credentials cites reports of increased attempts by criminals to acquire large volumes of users’ credentials and other forms of identification. The credentials can be sold and then used to take over customer accounts or to engage in identity theft.

The risks that result from stolen credentials can vary depending on the type of information stolen, the statement continues. While fraud and identity theft are common results of stolen customer credentials, stealing credentials of employees or third-party service providers can give access to confidential internal data, the ability to interfere with an institution’s operations, or the opportunity to plant malware.

According to the statement, institutions should consider steps such as:

  • carrying out ongoing information security risk assessments, including assessments that cover third-party service providers;

  • ensuring that protection and detection systems, including antivirus protections, are up to date and that firewalls are effective and periodically reviewed;

  • limiting who has credentials that allow higher-level access, and periodically reviewing for and eliminating old credentials; and

  • ensuring that appropriate access controls are in place and testing all controls around critical systems on a regular basis.
