On April 3, the members of the Federal Financial Institutions Examination Council (FFIEC), including the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the State Liaison Committee and the Consumer Financial Protection Bureau (the Members) issued a joint statement to notify financial institutions of the risks associated with the continued distributed denial-of-service (DDoS) attacks and the steps that institutions are expected to take to address these attacks. The joint statement refers institutions to resources to help them mitigate the risks posed by such attacks. The Members expect financial institutions to address DDoS readiness as part of their ongoing information security and incident response plans. Each institution is expected to
- monitor incoming traffic to its public Web site,
- activate incident response plans if it suspects that a DDoS attack is occurring and
- ensure sufficient staffing for the duration of the attack, including the use of previously contracted third-party services, if appropriate.
Community banks “should ensure that their in-house information technology units or their service providers are taking appropriate action to mitigate this risk.”
Further, the Members issued a joint statement to notify financial institutions of a large-dollar-value automated teller machine (ATM) cash-out fraud characterized as Unlimited Operations by the US Secret Service. The Members “are aware of a recent increase in cyber-attacks on financial institutions launched in connection with this fraud to gain access to, and alter the settings on, ATM Web-based control panels used by small-to-medium-sized financial institutions.”
The Members expect financial institutions to take steps to mitigate this threat by ensuring that
- each institution’s and service provider’s management of enterprise risk addresses this type of threat in its risk assessment process and
- controls associated with the institution’s information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes are reviewed for adequacy against this threat.
Community banks with ATMs “should work closely with their service providers and ensure that the providers are taking appropriate action to mitigate this risk.”