Compliance Blog

Nov 04, 2015

FFIEC Joint Statement on Cyber-Attacks Involving Extortion

Written by Eliott C. Ponte, Regulatory Compliance Counsel


Yesterday, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement alerting financial institutions to the increasing frequency and severity of cyber-attacks involving extortion.  According to the FFIEC statement, activists have recently stolen sensitive business and consumer data.  After stealing the data, activists demand that a business take a particular action or the data will be publicly released.  FFIEC notes that the release of sensitive business and consumer data could affect an institution's reputation, as well as have other serious consequences. The statement describes steps financial institutions should take to respond to these attacks and highlights resources institutions can use to mitigate the risks posed by such attacks.  This statement does not contain any new regulatory expectations.

Consistent with prior statements issued on cybersecurity, FFIEC states that financial institutions should ensure that their risk management processes and business continuity planning address cybersecurity risks.  Specifically, the statement suggests financial institutions should consider the following steps:

  • Conduct ongoing information security risk assessments.
  • Securely configure systems and services.
  • Protect against unauthorized access.
  • Perform security monitoring, prevention, and risk mitigation.
  • Update information security awareness and training programs, as necessary, to include cyber-attacks involving extortion.
  • Implement and regularly test controls around critical systems.
  • Review, update, and test incident response and business continuity plans periodically.
  • Participate in industry information-sharing forums.

Credit unions looking to mitigate cyber-security risks should look to the following resources for guidance:

Another good resource is NAFCU's Compliance Cyber Café Enewsletter.  NAFCU's Cyber Café is published on an as-needed basis and is designed to provide specific compliance updates on cyber-security issues.  Our inaugural issue featured articles on business continuity planning and the cyber-security self-assessment tool.

***

Meet Mimi

In August, I posted pictures of my partially hairless cat, Miles (Devon Rex).  Yes, he is a unique-looking cat.  And yes, he has a sister:  Mimi.


She is a Cornish Rex (also partially hairless).


Mimi is a former therapy cat.  She worked with people suffering from anorexia for several years.  Now retired, she sleeps all day.  She will be 16 years old on January 1st.



Dog Lovers.... Coming Soon

If you prefer dogs to cats, don't worry, I have you covered.  My wife and I recently expanded our family.  Unfortunately, you will have to wait until my next blog post for more information.  For now, look at the teaser photo below:


Macie