Created on 2015-11-04 02:55
Published on 2015-11-04 03:18
Today, November 3rd, 2015, the FFIEC issued a joint statement to notify financial institutions of the increasing frequency and severity of cyber attacks involving extortion, along with a request that institutions develop and implement "effective programs to ensure [they] are able to identify, protect, detect, respond to, and recover from these types of attacks". See http://www.ffiec.gov/press/pr110315.htm for details.
One specific threat referenced in the statement is ransomware, a type of malicious software (malware) that encrypts data on a computer system, making it difficult or impossible to recover without the decryption key. Ransomware attackers offer to provide their victims that key after a ransom (often paid in Bitcoin) is received. Other threats mentioned include Distributed Denial of Service (DDoS) attacks (i.e., availability attacks against websites, Domain Name System (DNS) servers, or other Internet-facing systems) and the direct theft of sensitive business or customer information, used to extort payment or other concessions from victims.
The FFIEC states that, in some cases, these attacks have significantly impaired businesses' access to their data and their ability to provide services. Other businesses have incurred serious damage through the release of sensitive information. Overall, the risks from such extortion include liquidity, capital, operational, compliance, and reputation risks, resulting from fraud, data loss, and disruption of customer service.
The FFIEC states that financial institutions should consider taking the steps outlined below to mitigate this risk. If you are a financial institution, review these steps as part of a risk assessment to determine how your existing controls mitigate the risk and where gaps remain. Document the results in a report to your executive management and board.
The steps outlined by the FFIEC, at a high level, are as follows:
Your applicable vendors and third-party service providers should also be expected to perform each of the steps outlined above, commensurate with the inherent risk and nature of the system(s) they manage for you. Consider reaching out to those vendors and service providers, especially any on your mission-critical list, to confirm they have these controls in place.
None of these steps (controls) is really net-new; taken together, however, they show that a layered approach remains the most effective way to mitigate even the latest types of attacks.
Last, the FFIEC states, "Institutions that are victims of cyber attacks involving extortion are encouraged to inform law enforcement authorities and notify their primary regulator(s). In the event that an attack results in unauthorized access to sensitive customer information, the institution has responsibility to notify its federal and state regulators in accordance with the Interagency Guidelines Establishing Information Security Standards implementing the Gramm–Leach–Bliley Act and applicable state laws. Additionally, institutions should determine if filing a Suspicious Activity Report (SAR) is required or appropriate, as in the case of an unauthorized electronic intrusion intended to damage, disable, or otherwise affect critical systems. In instances where filing is not required, institutions may file a SAR voluntarily to aid law enforcement in protecting the financial sector." To meet this guidance, review and update your institution's Incident Response Program policy and procedures so that the law enforcement, regulator, and SAR notification requirements are written in and the responsible employees are trained before you are hit by this type of attack, God forbid.
The full FFIEC statement with details is here: https://www.ffiec.gov/press/PDF/FFIEC_Joint_Statement_Cyber_Attacks_Involving_Extortion.pdf