Increasing Regulatory Focus on Cybersecurity Risk at Community Banks

The increasing number of data security compromises at financial institutions has prompted regulatory agencies to increase scrutiny around how banks protect confidential client data. In March 2015, the Federal Financial Institutions Examination Council (FFIEC) released two joint statements, each highlighting a current threat used by third-party attackers to steal consumer information or impair a bank’s ability to serve its customers. The FFIEC notes that the statements are not designed to replace or supplement any specific regulatory requirements, which are already addressed in the Information Security booklet of the FFIEC IT Examination Handbook. Rather, the statements are intended to draw banks’ attention to key risks and provide a primer for risk mitigation steps.

The first statement addresses “destructive malware,” or software applications that allow an attacker to compromise a computer system and perform malicious activity. Malware is typically installed when an employee opens a malicious attachment from an unknown source, resulting in an infection that can spread across the network to critical systems and data. Malicious functionality can range from holding data “ransom” by encrypting it with a secret key to theft of customer data for sale on digital black markets.

The second statement describes a current trend among cyber attackers of collecting large volumes of confidential user credentials, which can include email addresses, user names and account passwords. As with the installation of destructive malware, credential theft often involves a form of social engineering that misleads users into opening a malicious attachment or clicking a link to an infected website.

Both statements offer similar guidance for establishing risk mitigation procedures, such as performing a cybersecurity risk assessment, security monitoring and prevention, strong access controls and security awareness training. DHG strongly recommends ongoing information security risk assessment and monitoring processes as part of the information security program; the program itself begins with an information security risk assessment. A risk assessment should identify the institution’s critical systems and processes and its key vulnerabilities and threats, and should evaluate the implementation and effectiveness of the controls designed to minimize the likelihood of compromise.

Additionally, a comprehensive and tailored incident response plan is critical for preparing for a potential data breach. This plan captures the roles and responsibilities of an incident response team and outlines specific procedures for the investigation, reporting and remediation of a security incident. Organizations that implement and follow a well-designed incident response plan can potentially reduce the scope and cost of a breach investigation and minimize the impact on operations.

By releasing the two joint statements, the FFIEC members are taking further initiative to raise awareness and focus on reducing the likelihood of consumer data compromise within financial institutions. It is imperative that management within the industry take these alerts seriously and involve IT management and service providers to ensure that critical controls are addressed and cyber risk is mitigated.

The cybersecurity statements issued by the FFIEC can be found here:

FFIEC Joint Statement on Destructive Malware

FFIEC Joint Statement on Compromising Credentials

DHG provides cutting edge cybersecurity advisory and assessment services to assist organizations with evaluating and enhancing information security programs. Our offerings include:

  • Cybersecurity Risk Assessments and Program Development
  • Network and Web Application Vulnerability Assessments and Penetration Testing
  • Social Engineering and Physical Site Assessments
  • Security Incident and Data Breach Response
  • Security and Privacy Compliance Assessments (Payment Card Industry [PCI] and HIPAA / HITECH)
  • Service Organization Controls (SOC 1 and 2) Reporting