In light of recent cyberattacks, the Federal Financial Institutions Examination Council is warning financial institutions of the need to actively manage risks associated with interbank messaging and wholesale payment networks.
The FFIEC posted a joint statement on its website urging financial institutions to conduct ongoing assessments of their ability to mitigate risks related to information security, business continuity and third-party provider management.
The statement did not contain new regulatory expectations. It was intended to alert financial institutions to cyberattacks that exploit vulnerabilities in, or gain unauthorized entry through, the trusted client terminals used to access messaging and payment networks. The FFIEC urged financial institutions to review their risk-management practices (including the services they provide to clients) and to refer to the appropriate FFIEC IT Examination Handbook booklets for guidance.
“Financial institutions should use multiple layers of security controls to establish several lines of defense,” according to the FFIEC statement. “Financial institutions should also ensure that their risk management processes address the risk posed by compromised credentials.”
To help mitigate risks, the FFIEC recommends financial institutions consider the following steps:
• Conduct ongoing information security risk assessments. Financial institutions should maintain an ongoing information security risk assessment program that considers new and evolving threat intelligence related to online accounts and adjusts customer authentication, layered security, and other controls in response to identified risks.
• Perform security monitoring, prevention and risk mitigation. Financial institutions need to ensure that protection and detection systems, such as intrusion detection systems and antivirus protection, are kept up to date, and that firewall rules are configured correctly and reviewed periodically.
• Protect against unauthorized access. The FFIEC said institutions should limit the number of credentials with elevated privileges, especially administrator accounts, and periodically review access rights to confirm that approvals remain appropriate to the job function.
• Implement and test controls around critical systems regularly. Institutions should ensure appropriate controls — such as access control, segregation of duties, audit, and fraud detection and monitoring systems — are implemented for systems based on risk.
• Enhance information security awareness and training programs. The FFIEC said financial institutions should conduct regular, mandatory information security awareness training, including how to identify and prevent successful phishing attempts.
• Participate in industry information-sharing forums. Information-sharing organizations can improve an institution’s ability to identify threats and attack tactics and to mitigate cyberattacks against its systems, including those involving destructive malware.
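The “protect against unauthorized access” step above names a control (limit privileged credentials, periodically re-confirm approvals) without saying how a review is actually run. The following Python script is an added illustration, not code from the FFIEC statement or from any institution, of one way to do that reconciliation: it compares a privileged-group membership export against an approval register and an HR role feed and reports every entry that should be closed or re-approved. All three data sets are constructed for the example; the 180-day re-approval interval and the exemption of service accounts from HR matching are assumptions, not FFIEC requirements.

```python
from datetime import date, timedelta

# Assumption for this example: privileged approvals must be renewed every 180 days.
REVIEW_INTERVAL = timedelta(days=180)

# Constructed sample: current members of privileged groups, e.g. a directory export.
MEMBERSHIP = [
    ("alice", "Domain Admins"),
    ("bob", "Domain Admins"),
    ("carol", "Payments-Operators"),
    ("svc-swift-gw", "Payments-Operators"),
    ("dave", "Domain Admins"),
]

# Constructed approval register: (user, group, approver, approved_on, approved_job_role).
APPROVALS = [
    ("alice", "Domain Admins", "cio", date(2016, 1, 10), "platform engineer"),
    ("bob", "Domain Admins", "cio", date(2015, 3, 1), "platform engineer"),
    ("erin", "Domain Admins", "cio", date(2016, 2, 1), "platform engineer"),
    ("carol", "Payments-Operators", "treasury-head", date(2016, 5, 2), "payment operator"),
    ("svc-swift-gw", "Payments-Operators", "treasury-head", date(2016, 5, 2), "service account"),
]

# Constructed HR feed: current role per person; anyone missing has left or is not a person.
HR_ROLES = {"alice": "platform engineer", "bob": "help desk", "carol": "payment operator"}


def review_privileged_access(membership, approvals, hr_roles, as_of,
                             review_interval=REVIEW_INTERVAL):
    """Reconcile privileged-group membership against approvals and HR roles.

    Returns (findings, counts):
      findings - sorted list of (user, group, reason) needing removal or re-approval
      counts   - members per privileged group, the metric behind "limit the number
                 of credentials with elevated privileges"
    """
    approved = {(u, g): (approver, when, role) for u, g, approver, when, role in approvals}
    findings = []
    counts = {}
    for user, group in membership:
        counts[group] = counts.get(group, 0) + 1
        record = approved.get((user, group))
        if record is None:
            findings.append((user, group, "no approval on file"))
            continue
        _approver, when, approved_role = record
        if as_of - when > review_interval:
            findings.append((user, group,
                             f"approval from {when} older than {review_interval.days} days"))
        if approved_role == "service account":
            # Assumption: service accounts are attested by an owner, not matched to HR.
            continue
        current_role = hr_roles.get(user)
        if current_role is None:
            findings.append((user, group, "no active HR record (leaver?)"))
        elif current_role != approved_role:
            findings.append((user, group,
                             f"role changed: approved as {approved_role!r}, now {current_role!r}"))
    # An approval with no matching member is stale and should be closed so it cannot
    # be used later to justify re-adding the account without a fresh review.
    members = set(membership)
    for user, group in approved:
        if (user, group) not in members:
            findings.append((user, group, "approval on file but not a member; close it"))
    return sorted(findings), counts


def run_review(as_of=date(2016, 7, 1)):
    """Run the review over the constructed sample data as of a fixed date."""
    return review_privileged_access(MEMBERSHIP, APPROVALS, HR_ROLES, as_of)


if __name__ == "__main__":
    findings, counts = run_review()
    for group, n in sorted(counts.items()):
        print(f"{group}: {n} privileged member(s)")
    for user, group, reason in findings:
        print(f"REVIEW  {user:14} {group:20} {reason}")
```

On the sample data the script flags bob twice (his approval is older than the interval and his HR role no longer matches the one approved), dave (member with no approval) and erin (approval with no member), while alice, carol and the service account pass. In a real run the three inputs would come from the directory, the access-request system and HR rather than from literals, and the findings would feed the periodic attestation the FFIEC describes.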
The FFIEC is made up of principals of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau and State Liaison Committee.
To read the full statement, visit https://www.ffiec.gov/press/PDF/Cybersecurity_of_IMWPN.pdf.