Skip to content

Bank Regulators Dial Up Concerns About Cyber-Attacks

November 6, 2015

    Because of the concern from banking regulators about the risk to financial institutions from the increasing frequency and severity of cyber-attacks involving extortion, the Federal Financial Institutions Examination Council (FFIEC)[1], on behalf of its members, has advised institutions that they should develop and implement effective programs to ensure that they are able to identify, protect, detect, respond to, and recover from these types of attacks.

    The statement from the FFIEC, and subsequently repeated by its members to institutions they regulate, does not establish new regulations or guidance relating to protection against cyber-attacks.  Rather, it is a strong reminder of the regulators' heightened concerns about cyber-attacks relating to extortion resulting from ransomware, denial of service and theft of sensitive business and customer information to extort payment or other concessions from victims.

    The FFIEC reminds financial institutions that they face a variety of risks from cyber-attacks involving extortion, including liquidity, capital, operational, compliance and reputation risks, resulting from fraud, data loss, and disruption of customer service.  It advises that financial institutions should ensure that their risk management processes and business continuity planning address the risks from these types of cyber-attacks.

    To protect against the increased frequency and severity of potential cyber-attacks involving extortion, the FFIEC recommends that financial institutions consider taking the following steps:

    • Conduct ongoing information security risk assessments.
    • Securely configure systems and services.
    • Protect against unauthorized access.
    • Perform security monitoring, prevention and risk mitigation.
    • Update information security awareness and training programs, as necessary, to include cyber-attacks involving extortion.
    • Implement and regularly test controls around critical systems.
    • Review, update and test incident response and business continuity plans periodically.
    • Participate in industry information-sharing programs.

    If a financial institution is a victim of a cyber-attack involving extortion, whether or not it results in unauthorized access to sensitive customer information, the FFIEC advises that the institution should report the event to law enforcement authorities as well as its primary regulator.  Whether or not a suspicious activity report is required to be filed, the institution should consider doing so in order to aid law enforcement authorities in protecting the financial sector.
    For more information regarding this issue, please contact Tom Brooks at tbrooks@clarkhill.com.

    [1] The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System,
    Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the
    Currency, Consumer Financial Protection Bureau, and State Liaison Committee.

    Related Practice Areas

    Subscribe For The Latest

    Subscribe

    Related

    Event

    Legal, Tax and Infrastructure Requirements for Fleet EV Charging

    Organizations that currently own or intend to acquire electric vehicles can gain insights into tax, legal, and infrastructure requirements by understanding best practices and common mistakes. The panel will also discuss new EV laws and charging technology.

    For companies considering a full or partial transition to EV fleets, the webinar will discuss how to maximize tax rebates, determine optimal legal contracts, and identify funding opportunities. The presentation will also cover infrastructure considerations with regard to electrical and cyber requirements.

    Explore more
    Event

    Recreational Windfall: How to Prepare for Outside Players in Montana’s Cannabis Industry

    Join national cannabis service providers Clark Hill, MGO, and eXp Commercial for a deep dive into the challenges and opportunities facing operators in Montana’s new adult-use cannabis industry.

    Explore more
    News

    Clark Hill Adds Ari Derman to Banking and Financial Services Practice

    Explore more

    The Clark Hill approach is equally pragmatic and growth-minded, which is why we understand our clients’ toughest business challenges. Our multidisciplinary, global team of advisors focuses on smart legal solutions, delivered simply.

    © 2023 Clark Hill PLC.