The Federal Financial Institutions Examination Council (FFIEC) today released advisory statements warning financial institutions of the risks associated with cyber-attacks on ATMs and credit card authorization systems, and with the continued DDoS attacks against public-facing websites.
It is encouraging to see continued awareness and general guidance coming from a recognized authority on cyber threat protection. This advisory statement reinforces the guidance in the Business Continuity Planning and Information Security booklets of the FFIEC Information Technology (IT) Handbook. The Council expects institutions to take the following steps, as appropriate:
"1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
2. Monitor Internet traffic to the institution’s website to detect attacks;
3. Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and
6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly."
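Step 2 of the FFIEC list, monitoring traffic to the institution's website to detect attacks, is the one step that maps directly onto something a security team can put in code. The Python below is an added illustration and is not part of the FFIEC advisory or of any Corero product: it parses web-server access logs in Common Log Format, learns a per-window request rate from an initial baseline period, and raises an alert when a later window exceeds a multiple of that baseline (labelling it single-source or distributed by the share of the top talker) or when any single client exceeds a per-IP request threshold. The log lines are constructed for the example, and the window size, baseline length and thresholds are assumptions that would have to be tuned to a real site's traffic profile.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format as written by Apache/nginx, e.g.
# 203.0.113.7 - - [02/Apr/2014:09:00:01 +0000] "GET /login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (epoch_second, client_ip, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m.group("ip"), m.group("path"), int(m.group("status"))


def detect_flood(lines, window=5, baseline_windows=2, surge_factor=5.0, per_ip_threshold=20):
    """Bucket requests into fixed windows of `window` seconds and raise two kinds of alert.

    - "surge": a window's request count exceeds `surge_factor` times the mean of the first
      `baseline_windows` windows (the learning period); labelled single-source if one IP
      sent more than half of the requests, otherwise distributed.
    - "per-ip rate": a single client exceeds `per_ip_threshold` requests in one window.
    All thresholds are assumed values for this example, not recommended settings.
    """
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    t0 = min(e[0] for e in events)
    total = Counter()                  # window index -> request count
    per_ip = defaultdict(Counter)      # window index -> Counter(client ip)
    for sec, ip, _path, _status in events:
        w = (sec - t0) // window
        total[w] += 1
        per_ip[w][ip] += 1

    baseline = [total[w] for w in range(baseline_windows)]
    baseline_rate = max(sum(baseline) / len(baseline), 1.0)   # floor: an empty baseline must not alert on 1 request

    alerts = []
    for w in sorted(total):
        if w >= baseline_windows and total[w] > surge_factor * baseline_rate:
            _top_ip, top_n = per_ip[w].most_common(1)[0]
            kind = "single-source" if top_n / total[w] > 0.5 else "distributed"
            alerts.append({"window": w, "type": f"{kind} surge", "requests": total[w],
                           "baseline": baseline_rate, "sources": len(per_ip[w])})
        for ip, n in per_ip[w].items():
            if n > per_ip_threshold:
                alerts.append({"window": w, "type": "per-ip rate", "ip": ip, "requests": n})
    return alerts


def build_sample_log():
    """Constructed sample data: 10 s of ordinary browsing, then a 5 s HTTP flood on /login."""
    base = datetime(2014, 4, 2, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(sec, ip, path, status=200):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 1024')

    paths = ["/", "/login", "/accounts", "/static/app.js"]
    for sec in range(10):               # normal: 3 requests/s from customers in 10.0.0.0/24
        for i in range(3):
            add(sec, f"10.0.0.{(sec * 3 + i) % 20 + 1}", paths[(sec + i) % len(paths)])
    for sec in range(10, 15):           # flood: 8 bots x 6 requests/s, server answering 503
        for bot in range(8):
            for _ in range(6):
                add(sec, f"198.51.100.{bot + 1}", "/login", 503)
    return lines


if __name__ == "__main__":
    for alert in detect_flood(build_sample_log()):
        print(alert)
```

On the constructed data the two baseline windows carry 15 requests each, so the flood window's 240 requests trip the surge rule, and because no bot accounts for more than half of them it is labelled distributed, with one per-IP alert per bot. Two caveats matter in practice. First, access logs only record requests that reached the web server: a volumetric flood that saturates the upstream link never appears in them, which is why the FFIEC's steps 3 and 4 put the ISP and pre-contracted mitigation providers in the response plan, and why link-level telemetry (flow records, interface counters) must be watched alongside application logs. Second, a fixed multiple of a short baseline is a starting point only; a production detector has to account for legitimate peaks such as payday logins or a marketing campaign, or it will page the team for the institution's own customers.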
With malicious attacks on financial institutions increasing, from cyber criminals, ideological hacktivists, nation states and even competitors, there is no foreseeable end to the use of DDoS as a common method of intentional business disruption. It is therefore concerning to see how poorly prepared some businesses are for a type of attack that can cause significant loss of revenue and serious damage to the brand.
A recent survey conducted by the SANS Institute, with respondents from various industries including financial services, found that 39% of respondents did not have, or did not know of, a denial-of-service plan for their organization. "These organizations often neglected developing a mitigation plan until a disaster occurred."
The steps recommended by the FFIEC should be the minimum baseline for financial institutions as they prepare more comprehensive business continuity and DDoS readiness plans.