On November 3, the Federal Financial Institutions Examination Council (“FFIEC”), the interagency body that sets uniform examination standards for the federal and state regulators of U.S. financial institutions, issued a joint statement warning U.S. banks of a growing threat of cyberattacks involving extortion.  

The general threat of cyberattacks comes as no surprise in the wake of highly publicized data breaches, and cybersecurity professionals have known of ransomware for years.  Ransomware traditionally uses malicious code to encrypt files or lock a computer or database until a ransom is paid for the key that restores access.  Criminals who have already infiltrated a network to extract company information have also learned from breaches such as Ashley Madison that the public release of stolen data can itself be damaging to a company.  Exploiting this fear, they threaten to release the data unless a ransom is paid, whether or not they also lock the victim’s systems.  The FFIEC’s decision to highlight this attack vector confirms the increasing use of ransomware concepts by criminals to monetize their intrusions.  Financial institutions face a variety of risks from these attacks, including liquidity, capital, operational, compliance, and reputation risks.   

The FFIEC statement encourages financial institutions to conduct ongoing cybersecurity risk assessments and to monitor their controls and information systems.  The FFIEC also provides its Cybersecurity Assessment Tool, a two-part framework (an Inherent Risk Profile followed by a Cybersecurity Maturity assessment) designed to increase awareness of cybersecurity risks and to help financial institutions assess and mitigate the risks facing their institutions.  The tool helps banks identify the factors contributing to their cybersecurity risk, assess the institution’s overall risk and preparedness, and identify practices and controls that may need to be added or enhanced.  User training and education remain a key control: the first step in a compromise is often an employee’s decision to open an email from an unknown sender, click on a link, or open an attachment from a spoofed but familiar sender.  Sound disaster recovery and backup systems and controls are likewise important when ransomware is used to lock down and prevent access to key data.  Backups provide that protection only if they are kept offline or otherwise inaccessible from the compromised systems and are restored and tested regularly, since ransomware that can reach a connected backup will encrypt it as well. 

Troutman Sanders will continue to monitor these developing cybersecurity risks for financial institutions. 

 

 

Julie D. Hoffmeister

Julie is a partner primarily focusing on financial services litigation. She defends consumer-facing companies of all types in individual claims and class actions, including claims under the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), and the Telephone Consumer Protection Act (TCPA). Julie also applies her litigation knowledge in assisting businesses in developing compliance processes and procedures for the myriad federal consumer protection laws.

Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges, from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.