On November 3, the Federal Financial Institutions Examination Council (“FFIEC”), the federal agency that regulates the U.S. financial services industry, issued a warning to U.S. banks of a growing threat of cyberattacks involving extortion.
The general threat of cyberattacks comes as no surprise in the wake of highly publicized data breaches. Likewise, cyber security professionals have known of ransomware threats for years. Ransomware traditionally involved malicious code that locks a computer or database until a ransom is paid for the key. Having infiltrated networks with malicious code to extract company information, criminals have also learned from data breaches such as Ashley Madison that the release of that information can be harmful to a company. Exploiting this fear, the criminals threaten to release damaging information unless a ransom is paid. The FFIEC decision to highlight this attack vector confirms that criminals are increasingly using ransomware concepts to monetize their efforts. Financial institutions face a variety of risks from these types of cyber attacks, including liquidity, capital, operational, compliance, and reputation risks.
The FFIEC statement encourages financial institutions to conduct ongoing cybersecurity risk assessments and monitoring of controls and information systems. The FFIEC also provides a Cybersecurity Assessment Tool, a two-part prevention measure designed to increase awareness of cybersecurity risks and to help financial institutions assess and mitigate the cybersecurity risks facing their institutions. This tool helps banks identify factors contributing to cybersecurity risk, assess the institution’s overall cybersecurity risk and preparedness, and identify practices and controls that may need to be added or enhanced to reduce risks. User training and education continue to be a key control – the first step in a system compromise is often an employee’s decision to open an email from an unknown sender, click on a link, or open an attachment from a spoofed known sender. Sound disaster recovery and backup systems and controls are likewise important when ransomware is used to lock down and prevent access to key data.
Troutman Sanders will continue to monitor these developing cybersecurity risks for financial institutions.