FFIEC Releases Revised Management Booklet with Emphasis on Sound IT Governance

On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 booklets that make up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The booklet emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised booklet incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”


FFIEC Issues Joint Statement Regarding Cyber Attacks Involving Extortion

On November 3, the FFIEC issued a statement notifying financial institutions of the increasing frequency and severity of cyber attacks involving extortion. The joint statement urges financial institutions to take steps to ensure effective risk management programs, including but not limited to the following: (i) conducting ongoing information security risk assessments; (ii) performing security monitoring, prevention, and risk mitigation; (iii) implementing and regularly testing controls around critical systems; and (iv) participating in industry information-sharing forums. The statement identifies resources financial institutions can refer to for assistance in mitigating cyber attacks involving extortion.

The OCC also published a bulletin alerting all OCC-supervised institutions of the FFIEC’s joint statement.


Cordray Submits Letter to Trade Associations Regarding TRID Compliance

On October 1, CFPB Director Richard Cordray, on behalf of the FFIEC, responded to correspondence from the American Bankers Association and other trade associations seeking guidance as to their compliance with the Bureau’s Know Before You Owe TILA-RESPA Integrated Disclosure Rule, which will become effective on October 3, 2015. Per Director Cordray’s letter, the FFIEC’s member agencies’ examiners “will expect supervised entities to make good faith efforts to comply with the Rule’s requirements in a timely manner.” Moreover, examiners will take a number of factors into consideration in determining compliance with the Rule, including (i) an institution’s implementation plan; (ii) an institution’s training of its staff; and (iii) how an institution handles any early technical problems or other implementation challenges.


FFIEC Releases Cybersecurity Assessment Tool

As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.


OCC Comptroller Discusses Emerging Payment Systems Technology and Cybersecurity, FFIEC Set to Release Cybersecurity Assessment Tool

On June 3, in prepared remarks delivered at the BITS Emerging Payments Forum, OCC Comptroller Thomas Curry advised that as financial institutions continue to develop payment systems, banks need better preparation for potential cyber-risks. Curry warned that “[c]yber criminals will also probe emerging payment systems for vulnerabilities that they can exploit to engage in money laundering[.]” In addition, Curry advocated for more regulatory oversight of digital currencies and non-bank mobile payment providers, such as ApplePay and Google Wallet. Addressing cybersecurity concerns, Curry called for increased information-sharing to promote best practices and strengthen cybersecurity readiness across the banking industry. In particular, he urged financial institutions – of all sizes – to participate in the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a non-profit founded by the banking industry to facilitate the sharing and dissemination of cybersecurity threat information. Moreover, Curry confirmed that the FFIEC will soon be releasing a Cybersecurity Assessment Tool for financial institutions to use when evaluating their cybersecurity risks and risk management capabilities, observing that the tool will be particularly helpful to community banks as cybersecurity threats continue to increase.


Federal Banking Regulators Expand Scope of EGRPRA Review

On April 6, the Federal Reserve, OCC, and FDIC (Agencies) revealed that their ongoing regulatory review under the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (EGRPRA) will now be expanded to include recently issued regulations. The EGRPRA requires the Agencies and the FFIEC to review and identify outdated, burdensome, or unnecessary regulations at least every 10 years. The regulators have held two public outreach meetings with additional outreach sessions currently scheduled for May 4 in Boston, August 4 in Kansas City, October 19 in Chicago, and concluding on December 2 in Washington, D.C.


FFIEC Releases Statements on How Financial Institutions Can Identify and Mitigate Cyber Attacks

On March 30, the FFIEC announced two separate statements regarding cyber attacks at financial institutions: Statement on Destructive Malware and Statement on Compromising Credentials. The statements come in light of the growing number of attacks within the past two years and outline how financial institutions can ensure that the risk management processes and business continuity planning in place are sufficient for mitigating attacks and recovering from attacks that do occur. Noting the FFIEC’s existing guidelines for financial institutions, the statements include, but are not limited to, reminders to do the following: (i) securely configure systems and services; (ii) improve information security awareness and training programs; (iii) protect against unauthorized access to systems; (iv) participate in information-sharing forums; and (v) continually conduct information security risk assessments.


FFIEC Provides Overview of Cybersecurity Priorities

On March 17, the FFIEC released a summary of its cybersecurity priorities for the remainder of 2015. The FFIEC intends to enhance its cybersecurity preparedness in seven main ways: (i) issuing a cybersecurity self-assessment tool that will help institutions to evaluate cybersecurity risk and risk management capabilities; (ii) improving council members’ process for “gathering, analyzing, and sharing information with each other during cyber incidents;” (iii) ensuring that tested emergency protocols are in place to respond to cyber incidents in coordination with public-private partnerships; (iv) establishing training programs on developing cyber threats and vulnerabilities; (v) updating the Information Technology Examination Handbook; (vi) increasing focus on technology service providers’ ability to respond to cyber threats; and (vii) collaborating and sharing information with law enforcement and intelligence agencies. The seven action items derive from the FFIEC’s 2014 pilot assessment of cybersecurity readiness at over 500 financial institutions.


FFIEC Releases Updated BSA/AML Examination Manual

On December 2, the FFIEC announced the release of its revised BSA/AML examination manual. The updated revisions address supervisory expectations and include regulatory changes since the manual’s last publication in 2010. Significantly modified sections of the examination include (i) Suspicious Activity Reporting, (ii) Currency Transaction Reporting, (iii) Foreign Bank and Financial Accounts Reporting, and (iv) Third-Party Payment Processors. The manual is available on the FFIEC BSA/AML InfoBase.


FFIEC Recommends Financial Institutions Join Information Sharing Forum to Mitigate Cyber Risks

On November 3, the FFIEC released its observations from a cybersecurity assessment of more than 500 institutions, and recommended that all regulated financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a medium to “identify, respond to, and mitigate cybersecurity threats and vulnerabilities.” The FS-ISAC is a non-profit information sharing forum created by industry participants to share physical and cybersecurity threat information within the public and private sectors. The assessment supplemented regularly scheduled bank examinations and built upon supervisory expectations contained within existing FFIEC information technology guidance.


FFIEC Announces Cybersecurity Preparedness Efforts

The Federal Financial Institutions Examination Council (FFIEC) recently announced a series of initiatives aimed at promoting cybersecurity preparedness for community financial institutions throughout the country. One such initiative is the creation of the Cybersecurity and Critical Infrastructure Working Group, which was launched in June 2013 in order to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. This announcement follows the FFIEC’s May 2013 press release that highlighted an emphasis on cybersecurity awareness. The FFIEC press release described a webinar that the FFIEC provided to 5,000 chief executive officers and senior managers from community financial institutions to raise awareness about the pervasiveness of cyber threats, and introduce new vulnerability and risk-mitigation assessments and regulatory self-assessments of supervisory policies and processes.


FFIEC Launches Cybersecurity Resources Web Page

On June 24, the FFIEC unveiled a new web page that will serve as a central repository for current and future FFIEC-related materials on cybersecurity. Although the FFIEC did not release any new resources, the launch shows the continuing focus of banking regulators on emerging cybersecurity risks. The FFIEC noted that the launch coincided with a pilot program through which state and federal regulators will assess how community financial institutions manage cybersecurity and their preparedness to mitigate increasing cyber risks. Regulators are particularly focusing on risk management and oversight, threat intelligence and collaboration, cybersecurity controls, service provider and vendor risk management, and cyber incident management and resilience.


FFIEC Advises Financial Institutions On “Heartbleed” Risks

On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered, material security vulnerability in OpenSSL, a widely used cryptographic library; the defect has existed in OpenSSL since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbook booklets. Finally, the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
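Step (iii) of the alert, identifying vulnerable internal systems, starts with an inventory of which OpenSSL builds are in use. The script below is an added example written for this page, not part of the FFIEC alert: it classifies `openssl version` output against the upstream releases affected by Heartbleed (CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later are fixed, and 0.9.8 and 1.0.0 never contained the TLS heartbeat code). The host names and version strings in `SAMPLE_INVENTORY` are constructed for illustration. One caveat a practitioner should keep in mind: several distributions backported the fix without changing the upstream version string, so a "vulnerable" result here means "verify against the vendor's package changelog", not "confirmed exploitable".

```python
"""Classify OpenSSL version strings against the Heartbleed-affected range.

Added example for the FFIEC Heartbleed alert (not the FFIEC's own code).
Affected upstream releases per CVE-2014-0160: 1.0.1 .. 1.0.1f and 1.0.2-beta1.
Unaffected: 0.9.8.x and 1.0.0.x (no heartbeat extension), 1.1.x and later.
Fixed: 1.0.1g and later, 1.0.2-beta2 and later.

Caveat: vendors such as Debian and Red Hat backported the fix without bumping
the upstream version (e.g. '1.0.1e-2+deb7u5'), so a version-string match is a
triage signal to confirm against the package changelog, not proof.
"""
import re

# Matches 'OpenSSL 1.0.1e 11 Feb 2013', '1.0.2-beta1', '1.0.1e-fips', etc.
_VERSION_RE = re.compile(
    r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([a-z0-9]+))?", re.I
)

# Constructed sample inventory: host -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "mail-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "lb-01": "OpenSSL 1.1.1k  25 Mar 2021",
    "legacy-01": "command not found",
}


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, suffix) or None if no version found.

    For 'OpenSSL 1.0.1e 11 Feb 2013' this yields (1, 0, 1, 'e', '');
    for 'OpenSSL 1.0.2-beta1' it yields (1, 0, 2, '', 'beta1').
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (suffix or "").lower()


def heartbleed_status(text):
    """Classify a version string: 'vulnerable', 'fixed', 'unaffected' or 'unknown'."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter, suffix = parsed
    if (major, minor) != (1, 0):
        # 0.9.8 predates the heartbeat extension; 1.1.x shipped after the fix.
        return "unaffected"
    if patch == 0:
        # 1.0.0 also predates the heartbeat extension.
        return "unaffected"
    if patch == 1:
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g+ carry the fix.
        return "vulnerable" if letter <= "f" else "fixed"
    # 1.0.2: only the first beta shipped with the bug.
    return "vulnerable" if (patch == 2 and suffix == "beta1") else "fixed"


def triage_inventory(inventory):
    """Map each host to its Heartbleed status for a host -> version-string dict."""
    return {host: heartbleed_status(output) for host, output in inventory.items()}


def hosts_needing_key_rotation(inventory):
    """Hosts whose keys and credentials the alert says should be treated as burned.

    The FFIEC alert says keys used on vulnerable servers are no longer viable,
    so every 'vulnerable' host is a candidate for re-keying and password resets
    after patching, not just for the upgrade itself.
    """
    return sorted(h for h, s in triage_inventory(inventory).items() if s == "vulnerable")


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
    print("re-key after patch:", hosts_needing_key_rotation(SAMPLE_INVENTORY))
```

In practice the inventory dict would be fed from a configuration-management or vulnerability-scanner export rather than typed by hand; the classification logic stays the same, and any host that comes back "vulnerable" should be checked against its vendor advisory before it is cleared.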


FFIEC Advises Banks On Website, ATM Cyber Attacks

On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.


Banking Regulators Finalize Social Media Guidance

On December 11, the FFIEC, on behalf of the CFPB, the FDIC, the OCC, the Federal Reserve Board, the NCUA, and the State Liaison Committee, released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions and nonbanks supervised by the CFPB. The guidance was finalized largely as proposed. However, in response to stakeholder comments, the regulators clarified certain provisions. For example, the final guidance clarifies that traditional emails and text messages, on their own, are not social media. The final guidance also explains that to the extent consistent with other applicable legal requirements, a financial institution may establish one or more specified channels that customers must use for submitting communications directly to the institution, and that a financial institution is not expected to monitor all Internet communications for complaints and inquiries, but should take into account the results of its own risk assessment in determining the appropriate approach regarding monitoring and responding to communications. The regulators also clarified that the guidance is not intended to provide a “one-size-fits-all” approach; rather financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the institution’s size, complexity, activities, and third party relationships. The final guidance also contains further discussion regarding the application of certain laws and regulations to social media activities, such as the Community Reinvestment Act. Finally, consistent with other recent regulatory initiatives, the final guidance clarifies that prior to engaging with a prospective third party an institution should evaluate and perform due diligence appropriate to the risks posed.
