FFIEC to FIs: Brace for Extortion Cyber Attacks.
Byline: Roy Urrico
The Federal Financial Institutions Examination Council issued a statement, "Cyber Attacks Involving Extortion," Tuesday alerting financial institutions of the increasing frequency and severity of this particular breed of cyber attacks.
Cyber attacks against financial institutions to extort payment in return for the release of sensitive information are increasing, the FFIEC said.
"Financial institutions should address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems," the statement read. In addition, the council said financial institutions should implement effective business continuity plans for responding to this type of cyber attack to ensure the resiliency of their operations.
Cybercriminals and activists use a variety of strategies, including ransomware, distributed denial of service, and theft of sensitive business and customer information, to extort payment or other concessions from victims, according to the alert. In some cases, these attacks have had significant effects on businesses' access to data and ability to provide services. Some businesses have suffered serious damages through the release of sensitive information.
The statement described how financial institutions should respond to these attacks and highlighted resources institutions can access to mitigate the risks they pose.
The FFIEC recommended financial institutions consider the following steps:
* Conduct ongoing information security risk assessments.
* Securely configure systems and services.
* Protect against unauthorized access.
* Perform security monitoring, prevention and risk mitigation.
* Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion.
* Implement and regularly test controls around critical systems.
* Review, update and test incident response and business continuity plans periodically.
* Participate in industry information-sharing forums.
The FFIEC statement also said institutions that are victims of cyber attacks involving extortion are encouraged to inform law enforcement authorities and notify their primary regulator(s). In the event an attack results in unauthorized access to sensitive customer information, the institution is responsible for notifying its federal and state regulators in accordance with the Interagency Guidelines.