FFIEC Cybersecurity Statement: Shielding Banks from Theft

One of the largest financial cybercrime events in history happened in early 2016. Hackers successfully breached Bangladesh Bank’s systems and attempted to steal nearly $1 billion from its account at the Federal Reserve Bank of New York. By the time it was uncovered, the heist had netted hackers more than $80 million.

Following the event, the FBI released a statement warning U.S. banks of a malicious cyber group targeting foreign banks, saying that, "The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system."

To date, no perpetrator has been identified. Blame for the loss has yet to be determined. Nonetheless, the attacks demonstrated a host of significant issues for banks.

• An ability to compromise a wholesale payment origination environment, bypassing information security controls
• A capability for hackers to use valid operator credentials to create, approve and submit messages
• A sophisticated understanding of funds transfer operations and operational controls
• The use of highly customized malware to disable security logging and reporting, as well as other operational controls to hide fraudulent transactions
• The capacity to transfer stolen funds rapidly across multiple jurisdictions to avoid recovery

FFIEC Statement Regarding Cybersecurity of Interbank Messaging and Wholesale Payment[1]

On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) issued a follow-up statement reminding financial institutions—including community banks—about the vital importance to manage all risks associated with interbank messaging and wholesale payment networks.  

They recommend that banks take a systematic approach to risk management practices and controls associated with information technology (IT) and wholesale payment systems networks. To address threats related to information security, business continuity and third-party provider management, ongoing wholesale risk assessments should include authentication, authorization, fraud detection and response management systems and processes:

1. Conduct ongoing information security risk assessments
2. Perform security monitoring, prevention and risk mitigation
3. Protect against unauthorized access
4. Implement and test controls around critical systems regularly
5. Manage business continuity risk
6. Enhance information security awareness and training programs
7. Participate in industry information-sharing forums

The HORNE Cyber team continues to closely monitor regulations and recommendations. 

Their most important piece of advice for banks is to stay on the offense to secure your network. Combining an adversarial mindset and advanced penetration testing is the most effective way to protect your data, network, and reputation.

While the FFIEC requirements and regulations must be addressed, compliance is insufficient to securing your institution. Replace the perimeter security mindset with a habit of considering what it looks like if an attacker gains access to your system, whether through someone else’s credentials or a compromised node on your network.

In addition, keep in mind that the combination of proper network segmentation, firewalls, strong authentication and patching is likely to provide a more secure environment than any single control alone. Conduct penetration testing and risk assessments on a routine basis.

Banks spent centuries perfecting the secure handling of tangible wealth. Every step of progress criminals made in stealing that wealth was addressed by improvements in physical security and the practices surrounding storing and transferring wealth.

Wealth is no longer directly tied to tangible assets, as it once was. As we saw with the Bangladesh Bank, cyber criminals can steal with an almost unimaginable level of skill and efficiency.

Your bank must evolve security measures to address these new threats. Investing in cybersecurity and a team of trusted partners that can test your security with a hacker mindset is a no-lose proposition. The same can’t be said for the alternative.

Join the conversation and receive updates of new posts:

[1] FFIEC Highlights