Written by Brandy Bruyere, Regulatory Compliance Counsel
Cybersecurity continues to be a hot issue from both a compliance and risk-management standpoint. Given the variety of cyber-attacks that can impact credit unions, last week FFIEC released two statements relating to some specific issues. The first statement addresses cyber-attacks on ATMs and card authorization systems. The second statement discusses the continued problem of distributed denial of service (DDoS) attacks on websites. FFIEC’s statements detail the steps regulators expect credit unions to take with regard to these cyber-threats.
Cyber-attacks on ATMs and Card Authorization Systems
Recently, hackers have targeted ATMs by installing malware programs on a bank or credit union’s network that will allow for “unlimited” withdrawals or “Unlimited Operations.” This means that the hacker could extract money from an account beyond the available balance. FFIEC notes a case where this kind of attack caused over $40 million in fraud using only twelve stolen debit accounts. In other words, these attacks do not have to be broad in nature to cause serious consequences.
FFIEC warns that these kinds of attacks often stem from phishing emails sent to employees in order to gain access to the credit union’s network and install the malware needed to manipulate the ATM’s controls. To mitigate the risks of these attacks, FFIEC outlines steps credit unions are expected to take:
- Conduct ongoing information security risk assessments.
- Perform security monitoring, prevention, and risk mitigation.
- Protect against unauthorized access.
- Implement and test controls around critical systems regularly.
- Conduct information security awareness and training programs.
- Test incident response plans.
- Participate in industry information sharing forums.
These points are discussed in further detail in the FFIEC statement and are worth reviewing, especially as these kinds of cyber-attacks can impact credit unions of all sizes.
DDoS Attacks
DDoS attacks continue to be a problem and can prevent members from accessing the credit union’s web-based services, disrupt employees’ work, slow down a website generally, and even be accompanied by fraud. This means that these attacks can impact several areas of risk, such as reputation risk, operational risk, and capital risk. Credit unions’ security programs should address DDoS cyber-attacks. According to FFIEC, this includes:
- Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
- Monitor Internet traffic to the institution’s website to detect attacks;
- Activate incident response plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
- Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;
- Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement, because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and
- Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
In addition to these FFIEC statements, NCUA has a Cybersecurity Resources webpage to help credit unions navigate these issues. The FFIEC IT Handbook can also be a useful tool when assessing your credit union’s cybersecurity program. Finally, NAFCU members can access a Regulatory Alert summarizing NIST’s Voluntary Cybersecurity Framework, which was just released by our Regulatory Affairs team.