Cybersecurity: Cyber Attacks Compromising Credentials Joint Statement

Summary

The Federal Financial Institutions Examination Council (FFIEC), ¹ on behalf of its members, has issued a statement to notify financial institutions of the growing trend of cyber attacks for the purpose of obtaining online credentials for theft, fraud, or business disruption and to recommend risk mitigation techniques. These attacks include theft of users’ credentials—such as passwords, user names, and email addresses—and other forms of identification that customers, employees, and third parties use to authenticate themselves to systems. Attacks also include theft of system credentials, such as certificates. Financial institutions should address this threat by reviewing their risk management and controls over information technology networks and authentication, authorization, fraud detection, and response management systems and processes.

Highlights

In accordance with regulatory requirements and FFIEC guidance, national banks and federal savings associations (collectively, banks) should take appropriate risk mitigation steps, including the following:

• Conduct ongoing information security risk assessments.
• Perform security monitoring, prevention, and risk mitigation.
• Protect against unauthorized access.
• Implement and test controls around critical systems regularly.
• Enhance information security awareness and training programs.
• Participate in industry information-sharing forums.

Further Information

Please contact Valerie Abend, Senior Critical Infrastructure Officer, Operational Risk Division, at (202) 649-6550.

Bethany A. Dugan
Deputy Comptroller for Operational Risk

Related Links

• FFIEC Press Release
• FFIEC Statement (PDF)
• OCC Bulletin 2013-29, "Third-Party Relationships: Risk Management Guidance"