FFIEC Joint Statements on Destructive Malware and Compromised Credentials

Summary:

The Federal Financial Institutions Examination Council (FFIEC) has issued two joint statements to alert financial institutions to specific risk mitigation techniques related to destructive malware and cyber attacks that compromise credentials.

Statement of Applicability to Institutions With Total Assets Under $1 Billion: This Financial Institution Letter applies to all FDIC-supervised financial institutions.

Highlights:

• The joint statement on Cyber Attacks Compromising Credentials discusses the growing trend of cyber attacks designed to obtain online credentials for theft, fraud, or business disruption and recommends risk mitigation techniques. Financial institutions should address this threat by reviewing their risk management practices and controls related to information technology networks and authentication, authorization, fraud detection, and response management systems and processes.
• The joint statement on Destructive Malware discusses the increasing threat of cyber attacks involving destructive malware. Financial institutions and technology service providers should enhance their information security programs to ensure they are able to identify, mitigate, and respond to this type of attack. In addition, business continuity planning and testing activities should incorporate response and recovery capabilities and test resilience against cyber attacks involving destructive malware.
• Both statements reference applicable sections of the FFIEC Information Technology Examination Handbook.

Distribution:

• FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:

• Chief Executive Officer
• Chief Information Officer
• Chief Information Security Officer

Paper copies may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562-2200).