FFIEC: New Threats to Banks? Experts Weigh Reasons for New Regulatory Warnings
Two new cyberthreat alerts from the Federal Financial Institutions Examination Council are primarily designed to make sure that smaller banks and credit unions are taking action to mitigate ongoing threats, several financial security specialists say.
While these observers say the alerts are not necessarily an indicator of a looming increase in attacks, Shirley Inscoe, a financial fraud expert and analyst for consultancy Aite, says the alerts could suggest that regulators are aware of new threats that have not yet been made public.
"The federal government monitors a lot of chatter, and it makes me speculate that there could be some upcoming attacks financial institutions need to prepare for quickly," she says. "Most banks would not be prepared for an attack like the one mounted against Sony Pictures, and having one or more banks unable to operationally withstand such attacks could have a very detrimental effect against the affected payment systems. Depending on how many banks were affected, the result could be catastrophic to our economy."
The Office of the Comptroller of the Currency, the lead agency for the FFIEC, did not immediately respond to Information Security Media Group's request for comment about the catalyst for the alerts.
The Latest Regulatory Alerts
On March 30, the FFIEC issued alerts about the theft of credentials used to perpetrate fraud, steal intellectual property or disrupt business, and new threats posed by wiper malware, which removes data from systems and devices (see FFIEC Issues Malware, Attack Alerts).
This week's alerts are designed primarily to reiterate the FFIEC's earlier advice on threat mitigation, several observers say (see FFIEC Issues Cyber-Resilience Guidance and FFIEC to Prepare New Cyber-Risk Policy).
"I think everybody knows these breaches are becoming so frequent and prevalent that this is just a reminder," says one compliance executive with a leading U.S. bank, who asked not to be named.
Focus on Smaller Institutions
Financial fraud expert Avivah Litan, an analyst for the consultancy Gartner, says that while most top-tier institutions are well-prepared to defend against and detect the types of attacks about which FFIEC has issued warnings, smaller institutions, because of budget constraints and limited staff, are not. The FFIEC will continue to issue updates to make sure institutions of all sizes are paying attention to the latest threats, she says.
"The volume of attacks against financial institutions has noticeably risen in the past year," Litan says. "The range of attackers against banks is wide - and includes cybercriminals, insiders, cyber spies, nation-states and terrorists. It's not getting any better. In fact, the situation is getting much worse, and only the most diligent and security-aware FIs will come out of this period unscathed."
What's more, Litan says most of the ongoing attacks striking the financial sector are not disclosed to the public. And even though most of these types of attacks, which don't result in a significant loss of data, are seen by institutions as being relatively harmless, "the relentless nature of the attacks is cause for concern" for regulators, she says.
The mass quantities of usernames and passwords, as well as email addresses, that have been stolen by hackers from various business sectors are putting consumers at risk, Litan says. "This stolen data isn't just sitting around. It's being actively sold and used by the buyers to commit fraud and malicious, destructive activities."
Federal banking regulators are concerned about how hackers might use these compromised credentials, Litan says.
"Some attacks are 'mass production' attacks," where criminals are testing stolen credentials against different institutions to see which ones work, she says. "Other attacks are targeted. They start with phishing emails sent to select employees, and end with the criminals getting access to highly sensitive systems that are only accessible via privileged accounts."
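The "mass production" pattern Litan describes has a recognisable footprint in an institution's own authentication logs: one source address cycling through many distinct account names in a short window, with most attempts failing and the occasional success marking a stolen credential that still works. The following detector is an added example written for this article, not code from the FFIEC, Gartner or any institution; the log format, the sample lines and the thresholds (10-minute window, at least 8 distinct accounts, at most 20% success) are all assumptions chosen to illustrate the idea.

```python
"""Flag bulk credential testing in an authentication log.

Added example for this article (not FFIEC or vendor code). Assumed log line
format:  <ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>
Thresholds are assumptions; tune them to the institution's own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One source walks ten accounts in
# ten seconds with a single hit; the other two sources look like normal users.
SAMPLE_LOG = """\
2015-04-01T09:00:01 203.0.113.7 alice FAIL
2015-04-01T09:00:02 203.0.113.7 bob FAIL
2015-04-01T09:00:03 203.0.113.7 carol FAIL
2015-04-01T09:00:04 203.0.113.7 dave SUCCESS
2015-04-01T09:00:05 203.0.113.7 erin FAIL
2015-04-01T09:00:06 203.0.113.7 frank FAIL
2015-04-01T09:00:07 203.0.113.7 grace FAIL
2015-04-01T09:00:08 203.0.113.7 heidi FAIL
2015-04-01T09:00:09 203.0.113.7 ivan FAIL
2015-04-01T09:00:10 203.0.113.7 judy FAIL
2015-04-01T09:05:00 198.51.100.9 alice FAIL
2015-04-01T09:05:20 198.51.100.9 alice FAIL
2015-04-01T09:05:40 198.51.100.9 alice SUCCESS
2015-04-01T10:00:00 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Parse log text into (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def find_credential_testing(events, window=timedelta(minutes=10),
                            min_accounts=8, max_success_ratio=0.2):
    """Return {source_ip: summary} for sources that look like bulk credential testing.

    A source is flagged when, inside any `window`, it tries at least
    `min_accounts` distinct usernames and no more than `max_success_ratio`
    of those attempts succeed. The summary reports the widest such window
    and lists the accounts that did succeed, since those are the stolen
    credentials a defender needs to reset first.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()  # chronological; timestamps are unique in the sample
        best = None
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {user for _, user, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(accounts) >= min_accounts and successes / len(span) <= max_success_ratio:
                if best is None or len(span) > best["attempts"]:
                    best = {
                        "attempts": len(span),
                        "distinct_accounts": len(accounts),
                        "successes": successes,
                        "compromised_accounts": sorted(u for _, u, ok in span if ok),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_credential_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The useful output is not just the offending address but the `compromised_accounts` list: a success buried among many failures is the signal that a particular stolen credential is still valid, which is the case for forcing a password reset and reviewing that account's activity. The same sliding-window logic generalises to other keys (one account tried from many addresses, or one user agent across many accounts) by changing what `by_ip` groups on.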
One significant area of risk regulators have repeatedly highlighted is the threat posed by third parties (see OCC Expands on Third-Party Cyber-Risks).
In both of its latest alerts, the FFIEC points out once again why banking institutions must be diligent when it comes to continually ensuring the security of the third parties and service providers with which they work.
By stealing third-party credentials, for example, hackers can gain access to a financial institution's internal systems, the FFIEC notes. As a result, institutions are responsible for testing the effectiveness of all third parties' security plans, the FFIEC states.
Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says regulators are focused on third-party risks because of the known vulnerabilities they pose to consumer and banking data.
"There have been a handful of significant breaches which were leveraged via island hopping through the porous networks of shared and managed service providers," Kellermann says. "The guilds of thieves who target FIs have developed their acumen per the complex ecosystems in the financial sector and are exploiting them. These cybercriminals have conducted lengthy recon [reconnaissance] against the managed service provider community."