US FDIC and Office of Comptroller sound cybersecurity alarm for banks


U.S. financial institutions should prepare for a “worst-case scenario” cyberattack by foreign nation-state actors and take steps now to reduce their vulnerabilities and improve their resilience, federal agencies recently advised. Here’s a quick test to see how well your financial institution can withstand heightened cyber risk.

The U.S. Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller (OCC) on Jan. 16, 2020 issued a joint bulletin alerting the financial services (FS) sector to the heightened threats amid rising geopolitical tensions, and advising institutions to mitigate risks to systems, networks, data, and critical business functions.

The bulletin, unprecedented from regulatory agencies in its level of urgency with respect to cybersecurity, follows the revelation early in 2020 of critical vulnerabilities in three widely used business software products—vulnerabilities that could be exploited for geopolitical interests.

These vulnerabilities provide portals through which malevolent actors might access and wreak devastating damage to individual banks and, by extension, the entire U.S. economy. The threat to U.S. critical infrastructure in financial services has never been higher.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Jan. 6 detailed the escalated foreign threat to U.S. targets and interests at home and abroad, warning of the potential for “retaliatory aggression” including disruptive and destructive cyber attacks, cyber-enabled espionage and theft of intellectual property, and disinformation campaigns against the U.S.

An attack on the financial system could have an immense destabilizing effect on consumer confidence. Theft of their credit card or bank information, identity theft, loss of their data, and being locked out of their financial accounts are among consumers’ greatest privacy and security concerns, according to a forthcoming PwC Consumer Intelligence Series survey on trust in technology.

“When financial institutions apply these (sound cybersecurity risk management) principles and risk mitigation techniques, they reduce the risk of a cyber attack’s success and minimize the negative impacts of a disruptive and destructive cyber attack,” the joint release states.

A three-pronged approach

To help financial institutions prepare for and resist these attacks, the FDIC and OCC recommend a three-pronged approach focusing on cyber risk management’s “three R’s” — response, resilience, and recovery — as well as systems configuration and authentication.

Malware is a particularly nefarious culprit that can cripple financial institutions’ ability to provide services and could even lock customers out of their accounts, the bulletin points out. System backups are crucial, but real-time techniques such as systems mirroring and data replication run the risk of replicating the malware used in the attack, corrupting backup systems irreversibly.

To diminish the damage that malware can wreak, banks should segment their networks and backups, and retain copies offline.

“Uninfected backup data is essential to recovery capabilities in scenarios where destructive malware corrupts not only the primary data but also backup systems,” the bulletin states.

Ready for a time of heightened cyber risk? The three questions you must ask now

1. How fast can my organization come back from a cyber attack?

Response, resilience, recovery

The agencies recommend that FS institutions maintain business resilience plans that address response to and recovery from a destructive cyberattack, have relationships with law enforcement and forensic experts, test their resilience periodically, and consider insuring themselves against the costs of an attack.

A “comprehensive system and data backup strategy” is key, the agencies suggest, including routine, periodic backups; secure off-site storage; periodic tests of the ability to reconstruct data; and measurement of practices against industry standards and frameworks such as Sheltered Harbor.
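The bulletin’s two backup points above (offline, segmented copies so that malware replicated into a mirror does not corrupt every copy; and periodic tests of the ability to reconstruct data) can be exercised with a small restore drill. The following is an added example, not code from the bulletin or from PwC: it records a hash manifest for each nightly backup generation at the time the generation is taken, assumes the manifest is kept on separate offline media, and before a restore verifies each generation newest-first, choosing the newest one that still matches its manifest. The file names and the "nightly generation" layout are constructed for the illustration.

```python
"""Verify offline backup generations against hash manifests before restoring."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record the hash of every file in one backup generation.

    Assumption: the returned manifest is written to separate, offline media
    (or a write-once store), not alongside the backup it describes.
    """
    manifest = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            manifest[name] = sha256_of(path)
    return manifest


def verify_backup(backup_dir, manifest):
    """Return (file, reason) pairs for files that are missing or altered since capture."""
    problems = []
    for name, expected in manifest.items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
        elif sha256_of(path) != expected:
            problems.append((name, "hash mismatch"))
    return problems


def newest_clean_generation(generations, manifests):
    """generations is ordered oldest to newest; return the newest one that verifies."""
    for gen in reversed(generations):
        if not verify_backup(gen, manifests[gen]):
            return gen
    return None


def demo():
    """Constructed drill: three nightly generations; the newest is corrupted after capture."""
    root = tempfile.mkdtemp()
    generations, manifests = [], {}
    for night in range(3):
        gen_dir = os.path.join(root, f"gen{night}")
        os.mkdir(gen_dir)
        with open(os.path.join(gen_dir, "ledger.db"), "wb") as f:
            f.write(b"account records, night %d\n" % night)
        manifests[gen_dir] = write_manifest(gen_dir)  # captured at backup time
        generations.append(gen_dir)

    # Simulate destructive malware being replicated into the newest copy.
    with open(os.path.join(generations[2], "ledger.db"), "wb") as f:
        f.write(b"\x00" * 32)

    return {
        "newest_problems": verify_backup(generations[2], manifests[generations[2]]),
        "restore_from": os.path.basename(newest_clean_generation(generations, manifests)),
    }


if __name__ == "__main__":
    print(demo())
```

The drill only proves that a generation is unchanged since it was captured; it is the retention of several older generations, held apart from real-time replication, that gives the restore a clean point to fall back to.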

The bulletin comes amid a shift to resilience-based thinking in the financial sector at large.

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) on Jan. 28 released “Cybersecurity and Resiliency Observations,” guidance for cybersecurity and operational resilience based on thousands of financial sector examinations.

The OCIE report reinforces an ongoing shift among bank regulators, who are expanding the old business continuity planning and disaster recovery (BCP/DR) model to encompass all aspects of resilience (i.e., operational and cyber) and effectively setting a new bar for regulated entities.

Regulators already have been issuing resilience-focused Matters Requiring Attention (MRA) supervisory letters directly to financial institutions—even before the Federal Financial Institutions Examination Council (FFIEC) published its new Business Continuity Management guidebook for bank examiners. The updated FFIEC guide emphasizes resilience and timely recovery of critical business functions.


2. How well does my organization keep cyber intruders out?

Network and system configurations

Fine-tuning network and system configurations can do much to stymie a would-be intruder. The FDIC/OCC bulletin admonishes banks to review their settings including default system settings, default user profiles, and security settings, and to make changes where necessary for tighter security. Applying software patches and upgrades as soon as possible is “critical,” the agencies add.

Network configurations should allow only approved ports, protocols, and services, and disable unnecessary ones, the bulletin recommends. It suggests reviewing default user accounts and settings; limiting removable media access; scanning all hardware, network components, firmware, and operating systems to ensure that critical patches have been installed; using and updating anti-malware; configuring email systems to detect and block spoofing, phishing, and other malicious email types; and continuously monitoring networks that connect to third-party service providers.
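The first of those recommendations, allowing only approved ports, protocols, and services, is easiest to keep honest when the approved set is written down as a baseline and hosts are checked against it. Below is an added example, not from the bulletin or from PwC: a small audit that parses listening-socket lines in the shape of `ss -tulnH` output and reports anything outside an approved baseline, including a service that is permitted but is bound to all interfaces when the baseline only allows loopback. The sample output and the baseline for a "web-facing host" are constructed for the illustration.

```python
"""Audit a host's listening sockets against an approved ports/protocols baseline."""

# Constructed sample in the shape of `ss -tulnH` output (Netid State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port); not captured from a real host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
"""

# Hypothetical approved baseline for a web-facing host: (protocol, port) maps to
# the set of bind addresses that are permitted, or "*" for any address.
APPROVED = {
    ("tcp", 22): "*",
    ("tcp", 443): "*",
    ("tcp", 5432): {"127.0.0.1", "[::1]"},  # database reachable from localhost only
}


def parse_ss(text):
    """Yield (protocol, bind_address, port) for each socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # handles "[::]:22" as well as "0.0.0.0:22"
        yield proto, addr, int(port)


def audit(text, approved):
    """Return a list of human-readable findings; an empty list means the host matches the baseline."""
    findings = []
    for proto, addr, port in parse_ss(text):
        rule = approved.get((proto, port))
        if rule is None:
            findings.append(f"{proto}/{port} on {addr}: not in approved baseline")
        elif rule != "*" and addr not in rule:
            findings.append(f"{proto}/{port} on {addr}: must bind only to {sorted(rule)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, APPROVED):
        print(finding)
```

Run periodically, a check like this turns the bulletin’s "disable unnecessary ones" into a measurable drift report: the telnet and SNMP listeners in the constructed sample would be flagged on every run until someone either removes them or deliberately adds them to the baseline.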


3. How do I know we’re dealing with legitimate users only?

Identity and access management

Authenticating the identity of internal and external system users, and restricting access so that only authorized entities can enter and use systems, are important practices for preventing successful phishing attacks and false logins. Leading controls include multi-factor authentication, risk-based authentication, role-based access controls that limit user privileges to what each role needs, limits on administrator and other privileged-user accounts, and regular access reviews.

The bulletin also highlights the need for employee security-awareness training, security staff and tools including penetration testing and continuous monitoring, and encryption of sensitive and critical data.
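Several of the controls listed above (role-based limits on privileges, limits on privileged accounts, and regular access reviews) come together in the access review itself. The following is an added example, not from the bulletin or from PwC: given a role-to-entitlement matrix and a set of user records, it flags entitlements that exceed the user’s role, privileged accounts that lack multi-factor authentication, and accounts that have gone dormant. The role matrix, the 90-day dormancy threshold, and the user records are all constructed for the illustration.

```python
"""Periodic access review: flag accounts that violate role, privilege, or MFA expectations."""
from datetime import date, timedelta

# Hypothetical role matrix: the most each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking.read", "core_banking.post_txn"},
    "analyst": {"core_banking.read", "reports.read"},
    "sysadmin": {"core_banking.read", "os.admin", "db.admin"},
}
# Entitlements treated as privileged; holders must have MFA enrolled.
PRIVILEGED = {"os.admin", "db.admin"}

# Constructed sample user records, not exported from any real directory.
USERS = [
    {"id": "alice", "role": "teller", "mfa": True,
     "entitlements": {"core_banking.read", "core_banking.post_txn"},
     "last_login": date(2020, 2, 10)},
    {"id": "bob", "role": "analyst", "mfa": True,
     "entitlements": {"core_banking.read", "reports.read", "db.admin"},
     "last_login": date(2020, 2, 1)},
    {"id": "carol", "role": "sysadmin", "mfa": False,
     "entitlements": {"core_banking.read", "os.admin", "db.admin"},
     "last_login": date(2020, 2, 12)},
    {"id": "svc_legacy", "role": "analyst", "mfa": True,
     "entitlements": {"reports.read"},
     "last_login": date(2019, 9, 1)},
]

REVIEW_DATE = date(2020, 2, 14)  # constructed "today" for the drill


def review(users, today, dormant_days=90):
    """Return {user_id: [issues]} for every user with at least one finding."""
    findings = {}
    for user in users:
        issues = []
        allowed = ROLE_ENTITLEMENTS.get(user["role"], set())
        excess = user["entitlements"] - allowed
        if excess:
            issues.append(f"entitlements beyond role '{user['role']}': {sorted(excess)}")
        if (user["entitlements"] & PRIVILEGED) and not user["mfa"]:
            issues.append("privileged account without MFA")
        if today - user["last_login"] > timedelta(days=dormant_days):
            issues.append(f"dormant for more than {dormant_days} days")
        if issues:
            findings[user["id"]] = issues
    return findings


def demo_review():
    """Run the review over the constructed records as of the constructed review date."""
    return review(USERS, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, issues in demo_review().items():
        print(user_id, "->", "; ".join(issues))
```

The point of encoding the role matrix is that "limits according to need" becomes something the review can test mechanically rather than a judgment each reviewer makes afresh; an unknown role yields an empty allowed set, so every entitlement on such an account is reported.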


It’s time to up your resilience game

Regulatory focus on resilience in the financial sector is not new. The FFIEC and, in the UK, the Bank of England have for several months been urging banks to improve their ability to recover in a timely manner from disruptions in their most critical business functions. Even before the FFIEC guidance emerged, regulators were issuing “Matters Requiring Attention” (MRA) notices to banks alerting them to the need for greater operational resilience.

Clearly, regulators recognize that, in this era of increasing digital connections and interconnections, no institution is an island; nor, when it comes to security, is any business function. All hands must be on deck, working together to ensure that, in the event of a cyberattack, resilience plans are up-to-date to reflect current technologies, ever-more-sophisticated capabilities, and rising stakes that threaten increasingly devastating loss.

Contact us

Sean Joyce, Global and US Cybersecurity, Privacy & Forensics Leader, PwC US
Joseph Nocera, Cyber & Privacy Innovation Institute Leader, PwC US
Shawn Connors, Principal, Cybersecurity and Privacy, PwC US
Michael Hodges, Managing Director, Cybersecurity and Privacy, PwC US
