FDIC, OCC, DFS Warn Financial Industry About Cyberattacks

Financial Services Law

In new alerts, both state and federal regulators are cautioning the financial services industry about heightened cybersecurity risk amid a climate of increased geopolitical tensions.

The Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) issued a joint statement warning financial institutions about the dangers of cyber risks, and a similar alert came from the New York Department of Financial Services (DFS), which also referenced the specific threat of Iranian cyberattacks. This follows on the Securities and Exchange Commission’s recent focus on cybersecurity and risks that public companies (including public financial institutions) must be aware of and identify to their investors.

What happened

The Department of Homeland Security has indicated a “heightened risk of cyber-attack against U.S. targets because of increased geopolitical tension,” the FDIC and OCC explained in their Joint Statement, providing an opportunity for banks to re-evaluate the adequacy of their safeguards to protect against various types of cybersecurity risk.

Elaborating on standards articulated in existing guidance and resources provided by the Federal Financial Institutions Examination Council, the regulators emphasized that implementing and maintaining effective cybersecurity controls are critical to protecting financial institutions from malicious activity—especially during periods of heightened risk.

“When financial institutions apply these principles and risk mitigation techniques, they reduce the risk of a cyber attack’s success and minimize the negative impacts of a disruptive and destructive cyber attack,” according to the Joint Statement. “While preventative controls are important, financial institution management should be prepared for a worst-case scenario and maintain sufficient business continuity planning processes for the rapid recovery, resumption and maintenance of the institution’s operations.”

Sound risk management for cybersecurity includes response and resilience capabilities, authentication, and system configuration, the FDIC and OCC said.

Under the heading of network configuration and system hardening, the regulators reminded financial institutions to review the appropriateness of default system settings, change default user profiles, configure security settings and implement security monitoring tools. Security updates and system patches are key to maintaining secure systems, the FDIC and OCC added.

An important control point for a financial institution’s cybersecurity program its employees. Ongoing employee training on recognizing cyber threats, phishing and suspicious links will help reduce the ability of malicious actors to gain entry to systems, according to the Joint Statement.

As for security tools and monitoring, financial institutions should employ qualified cybersecurity staff in-house or a qualified managed security service provider firm to actively monitor its systems for network threats and vulnerability. A review system and network audit logs of anomalous activity—with regular review by qualified personnel—and a sufficient penetration testing program should also be implemented, the regulators said.

Finally, the FDIC and OCC recommended that banks maintain a data classification program to identify sensitive and critical data, as well as encrypt or tokenize sensitive and critical data in transit and at rest.

In a similar alert, the DFS got even more specific, citing a vow from the Iranian government to retaliate against the United States for the death of Qassem Soleimani. Given Iranian capabilities and history (including Iranian-sponsored denial-of-service attacks on major banks in 2012 and 2013), “U.S. entities should prepare for the possibility of cyber attacks,” the state regulatory body said.

“DFS therefore strongly recommends that all regulated entities heighten their vigilance against cyber attacks,” the DFS wrote. “While currently there are no specific, credible reports of new Iranian-sponsored cyber attacks in the past few days, all regulated entities should be prepared to respond quickly to any suspected cyber incidents.”

Historically, Iranian-sponsored hacks have relied on common tactics such as email phishing, credential stuffing, password spraying and targeting unpatched devices, according to the alert.

The DFS advised all regulated entities to ensure that vulnerabilities are patched/remediated (especially those that have been publicly disclosed), employees are adequately trained to deal with phishing attacks, full implementation of multifactor authentication has been completed, and disaster recovery plans have been reviewed and updated, with the ability to respond quickly to further alerts.

Don’t forget about nonbusiness hours, the alert noted, as “Iranian hackers are known to prefer hacking over the weekends and at night precisely because they know that weekday staff may not be available to respond immediately.”

Regulated entities should promptly notify DFS of any significant or noteworthy cyberattack, the regulator added, reminding financial institutions that the relevant statute mandates notification “as promptly as possible but in no event later than 72 hours” after a material cybersecurity event.

To read the Joint Statement on Heightened Cybersecurity Risk, click here.

To read the DFS alert, click here.

Why it matters

Investments required for increased network security and breach prevention remain significantly less than the potential cost of a data security incident. Given the warnings from both federal and state regulators, financial institutions would be well served to take another look at their cybersecurity efforts. As the FDIC and OCC noted, the heightened risk offers banks an opportunity to review their existing safeguards with an eye toward mitigating cyber risk.