News

FFIEC releases statements, resources to combat cyberthreats

Documents from the Federal Financial Institutions Examination Council are meant to help financial institutions identify and mitigate cyberattacks.

April 3, 2015

The Federal Financial Institutions Examination Council has published two statements intended to help financial institutions identify and mitigate cyberattacks intended to compromise user credentials or introduce malware to a computer system.

Attacks often involve the theft of credentials used by customers, employees, and third parties to authenticate themselves on business applications and systems. Cybercriminals use these stolen credentials to commit fraud and identity theft, modify and disrupt information systems, and obtain, destroy, or corrupt data.

Additionally, cybercriminals might seek to introduce malware into business systems through e-mail attachments and external devices such as USB drives, or through the use of compromised credentials.

In accordance with FFIEC guidance, institutions should:

securely configure systems and services;
review, update, and test incident response and business continuity plans;
conduct ongoing information security risk assessments;
perform security monitoring, prevention, and risk mitigation;
protect against unauthorized access;
implement and regularly test controls around critical systems;
enhance information security awareness and training programs; and
participate in industry information-sharing forums such as the Financial Services Information Sharing and Analysis Center.

Download a PDF file of the FFIEC Statement on Destructive Malware

Download a PDF file of the FFIEC Statement on Compromising Credentials

Additional resources to help raise user awareness about safe online practices: