The FFIEC’s recent joint statement to financial institutions is clear: fighting DDoS attacks is no longer a choice.
In April of this year, the FFIEC statement set out to “notify financial institutions of the risks associated with cyber-attacks on Automated Teller Machines and card authorization systems and the continued distributed denial of service attacks on public-facing websites.”
Citing as an example the frenzy of DDoS attacks on major banks in late 2012, the notice points out that “financial institutions of all sizes that experience DDoS attacks may face a variety of risks, including operational risks and reputation risks. If the attack is coupled with attempted fraud,” the statement continues, “a financial institution may also experience fraud losses as well as liquidity and capital risks.”
The potential impacts of a DDoS attack are widely known in the financial industry, and the FFIEC statement leaves no question about what banks and financial institutions are expected to do to prevent them. In the statement, the inter-agency body (which includes the FDIC, the Federal Reserve and the Consumer Financial Protection Board, among others) outlines six specific steps it expects financial institutions to take in accordance with regulatory requirements.
The six steps are as follows:
1) Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts.
2) Monitor internet traffic to the institution’s website to detect attacks.
3) Activate incident response plans and notify service providers if the institution suspects a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts.
4) Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers that can assist in managing the internet-based traffic flow.
5) Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and/or law enforcement, as attacks can change rapidly and sharing information can help other institutions identify and mitigate new threats and attacks.
6) Evaluate any gaps in the institution’s response following attacks and in ongoing risk assessments, and adjust risk management controls accordingly.
In short, banks and financial institutions are now required to monitor for and mitigate DDoS attacks, and the FFIEC expects these institutions to address DDoS readiness as part of their ongoing information security and incident response plans.
With sustained DDoS attacks exceeding 10 Gbps in 2014, the guidelines could not come soon enough for financial institutions, which are counted among the organizations most likely to be targeted by cyber attacks.