Recently, the Federal Financial Institutions Examinations Council (FFIEC) provided a new joint statement notifying financial institutions of the increasing frequency of and severity of cyberattacks involving extortion. Rather than providing specific guidance on potential new regulatory expectations, that statement is intended to alert financial institutions to specific risk mitigation related to the threats associated with cyber attacks involving extortion.
In the statement, the FFIEC recommends that financial institutions take the following steps to mitigate the risk of extortion attacks. These recommendations include:
- Conduct ongoing information security risk assessments. Implement an ongoing information security risk assessment program which can be used to proactively respond to new threats;
- Securely configure systems and services. Evaluate best practices around network security and systems management to mitigate ransomware attacks;
- Protect against unauthorized access. Limit the number of administrator accounts across your organization and only assign elevated privileges to a limited subset of authorized users;.
- Perform security monitoring, prevention, and risk mitigation. Ensure protection and detection systems are current and firewall rules are properly configured and audited on a regular basis;
- Update information security awareness and training programs to include cyber attacks involving extortion. Conduct regular, mandatory training to better identify, prevent, and report phishing attempts and other potential security incidents;
- Review, update, and test incident response and business continuity plans periodically. Test the effectiveness of incident response to ensure all constituents understand their respective responsibilities and appropriate protocols; and
- Participate in industry information-sharing forums. Share information with other financial institutions and service providers into risk mitigation strategies.
To help companies better prepare themselves for these types of attacks, the FFIEC released a cybersecurity assessment tool (CAT) this past summer. The objective of this tool is to help institutions identify the risks and determine their cybersecurity maturity level. The assessment was also designed to provide these organizations with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness.
Their assessment tool consists of two parts: an Internet Risk Profile and a Cybersecurity Maturity Model. The Risk Profile measures an organization’s intrinsic risk based on its products, services and infrastructure alone, before any extra security controls are considered. The amount of built-in risk is then ranked on a five-point scale from Least to Most in five different categories that make up the Inherent Risk Profile. The Cybersecurity Maturity portion of the assessment tool is meant to help financial institutions measure risk and choose the right controls that match the amount of risk they are exposed to. It includes evaluation factors and declarative statements that are used to identify specific security practices that are currently in place across five different domains.
How Easy Solutions Can Improve Cybersecurity Maturity
Easy Solutions Total Fraud Protection platform can help bring your institution’s CAT assessment to an advanced or innovative level of cybersecurity maturity. Like the FFIEC CAT assessment, our fraud prevention team likewise believes that it is critical to establish a process for identifying fraud and regularly testing it to ensure potential points of weakness are mitigated. These steps include:
- Fraud Gap Analysis: A fraud gap analysis helps provide a current “fraud state” which serves to validate the effectiveness of the anti-fraud program in place;
- Process Modeling & Analysis: Evaluate all existing processes (i.e., opening a new account) and estimate the relative probability of risk for each process;
- Fraud Risk Assessment: Identify and measure fraud risks before they become real threats
- Define an Oversight Process: Employ defined metrics to help stakeholders measure and benchmark actual incidents of fraud
- Hire a Certified Fraud Specialist: Consider supplementing your team with a fraud specialist who possesses a unique skill set that combines knowledge of complex financial transactions with the understanding of howand why fraud incidents occur.
In addition to these steps, the Easy Solutions Total Fraud Protection platform can help improve your cybersecurity maturity level across all three stated FFEIC domains. You can find more about Total Fraud Protection, here.