FFIEC Statement on Risk Assessment and Controls for Interbank Messaging and Wholesale Payment Networks
Written by Elizabeth M. Young LaBerge, Regulatory Compliance Counsel
It is the first day of NAFCU's Annual Conference and Solutions Expo, and I hope some of you are reading this from Nashville, Tennessee. For those of you who are, enjoy!
Cybersecurity continues to be the dark, scary cloud building on the horizon. On June 7, the FFIEC members (including NCUA) issued a statement stressing the importance of risk-management practices and controls related to information technology systems and wholesale payment networks. The statement specifically referenced recent cyber attacks on interbank messaging and wholesale payment networks. In February of this year, hackers used the credentials of the central bank of Bangladesh to access a messaging system and wholesale payment network established by the Society for Worldwide Interbank Financial Telecommunication (the SWIFT system). The hackers then transferred over $80 million from Bangladesh's account with the Federal Reserve Bank of New York to accounts in the Philippines. More recently, a similar attack using the SWIFT system was made on an unidentified commercial bank.
While the statement does not contain any new guidance, it highlights the need to ensure that proper controls are in place in light of the very real threats presented by these attacks. So what is a credit union to do?
Steps to Managing the Risk Posed by Compromised Credentials
The FFIEC's statement includes seven steps for mitigating the risk posed by compromised credentials.
- Conduct ongoing information security risk assessments. The statement explains that a risk assessment program should be a living one, i.e., consistently adjusting to respond to new and evolving threats. This includes altering authentication, security systems and controls in response to threats as they manifest and mutate. It also includes performing ongoing due diligence and monitoring of third-party service providers.
- Perform security monitoring, prevention and risk mitigation. The statement also discusses the importance of establishing, maintaining and monitoring cybersecurity controls for intrusion detection and antivirus protection. This could include updating software, conducting penetration testing and regularly reviewing reports from monitoring systems.
- Protect against unauthorized access. Limiting credentials and access privileges, reviewing access rights periodically, and monitoring logs for unusual behavior or the use of stale information are critical to preventing the use of compromised credentials. The statement discusses possible protocols and controls, such as expiration periods and geolocation, to prevent unauthorized access.
- Implement and test controls around critical systems regularly. Adequate monitoring, testing, audits and reporting are necessary to ensure controls are effective and functioning. Further, these should be implemented on the basis of the assessed risk. The statement suggests limiting the number of sign-on attempts, locking accounts and implementing alerts so that changes to baseline protections do not go unnoticed.
- Manage business continuity risk. Coordinating business continuity development and testing with third parties can assist a credit union in determining whether its planning actually supports its ability to recover and maintain payment processing operations in the event of a network attack.
- Enhance information security awareness and training programs. The statement recommends regular, mandatory training for employees, tailored to their function and covering the identification and prevention of phishing attempts or other efforts to compromise credentials.
- Participate in industry information-sharing forums. Because the nature and threat of attacks change so quickly, participating in information sharing regarding threats and incidents can help a credit union stay abreast of the newest information and of how to identify, prevent and mitigate these attacks and their damage. The statement suggests joining FS-ISAC, receiving alerts from US-CERT and reporting vulnerabilities to it.
The statement contains further discussion on each of these points, and specific recommendations for implementing the steps. It also provides citations and references to various booklets in the FFIEC IT Examination Handbook, from which these steps are drawn. Lastly, it contains additional resources, which credit unions may find helpful.
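The access and sign-on controls in the third and fourth steps above (limiting sign-on attempts, locking accounts, expiration periods, geolocation, and reviewing logs for unusual behavior) can be reduced to a concrete log-review check. The following is an added example for illustration only; it is not part of the FFIEC statement or of this post. It reviews constructed sign-on log lines and raises an alert for repeated failed attempts (locking the account), activity on a locked account, a successful sign-on from a different country shortly after the previous one, and use of a credential older than the expiration period. The log format, field names, thresholds, user names and issue dates are all assumptions made for the example.

```python
"""Added example: reviewing sign-on logs for the credential controls the
FFIEC statement describes. Log format, thresholds and names are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed thresholds; a real program would set these from its risk assessment.
MAX_FAILED_ATTEMPTS = 3                  # lock the account at this many failures
FAILURE_WINDOW = timedelta(minutes=10)   # ...counted within this window
CREDENTIAL_MAX_AGE = timedelta(days=90)  # expiration period for a credential
GEO_CHANGE_WINDOW = timedelta(hours=1)   # new country within this window is unusual

# Assumed log line format: "<ISO timestamp> user=<id> result=OK|FAIL geo=<country>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(OK|FAIL) geo=([A-Z]{2})$")


def parse_line(line):
    """Parse one log line into a dict; reject anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, user, result, geo = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "result": result, "geo": geo,
    }


def review_log(lines, credential_issued, now):
    """Return a list of (alert_type, user, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed attempts
    locked = set()                # users locked out during this review
    last_ok = {}                  # user -> (timestamp, country) of last success
    stale_reported = set()        # alert once per stale credential

    for rec in (parse_line(line) for line in lines):
        user, ts = rec["user"], rec["ts"]

        # Any activity on a locked account is worth an alert of its own.
        if user in locked:
            alerts.append(("LOCKED_ACCOUNT_ACTIVITY", user, f"{rec['result']} at {ts:%H:%M}"))
            continue

        if rec["result"] == "FAIL":
            # Keep only failures inside the window, then count this one.
            failures[user] = [t for t in failures[user] if ts - t <= FAILURE_WINDOW] + [ts]
            if len(failures[user]) >= MAX_FAILED_ATTEMPTS:
                locked.add(user)
                alerts.append(("LOCKOUT", user, f"{len(failures[user])} failures within {FAILURE_WINDOW}"))
            continue

        # Successful sign-on: reset the failure counter, then apply the checks.
        failures[user].clear()

        issued = credential_issued.get(user)
        if (issued is None or now - issued > CREDENTIAL_MAX_AGE) and user not in stale_reported:
            stale_reported.add(user)
            alerts.append(("STALE_CREDENTIAL", user, "credential older than expiration period"))

        prev = last_ok.get(user)
        if prev and prev[1] != rec["geo"] and ts - prev[0] <= GEO_CHANGE_WINDOW:
            alerts.append(("GEO_ANOMALY", user, f"{prev[1]} then {rec['geo']} within {ts - prev[0]}"))
        last_ok[user] = (ts, rec["geo"])

    return alerts


# Constructed sample data for the example (not real log records).
SAMPLE_LOG = [
    "2016-02-04T20:00:00Z user=payops1 result=OK geo=US",
    "2016-02-04T20:30:00Z user=payops1 result=OK geo=DE",   # new country 30 minutes later
    "2016-02-04T21:00:00Z user=payops2 result=FAIL geo=US",
    "2016-02-04T21:02:00Z user=payops2 result=FAIL geo=US",
    "2016-02-04T21:03:00Z user=payops2 result=FAIL geo=US",  # third failure -> lockout
    "2016-02-04T21:04:00Z user=payops2 result=OK geo=US",    # activity on a locked account
    "2016-02-04T22:00:00Z user=svc_old result=OK geo=US",    # credential past expiration
]
CREDENTIAL_ISSUED = {  # assumed issue dates for the sample credentials
    "payops1": datetime(2016, 1, 10, tzinfo=timezone.utc),
    "payops2": datetime(2016, 1, 10, tzinfo=timezone.utc),
    "svc_old": datetime(2015, 6, 1, tzinfo=timezone.utc),
}
NOW = datetime(2016, 2, 5, tzinfo=timezone.utc)


def run_sample():
    """Review the constructed sample log with the assumed thresholds."""
    return review_log(SAMPLE_LOG, CREDENTIAL_ISSUED, NOW)


if __name__ == "__main__":
    for alert_type, user, detail in run_sample():
        print(f"{alert_type:24} {user:10} {detail}")
```

The point of the example is that each control in the statement maps to a small, testable rule over the sign-on log, and that the thresholds are inputs to be set from the risk assessment rather than constants baked into the tool. In practice the log source would be the payment network's own access logs, and the lockout would be enforced by the authentication system rather than by a reviewing script.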
Hope we see you in Music City!