October 07, 2013

FFIEC: Plan now for change in XP support

Financial institutions should start working now to address the risk and service implications of Microsoft's plan to discontinue extended support for Windows XP next April, the Federal Financial Institutions Examination Council agencies said in a statement Monday.

NAFCU raised this issue with NCUA last month, noting the potential impact this discontinuation would have on credit unions.

"We will continue to make sure NCUA is aware of any of our members' concerns with this or other changes relative to technology," NAFCU Regulatory Affairs Counsel PJ Hoffman said.

The FFIEC statement said Microsoft will discontinue extended support for XP on April 8, 2014. The agencies warned that XP used in computers, servers and possibly even ATMs could be exposed to increased risk. Furthermore, the agencies noted that financial institutions that are required to abide by the Payment Card Industry Data Security Standard and that continue to use XP after April 8 may no longer be in compliance.

Regulators said financial institutions – including credit unions – should evaluate their risk management processes if they choose to continue using XP. They said important actions to consider include:

  • identifying and measuring the risk from the continued use of XP;
  • considering costs and potential risks in selecting a mitigation strategy;
  • conducting appropriate planning to address priorities for changes; and
  • monitoring the risk mitigation to ensure an acceptable level of risk.

Last month, NAFCU Vice President of Information Technology Eric Miller pointed out that discontinued operating system support of XP doesn't mean the system won't work anymore. "However, Microsoft is unlikely to release any new patches to fix new vulnerabilities in XP," he said.

Monday's FFIEC statement was sent by the Federal Reserve Board, FDIC, NCUA, the Office of the Comptroller of the Currency, CFPB and the State Liaison Committee.