The Federal Financial Institutions Examination Council (FFIEC) agencies issued joint statements in April to notify financial institutions of the risks associated with cyber-attacks on ATM and card authorization systems, and the continued distributed denial of service (DDoS) attacks on public websites.

The statements describe steps the regulators expect institutions to take to address these attacks and highlight resources they can use to help mitigate the risks posed by such attacks.

‘Unlimited Operations’

The agencies warned institutions of a type of ATM cash-out fraud the U.S. Secret Service characterizes as “Unlimited Operations.”

The is a category of ATM cash-out fraud where criminals withdraw funds beyond the cash balance in consumers’ accounts or beyond other control limits typically applied to ATM withdrawals.

Criminals perpetrate the fraud by initiating cyberattacks to gain access to Web-based ATM control panels, which enables them to withdraw funds from ATMs using stolen debit, prepaid, or ATM card account information.

“Unlimited Operations” may cause financial institutions to incur large dollar losses. Therefore, regulators expect institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes.

DDoS attacks

Regulators expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans. In accordance with regulatory requirements and the FFIEC Information Technology Handbook on Business Continuity Planning and Information Security, regulators expect institutions to take these steps:

• Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
• Monitor Internet traffic to the institution’s website to detect attacks;
• Activate incident response plans and notify service providers as appropriate if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
• Ensure sufficient staffing for the duration of the DDoS attack and consider hiring precontracted third-party servicers that can assist in managing the Internet-based traffic flow. Identify how the institution’s Internet service provider can assist in responding to and mitigating an attack;
• Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement. Attacks can change rapidly, and sharing information can help institutions identify and mitigate new threats and tactics; and
• Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments. Adjust risk management controls accordingly.