Extortion-Based Cyber Attacks: How Financial Institutions Can Mitigate Risk and Business Interruption

November 2015

Extortion-based cyber attacks against financial institutions are on the rise, according to the Federal Financial Institutions Examination Council (“FFIEC”). Issuing a statement earlier this month “Cyber Attacks Involving Extortion,” the FFIEC alerted financial institutions to the increasing frequency and severity of this breed of cyber attack. The guidance is intended to help financial institutions mitigate the significant risks posed by cyber attacks involving extortion, which include damage to an institution's liquidity, capital, operations, access to data and ability to provide services to customers and employees.
 

Summary

According to the FFIEC guidance, cyber attacks involving extortion take a variety of forms, including: (a) ransomware attacks; (b) denial of service (DoS) attacks; and (c) attacks involving theft of sensitive business or customer information, with perpetrators threatening companies with the information's public release.
 
To defend against these attacks, the FFIEC recommends that financial institutions consider the following risk management processes and best practices:
 
  • Conduct ongoing information security risk assessments.
  • Securely configure systems and services.
  • Protect against unauthorized access.
  • Perform security monitoring, prevention and risk mitigation.
  • Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion.
  • Implement and regularly test controls around critical systems.
  • Review, update and test incident response and business continuity plans periodically.
  • Participate in industry information-sharing forums.
 

BDO Insights

The steps laid out by the FFIEC provide an effective roadmap for mitigating the risk and potential impact related to extortion-based cyber attacks. In fact, similar guidance was released in September by the Office of Compliance Inspections and Examinations (“OCIE”) in the National Exam Program Risk Alert, which is applicable to financial institutions governed by the U.S. Securities and Exchange Commission. The guidance is intended to ensure that financial institutions take proactive and ongoing steps to address cyber extortion risks through the implementation of risk management processes and business continuity planning.
 
Financial institutions are well-advised to seek assistance from consultants and technology specialists experienced in developing risk management frameworks and strategies to navigate complex security and compliance issues. BDO assists financial institutions in conducting security risk assessments, testing controls, conducting security monitoring and developing business continuity plans, in addition to implementing cybersecurity risk management programs, strategy and governance.
 
For more information about how financial institutions can safeguard their organizations against cyber extortion, please contact Shahryar Shaghaghi, BDO Consulting Technology Advisory Services National Practice Leader at sshaghaghi@bdo.com.