WASHINGTON–The Federal Financial Institutions Examination Council has issued a warning to financial institutions to be on high alert regarding the frequency and severity cyber of attacks involving extortion, according to an FFIEC joint statement. Credit unions should evaluate their cybersecurity risk management practices, including business continuity planning, to ensure they are prepared to defend against these threats.
The warning was included in a Risk Alert from CUNA Mutual Group.
The FFIEC said that cyber criminals and activists have used ransomware and the threat of denial of service (DoS) attacks to extort hefty payment from victims. The attacks have caused significant impacts on business’ access to data and the ability to provide services.
Meanwhile, the FBI is also reporting that the use of ransomware is on the rise. Financial institutions, businesses, government agencies, educational institutions, and other organizations have been targeted. This has resulted in loss of sensitive data, disruption of services, financial losses incurred to restore systems and data, and reputational harm.
These ransomware scams involve malware that infects computer systems and restricts users’ access to files or threatens permanent destruction of their information unless a ransom is paid. The ransoms have ranged from hundreds to thousands of dollars, typically payable in bitcoins.
In addition, an increase in email extortion campaigns threatening distributed denial of service (DDoS) attacks to organizational websites unless a ransom is paid has also been reported by the FBI.
Recommendations Made
According to CUNA Mutual, credit unions should ensure that their risk management processes and business continuity planning address these specific risks. Specifically, the FFIEC recommends financial institutions:
- Conduct ongoing information security risk assessments;
- Securely configure systems and services;
- Protect against unauthorized access;
- Perform security monitoring, prevention and risk mitigation;
- Update information security awareness and training programs to include cyber attacks involving extortion;
- Implement and regularly test controls around critical systems;
- Review, update and test incident response and business continuity plans periodically.
- Participate in industry information-sharing forums.