Bank Regulators Warn About Cyber-Attacks
On April 2, 2014, the FDIC issued a Financial Institution Letter notifying banks of recent “large dollar” ATM fraud and related cyber-attacks aimed at tapping into web-based control panels for ATMs. The FDIC highlighted a recent $40 million theft involving the use of 12 debit card accounts. The FIL included guidance for financial institutions related to reducing financial and other risks associated with cyber-attacks.
According to the FDIC, ATM “cash-out” fraud occurs when cyber criminals withdraw funds in excess of legitimate bank customer accounts or in excess of other typical ATM withdrawal limits. They do this by hacking banks’ web-based ATM control panels and stealing account information. This often involves “phishing” emails, the installation of malware and “skimming.” Then the criminals use fraudulently made bank cards to simultaneously withdraw funds from multiple ATMs in a short time period.
The FDIC highlighted the risks to financial institutions from these cyber-attacks, which include liquidity and capital risks, fraud losses, operational risks and, depending on the institution’s size, reputational risks. Banks may be liable for these losses, even where a bank outsources its card issuing function to a card processor and the breach occurs with the processor.
To reduce the risk, the FFIEC recommended that financial institutions ensure that their risk management processes address the following steps:
- conduct ongoing information security risk assessments;
- perform security monitoring, prevention, and risk mitigation;
- protect against unauthorized access;
- implement and test controls around critical systems regularly;
- conduct information security awareness and training programs;
- test incident response plans; and
- participate in industry information sharing forums.
Helpful resources for institutions include:
- FFIEC Information Security handbook;
- Outsourcing Technology Services handbook; and
- Retail Payment Systems handbook.
A complete copy of the Joint Statement regarding Cyber-Attacks on Financial Institutions can be found here.