On November 3rd, 2015, the Federal Financial Institutions Examination Council (FFIEC) issued a statement warning financial institutions of the increasing number of cyber-attacks used to extort money and other allowances from victims, a trend that is seen around the world. For example, news came out in September that several large financial organizations in the United Kingdom were being targeted for bitcoins by cyber extortionists in the DD4BC group. According to the report, 58% of the extortion ring’s targets were financial organizations (banks and credit unions, currency exchangers, and payment processors), and their monthly attacks increased 400% between September 2014 and June 2015. Likewise, representatives from Interpol expressed concern over the growing number of sophisticated cyber-attacks against banks in Russia, Eastern Europe, and other former Soviet states. One very active form of sophisticated attack referenced was cyber extortion.
The FFIEC recently added the “Strengthening the Resilience of Outsourced Technology Services” appendix to its Business Continuity Planning IT Booklet, which details for the first time ways financial institutions (FIs) can increase their cyber-resilience as it relates to technology service providers (TSPs).
JPMorgan Chase and up to four other banks were victims of malicious software cyber-attacks, better known as malware. Malware consists of programs or applications that disrupt or damage the normal operation of a computer or electronic file system. The intent is to give the cyber criminals who created it access to confidential data or other valuable information.
Most financial services firms have developed business continuity and disaster recovery plans to satisfy the minimum standards required for regulatory compliance and recommendations. However, clients depend on a firm’s ability to keep the business running and deliver services despite any disruptions, which is why firms should evolve from simply “checking the box” to implementing a full BC program.
Banks must not only “check the box” when it comes to a variety of business continuity compliance requirements; clients also depend on a bank’s ability to continue the delivery of services regardless of an interruption – including pandemic events.
The guidelines known as Service Organization Controls (SOC) established by the American Institute of Certified Public Accountants are a collective effort to mitigate financial, operational, and compliance risks through adherence to Trust Service Principles.