All Things FinReg


The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement warning financial institutions of the increasing frequency and severity of cyber attacks involving extortion, including ransomware, denial of service, and theft of sensitive customer information that is then used to extort victims. In turn, financial institutions are advised to develop and implement effective programs to identify, protect against, detect, respond to, and recover from these types of cyber attacks. Actions to be taken include conducting ongoing risk assessments, assuring the security of systems and services, protecting against unauthorized access, and a number of other specific measures. In addition, financial institutions that are victims of cyber extortion are advised to notify law enforcement agencies and their primary regulatory agencies, especially if sensitive customer information is accessed, and to consider filing Suspicious Activity Reports.

While the joint statement specifically states that it does not purport to create any new regulatory expectations, in fact it recommends a series of specific measures that should be taken in cyber-extortion situations, and reminds financial institutions of their prudential and compliance obligations under current regulatory guidance. More generally, the joint statement underscores the financial agencies’ continuing – and perhaps increasing – concerns over cybersecurity and data breaches.

Financial institutions therefore should treat the joint statement as a regulatory directive on appropriate preventative and response strategies for cyber breaches involving extortion, as well as a reminder to make cybersecurity and data protection a top governance and operational priority that their regulators will regularly test during the examination and supervision process. The FFIEC statement contains links and references to existing guidance and resources from the FFIEC, FBI, and other agencies that, as a threshold matter, financial institutions should review and ensure have been incorporated into their compliance and risk management processes, as appropriate.