New guidance from the Federal Deposit Insurance Corporation (FDIC) addresses specific risks relating to malware and cyber-attacks that banks should consider in their risk assessments. The FDIC notes the threats aren’t new, but the pace and frequency of cyber-attacks designed to obtain credentials for theft, fraud or business disruption are increasing. In addition, the guidance says banks should review the destructive malware used in cyber-attacks and take steps to identify, mitigate and respond to these types of attacks.
One industry watcher, Brian Krebs, reported on February 15 that the FBI had announced a $3 million reward for information leading to the arrest and/or conviction of a Russian hacker believed to be the architect of the ZeuS banking Trojan, a piece of malware suspected of being used to steal hundreds of millions of dollars from bank accounts at small to midsize businesses in the U.S. and Europe. Reports indicate the base malware code was sold to other cyber criminals for several thousand dollars and could be customized for additional exploits.
Banks should review their risk assessments, evaluate their mitigation strategies, consider additional information security training for their employees and work with vendors under their vendor management programs to evaluate the threats and strategies throughout their IT infrastructure chain.