The guidance – which included no new regulatory expectations – emphasized conducting ongoing information security risk assessments and monitoring, protecting against unauthorized access, implementing and testing controls, managing business continuity risk, enhancing employee cybersecurity awareness and sharing information within the industry. For example, to prevent unauthorized access, the agencies recommended limiting the number of network credentials and reviewing access rights frequently.
The agencies said:
Financial institutions should review their risk management practices and controls over information technology and wholesale payment systems networks, including authentication, authorization, fraud detection, and response management systems and processes. The FFIEC members emphasize that participants in interbank messaging and wholesale payment networks should conduct ongoing assessments of their ability to mitigate risks related to information security, business continuity, and third-party provider management.
The guidance came after a widely reported series of intrusions in which attackers used malware installed on banks' own systems to issue unauthorized payment orders over the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, network. SWIFT is the messaging network through which banks exchange and authenticate payment instructions; the fraudulent orders were sent from compromised bank environments, so they were accepted as authentic by the receiving institutions. Banks in the Philippines, Bangladesh, Vietnam, Ecuador and other countries are reported to have been hit by fraudulent SWIFT messages.
View the guidance.