An official website of the United States government
OCC Bulletin 2015-19
March 30, 2015
Share This Page:
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties
The Federal Financial Institutions Examination Council (FFIEC), 1 on behalf of its members, has issued a statement to notify financial institutions of the growing trend of cyber attacks for the purpose of obtaining online credentials for theft, fraud, or business disruption and to recommend risk mitigation techniques. These attacks include theft of users’ credentials—such as passwords, user names, and email addresses—and other forms of identification that customers, employees, and third parties use to authenticate themselves to systems. Attacks also include theft of system credentials, such as certificates. Financial institutions should address this threat by reviewing their risk management and controls over information technology networks and authentication, authorization, fraud detection, and response management systems and processes.
Community banks should test their incident response and business continuity plans and understand their responsibilities in the event of cyber attacks at their institutions or involving their third-party service providers.
In accordance with regulatory requirements and FFIEC guidance, national banks and federal savings associations (collectively, banks) should take appropriate risk mitigation steps, including the following:
Please contact Valerie Abend, Senior Critical Infrastructure Officer, Operational Risk Division, at (202) 649-6550.
Bethany A. Dugan
Deputy Comptroller for Operational Risk
1 The FFIEC comprises the principals of the following: Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.