
Banking Regulators Warn on Technology Risks

The “Heartbleed” bug in the OpenSSL protocol compromised the security of much of the Internet from late 2011 until its discovery on April 7 of this year. The disclosure of the Heartbleed bug and the related news coverage have reminded us all of the importance of sound cybersecurity practices, such as not using the same password for multiple Web sites.

In an apparent coincidence, simultaneous with or prior to the Heartbleed announcement, federal banking regulators issued two statements focused on technology risks for regulated financial institutions.

The first, on April 2nd, is from the Federal Financial Institutions Examination Council (FFIEC) and focuses on (i) cyber-attacks on automated teller machines (ATMs) and card authorization systems and (ii) continued distributed denial of service attacks on public-facing Web sites. In substance, this release discusses the cyber-risks and summarizes regulators’ expectations for financial institutions’ risk mitigation efforts. Although unstated, the timing of this release likely relates more to the publicity regarding ATMs that rely on Microsoft’s recently defunct Windows XP operating system.

The second, on April 7th, is from the FDIC and focuses on technology-outsourcing guidance for community banks. The FDIC’s April 7 release, technically Financial Institution Letter FIL-13-2014, re-issues three documents from 2011 “as an informational resource to community banks on how to select providers, draft contract terms, and oversee multiple service providers when outsourcing for technology products and services.”

The three documents are “Effective Practices for Selecting a Service Provider,” “Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements,” and “Techniques for Managing Multiple Service Providers.” FIL-13-2014 provides hyperlinks to all three along with links to the FFIEC’s examination guidance related to technology outsourcing.

Of course, following disclosure of Heartbleed on April 7, the banking regulators quickly released additional statements specific to the Heartbleed risk. For example, the FFIEC’s April 10 statement on Heartbleed is available here: https://www.ffiec.gov/press/pr041014.htm.

If you have questions, please contact our banking group or call 208.344.6000.
