On March 30th, the Federal Financial Institutions Examination Council (FFIEC) issued two Joint Statements¹ on behalf of its members² to warn financial institutions about the threats posed to various credentials by cyberattacks involving “destructive malware.”
Malware (“malicious” + “software”) is malicious code used to disrupt computer operation, gather sensitive information (such as online banking credentials), or gain access to computer systems. Cyberattacks involving malware often seek to steal users’ credentials, such as passwords, usernames, and email addresses, for use in theft, fraud, and business disruption.
Malware is a particularly challenging threat because it is often introduced into an enterprise by human error, a mistake that cannot be prevented even with the most sophisticated technology.
Malware threatens financial institutions (and indeed all businesses) because of how much disruption and damage it can cause, because of the sheer volume of malware being deployed, and because of the increasing sophistication of malware purveyors.
Steps to Mitigate the Risks of Destructive Malware
The Joint Statements suggest a number of steps for financial institutions to take in order to address risk associated with destructive malware:
Financial institutions must consider and address the risks posed by cyberattacks, including the threats posed by destructive malware, in the same way they assess other threats to critical information assets, systems, and infrastructure. The failure to do so may have severe financial and regulatory consequences.
2 The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.