Skip to Content

On March 30th, the Federal Financial Institutions Examination Council (FFIEC) issued two Joint Statements1 on behalf of its members2 to warn financial institutions about the threats posed to various credentials by cyberattacks involving “destructive malware.”

The Joint Statements should be a wake-up call to any enterprise not aware of the dangers of malware. The FFIEC has put financial institutions on notice of their obligation to identify and mitigate the risks posed by destructive malware. Should sensitive data be lost, fraudulent transfers processed, or critical systems disrupted due to destructive malware, financial institutions can expect heavy scrutiny from their regulators.


Malware is malicious software- code (“malicious” + “software”) used to disrupt computer operation, gather sensitive information (such as online banking credentials), or gain access to computer systems. Cyberattacks involving malware often seek to steal users’ credentials- like passwords, usernames, email addresses – for use in theft, fraud, and business disruption.

The challenging (and infuriating) aspect of malware is that unlike other computer system threats, malware counts on being “invited in.”

Financial institutions and their customers face many different types of malware, including:

  • “Phishing” or “spear-phishing” email messages. These are attacks that use emails disguised as legitimate messages: tricking users into disclosing names and passwords, or payment card information; or clicking on links or attachments that deliver malware to their computers.
  • “Malvertising”. These attacks inject malware into legitimate online advertising and download the malware to the computer of any person who visits the website containing the advertisement.
  • “Water Holes”. Malware is injected into a vulnerable website visited by targeted victims. The compromised site facilitates the download of malware to the computer of any person who visits the website.
  • External devices such as USB drives.

As such, malware is a particularly challenging threat because it is often introduced into an enterprise by human error- a mistake that cannot be prevented even using the most sophisticated technology.


Malware threatens financial institutions (and indeed all businesses) because of how much disruption and damage it can cause, because of the sheer volume of malware being deployed, and because of the increasing sophistication of malware purveyors.

For example, as described in a recent article in the New York Times, the “Carbanak cybergang” cybergang (so named for the “Cybernak” malware it deployed), stole at least $300 million (and up to $1 billion) from financial institutions worldwide (including those in the United States).

Steps to Mitigate the Risks of Destructive Malware

The Joint Statements suggest a number of steps for financial institutions to take in order to address risk associated with destructive malware:

  • Conduct ongoing information security risk assessments;
  • Perform security monitoring, prevention, and risk mitigation;
  • Protect against unauthorized access;
  • Implement and test controls around critical systems regularly;
  • Enhance information security awareness and training programs; and
  • Participate in industry information-sharing forums.


Financial institutions must consider and address the risks posed by cyberattacks, including the threats posed by destructive malware, in the same way they assess other threats to critical information assets, systems, and infrastructure. The failure to do so may have severe financial and regulatory consequences.

2 The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.