The Federal Financial Institutions Examination Council (FFIEC) issued a statement on April 10, 2014 indicating that it expects financial institutions to incorporate patches on systems and applications using OpenSSL, and to upgrade systems as soon as possible to address the vulnerability.
FFIEC Offers Technical Guidance
The FFIEC specifically suggests implementing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL. The FFIEC further suggests that financial institutions consider reminding customers to change passwords. Financial institutions whose IT services are provided by a third party should ensure those providers are taking appropriate mitigation action.
Beware ATM Attacks
The FDIC, along with the FFIEC, expects financial institutions to take steps to address the ATM threat by reviewing the adequacy of their controls over IT networks. The FDIC issued a statement with the FFIEC describing risks related to recent cyber-attacks on ATMs and other card authorization systems. Cyber-attacks that alter ATM settings, attacks that allow criminals to extract more than account balances, and attacks on prepaid and debit cards have all been noted.