Businesses and financial entities continue to grapple with the increasing frequency and sophistication of hacking, as shown by the recent botnet attack that affected numerous websites on October 21, 2016, as well as the recent SWIFT hack, which was used to steal $81 million from the Bangladeshi central bank.  On October 11, 2016, G-7

On October 18, 2016, the Federal Financial Institutions Examination Council (FFIEC) issued answers to frequently asked questions (FAQs) to clarify points in FFIEC’s Cybersecurity Assessment Tool (Assessment).  FFIEC released the Assessment in June 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness.  The Assessment incorporates cybersecurity principles from the FFIEC Information Technology (IT) Examination Handbook (the IT Handbook) and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the NIST Framework).  While FFIEC’s Assessment is a good tool for banks to evaluate their cybersecurity standards, some banks experienced challenges mapping processes to the NIST Framework and interpreting FFIEC’s IT Handbook.  FFIEC’s FAQs should resolve these common issues, but they also raise other questions.

On October 6, 2013, the Federal Financial Institutions Examination Council (FFIEC) announced that it will host two webinars with the goal of increasing cybersecurity preparedness by its member financial institutions.  FFIEC’s webinars are in recognition and observance of National Cybersecurity Awareness Month.

FFIEC’s first webinar will cover Mobile Financial Services – Appendix E of

On September 9, 2016, the Federal Financial Institutions Examination Council (FFIEC) updated its Information Security Booklet.  In addition to certain editorial, non-substantive changes, the modifications include revisions to IT risk management and information security processes, and updated examination procedures in Appendix A to help examiners evaluate an institution’s culture, governance, information

On September 13, 2016, the New York Department of Financial Services (DFS) proposed new first-in-the-nation cybersecurity regulations (Regulations) that would require banks and other financial institutions to adopt minimum cybersecurity standards. In some ways the regulations are consistent with existing Federal Financial Institutions Examination Council (FFIEC) cybersecurity guidelines and FFIEC’s Information Technology (IT) Examination Handbook

On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) reminded banks of the cyber risks associated with interbank messaging and wholesale payment networks. FFIEC made its announcement after hackers allegedly used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system to steal millions of dollars from banks around the world, including $81

Somewhere in a lavish Mediterranean villa a drug lord wearing an off-white suit had a heart attack. Elsewhere a tech whiz in Silicon Valley refreshed his browser multiple times as his heart sank further with each reloaded page.  And a banker in New York put a hold on an equity trade and cursed louder than he ever had before.  Like the beginning of a classic joke, the drug lord, the tech whiz and the banker had all been fooled.  Through each of their minds, the question raced:  “Dude, where’s my bitcoin?”

In early August, hackers stole almost 120,000 bitcoins (worth approximately $72 million at the time) from client accounts of a high-profile Bitcoin exchange, Bitfinex, based out of Hong Kong. This caused Bitcoin prices to briefly plummet and followed a similar attack in 2014 on Mt. Gox, which was then the world’s largest Bitcoin exchange (of note, Mt. Gox subsequently went bankrupt).

This latest heist comes on the heels of Bitfinex CFO Giancarlo Devasini’s very forward-thinking proclamation, “With our BitGo wallet solution it becomes impossible for our users to lose their bitcoins due to us being hacked or stealing them.” With such a bold statement, combined with the impervious view of hindsight, one must carefully ponder the future tenure of the CFO, or the future of Bitfinex, or even that of Bitcoin itself.

The theft is obviously a problem for those customers whose precious cryptocoins were stolen, fans of digital currency generally, operators of Bitcoin exchanges and various Bitcoin “banks” or “wallets.” Bitfinex’s response to the hack is unlikely to resonate with its clients after the exchange indicated that losses would be spread across all customer accounts, amounting to an approximately 36% generalized loss.  Although Bitfinex has attempted to assure its clients that they would be made whole at some point in the future, a potential investor might be prone to pause at this juncture in any bitcoin venture.

Earlier this month, the Consumer Financial Protection Bureau (CFPB) issued its proposed rule amending the Gramm-Leach-Bliley Act’s annual privacy notice requirement set forth in Regulation P.

The rule is in response to Congress’ December 2015 amendment to the act, which eliminated the need for certain companies to provide annual privacy disclosures to consumers.  Under the

As businesses and financial institutions grapple with data security in the wake of high profile breaches, tensions between retailers and the credit card industry over the creation and implementation of security standards appear to be growing. The disagreements between these two groups manifested themselves on June 2, when the National Retail Federation (“NRF”), the world’s

A recent bombshell lawsuit by The Home Depot alleges patterns of antitrust violations, illegal collusion, and anti-competitive conduct by the Visa and MasterCard credit card networks. The suit arises in a climate in which the networks are increasingly under attack by retailers, and in which The Home Depot is embroiled in extensive litigation stemming from a massive 2014 breach of customer data.  Finally, for consumers concerned with payment card security, the suit highlights potential weaknesses in some U.S. payment card technologies – particularly when compared to systems widely used overseas.

The Home Depot’s Lawsuit and Allegations

On Monday, June 13, 2016, The Home Depot filed a 138-page complaint against Visa and MasterCard alleging the credit card behemoths engaged in collusion and price fixing to delay implementation of effective chip-and-PIN security technology in payment cards in the United States. As alleged in the Complaint, the use of Personal Identification Number (“PIN”) verification along with “EMV” chips (“chip-and-PIN”) has been widely used in Europe since the mid-1990s “to make credit and debit card transactions safer and less prone to fraud.”
