Screen Shot 2016-01-25 at 2.23.15 PMA wave of cyber extortion appears to be heading our way. The question is no longer if it might hit, but when.
The Federal Financial Institutions Examination Council released a statement warning financial institutions about the increasing frequency and severity of cyber attacks involving extortion. What do these attacks look like and what should you be doing about them now?

What is Cyber Extortion?

So what does cyber extortion look like? Your bank or credit union may get an email with a 48-hour deadline telling you that if you don’t pay 50 Bitcoin, they’ll knock down your website with a denial of service attack. That ransom doesn’t sound so bad until you look up the Bitcoin exchange rate and find out how much that really is (nearly $20,000). To show you they’re not bluffing, they do what’s called a “demo hack,” which takes down a small part of your infrastructure.
Another example: You’re working on your computer and an alert pops up on your screen telling you that your computer is locked and all your files have been encrypted. If you want to restore access, you’ll need to pay a $300 fine within 72 hours.
And yet another example: You receive an email that the attacker has pulled from your network a database of sensitive business and customer information, and that if you don’t pay them some set amount of money, or if you don’t make some other type of unreasonable concession, it will make the information public or sell it to the highest bidder.
You do an internet search on these tactics and the cryptic name of the sender and discover that it looks like your attacker isn’t joking and can actually follow through on its threats.
So, should you pay? Industry experts advise financial institutions to never pay the criminals, not just for moral and ethical reasons, but because there’s nothing to stop the same attack from happening again tomorrow. What’s more, there’s nothing to force the bad guys to follow through with what they promised if the ransom were paid.
It comes back down to doing what you can to prevent such attacks, then being prepared with an appropriate response if they should happen. It’s important to note that the FFIEC’s latest statement doesn’t contain any new regulatory expectations. But it is calling upon financial institutions to be aware that these types of cyber extortion attacks are getting worse, and they’re getting more common.

8 Steps of Anticipation

So what should you be doing now? The FFIEC wants to remind financial institutions to take the following steps:

  • Conduct ongoing information security risk assessments.
  • Securely configure systems and services.
  • Protect against unauthorized access.
  • Perform security monitoring, prevention, and risk mitigation.
  • Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion.
  • Implement and regularly test controls around critical systems.
  • Review, update, and test incident response and business continuity plans periodically.
  • And participate in industry information-sharing forums.

If you are a victim of a cyber extortion attempt, the FFIEC encourages you to inform law enforcement and notify your primary regulator. Of course, if the attack results in unauthorized access to sensitive customer information, you have a responsibility to notify your federal and state regulators under Gramm-Leach-Bliley. You should also determine if you should file a Suspicious Activity Report.
The FFIEC is mindful that a successful cyber extortion attack on any financial institution not only damages the reputation of that bank or credit union, it is harmful to the industry as a whole. The agencies want to remind financial institutions that the tools and resources they need to mitigate and address these risks are readily available, but do no good unless they are used.

Screen Shot 2015-10-12 at 3.51.52 PM
Dennis Agle, the firm’s Chief Information Officer, brings more 20 years of technological operations support.He has engineered the software-based applications conceptualized by the firm. With a background in communications, his application designs emphasize pragmatic, user-friendly solutions that are cost-effective and efficient. He has developed skills in media production and in SaaS product development. He oversees the creation and implementation of the firm’s technological tools. His writing skills promote materials that are both coherent as well as engaging to users. He graduated magna cum laude from the University of Utah, where he majored in Mass Communications