It may be a good time to review your Incident Response Plan and determine whether the term “misuse” needs additional clarification so that it also covers denial of access to information. The FFIEC Information Technology Examination Handbook booklet on Information Security, published in September 2016, refers to misuse as “attacks from within the organizations”. That definition is built around internal employees gaining access to unauthorized information through improperly configured (or absent) security controls. With ransomware and DDoS attack services now readily available, denial of access to critical information is becoming a more common risk that financial institutions face.
The IT Examination Handbook defines distributed denial of service (DDoS) as “A type of attack that makes a computer resource or resources unavailable to its intended users”. Financial institutions that experience DDoS attacks may face operational and reputational risks, depending on which resources were targeted. The FFIEC expects financial institutions to address DDoS readiness as part of their Information Security Program and Incident Response Plan.
The Business Continuity Planning and Information Security booklets of the FFIEC Information Technology Examination Handbook list the following steps for improving DDoS readiness:
- Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts.
- Monitor Internet traffic to the institution’s website to detect attacks.
- Activate Incident Response Plans and notify service providers, including Internet service providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts.
- Ensure sufficient staffing for the duration of the DDoS attack and consider hiring precontracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack.
- Consider sharing information with organizations such as the Financial Services Information Sharing and Analysis Center and law enforcement, because attacks can change rapidly and sharing information helps institutions identify and mitigate new threats and tactics.
- Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
The growing threat landscape and the increased accessibility of ransomware and DDoS services mean that Information Security Programs and Incident Response Plans must evolve continually so that financial institutions can respond effectively to these types of attacks. Your procedures should cover specific containment and remediation steps so that you can respond quickly when your institution becomes the target of such an attack. We commonly see Incident Response Plans clarified to move the definition of misuse away from internal threats alone toward a broader definition that includes denied access: “Misuse includes all unauthorized access to data, with or without data disclosure. It also includes unauthorized denial of access to data”.