The Federal Financial Institutions Examination Council (FFIEC) recently issued an alert warning financial institutions of a security vulnerability nicknamed “Shellshock” in software commonly used in servers and other computing devices. The FFIEC said regulators should "expect financial institutions to conduct a risk assessment and address the Shellshock vulnerability" in not only their own systems, but with their third-party service providers.

Consequently, a financial institution’s failure to address this high-profile security issue could be a violation of the Gramm-Leach-Bliley Act's (GLBA) Safeguards Rule, an unfair, deceptive, or abusive act or practice (UDAAP) violation under Dodd-Frank. For nonbanking organizations, such a failure could violate Section 5 of the FTC Act. Businesses should act quickly to assess their risks from Shellshock and mitigate their exposure.

This latest vulnerability, found in the Bourne-Again Shell (Bash) system software, mainly affects systems and websites using the open-source Unix and Linux operating systems, as well as Apple's MacOS X platform. These operating systems are widely used on servers that host websites and e-mail, on systems that manage back-office operations, and on systems that control facilities' physical security operations. These open-source platforms are also used by many companies to develop customized internal software solutions. The Bash aspect of the systems provides users with an interface to enter commands that execute programs.

The Shellshock vulnerability stems from a flaw in Bash through which remote users could execute commands to gain access to the system, bypassing other security controls. This flaw has existed for decades, but was only recently discovered. Within days of the discovery, security researchers identified criminals attempting to exploit this vulnerability, which could enable attackers to inject harmful scripts or malware, intercept encrypted communications, steal user credentials or data, or access an institution's internal networks. These attacks could lead to the loss of data, operational disruptions, or cases of fraud.

While multiple software patches have been released to address Shellshock, security researchers worry that because Bash is used across a wide variety of systems, these patches may not be applied to all affected systems. The ubiquitous use of Bash presents a challenge to ensure that all vulnerable systems are accounted for and updated.

In its alert, the FFIEC told financial institutions and other covered entities that it expects them to conduct risk assessments to identify systems vulnerable to Shellshock. This assessment should include:

  • Identifying all servers, systems, and appliances that use vulnerable versions of Bash, applying the necessary software patches, and testing to ensure the patches' effectiveness
  • Applying mechanisms to filter malicious traffic away from vulnerable websites and services
  • Monitoring systems for malicious or unusual activity and updating any detection and prevention systems
  • Ensuring all third-party service providers are taking appropriate actions to identify and mitigate risk and monitoring their efforts
  • Reviewing systems to see if the Shellshock vulnerability has been exploited, and if necessary, determining the potential effects of any breach

The FFIEC advises financial institutions to stay updated on cybersecurity threats through the U.S. Computer Emergency Readiness Team's (US-CERT) portal or through the Financial Services Information Sharing and Analysis Center. Financial institutions and businesses that collect consumers' personally identifiable information should incorporate security alerts from regulators and information-sharing organizations into their information security programs. Failing to respond to the latest security threats—especially those that a regulator warns against—not only puts corporate assets, reputation, and consumer information at higher risk of a costly data breach, but also increases the risk of regulatory action.

Members of Ballard Spahr’s Consumer Financial Services and Privacy and Data Security Groups regularly advise financial institutions on compliance with consumer financial services laws related to data security and privacy issues. Our attorneys conduct reviews of information security programs to help clients ensure that they and their third-party service providers are meeting regulatory standards and are prepared to assist clients when data breaches or regulatory infractions are identified.

If you have questions about the FFIEC’s alert or wish to receive information about any of the other privacy policy recommendations, please contact CFS Practice Leader Alan S. Kaplinsky at 215.864.8544 or

Copyright © 2014 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.


Related Practices

Consumer Financial Services
Privacy and Data Security


Visit CFPB Monitor, our blog on the Consumer Financial Protection Bureau >

Subscribe to the blog via e-mail >