In its recent press release, the Federal Financial Institutions Examination Council (FFIEC) issued two statements reiterating financial institutions' obligations to have measures in place to prevent and mitigate cybersecurity threats. Specifically, the FFIEC warns that financial institutions should implement policies, procedures, and security measures to mitigate threats posed by destructive malware and compromised user credentials (both customers' and employees' credentials). While the statements do not contain any new regulatory expectations or requirements, they do recommend ways financial institutions can prepare for and lessen these particular cybersecurity threats.

The FFIEC's first statement recommends that financial institutions ensure that their business continuity plans cover how the institution responds to a destructive malware cyberattack, where an institution's critical data is corrupted or destroyed. Malware attacks can be introduced through a wide range of methods, such as downloaded e-mail attachments during a phishing attack, compromised websites, or software installed by an attacker who accessed the network using stolen credentials. To recover from a destructive malware attack, financial institutions must ensure that their backup systems are not destroyed or corrupted. The FFIEC recommends that financial institutions and their service providers should ensure their recovery strategies address attacks on their backup systems.

The FFIEC’s second statement discusses compromised user credentials, such as user names, passwords, and e-mail addresses, which give cyberattackers easy access to customer accounts or critical business systems. The FFIEC points out that credentials can be stolen through phishing attacks, malvertising (infecting online advertisements with malware), or web-based attacks that target systems containing credentials. Each type of user credential, whether customer or employee credentials, poses a distinct risk. For example, stolen customer account credentials create the risk of account fraud and identity theft, while stolen employee or vendor credentials could enable attackers to access trusted systems and business information.

To mitigate the risks posed by destructive malware and compromised credentials, the FFIEC recommends that financial institutions have security controls and business continuity plans in place to authenticate users and ensure the rapid recovery and resumption of operations. These controls and procedures include:

  • Securely configuring systems and services
  • Reviewing, updating, and testing incident response and business continuity plans
  • Conducting ongoing information security risk assessments
  • Performing security monitoring, prevention, and risk mitigation
  • Protecting against unauthorized access
  • Implementing and testing controls around critical systems
  • Enhancing information security awareness and training
  • Participating in industry information sharing forums

While the FFIEC's statements do not contain any new requirements or identify any particular cyber threat, regulators already expect financial institutions to have policies, procedures, and security measures in place to address destructive malware and compromised credentials. The agency's statements may signal increased regulatory scrutiny of these aspects of financial institutions' information security and business recovery plans. Financial institutions should regularly review and test their information security policies and procedures to ensure they address the latest cybersecurity threats as well as incorporate regulatory guidance and warnings.

Members of Ballard Spahr’s Consumer Financial Services and Privacy and Data Security Groups regularly advise financial institutions on compliance with consumer financial services laws related to data security and privacy issues. Our attorneys conduct reviews of information security programs to help clients ensure that they and their third-party service providers are meeting regulatory standards and are prepared to assist clients when data breaches or regulatory infractions are identified.

If you have questions, please contact John L. Culhane, Jr., at 215.864.8535 or, or Daniel JT McKenna at 215.864.8321 or

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices

Privacy and Data Security
Consumer Financial Services
Transactional Finance