A federal agency that regulates the U.S. financial services industry issued a warning Tuesday to U.S. banks of the growing threat of cyberattacks involving extortion.
The Federal Financial Institutions Examination Council (FFIEC) said in a statement that cyberattacks against financial institutions to extort payment in return for the release of sensitive information are increasing.
“Financial institutions should address this threat by conducting ongoing cybersecurity risk assessments and monitoring of controls and information systems,” the FFIEC said.
In perhaps the highest profile cyberattack on a large U.S. bank, hackers last year breached JPMorgan’s (NYSE:JPM) vast computer network comprising the accounts of 76 million households and seven million small businesses.
According to a Verizon 2015 Data Breach Investigations Report, there were 642 information security incidents in the financial services industry last year, and 242 were confirmed data losses.
Target (NYSE:TGT) and Home Depot (NYSE:HD), while not financial institutions, have also seen their systems broken into by hackers.
The growing threat now, according the FFIEC, is cyberattackers breaching the system and then extorting the victimized company threatening to release damaging information unless a ransom is paid.
The FFIEC urged financial institution to notify law enforcement and their primary regulators immediately in the event of a cyberattack that involves extortion.
Earlier this year, in response to the growing of cyberattacks, the FFIEC developed the Cybersecurity Assessment Tool, a two-part prevention measure designed to increase awareness of cybersecurity risks and to help bank boards of directors and bank management assess and mitigate cybersecurity risks facing their institutions.
The tools, according to the FFIEC, are based on recognized IT and cybersecurity frameworks, including FFIEC IT handbooks and National Institute of Standards and Technology framework.
The FFIEC Cybersecurity Assessment Tool can assist banks in identifying factors contributing to cybersecurity risk; assessing the institution's overall cybersecurity risk; assessing the institution's cybersecurity preparedness; evaluating whether the institution's cybersecurity preparedness is aligned with its cybersecurity risks; identifying risk management practices and/or controls that may need to be added or enhanced and evaluating the maturity level of the institution's cybersecurity program.