
FDIC and OCC Joint Statement Key Takeaways – Part 2

By Finosec

May 25, 2021


The FDIC and OCC put out a joint statement on heightened cybersecurity risk concerns. This ‘heightened’ concern has bubbled up from the concerns in the Middle East and, specifically, Iran. In our nation’s history, oceans have been one of our primary defenses, but in today’s interconnected world, barriers to state-sponsored cyberattacks have been removed. I spent some time discussing the 6 Questions to Answer in Part 1, and today I wanted to dive into Authentication.

Part 2 – Authentication

Here are three key points to understand on the joint statement specific to Authentication.

Two Factor Authentication

The regulators are aware that hackers are getting around our password processes, and two-factor authentication (SMS or application) makes that more difficult. Credential stuffing is a real risk (see https://owasp.org/www-community/attacks/Credential_stuffing). Think about how many times you have reused a password or a similar password. How many times has your account password been compromised? (Remember, this started years ago with your MySpace account and Yahoo account, and it continues to happen.) Check out this website to see if your email address has been linked to compromised passwords: https://haveibeenpwned.com/.

Regular User Reviews

A subtle change but a big impact: in the statement, the regulators recommend regularly reviewing user access, whereas previous guidance in the FFIEC Information Security Booklet and the Cybersecurity Assessment Toolkit referenced periodic reviews. Focusing on more frequent user access reviews is the biggest change we found in our review.

Privileged Accounts

Limiting the number of privileged accounts, restricting their usage, and monitoring them is a critical step. “When” the bank is compromised (I still like to say “if”, but it isn’t realistic today), hackers will target these privileged accounts.

Key Questions to Ask Your Team:

  1. When was the last time we performed our user review? How many systems do we have where we add employee access? What’s the process we have to go through to increase the frequency?
  2. How many administrator accounts do we have?
  3. Does each internal administrator have a regular user account and an administrator account?
  4. How do we manage and track our vendor accounts? Make sure to focus on vendors that have access (core, integration, managed services).
  5. Are there any systems that have the ability to implement two-factor authentication that we haven’t integrated?
  6. Does our managed services vendor leverage two-factor authentication for their access and support to the network and systems?

If you have six minutes more, I recorded a video summary on the statement as well:

FDIC FIL Joint Statement
