The Federal Financial Institutions Examination Council (FFIEC) members are taking a number of initiatives to raise the awareness of financial institutions and their critical third-party service providers with respect to cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats.
Financial institutions are increasingly dependent on information technology and telecommunications to deliver services to consumers and businesses every day. Disruption, degradation, or unauthorized alteration of information and systems that support these services can affect operations, institutions, and their core processes, and undermine confidence in the nation's financial services sector.
In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of industry preparedness and identifying gaps in the regulators' examination procedures and training that can be closed to strengthen the oversight of cybersecurity readiness.
The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." As part of cybersecurity, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.
The following resources can help management and directors of financial institutions to understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions.
Cybersecurity Assessment Tool Sunset Date 08/31/2025
FFIEC Resources
- CAT Sunset Statement, August 2024 (PDF)
- FFIEC Cybersecurity Resource Guide for Financial Institutions, November 2022 (PDF)
- FFIEC Authentication and Access to Financial Institution Services and Systems Guidance, August 2021 (PDF)
- FFIEC Statement on Security in a Cloud Computing Environment (PDF)
- FFIEC Joint Statement – Office of Foreign Assets Control Cyber-Related Sanctions Program Risk Management (PDF)
- FFIEC Cybersecurity Resource Guide for Financial Institutions, October 2018 (PDF) - Update posted 11/2022
- FFIEC Statement on Cyber Insurance and Its Potential Role in Risk Management Programs (PDF)
- FFIEC Cybersecurity Assessment Tool Frequently Asked Questions (PDF)
- Cybersecurity of Interbank Messaging and Wholesale Payment Networks (PDF)
- FFIEC Joint Statement on Cyber Attacks Involving Extortion (PDF)
- FFIEC Statement on Destructive Malware (PDF)
- FFIEC Statement on Compromising Credentials (PDF)
- FFIEC IT Examination HandBook InfoBase
- Introduction to the FFIEC’s Cybersecurity Assessment
- May 7, 2014 - Webinar: Executive Leadership of Cybersecurity: What Today's CEOs Need to Know About the Threats They Don't See. (View Slides | View Video)
- FFIEC Cybersecurity Assessment General Observations (PDF)
- Cybersecurity Brochure (PDF)
FFIEC Statements and Alerts Regarding Threats and Vulnerabilities
- April 30, 2020 – Press Release: The Federal Financial Institutions Examination Council, on behalf of its members, today issued a statement to address the use of cloud computing services and security risk management principles in the financial services sector
- August 28, 2019 – Press Release: The Federal Financial Institutions Examination Council (FFIEC) members today emphasized the benefits of using a standardized approach to assess and improve cybersecurity preparedness
- November 5, 2018 – Press Release: FFIEC Releases Statement on OFAC Cyber-Related Sanctions
- April 10, 2018 – Press Release: FFIEC Issues Joint Statement on Cyber Insurance and Its Potential Role in Risk Management Programs
- May 31, 2017 – Press Release: FFIEC Release Update to Cybersecurity Assessment Tool
- October 6, 2016 - Press Release: The Federal Financial Institutions Examination Council (FFIEC) Announces Webinars in Observance of Cybersecurity Awareness Month
- June 7, 2016 - Press Release: The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, is issuing this statement, in light of recent cyber attacks, to remind financial institutions of the need to actively manage the risks associated with interbank messaging and wholesale payment networks.
- November 3, 2015 - Press Release: The Federal Financial Institutions Examination Council (FFIEC) today issued a statement alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion.
- June 30, 2015 - Press Release: The FFIEC today released a Cybersecurity Assessment Tool to help institutions identify their risks and assess their cybersecurity preparedness.
- March 30, 2015 - Press Release: The FFIEC released information regarding the release of two statements about ways that financial institutions can identify and mitigate cyber attacks that compromise user credentials or use destructive software, known as malware.
- March 17, 2015 - Press Release: The Federal Financial Institutions Examination Council (FFIEC) today provided an overview of its cybersecurity priorities for the remainder of 2015.
- November 3, 2014 - Press Release: FFIEC Releases Cybersecurity Assessment Observations, Recommends Participation in Financial Services Information Sharing and Analysis Center
- September 26, 2014 - Press Release: State and Federal Regulators: Financial Institutions Should Move Quickly to Address Shellshock Vulnerability
- June 24, 2014 - Press Release: FFIEC Launches Cybersecurity Web Page and Commences Cybersecurity Assessment
- May 7, 2014 - Press Release: FFIEC Promotes Cybersecurity Preparedness for Community Financial Institutions
- April 10, 2014 - Press Release: Financial Regulators Expect Firms to Address OpenSSL "Heartbleed" Vulnerability
- April 2, 2014 - Press Release: Financial Regulators Release Statements on Cyber-Attacks on Automated Teller Machine and Card Authorization Systems and Distributed Denial of Service Attacks
- October 7, 2013 – Press Release: Financial Regulators Release Statement on End of Microsoft Support for Windows XP Operating System
- October 2, 2013 – Press Release: FFIEC Supports National Cybersecurity Awareness Month
Exercise Program Resources
- Federal Deposit Insurance Corporation’s Cyber Challenge
- FS-ISAC Global Events/Cyber-Attack Against Payment Systems (CAPS) Exercise
Other Resources
- Center for Internet Security Controls
- Financial Services Information Sharing and Analysis Center
- FBI Infragard
- FSSCC Cybersecurity Profile
- National Credit Union Administration’s Cyber Security Resources Page
- NIST Cybersecurity Framework
- U.S. Computer Emergency Readiness Team
- U.S. Secret Service Electronic Crimes Task Force (ECTF)