Layered Security Neccessary According to Latest FFIEC Banking Guidelines
A federal agency responsible for enforcing security rules for banks enhanced its guidelines in response to recent high-profile security breaches at financial institutions and other organizations.
Banks must adopt a layered approach to security in order to combat highly sophisticated cyber-attacks, the Federal Financial Institutions Examination Council said in a supplement released June 28. The new rules update the 2005 "Authentication in an Internet Banking Environment" guidance to reflect new security measures banks need to fend off increasingly sophisticated attacks.
The guidance applies to both large financial institutions and small to midsized banks. The FFIEC guidance defined layered security as using different controls at different points in a transaction process so that the failure of one defense is compensated by another mechanism in place.
Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high-risk transactions, said the FFIEC.
Options include implementing fraud detection and monitoring systems to flag suspicious activity, requiring multiple employees to sign off and authorize a transaction, out-of-band verification, or requiring customers to create a list of approved payees.
The FFIEC did a "really good job" telling banks that no single method can be relied upon and that layered security measures were a must, Avivah Litan, a vice president and distinguished analyst at Gartner said. The guidance called out the "need to control privileged user access to sensitive applications," and emphasized a risk-based approach in which controls are strengthened as risks increase, said Litan.
The supplement specifically addressed account takeovers or how cyber-criminals are initiating fraudulent wire transfers and ACH transactions to loot bank accounts. Small and midsized businesses at banks and credit unions have lost millions of dollars in recent years using these methods. A recent data breach at Citigroup compromised over 360,000 customer credit card accounts. Attackers looted $2.7 million in the Citi breach.
The supplement sets "clear minimum expectations" for a layered security program, said Terry Austin, CEO of Guardian Analytics. "We've seen how effective behavior-based anomaly detection and transaction monitoring can be and know the industry will benefit from the FFIEC expecting this approach from all institutions, Austin said.