News & Articles

Attorneys

Practice Areas

General Counsel Services

Guidance Issued on Safeguarding the Cybersecurity of Interbank Messaging and Payment Networks

July 22, 2016
Kevin Patterson
Garden City

The Federal Financial Institutions Examination Council (“FFIEC”) has issued guidance to financial institutions to “actively manage the risk associated with interbank messaging and wholesale payment networks (“Networks”)”[1] as a result of recent cyber-attacks. The expectation is for financial institutions to review, update and improve their IT risk management and cybersecurity practices in conjunction with an assessment of the risks associated with the Networks to avoid such attacks.

In April 2016, the Bangladesh central bank was the victim of a well-publicized attack in which it was reported that $81 million was stolen from an apparent hack into the software from the Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) financial platform.  In light of this incident and other recent cyber-attacks, which aim to exploit “vulnerabilities and unauthorized entry through trusted client terminals running messaging and payment networks,” the FFIEC is calling for financial institutions to follow the guidelines set forth in its IT Examination Handbook as well as the guidelines put forth by the Networks themselves.

Cybersecurity and the Networks

The National Institute of Standards and Technology defines cybersecurity as “the process of protecting information by preventing, detecting and responding to [cyber] attacks.” Most recently, cyber-attacks have been targeting these Networks and in doing so have demonstrated the capability to:

These Networks, such as Fedwire Funds Services (“Fedwire”) and Clearing House Interbank Payment Systems (“CHIPS”), are being targeted because of the immense value of the daily transactions associated with these systems. As a whole, these Networks are generally used to transfer the funds needed to purchase, sell or finance large value securities, settle real estate transactions, disburse or repay loans, and settle interbank purchases.[3] Since the Networks are used frequently by financial institutions for large value transactions, cyber-attacks are becoming more common and are putting financial institutions at risk of financial loss and regulatory non-compliance.

Risk Mitigation

In order to help mitigate the risks of cyber-attacks on the Networks, the FFIEC suggests that financial institutions “use multiple layers of security controls to establish lines of defense.” The FFIEC has proposed that financial institutions take the following steps in order to help prevent cyber-attacks and mitigate the risks when, and if, they do take place:

Additional Information:

The FFIEC guidance was issued on June 7, 2016 and may be accessed through the following link: http://www.ffiec.gov/press/PDF/Cybersecurity_of_IMWPN.pdf.

If you have any questions regarding the guidance, please feel free to contact Kevin Patterson at (516) 296-9196 or via email at kpatterson@cullenanddykman.com, Joseph D. Simon at (516) 357-3710 or via email at jsimon@cullenanddykman.com, or Jeff Fowler at (516) 296-9134 or via email at jfowler@cullenanddykman.com.


[1] http://www.ffiec.gov/press/pr060716.htm

[2] http://www.ffiec.gov/press/PDF/Cybersecurity_of_IMWPN.pdf   

[3] http://ithandbook.ffiec.gov/media/3093/whole_presntation.pdf