Press Releases

Advisory Letter

Federal Financial Institutions Examination Council

April 2, 2014

For Immediate Release

Financial Regulators Release Statements on Cyber-Attacks on Automated Teller
Machine and Card Authorization Systems and Distributed Denial of Service Attacks

The Federal Financial Institutions Examination Council (FFIEC) members are issuing
statements to notify financial institutions of the risks associated with cyber-attacks on
Automated Teller Machine (ATM) and card authorization systems and the continued distributed
denial of service (DDoS) attacks on public-facing websites. The statements describe steps the
members expect institutions to take to address these attacks and highlight resources
institutions can use to help mitigate the risks posed by such attacks.

Cyber-attacks on financial institutions to gain access to, and alter the settings on, Web-based
ATM control panels used by small- to medium-sized institutions are on the rise. The members
expect financial institutions to take steps to address this threat by reviewing the adequacy of
their controls over information technology networks, card issuer authorization systems, ATM
usage parameters, and fraud detection processes. In addition, the members expect financial
institutions to have effective response programs to manage this type of incident.

The members also expect financial institutions to address DDoS readiness as part of their
ongoing information security and incident plans. More specifically, each institution is expected
to monitor incoming traffic to its public website, activate incident response plans if it suspects
that a DDoS attack is occurring, and ensure sufficient staffing for the duration of the attack,
including the use of pre-contracted third-party servicers, if appropriate.

The FFIEC was established in March 1979 to prescribe uniform principles, standards, and
report forms, and to promote uniformity in the supervision of financial institutions. The Council
has six voting members: a Governor of the Board of Governors of the Federal Reserve System,
designated by the Chairman of the Board; the Chairman of the Federal Deposit Insurance
Corporation; the Chairman of the Board of the National Credit Union Administration; the
Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; and the
Chairman of the State Liaison Committee. The Council's activities are supported by interagency
task forces and by an advisory State Liaison Committee, comprised of five representatives of
state agencies that supervise financial institutions.

Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems (PDF)

Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources

Media Contacts:

Sam Gilford, (202) 435-7673

Greg Hernandez, (202) 898-6984

Federal Reserve

Susan Stawick, (202) 452-2955

John Fairbanks, (703) 518-6336

Stephanie Collins, (202) 649-6870

Catherine Woody, (202) 728-5733

Last Modified: 04/15/2020 11:10 AM