FDIC Warns Consumers About DDoS
Is Notice Precursor to More Regulatory Oversight?

When online-banking sites are down, consumers get nervous. Streams of Facebook comments and Twitter feeds over the last seven months from consumers frustrated with intermittent online outages affecting numerous U.S. banks and credit unions prove that point.
We've linked back to some of those comments in our various reports about U.S. institutions' websites adversely affected by hacktivists' distributed-denial-of-service attacks.
Many of those affected institutions have responded to their customers by replying to social networking posts and feeds. Some also have posted information about why consumers are experiencing intermittent issues related to accessing their online-banking accounts, noting that DDoS attacks are to blame.
Banks and credit unions have pointed out that when online banking is down, consumers have several other banking channels, such as mobile, the call center and ATMs, from which to choose. But are they doing enough to educate their customers? And do consumers really understand why their online access has been disrupted?
Those are questions federal banking regulators appear to be asking, and the tone of their questioning suggests they soon could be holding banking institutions to a higher DDoS-disclosure standard.
The Federal Deposit Insurance Corp., in its spring edition of FDIC Consumer News, specifically calls out DDoS attacks, noting that regulated banking institutions are required to notify the public if sensitive data is ever breached during these attacks.
The FDIC defines DDoS as an assault that occurs "when criminals deliberately inundate computers that handle Internet traffic (also called Web servers) with so many requests at the same time that they cause a financial institution's site to 'crash' for anywhere from a few minutes to several days." The FDIC notes that federal banking regulators are reviewing how individual banking institutions manage DDoS attacks and other cybersecurity threats.
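As an added example of what the FDIC's "so many requests at the same time" looks like from the server side, the following Python sliding-window monitor is not part of the FDIC notice or this article. It parses constructed access-log lines and distinguishes two flood shapes: a single source sending far more than a normal client, and a distributed flood where no one source stands out but the aggregate rate across many sources exceeds what the site can absorb. The IP addresses (documentation ranges), timestamps, thresholds and function names are all assumptions made for the example.

```python
"""Sliding-window request-rate monitor over web-server access-log lines.

Added example; not code from the FDIC, the article, or any bank. Log lines,
IPs, thresholds and names are constructed for illustration. Lines are assumed
to arrive in timestamp order, as they would from a single server's log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Common Log Format prefix: client ip, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


class FloodDetector:
    """Counts requests per source and in aggregate over a trailing time window."""

    def __init__(self, window_seconds=10, per_source_limit=50,
                 aggregate_limit=500, distributed_min_sources=20):
        self.window = timedelta(seconds=window_seconds)
        self.per_source_limit = per_source_limit          # one client above this: single-source flood
        self.aggregate_limit = aggregate_limit            # total above this: site capacity exceeded
        self.distributed_min_sources = distributed_min_sources
        self.events = deque()                             # (ts, ip), oldest first
        self.counts = defaultdict(int)                    # ip -> requests currently in window

    def observe(self, ip, ts):
        """Record one request and evict everything older than the window."""
        self.events.append((ts, ip))
        self.counts[ip] += 1
        while self.events and ts - self.events[0][0] > self.window:
            _, old_ip = self.events.popleft()
            self.counts[old_ip] -= 1
            if self.counts[old_ip] == 0:
                del self.counts[old_ip]


def scan_log(lines, **detector_kwargs):
    """Run the detector over log lines; return a summary of what it saw."""
    det = FloodDetector(**detector_kwargs)
    single_source, distributed = set(), False
    peak_aggregate = peak_sources = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                                      # skip malformed lines
        ip, ts = parsed
        det.observe(ip, ts)
        total = len(det.events)
        if det.counts[ip] > det.per_source_limit:
            single_source.add(ip)
        # Distributed: many sources, each under the per-client limit, but the sum is too high.
        if total > det.aggregate_limit and len(det.counts) >= det.distributed_min_sources:
            distributed = True
        if total > peak_aggregate:
            peak_aggregate, peak_sources = total, len(det.counts)
    return {"single_source": sorted(single_source), "distributed": distributed,
            "peak_aggregate": peak_aggregate, "peak_sources": peak_sources}


# --- constructed sample log (assumption: a plausible online-banking login page) ---
BASE = datetime(2013, 3, 12, 9, 0, 0, tzinfo=timezone.utc)


def fmt_line(ip, ts, path="/online-banking/login"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def make_sample_log():
    """Three phases: normal traffic, a single-source flood, a distributed flood."""
    lines, t = [], BASE
    for s in range(10):                                   # 5 clients, 1 req/s each for 10 s
        for i in range(5):
            lines.append(fmt_line(f"198.51.100.{i + 1}", t + timedelta(seconds=s)))
    t += timedelta(seconds=20)
    for s in range(5):                                    # one client, 30 req/s for 5 s
        for _ in range(30):
            lines.append(fmt_line("203.0.113.7", t + timedelta(seconds=s)))
    t += timedelta(seconds=20)
    for s in range(10):                                   # 60 clients, 1 req/s each for 10 s
        for i in range(60):
            lines.append(fmt_line(f"192.0.2.{i + 1}", t + timedelta(seconds=s)))
    lines.append("this line is not a valid access-log record")
    return lines


if __name__ == "__main__":
    print(scan_log(make_sample_log()))
```

The distributed phase is the one that matters for the attacks described here: each of the 60 constructed sources stays well under the per-client limit, so a per-IP rate limit alone would never fire, and only the aggregate count over the window reveals the flood. In practice a volumetric attack often saturates upstream links before requests reach the web server's log at all, so the same logic belongs at the network edge or a scrubbing provider as much as on the server.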
"Part of that is making sure every bank has contingency plans for how to handle a prolonged service interruption," Michael Benardo, manager of the FDIC's Cyber Fraud and Financial Crimes Section, states in the FDIC consumer notice. "The motive behind most denial-of-service attacks to date has been to damage the targeted institution's reputation by keeping customers from accessing its Web site or online banking system and causing people to believe something is seriously wrong with the bank. In reality, denial-of-service attacks to date have done little more than temporarily inconvenience Internet banking customers. The financial industry has responded well to these attacks, and customer information and accounts have remained secure."
This is the first time we've seen a banking regulator directly address DDoS with the public, and the move likely foreshadows steps regulators will be taking to scrutinize how banks and credit unions address DDoS with the public.
While some banking institutions may balk at this, most will feel a sense of relief - they've been getting mixed messages from various banking associations, law enforcement and even regulators about exactly how much they should disclose about DDoS activity - and to whom.
Perhaps now they'll have some clarity - and that's a good thing. More regulatory oversight here is something the banks want and need.
DDoS Disclosure, So Far
Banking institutions have taken steps to conform to regulatory oversight - namely by reporting DDoS attacks and other cyber-activity in their filings with the Securities and Exchange Commission (see Top Banks Offer New DDoS Details).
Some contingency plans are noted in those filings, but most banks make it clear it's difficult to anticipate some of the risks that might accompany these attacks.
Citigroup, which filed its 10-K report March 1, points out that DDoS attacks in 2012 did result in unspecified losses, and preparing for future attacks will likely mean making unspecified investments in yet-to-be determined technologies and risk-mitigation strategies.
"While Citi's monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber-incidents," Citi states. "Citi's computer systems, software and networks are subject to ongoing cyber-incidents," including unavailability of service, the bank adds.
The FDIC is not the only federal banking regulator to acknowledge DDoS. In February, the National Credit Union Administration warned that the fraud risks that could be associated with DDoS attacks should be taken seriously. That warning came on the heels of a similar warning issued in late December by the Office of the Comptroller of the Currency, which also noted account takeover risks federal investigators had associated with DDoS.
But the FDIC's advisory stands out, because it sets an example for how banking institutions should be communicating more directly with consumers about how DDoS can affect them.