On September 29, 2014, the FDIC, on behalf of the Federal Financial Institutions Examination Council, issued an alert to banks on recently discovered material vulnerabilities in the security of the GNU Bourne-again shell system software -- nicknamed “Bash” -- commonly used by bank servers and computers. Researchers reported the newly discovered vulnerability -- nicknamed “Shellshock” -- in Bash versions 1.14 through 4.3 on September 24, 2014.
Entries in FFIEC (4)
On April 2, 2014, the FDIC issued a Financial Institution Letter notifying banks of recent “large dollar” ATM fraud and related cyber-attacks aimed at tapping into web-based control panels for ATMs. The FDIC highlighted a recent $40 million theft involving the use of 12 debit card accounts. The FIL included guidance for financial institutions related to reducing financial and other risks associated with cyber-attacks.
On November 6th, the FFIEC issued updated guidelines related to the supervision and examination of Technology Service Providers (TSPs), which are regulated under the Bank Service Corporation Act (BSCA). The updates were issued on behalf of the Federal Reserve Board, the FDIC, and the OCC.
The new Supervision of Technology Service Providers booklet replaces the prior booklet from March 2003, and rescinds Supervisory Policy 1 (1991) and Supervisory Policy 11 (1995). The TSP Booklet is available here.
In addition, the agencies issued new Administrative Guidelines which summarize how the three agencies implement the TSP supervision program – including which TSPs to supervise, the frequency of examinations, and the process of examinations. The new Guidelines are available here.
The Financial Institution Letter announcing the new guidelines is available here.
Once again, the federal banking agencies have issued their annual definitions of a “small” or “intermediate small” sized financial institution for purposes of CRA examinations. The FDIC estimates that about 50 institutions will be affected by the change.