This post was written by Timothy J. Nagle.
On December 21, 2012, the Comptroller of the Currency issued Alert 2012-16 regarding “Distributed Denial of Service (DDoS) Attacks and Customer Account Fraud.” The Alert was in response to a recent series of attacks against national banks and federal savings associations by “various sophisticated groups.” It provides a general description of the attacks and recommendations for appropriate risk management measures. Financial institution clients should pay particular attention to comments in the Alert regarding staffing, vendor due diligence, reporting to law enforcement, and the need for effective communication with customers.
A DDoS attack does not, by itself, constitute a security breach. Rather, it interrupts or severely degrades Internet access, particularly to online banking sites. However, a DDoS attack is frequently accompanied by “account takeover” fraud while the bank is focused on responding to the DDoS event. The Alert emphasizes the need for “a heightened sense of awareness” to prepare for and respond to these attacks, which show no sign of diminishing in frequency or sophistication. Preparations may include reviewing staffing requirements, contracting with third-party servicers to assist in managing the Internet traffic flow, and conducting due diligence reviews of vendors – such as Internet Service Providers and website hosting companies – to ensure they have taken adequate steps to address this threat.
Another aspect of DDoS preparation and response is sharing information with other banks and service providers, either directly or by participating in organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Banks are also expected to report attacks to law enforcement and regulators, as well as to file Suspicious Activity Reports if critical information or systems are impacted. Possibly the most important action during a DDoS event, as identified by the Comptroller of the Currency, is “timely and accurate communication to ... customers regarding Web site problems, risks to customers, precautions customers can take, and alternate delivery channels that will meet their banking needs.” This admonition may have been in response to media reports of customers who expressed frustration with financial institutions for a perceived failure to notify them that online banking and other websites might be impacted.