You are the CISO of a large financial institution. You spend tens of millions of dollars per year securing your organization’s network, firewall, and endpoints. Your castle walls are impenetrable.
You should be able to sleep well at night, but you can't. That's because you know that a vast majority of cyber threats originate from external sources outside the firewall—over 80% of them according to the latest Verizon Data Breach and Incident Report. But your organization is increasingly relying on digital channels (the web, mobile and social) for banking transactions and other customer interactions. These digital channels are the soft underbelly to your hardened defenses.
And your regulators share your concerns. Recent guidelines from the Federal Financial Institutions Examination Council (FFIEC) suggest that, if a financial institution is doing business outside its firewall, it may be responsible for the bad stuff that happens out there.
Latest FFIEC guidelines on mobile financial services – it’s a trend
This April, the FFIEC released a new appendix to its IT Handbook regarding “Mobile Financial Services” (MFS). The new appendix provides guidance that examiners will use in assessing the security programs of financial institutions that use MFS.
The FFIEC recognizes that mobile channels are a good thing; after all, they allow financial institutions to increase customer access to financial services. But at the same time, the FFIEC notes that MFS pose a unique and elevated set of risks related to device security, data security, application security, compliance, and third-party management. Customers are unlikely to activate security controls, virus protection, and personal firewalls on their mobile devices. Also, there are inherent vulnerabilities in the mobile ecosystem, i.e., the decentralized collection of carriers, networks, platforms, operating systems, and app stores.
That’s why the new appendix recommends that, when offering MFS, management should employ “effective enterprise-wide risk management” and implement “effective controls across the institution.” The FFIEC offers a laundry list of specific risk-mitigation techniques, including using threat-modeling when developing mobile apps, designing mobile-enabled websites that avoid using redirects and forwards, and establishing a process to deactivate older mobile apps.
This new appendix follows other recent guidance from the FFIEC that suggests that a financial institution’s security responsibilities extend beyond its network perimeter.
In June 2015, the FFIEC released its Cybersecurity Assessment Tool (CAT). The CAT states that any financial institution with a meaningful online and mobile presence should be assessed as having a high inherent risk level, and thereby should obtain the maximum level of cybersecurity maturity.
In December 2013, the FFIEC released guidance regarding financial institutions’ use of social media (“Social Media: Consumer Compliance Risk Management Guidelines”). These guidelines note that financial institutions are increasingly using social media as a tool to generate business and as a platform to interact with customers. The use of social media is associated with a unique set of risks, such as reputation risks as well as cybersecurity risks from malware, phishing, and other external threats. Accordingly, financial institutions should include social media in their existing risk management programs.
What does this all mean? Taken together, the recent string of FFIEC guidance signals a trend for financial institutions: as your businesses are increasingly extending beyond your firewall, your security responsibilities likewise extend outside the firewall—beyond merely fortifying your perimeter and securing your endpoints.
What to do?
You don’t control the internet, but you are responsible for what happens to your customers out in the wild. And the new FFIEC guidelines suggest that “not my problem” is not an option. So what, then, are your options?
Option #1 - Put the genie back in the bottle. You can tell management that the risks are too great; that the world is a scary place, and that's just the way it is. They should stop using digital channels, and the bank should go off the grid. Your organization will be low-risk for the purpose of the FFIEC guidelines, but you will be at high risk of looking like an idiot.
Option #2 - Herd cats; whack moles. You can hire a team to create and maintain a monster spreadsheet to manually track your organization’s websites, mobile apps, and social media presence. The good news is that Excel now supports more than 65,536 rows. The bad news is that you may need more than 65,536 rows. And by the time you’ve created the spreadsheet, it’s outdated.
Option #3 - RiskIQ. You can do what many other large financial institutions already do: use RiskIQ to automatically and dynamically bring all of your organization’s digital assets (web, mobile and social) under management in one single pane of glass.
We suggest the third option.
RiskIQ – The leader in Security Outside the Firewall™
RiskIQ’s External Threat Management Platform is the only solution that was purpose-built to address security outside the firewall.
Our Enterprise Digital Footprint™ product automatically discovers and inventories your online digital assets (web, mobile, and social) that tie back to your organization, enabling your security team to manage assets outside your firewall, bring unknown assets under management, and survey your digital footprint from the view of the global adversary. This provides you with a holistic view of your external threat landscape.
RiskIQ’s External Threat Detection Suite™ allows an organization to proactively defend against cyber threats that target its websites, mobile apps, and social presence. Such cyber threats include phishing attacks, rogue mobile apps, social media impersonations, and domain infringement.
The FFIEC has sent a message to financial institutions: if you’re conducting business outside your firewall, then you may be responsible for the terrible things that happen outside your firewall. RiskIQ is the leader in enterprise security outside the firewall. Call us.