OCC Bulletin 2014-13 | April 2, 2014
Cyber Attacks on Financial Institutions' Automated Teller Machine and Card Authorization Systems: Joint Statement
To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties
The members of the Federal Financial Institutions Examination Council (FFIEC) today issued a joint statement to notify financial institutions of a large-dollar-value automated teller machine (ATM) cash-out fraud characterized as Unlimited Operations by the U.S. Secret Service. The members are aware of a recent increase in cyber-attacks on financial institutions launched in connection with this fraud to gain access to, and alter the settings on, ATM Web-based control panels used by small-to-medium-sized financial institutions.
The members of the FFIEC expect financial institutions to take steps to mitigate this threat by ensuring that
- each institution’s and service provider’s management of enterprise risk addresses this type of threat in its risk assessment process, and
- controls associated with the institution’s information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes are reviewed for adequacy against this threat.
Note for Community Banks
Community banks with ATMs should work closely with their service providers and ensure that the providers are taking appropriate action to mitigate this risk.
Questions regarding the FFIEC statement should be directed to the OCC’s Bank Information Technology Division at (202) 649-6340.
Carolyn G. DuChene
Deputy Comptroller for Operational Risk