OCC Bulletin 2014-14| April 3, 2014
Distributed Denial-of-Service Cyber Attacks, Risk Mitigation, and Additional Resources: Joint Statement
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties
The members of the Federal Financial Institutions Examination Council (FFIEC)1 have issued the attached joint statement to notify financial institutions of the risks associated with the continued distributed denial-of-service (DDoS) attacks and the steps that institutions are expected to take to address these attacks. The joint statement refers institutions to resources to help them mitigate the risks posed by such attacks.
The members of the FFIEC expect financial institutions to address DDoS readiness as part of their ongoing information security and incident response plans. Each institution is expected to
- monitor incoming traffic to its public Website,
- activate incident response plans if it suspects that a DDoS attack is occurring, and
- ensure sufficient staffing for the duration of the attack, including the use of previously contracted third-party services, if appropriate.
Note for Community Banks
Community banks should ensure that their in-house information technology units or their service providers are taking appropriate action to mitigate this risk.
Questions regarding the FFIEC statement should be directed to the Office of the Comptroller of the Currency’s Bank Information Technology Division at (202) 649-6340.
Carolyn G. DuChene
Deputy Comptroller for Operational Risk