Skip to main content
OCC Flag

An official website of the United States government

OCC Bulletin 2015-20 | March 30, 2015

Cybersecurity: Destructive Malware Joint Statement


Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties


The Federal Financial Institutions Examination Council (FFIEC), 1 on behalf of its members, has issued a statement to notify financial institutions of the increasing threat of cyber attacks involving destructive malware and to recommend risk mitigation techniques. In some cases, destructive malware used in these attacks successfully compromised large quantities of data and rendered supporting systems inoperable. An institution's management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption, and maintenance of the institution's operations after a cyber attack involving destructive malware.

Note for Community Banks

Community banks should test their incident response and business continuity plans and understand their responsibilities in the event of cyber attacks at their institutions or involving their third-party service providers.


In accordance with regulatory requirements and FFIEC guidance, national banks and federal savings associations (collectively, banks) should take appropriate risk mitigation steps, including the following:

  • Securely configure systems and services.
  • Review, update, and test incident response and business continuity plans.
  • Conduct ongoing information security risk assessments.
  • Perform security monitoring, prevention, and risk mitigation.
  • Protect against unauthorized access.
  • Implement and test controls around critical systems regularly.
  • Enhance information security awareness and training programs.
  • Participate in industry information-sharing forums.

Further Information

Please contact Valerie Abend, Senior Critical Infrastructure Officer, Operational Risk Division, at (202) 649-6550.


Bethany A. Dugan
Deputy Comptroller for Operational Risk

Related Links

1 The FFIEC comprises the principals of the following: Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.