Skip to main content
OCC Flag

An official website of the United States government

OCC Bulletin 2015-40 | November 3, 2015

Cybersecurity: Joint Statement on Cyber Attacks Involving Extortion


Chief Executive Officers of All National Banks, Federal Branches and Agencies, and Federal Savings Associations; Technology Service Providers; Department and Division Heads; All Examining Personnel; and Other Interested Parties


The Federal Financial Institutions Examination Council (FFIEC),1 on behalf of its members, has issued a statement to notify financial institutions of the increasing frequency and severity of cyber attacks involving extortion. Financial institutions face a variety of risks from cyber attacks involving extortion, including liquidity, capital, operational, compliance, and reputation risks, resulting from fraud, data loss, and disruption of service. The FFIEC statement reinforces the importance of maintaining effective programs to identify, protect against, detect, respond to, and recover from these types of attacks.

Note for Community Banks

This guidance is applicable to all OCC-supervised institutions.


Consistent with FFIEC and member guidance, financial institutions should consider taking the following steps.

  • Conduct ongoing information security risk assessments.
  • Securely configure systems and services.
  • Protect against unauthorized access.
  • Perform security monitoring, prevention, and risk mitigation.
  • Update information security awareness and training programs, as necessary, to include cyber attacks involving extortion.
  • Implement and regularly test controls around critical systems.
  • Review, update, and test incident response and business continuity plans periodically.
  • Participate in industry information-sharing forums

Further Information

Please contact Valerie Abend, Senior Critical Infrastructure Officer, Operational Risk Division, at (202) 649-6550.


Bethany A. Dugan
Deputy Comptroller for Operational Risk

Related Links

 1 The FFIEC comprises the principals of the following: The Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Consumer Financial Protection Bureau, and State Liaison Committee.