ARLINGTON, Va.--The Federal Financial Examination Council (FFIEC) is warning FIs that Microsoft will discontinue support for its Windows XP operating system next year--a move that could have an adverse effect on institutions still relying on XP.
Effective April 8, 2014, Microsoft will discontinue extended support for XP, after which regular security patches, technical assistance and support for XP will no longer be provided by Microsoft. The FFIEC warns that after that date, FIs, technology service providers and other third parties that use XP in PCs, servers and other purpose-built devices (such as ATMs) could be exposed to increased operational risk.
“Potential problems include degradation in the delivery of various products and services, application incompatibilities, and increased potential for data theft and unauthorized additions, deletions and changes of data,” the FFIEC said in a statement. It also warned that FIs are subject to requirements as part of the Payment Card Industry Data Security Standard, and continued XP usage after April 8, 2014, may no longer be compliant.
The FFIEC is advising FIs to follow their own risk management procedures to address the risk from any continued XP usage beyond April 8, consistent with the FFIEC’s own risk-management guidance. The council also outlined the following guidelines:
- Perform risk assessments to identify and measure the risk from continued use of XP throughout the organization and at third parties, including business continuity and disaster recovery situations.
- Select appropriate mitigations, including potentially replacing XP with a current operating system.
- Monitor the risk mitigation implementation to ensure an acceptable level of risk. Effectiveness of controls should be tested periodically and results reported to senior management or a board committee, as appropriate, to ensure that risk continues to be managed.
To see the release from the FFIEC, visit:











