Regulators Issue Tougher Cyber-Security Requirements

WASHINGTON — Federal regulators on Tuesday released updated guidance on how banks should guard against cyber-security threats.

The 12-page document, released by the Federal Financial Institutions Examination Council, establishes certain minimum expectations for how banks will protect customer information online. It notes that the nature and scope of threats has changed since 2005, when the agencies last released guidance on the subject, and provides examples of how banks should respond to these evolving challenges.

The guidelines appear to toughen requirements since their last release six years ago. For example, regulators said that in response to the 2005 release, many banks implemented "simple device identification," which typically uses a cookie on a customer's PC to identify the computer during a later transaction. But regulators said that is no longer acceptable, noting that fraudsters can copy the cookie and impersonate a customer.

"Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique," regulators said.

Similarly, regulators said several banks use relatively weak challenge questions designed to verify a customer's identity. The agencies said banks should not use questions that could be answered by searching public data. Instead, the regulators recommended banks use "out of wallet" questions that do not rely on publicly obtainable data. They also suggested sophisticated systems that rely on "red herring" questions that could trick a fraudster but which a legitimate customer would readily identify.

The "agencies have also found that the number of challenge questions employed has a significant impact on the effectiveness of this control," the regulators said. "Solutions that use multiple challenge questions, without exposing all the questions in one session, are more effective."

The guidance also reiterates the expectations on cyber-security that regulators laid out six years ago, and it identifies certain minimum elements for banks' customer awareness and education programs.

The guidance comes in the wake of recent news of a data breach at Citigroup in which $2.7 million being stolen from 3,400 customers.

In 2005, the regulators' guidance on cyber-security sparked confusion about what the agencies were expecting as well as complaints from banks about the additional costs they would have to bear.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER