The Federal Financial Institutions Examination Council (FFIEC) members are taking a number of initiatives to raise the awareness of financial institutions and their critical third-party service providers with respect to cybersecurity risks and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats.

Financial institutions are increasingly dependent on information technology and telecommunications to deliver services to consumers and business every day. Disruption, degradation, or unauthorized alteration of information and systems that support these services can affect operations, institutions, and their core processes, and undermine confidence in the nation's financial services sector.

In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of the industry preparedness and identifying gaps in the regulators' examination procedures and training that can be closed to strengthen the oversight of cybersecurity readiness.

The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." As part of cybersecurity, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.

The following resources can help management and directors of financial institutions to understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions.

Cybersecurity Assessment Tool

FFIEC Resources



• FFIEC Cybersecurity Assessment Tool Frequently Asked Questions (PDF)
• Cybersecurity of Interbank Messaging and Wholesale Payment Networks (PDF)
• FFIEC Joint Statement on Cyber Attacks Involving Extortion (PDF)
• FFIEC Cybersecurity Assessment Tool Presentation
• FFIEC Statement on Destructive Malware (PDF)
• FFIEC Statement on Compromising Credentials (PDF)
• FFIEC IT Examination HandBook InfoBase
• Introduction to the FFIEC’s Cybersecurity Assessment
• May 7, 2014 - Webinar: Executive Leadership of Cybersecurity: What Today's CEOs Need to Know About the Threats They Don't See.
  View Slides | View Video
• FFIEC Cybersecurity Assessment General Observations (PDF)
• Cybersecurity Brochure (PDF)


FFIEC Statements and Alerts Regarding Threats and Vulnerabilities



• October 6, 2016 - Press Release: The Federal Financial Institutions Examination Council (FFIEC) Announces Webinars in Observance of Cybersecurity Awareness Month
• June 7, 2016 - Press Release: The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, is issuing this statement, in light of recent cyber attacks, to remind financial institutions of the need to actively manage the risks associated with interbank messaging and wholesale payment networks.
• November 3, 2015 - Press Release: The Federal Financial Institutions Examination Council (FFIEC) today issued a statement alerting financial institutions to the increasing frequency and severity of cyber attacks involving extortion.
• June 30, 2015 - Press Release: The FFIEC today released a Cybersecurity Assessment Tool to help institutions identify their risks and assess their cybersecurity preparedness.
• March 30, 2015 - Press Release: The FFIEC released information regarding the release of two statements about ways that financial institutions can identify and mitigate cyber attacks that compromise user credentials or use destructive software, known as malware.
• March 17, 2015 - Press Release: The Federal Financial Institutions Examination Council (FFIEC) today provided an overview of its cybersecurity priorities for the remainder of 2015.
• November 3, 2014 - Press Release: FFIEC Releases Cybersecurity Assessment Observations, Recommends Participation in Financial Services Information Sharing and Analysis Center
• September 26, 2014 - Press Release: State and Federal Regulators: Financial Institutions Should Move Quickly to Address Shellshock Vulnerability
• June 24, 2014 - Press Release: FFIEC Launches Cybersecurity Web Page and Commences Cybersecurity Assessment
• May 7, 2014 - Press Release: FFIEC Promotes Cybersecurity Preparedness for Community Financial Institutions
• April 10, 2014 - Press Release: Financial Regulators Expect Firms to Address OpenSSL "Heartbleed" Vunerability
• April 2, 2014 - Press Release: Financial Regulators Release Statements on Cyber-Attacks on Automated Teller Machine and Card Authorization Systems and Distributed Denial of Service Attacks
• October 7, 2013 – Press Release: Financial Regulators Release Statement on End of Microsoft Support for Windows XP Operating System
• October 2, 2013 – Press Release: FFIEC Supports National Cybersecurity Awareness Month




Exercise Program Resources



• Federal Deposit Insurance Corporation’s Cyber Challenge
• FS-ISAC Global Events/Cyber-Attack Against Payment Systems (CAPS) Exercise




Other Resources



• Financial Services Information Sharing and Analysis Center
• FBI Infragard
• National Credit Union Administration’s Cyber Security Resources Page
• U.S. Computer Emergency Readiness Team
• U.S. Secret Service Electronic Crimes Task Force (ECTF)