June 29, 2023

What is the FFIEC DDoS Mandate for their Members?


The Federal Financial Institutions Examination Council (FFIEC) is a U.S. government interagency body consisting of banking regulators who have the authority to establish uniform principles, standards, and report forms to ensure consistency in the oversight of financial institutions.

On April 2, 2014, the FFIEC released a joint statement requiring all voting members to develop a DDoS strategy. "All voting members, including all financial institution members, must address their DDoS readiness as part of their ongoing information security, risk assessments, and incident response plans."

Each voting council member has several options for penalizing their members for failure to comply with FFIEC. These penalties or sanctions could include the following:

  • Cease & desist and restitution orders
  • Fines and court fees
  • Prohibition orders

Who are the Members of the FFIEC Council?

The FFIEC has six voting members. Each voting member in turn oversees the institutions chartered under its own authority.

The Council has six voting board members, including:

  • Board of Governors of the Federal Reserve Board (FRB)
  • Chairperson of the Federal Deposit Insurance Corporation (FDIC)
  • Chairperson of the Board of the National Credit Union Administration (NCUA)
  • Office of the Comptroller of the Currency (OCC)
  • Director of the Consumer Financial Protection Bureau (CFPB)
  • Chairperson of the State Liaison Committee (SLC)

FFIEC voting members also released similar FIL guidelines for their respective members.


FDIC's Financial Institution Letter (FIL) Regarding DDoS

The FDIC issued FIL-11-2014, which described the importance of FDIC-supervised financial institutions enabling distributed denial-of-service (DDoS) monitoring capabilities to address the growing number of attacks.

The document outlined several guidelines all members should include in the members' DDoS plan. These guidelines include the following:

  • Monitor all inbound and outbound Internet traffic connections supporting external websites for denial of service attacks.

  • Develop a Community Emergency Response Team (CERT) that includes internal resources, a managed security service provider (MSSP) partner, ISP and CSP escalation teams, and local, state, and federal law enforcement partners.

  • Ensure that security operations have sufficient staffing to manage a DDoS attack, and arrange overflow resources with your MSSP partner to help capture vital attack details and traffic anomalies.

  • Develop industry peering relationships to share information about recent cyber attacks and trends, including filing a suspicious activity report (SAR) with the Financial Crimes Enforcement Network (FinCEN).

  • Develop a continuous risk management plan incorporating a scoring method, risk prioritization strategy, and deploying risk management controls, including DDoS protection and mitigation.

Like the FDIC, the Financial Crimes Enforcement Network (FinCEN) also released similar guidance to all financial institutions on cybersecurity readiness.


What is the Role of FinCEN?

The Financial Crimes Enforcement Network (FinCEN) is a bureau of the U.S. Department of the Treasury. The agency aims to protect the financial system from unlawful activities and to prevent money laundering, terrorism financing, and other related crimes. It also promotes national security through the analysis and sharing of financial intelligence, drawing on detailed threat reporting from banks, credit unions, money transmitters, and information-sharing partners such as the FFIEC.


FinCEN is one of many agencies that promote cybersecurity information sharing between organizations in order to build more comprehensive cases against cybercriminals and global terrorist organizations. Many of the voting members of the FFIEC encourage their members to report cybersecurity attacks, particularly when a data breach occurs.


This report format is called a suspicious activity report (SAR). The SAR creates a record of attacks on depository institutions that is forwarded to the FBI, DHS, and other federal agencies for further investigation.


All financial institutions must report suspicious or potentially suspicious activity through a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) to help combat money laundering, terrorism financing, and other financial crimes.


Voluntary Reporting of Cyber Events

FinCEN encourages financial institutions to report cyber events and cyber-enabled crimes deemed significant or damaging, even if a SAR is not required.


Use Case: A financial institution's website is attacked by a DDoSer, leaving its online banking services disabled for a significant time.


After investigating, the institution discovers that no transactions were affected. While the institution isn't required to report the attack, FinCEN encourages filing a SAR.


Why? Because the attack caused significant damage to the institution. Remember, even if a cyber event doesn't meet mandatory filing requirements, reporting it can be a real game-changer for law enforcement investigations.


What are the FinCEN DDoS Guidelines for Financial Institutions?


In 2016, FinCEN released advisory FIN-2016-A005, which outlines critical points for organizations regarding DDoS attacks and prevention strategy.


FinCEN recommends an ongoing program to assess information security risk that identifies, prioritizes, and considers the risk to critical systems, similar to the FDIC FIL-11-2014 letter.


Under FinCEN guidance, should a financial institution file a SAR if a DDoS attack affects the organization?


Case Example: FinCEN Advisory, October 25, 2016


A Money Services Business should file a single SAR if it suspects a DDoS attack prevented it from stopping an unauthorized $2,000 wire transfer.


The report should include both the unauthorized transfer and the related DDoS attack. The financial institution should report the transaction because it was unauthorized and meets the filing threshold. The DDoS attack should also be reported because it was used as cover for the unauthorized transfer.


Nexusguard Partnership with Financial Institutions to Meet FFIEC DDoS Guidelines


Creating a comprehensive DDoS strategy requires more than deploying hardware or leveraging cloud-based protection solutions. FFIEC voting members and the institutions they oversee need a comprehensive DDoS strategy that addresses the most critical areas of risk within their financial services, including data and application instances in the cloud and on-premises.


Nexusguard solutions are not one-size-fits-all models. Each client has unique requirements and mandates that call for DDoS protection as part of its cybersecurity strategy. Nexusguard has worked with its clients and other third-party technology companies to ensure that interoperability, integration, and centralized alerting exceed client expectations.


The information captured by the various Nexusguard tools has helped organizations collect the data needed for their SAR filings to FinCEN.


Working with some of the largest cloud service providers, governments, healthcare organizations, and financial institutions, the team at Nexusguard understands the need for DDoS protection backed by solid mitigation, reporting, and ongoing monitoring.


For more information, contact our security experts.
