FFIEC Compliance: The API Security Reckoning for Financial Institutions

FFIEC Compliance: The API Security Reckoning for Financial Institutions

What is FFIEC Compliance?

The FFIEC (Federal Financial Institutions Examination Council) is an interagency body of the U.S. government, made up of several financial regulatory agencies. It was originally created on March 10, 1979, and is responsible for creating uniform regulatory standards and reporting systems for all federally supervised financial institutions, as well as their holding companies and subsidiaries. Any institution that is regulated by one of the FFIEC member agencies is effectively subject to FFIEC rules.

On October 3, 2022, the FFIEC announced a significant update to its 2018 Cybersecurity Resource Guide for Financial Institutions. The Guidance highlights risk management practices that support oversight of identification, authentication, and access solutions as part of an institution’s information security program. Highly regulated industries, especially financial services organizations, are known to be heavily targeted by hackers, as these organizations store and use unprecedented amounts of sensitive data. 

The FFIEC specifically created these guidelines for financial institutions, and warns that many of the techniques they rely on, have been rendered obsolete and inadequate for today’s threat landscape.

As the FFIEC states:

• Virtually every authentication technique can be compromised.
• Emphasize a risk-based approach where controls are strengthened as risk increases, and highlights the need to control privileged user access to sensitive applications.
• Clearly distinguishes between the risks associated with consumer and business banking, which will dispel any remaining confusion regarding whether the guidance is primarily directed at consumer accounts.
• Outlines process changes such as dual authorization on payments and other nontechnical measures that help mitigate risk.

What’s so Important about FFIEC Compliance?

The most recent update to the FFIEC, as of October 2022, adds API Security as an important component of an organization’s inventory of information systems and risk management initiatives. 

The October 2022 update explicitly calls out APIs as a separate attack surface in regulatory guidelines that represents a significant shift in compliance trajectories, and highlights the increased threats that APIs pose to data, systems and people.

Threat Landscape

The system entry or access points (known as the attack surface) where an attacker can compromise a financial institution have expanded with the evolution of new technologies and broadly-used remote access points. For example, the number of digital banking services and information system access points have exponentially expanded with mobile computing, smartphone applications, “bring your own” devices, voice-activated capabilities, and cellular communications. These technologies and new access points provide attackers with more opportunities to obtain unauthorized access, commit fraud and account takeover, or exfiltrate data. 

Authentication risks may arise from: (a) expanded remote access to information systems; (b) the types of devices and third parties accessing information systems; (c) the use of application programming interfaces (APIs); and (d) financial institutions’ increased connectivity to third parties, such as cloud service providers.

Multiple data breaches at financial institutions, their service providers, and non-banks, such as credit bureaus, have exposed information and credentials of their customers and employees. Attackers often use technologies, such as automated password cracking tools, and these compromised credentials in their attacks against financial institutions. In addition, older or unsupported information systems are especially vulnerable to attacks because security patches and upgrades for authentication controls can be more difficult to obtain.

Topics of FFIEC Compliance Include:

1. Conducting a risk assessment for access and authentication to digital banking and information systems.
2. Identifying all users and customers for which authentication and access controls are needed, and identifying those users and customers who may warrant enhanced authentication controls, such as MFA.
3. Periodically evaluating the effectiveness of user and customer authentication controls.
4. Implementing layered security to protect against unauthorized access.
5. Monitoring, logging, and reporting of activities to identify and track unauthorized access.
6. Identifying risks from, and implementing mitigating controls for, email systems, Internet access, customer call centers, and internal IT help desks.
7. Identifying risks from, and implementing mitigating controls for, a customer-permissioned entity’s access to a financial institution’s information systems.
8. Maintaining awareness and education programs on authentication risks for users and customers.
9. Verifying the identity of users and customers.

API Security and FFIEC Compliance: What’s the big deal?

APIs seem to be everywhere, because they are!  The use of APIs have boomed over the past decade, with the rise of microservices and distributed applications.

However, despite being around more than a decade:

• APIs have been developed and deployed with little to no security framework
• Limited API monitoring and security tooling creates a void of security intelligence that is  now required to remain compliant with the updated FFIEC guidelines.
• API Sprawl is the biggest security concern; with the use of APIs being deep and wide, and with so little in the way of security, APIs are creating vulnerabilities that open your organization up to malicious attacks and exploitation.

Traceable has a unique approach to help financial services organizations address these new requirements. In this webinar, our resident expert, Richard Bird, Chief Security Officer at Traceable, explains:

1. What is FFIEC? What’s changed with this recent update?
2. The regulatory trajectory of FFIEC compliance and its new directive on the inventory of APIs.
3. How CISOs, CIOs, and Governance, Risk and Compliance (GRC) leaders in all FDIC-insured financial institutions, can align with the latest API security component of FFIEC compliance mandates.

You can view the on-demand webinar here.

The Reckoning is upon us: Financial Institutions are now required to create API Inventories. And More Will Come.

Clearly, the FFIEC is not going to simply stop at API Catalog and Inventory.  There will be an expectation for proof that APIs are secured based upon a risk formula that mitigates problems related to data privacy, financial risk, and operation risk. Risk assessment and authorization and authentication components will be demanded.

We are virtualizing all the way up to layer 7, and APIs are a natural avenue for bad actors to exploit. Banks with heavy online presence have suffered ATO and fraudulent account creation borne of APIs.  API attacks are now specifically poised to bring down applications: application based DoS.

All of these vulnerabilities lead to not only potential attacks, but the unfortunate outcome of you not meeting the demands of the FFIEC.  In such a reactionary environment, you are not in control – only mitigating and remediating in order to meet obligations rather than dictating your own terms on how you meet these security obligations.

Most organizations do not have a formalized API security program with a discrete budget for API security. Essentially, organizations aren’t doing anything about API security.

About Traceable API Security

Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire development lifecycle. Visual depictions provide insight into user and API behaviors to understand anomalies and block API attacks, enabling organizations to be more secure and resilient. Learn more at traceable.ai.