October 2014 A Regulatory & Legislative Advisory for Compliance Professionals
Inside . . .
Cybersecurity
2 Chip & Pin Ordered for Federal Benefit Cards
3 Exemption Sought from Limits on Mobile Security Alerts
3 ABA to Launch New Center on Payments and Security
3 Cybercrime Costs Doubled in Past Five Years
4 Disgruntled Employees Pose Significant Cyber Threat
CFPB News
4 ABA Wins Changes to TILA-RESPA Disclosures
5 ABA Releases Free Comprehensive Mortgage Origination Deskbook
6 GAO: Government Dominance of Housing is "High Risk" Area
6 Privacy Notice Rule Finalized
6 Scrutinizing Checking Account History Databases
ABA, FS-ISAC, FFIEC OFFER RESOURCES ON SHELLSHOCK VULNERABILITY
As businesses and customers respond to the Bash Shellshock bug, a security vulnerability affecting Unix-like operating systems such as Linux and Mac OS X, ABA, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Federal Financial Institutions Examination Council (FFIEC) offered resources for bankers and their customers. The bug lies in the way Bash imports function definitions passed to it through environment variables, and it may pose a significant threat to systems and networks by allowing a remote attacker to execute arbitrary code on an affected system, further compromise that system and any data it stores or processes, or cause a loss of service.
FS-ISAC labeled it a “significant threat to systems and networks” and urged banks and
their vendors and service providers to “identify and remediate vulnerable systems
using a prioritized, risk-based approach.” FS-ISAC also warned about “cross-sector
exposure” due to the pervasiveness of Unix-based systems.
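Identifying vulnerable systems starts with testing the Bash binary itself. The check below is added here as an illustration and is not part of the ABA, FS-ISAC or FFIEC resources. It uses the widely published probe for the bug: an environment variable whose value is a function definition followed by an extra command. A vulnerable Bash runs the extra command while importing the function; a patched Bash only imports the definition or ignores it. The BASH_BIN override and the verdict strings are choices made for this example.

```shell
#!/bin/sh
# Added example (not ABA/FS-ISAC/FFIEC code): local Shellshock probe for bash.
# Assumes a bash binary is on PATH; set BASH_BIN to test a different binary
# (that override is an assumption of this example, not a documented feature).

# shellshock_check prints one of three verdicts:
#   "vulnerable" - the bash under test executed a command smuggled in after a
#                  function definition held in an environment variable
#   "patched"    - only the intended command ran
#   "no-bash"    - no bash binary could be found to test
# The function always exits 0 so it can be used safely under `set -e`;
# callers act on the printed verdict.
shellshock_check() {
    bash_bin="${BASH_BIN:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The variable x carries a no-op function "() { :;}" followed by a
    # second command. Only the "echo probe" passed via -c is meant to run.
    # stderr is discarded because a patched bash may warn about the
    # ignored function definition.
    out=$(env x='() { :;}; echo SHELLSHOCKED' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCKED*) echo "vulnerable" ;;
        *)              echo "patched" ;;
    esac
    return 0
}

# Run the probe against the default bash when executed directly.
shellshock_check
```

Because the probe only exercises the local interpreter, a "patched" verdict on one host says nothing about CGI front ends, DHCP clients or vendor appliances elsewhere in the estate; run it on each system in scope, or ask vendors for the equivalent evidence, as part of the prioritized, risk-based remediation FS-ISAC describes.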
FS-ISAC also noted that, given inaccurate media reporting on other recent vulnerabilities, there is potential for misinformation and over-speculation about the impact of this one. To help communicate the facts, a member institution developed and provided sample communication templates aimed at several stakeholder groups: CEOs; chief operating and chief risk officers; employees; and externally hosted vendors. The full FS-ISAC statement and the sample memos for use by bank risk officers are available exclusively to ABA members at aba.com/cybersecurity. ABA encourages banks to join FS-ISAC in order to share and receive up-to-date information about emerging cyber threats.
To help banks communicate with staff and customers on this issue, ABA has also issued an FAQ for bankers to use in explaining Shellshock. It emphasizes that bank customers are always protected from unauthorized transactions and reminds customers to update their passwords regularly to stay safe online. View ABA's FAQ. View the FFIEC advisory. Access the Cybersecurity/Fraud page.
FDIC CHAIRMAN ON CYBERSECURITY
In a September 22 speech before the American Banker Regulatory Symposium in Arlington, VA, Martin Gruenberg, chairman of the Federal Deposit Insurance Corporation, spoke to the growing importance of cybersecurity in the management of operational risk by large and small banks alike, and highlighted recent FDIC efforts, including:
The development of a framework for conducting IT examinations that covers a
broad spectrum of technology, operational, and information security risks,