The Office of the Comptroller of the Currency (OCC) issued an alert today warning banks of a recent spate of distributed denial of service (DDoS) attacks directed at several U.S. banks, and reiterating its expectation that banks have risk management programs in place to identify and mitigate the “new and evolving threats” to online customer accounts. The alert, which is directed at the CEOs of all national banks and their technology service providers, among others, states that DDoS attacks are often deployed to divert bank resources while other cyberattacks are launched to fraudulently obtain funds from customer accounts and steal proprietary information.
The alert directs banks to “have a heightened sense of awareness” and to “employ appropriate resources to identify and mitigate” the risk posed by DDoS attacks, including by having appropriate personnel and external partners involved in incident response and by conducting due diligence reviews of third-party service providers (e.g., Internet service providers). Additionally, the alert calls on banks to share information with other banks, third-party service providers, and the government, and to be prepared to communicate with their customers in a “timely and accurate” manner in the event of an attack. The alert also states that the OCC expects banks to report DDoS attacks to law enforcement authorities and their supervisory office and to file a Suspicious Activity Report if the attack affects either critical information – such as customer account information – or critical systems.