Federal Financial Institutions Examination Council
Press Release
For Immediate Release April 10, 2014

Financial Regulators Expect Firms to Address OpenSSL “Heartbleed” Vulnerability
The Federal Financial Institutions Examination Council (FFIEC) members expect financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability. Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch. Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.

OpenSSL is a cryptographic software library used to authenticate services and encrypt sensitive information. A significant vulnerability has been found in OpenSSL that could allow an attacker to decrypt, spoof, or perform attacks on network communications that would otherwise be protected by encryption.

The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms, and to promote uniformity in the supervision of financial institutions. The Council has six voting members: a Governor of the Board of Governors of the Federal Reserve System, designated by the Chairman of the Board; the Chairman of the Federal Deposit Insurance Corporation; the Chairman of the Board of the National Credit Union Administration; the Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; and the Chairman of the State Liaison Committee. The Council's activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.

###

Attachment:

OpenSSL Vulnerability Alert (PDF)

References:

US-CERT OpenSSL “Heartbleed” Vulnerability, CVE-2014-0160
https://www.us-cert.gov/ncas/alerts/TA14-098A

FFIEC IT Examination Handbook, Development and Acquisition
http://ithandbook.ffiec.gov/it-booklets/development-and-acquisition.aspx

FFIEC IT Examination Handbook, Information Security
http://ithandbook.ffiec.gov/it-booklets/information-security.aspx

FFIEC IT Examination Handbook, Operations
http://ithandbook.ffiec.gov/it-booklets/operations.aspx
Media Contacts:

CFPB Sam Gilford (202) 435-7673
FDIC Greg Hernandez (202) 898-6984
Federal Reserve Barbara Hagenbaugh (202) 452-2955
NCUA Ben Hardaway (703) 518-6333
OCC Stephanie Collins (202) 649-6870
SLC Catherine Woody (202) 728-5733