Federal Financial Institutions Examination Council
For Immediate Release: November 19, 1999
Information Security Precautions During the Century Rollover Period
To: The Board of Directors and Chief Executive Officers of all federally supervised financial institutions, service providers, software vendors, federal branches and agencies, senior management of each FFIEC agency, and all examining personnel.
The Federal Financial Institutions Examination Council (FFIEC) believes that financial institutions may be exposed to higher levels of fraudulent and malicious attempts to exploit information systems during the century date change. Hackers and developers of malicious software may step up their activities at a time when it may be difficult, without adequate safeguards, to detect or distinguish among a routine software or operations problem, a Year 2000-related problem, and fraudulent or malicious activity.
Much of the guidance contained in this statement has been included in various parts of several previously issued FFIEC advisories. This statement is meant to compile that information for ease of reference and to encourage the industry to focus attention on information security as the century date change rapidly approaches. The FFIEC strongly encourages financial institutions to review their security procedures, consistent with the institution's size, reliance on automated systems and risk profile, and where necessary, enhance internal controls and security procedures to deter and detect unauthorized intrusions in late 1999 and early 2000.
Effective Information Security and Steps to be Considered
An effective information security framework is key to maintaining the confidentiality, integrity and availability of information resources. Major components of a framework include information security policies, authentication methods and access controls. Financial institutions should review their information security framework in light of the potential for fraudulent or malicious activity during the rollover period. Financial institutions should consider the following:
International and Domestic Coordination
It is intended that a similar advisory statement will be issued by the Joint Year 2000 Council, Basel, Switzerland, to international supervisors of banks, securities, insurance activities, and payment systems. In some countries, National Y2K Coordinators are also sponsoring programs to educate public and private sector firms regarding information security threats and vulnerabilities during the century rollover period. In the United States, the FFIEC agencies are working closely with the President's Council on Year 2000 Conversion to address this issue.