February 13, 2000
OCC ALERT- Internet Security: Distributed Denial of Service Attacks
In recent days, many high-profile Internet-based electronic commerce Web sites have been victims of attacks. The attacks have interrupted customer access to the targeted Web sites by flooding them with more traffic than their servers can handle. Because the flood is generated at the same time from many separate machines rather than from a single source, this type of attack is commonly referred to as a "distributed denial of service" attack (DDoS). A flood of this size may force the Web site to suspend normal service. DDoS attacks represent a new and significant threat to Internet Web site availability and merit close scrutiny by management.
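The following is an added illustration, not part of the OCC alert, of what a distributed flood looks like in a Web server's own access log: the total request rate exceeds what the server can serve, yet no single source address is sending enough to look abusive on its own, which is why blocking one address at a time does not stop it. The log lines, the server capacity of 25 requests per second and the per-source limit of 5 requests per second are all constructed assumptions for this example.

```python
"""Added example: telling a distributed flood apart from a single-source flood
using Web server access logs. All log lines, capacities and limits below are
constructed for illustration; they are not real traffic or real thresholds."""
import re
from collections import Counter
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return {'ip', 'ts', 'request'} for a CLF line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "request": m["req"],
    }


def build_sample_log(n_sources=200, requests_each=3):
    """Constructed log: n_sources addresses each sending requests_each requests
    inside one ten-second window, plus one ordinary visitor and one garbage line."""
    lines = []
    for i in range(n_sources):
        ip = f"10.{(i >> 8) & 255}.{i & 255}.7"  # constructed, non-routable
        for k in range(requests_each):
            sec = (i * requests_each + k) % 10
            lines.append(
                f'{ip} - - [09/Feb/2000:10:30:{sec:02d} +0000] "GET / HTTP/1.0" 200 2326'
            )
    for sec in (1, 4, 6, 8):  # one legitimate customer browsing normally
        lines.append(
            f'192.0.2.10 - - [09/Feb/2000:10:30:{sec:02d} +0000] "GET /balances HTTP/1.0" 200 512'
        )
    lines.append("corrupt line that the parser must skip")
    return lines


def analyze(lines, capacity_rps, per_source_limit_rps):
    """Aggregate parsed requests over the window they span and classify the load.

    capacity_rps and per_source_limit_rps are assumed operator-chosen numbers.
    The window is approximated at one-second log resolution (span + 1 second)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    if not events:
        return {"requests": 0, "overloaded": False,
                "single_source_flagged": False, "distributed_flood": False}
    first = min(e["ts"] for e in events)
    last = max(e["ts"] for e in events)
    window = (last - first).total_seconds() + 1.0
    per_ip = Counter(e["ip"] for e in events)
    total_rps = len(events) / window
    top_ip, top_count = per_ip.most_common(1)[0]
    top_rps = top_count / window
    overloaded = total_rps > capacity_rps
    single_flagged = top_rps > per_source_limit_rps
    return {
        "requests": len(events),
        "window_s": window,
        "sources": len(per_ip),
        "total_rps": total_rps,
        "max_source": top_ip,
        "max_source_rps": top_rps,
        "overloaded": overloaded,
        "single_source_flagged": single_flagged,
        # The DDoS signature: the server is over capacity while every
        # individual source stays under the per-source limit.
        "distributed_flood": overloaded and not single_flagged,
    }


if __name__ == "__main__":
    for label, log in (("distributed", build_sample_log()),
                       ("single source", build_sample_log(n_sources=1, requests_each=300))):
        r = analyze(log, capacity_rps=25, per_source_limit_rps=5)
        print(label, r["total_rps"], r["max_source_rps"], r["distributed_flood"])
```

Run stand-alone, the distributed case reports about 60 requests per second arriving from 201 addresses, none of them above 0.4 requests per second, so a per-address limit would never trigger; the single-source case trips the per-address limit immediately. A bank cannot absorb such a flood by adjusting its own servers alone, which is the point the disclaimer discussion below is driving at.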
FYI - DDoS attacks prevent your customers from performing banking services that Your Bank has advertised the customer can perform online. I believe that it is important that your "Terms and Conditions" statement and your Internet banking agreement with the customer indicate that the online services may not always be available because of circumstances beyond the control of Your Bank. You may want to have your attorney prepare an appropriate disclaimer.
FYI - Key Bank USA, National Association may lawfully acquire and hold a non-controlling, minority interest in Econex LLC, a limited liability company that will provide certain Internet-related services to merchants, and it is legally permissible for Key Merchant Services, LLC, a limited liability company in which the Bank holds a non-controlling, minority interest, to expand its activities to include Internet-related services to merchants.
FYI - The OTS granted a federal thrift charter to 1st Virtual, Inc., Palm Beach Gardens, Fla., a company that will operate as a full-service Internet bank. VirtualBank will be the sixth Internet bank under OTS supervision.
INTERNET SECURITY - Potential Threats To Consider - comments from FDIC
Serious hackers, interested computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime, or even agents of espionage pose a potential threat to an institution's computer security. The Internet provides a wealth of information to banks and hackers alike on known security flaws in hardware and software. Using almost any search engine, average Internet users can quickly find information describing how to break into various systems by exploiting known security flaws and software bugs. Hackers may also breach security by misusing vulnerability assessment tools to probe network systems, then exploiting any identified weaknesses to gain unauthorized access. Internal misuse of information systems remains an ever-present security threat.
Many break-ins or insider misuses of information occur because of poor security programs. Hackers often exploit well-known weaknesses and security defects in operating systems that the institution has not appropriately addressed. Inadequate maintenance and improper system design may also allow hackers to defeat a security system. New security risks arise from evolving attack methods or newly discovered holes and bugs in existing software and hardware. New risks may also be introduced as systems are altered or upgraded, or through the improper setup of available security-related tools. An institution needs to stay abreast of new security threats and vulnerabilities. It is equally important to keep up to date on the latest security patches and version upgrades that are available to fix security flaws and bugs. Information security and relevant vendor Web sites contain much of this information.
FYI - While the above refers to external attacks, the same deficiencies in IS security allow employees to create problems. Remember that unauthorized intrusion into your computer systems is more likely to come from your employees than from outside sources.
INTERNET RISKS - Internet banking creates new risk control challenges. Last week we shared the OCC's comments on Credit Risk. This week is Interest Rate Risk.
Interest rate risk is the risk to earnings or capital arising from movements in interest rates. From an economic perspective, a bank focuses on the sensitivity of the value of its assets, liabilities and revenues to changes in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (repricing risk); from changing rate relationships among different yield curves affecting bank activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from interest-related options embedded in bank products (options risk). Evaluation of interest rate risk must consider the impact of complex, illiquid hedging strategies or products, and also the potential impact that changes in interest rates will have on fee income. In those situations where trading is separately managed, this refers to structural positions and not trading portfolios.
Internet banking can attract deposits, loans, and other relationships from a larger pool of possible customers than other forms of marketing. Greater access to customers who primarily seek the best rate or term reinforces the need for managers to maintain appropriate asset/liability management systems, including the ability to react quickly to changing market conditions.
INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on funds availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.