When the Financial Industry Regulatory Authority (FINRA) issued a recent alert on a group of cybercriminals targeting broker-dealers online, it seemed to have almost all the elements for a good mystery story: cybersecurity, regulators, organized crime and even Bitcoin.
In a notice it posted late in June, FINRA described the tactics used by DD4BC, the cybercriminal group it said has recently turned its sights on the financial services industry. First, the attacker sends its selected target an email, warning the firm that it will be the target of a distributed denial-of-service (DDoS) attack, which knocks a website or network offline by overwhelming it with incoming messages. The firm can avoid the attack, however, by paying a ransom in Bitcoin, the criminals will warn. DD4BC then conducts a short demonstration attack, which typically lasts about an hour, and threatens more attacks if the ransom is not paid.
“These DDoS attacks are nothing new. In fact, financial regulators – state and federal – have been looking at these and other types of cybersecurity risks for a while now,” said Massachusetts Banking Commissioner David Cotney.
According to a recent report out of the Burlington-based software company Arbor Networks, the group or person that calls itself DD4BC (short for DDoS For Bitcoin) has been perpetrating these kinds of attacks since at least July of last year and originally began by targeting online casinos and Bitcoin exchanges. Only more recently has DD4BC targeted financial services companies, and Arbor suggested in its report that the person or group may also have targeted higher education.
New Threats, New Responses
It only makes sense that financial institutions – which are daily trusted with not just customers’ money but also hoards of sensitive personal information – would be held to a higher standard than many other industries that may have been hit by DD4BC or any number of other cybercriminal groups.
In talking about the issue, Cotney, who described cybersecurity as one of financial regulators’ highest priorities right now, also sought to draw attention to a new cybersecurity risk assessment tool developed by the Federal Financial Institutions Examination Council (FFIEC).
Ben Craigie, the Massachusetts Bankers Association’s director of compliance, echoed Cotney’s recommendation and said that the FFIEC’s new tool is also particularly helpful for developing an individual financial institution’s own cybersecurity plan and for elevating that conversation to the board of directors.
“If you pore through this document, you can create a working risk assessment document that will be able to map the bank’s cybersecurity program,” he said. “This will eventually allow you to supplement your own documentation that you would then hand to the board or hand to the regulators. … And you would tweak it on a regular basis and use it to inform your policies and procedures throughout the rest of the year.”
Cotney said he anticipated that most of the financial institutions his office regulates would find, upon completing the assessment, that they have some of the lowest levels of risk for cyberattacks.
Of course, the particular DDoS scheme that FINRA recently warned institutions about is not the only security threat keeping bankers up at night. Such threats can take the shape of data breaches, fraud in payments or even social engineering, which could mean a miscreant gaining physical access to a financial institution’s facilities and making off with customer information that way, Craigie said.
“When we have conversations with the commissioner and with other regulators,” he said, “cybersecurity is this overarching push, and DDoS is just one of the many heads of the hydra.”
Regulators have likewise had to tweak their approach to cybersecurity.
“I think there was a recognition – certainly something my office pushed – that the traditional model, the minute you put out a notice these days, it’ll be out of date before the ink is dry,” Cotney said. “Regulators are looking at a different approach, to try to create these helpful tools for the industry to be able to prepare themselves for these types of attacks.”
He said the fast-evolving nature of cyberthreats has also spurred a push for banks and credit unions to join information-sharing efforts, like the Financial Services Information Sharing and Analysis Center (FS-ISAC).
“The traditional approach is, you compete on a daily basis, so you don’t necessarily want to share what may be happening to you with your competitors,” Cotney said. “But we think this is an important enough issue that we can be sure if one bank is experiencing some type of attacks, other banks may be experiencing the same attack or shortly thereafter will. The more information institutions can share, the better prepared they’ll all be.”





