OCC Bulletin 2014-17 | April 25, 2014
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties
On April 10, 2014, the members of the Federal Financial Institutions Examination Council (FFIEC)1 issued the attached alert to notify financial institutions of a material security vulnerability in OpenSSL, a widely used encryption tool. The alert outlined the risks associated with this vulnerability (also known as Heartbleed) and the risk mitigation steps that financial institutions are expected to take to address those risks. It also refers institutions to additional resources to help them mitigate the risks.
Banks should address the OpenSSL vulnerability by taking the following risk mitigation steps, as appropriate:
Community banks should ensure that their in-house information technology unit and their service providers are taking appropriate action to mitigate this risk.
Since the FFIEC alert, additional information regarding the OpenSSL vulnerability has emerged, indicating that it may affect a range of technologies including, but not limited to, internally and externally facing servers, network devices, printers, applications, and mobile devices. Given the evolving information about the scope and nature of this vulnerability, banks should remain vigilant and continue their ongoing risk assessments and monitoring to detect and prevent unauthorized access to customer information. The resources listed below are available to financial institutions and provide additional guidance on risk and vulnerability identification and on the implementation of appropriate risk mitigation and management practices.
Questions regarding the FFIEC statement should be directed to the Office of the Comptroller of the Currency’s Bank Information Technology Division at (202) 649-6340.
Carolyn G. DuChene
Deputy Comptroller for Operational Risk
1 The FFIEC members include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, the State Liaison Committee, and the Consumer Financial Protection Bureau.