FFIEC and DDoS Testing

DDoS has now secured itself a top 5 spot on most financial institutions’ list of security risks. With a few exceptions out there, the question is no longer whether you have DDoS mitigation in place, but rather how mature your DDoS defense strategy needs to be.

The FFIEC recently released a Cybersecurity Assessment Tool to help financial institutions identify the maturity level that they should be striving for across various cybersecurity domains. In this article, we’ll focus on what the FFIEC has to say about DDoS, and specifically DDoS testing.

First, identify your organization’s Inherent Risk Level. The tool’s Inherent Risk Profile scores a number of factors, but the DDoS-specific criteria (listed under External Threats) are:

  1. Moderate = you may have experienced an attempted DDoS attack in the last year
  2. Significant = you have experienced multiple attempted DDoS attacks in the last year
  3. Most = you are frequently targeted by DDoS attacks

(The Least and Minimal levels carry no DDoS-specific criterion.)

Next, use the table below to identify what maturity level you should be striving for, given your specific Inherent Risk Level:

[Table: Inherent Risk Level (Least, Minimal, Moderate, Significant, Most) mapped to the expected maturity level range]

For example, if you identified yourself to fall under the Most Inherent Risk Level, you should be striving for an Advanced maturity level or higher.

The FFIEC tool defines, for each of its five cybersecurity domains, the declarative statements that must be met at each maturity level. DDoS falls under Domain 5 (Cyber Incident Management and Resilience), and DDoS testing appears in the Testing component at the Intermediate maturity level:

“The critical online systems and processes are tested to withstand stresses for extended periods (e.g., DDoS).”

In other words, because a maturity level is only achieved when every declarative statement at that level and below is met, this one statement has real consequences. Financial institutions at the Minimal or Moderate Inherent Risk Level, whose expected maturity range extends up to Intermediate, should consider DDoS testing. Financial institutions at Significant or Most, for whom Intermediate is the floor of the expected range, MUST conduct DDoS testing simply to reach their expected maturity level.

Whether you’re regulated or not, this is worth paying attention to. A sound DDoS defense strategy combines people, process, and technology, and a test is only meaningful if it exercises all three: the mitigation controls themselves, the runbook, and the staff and providers who have to execute it under pressure. Regularly testing the effectiveness of your DDoS controls is a cyber resiliency best practice.