OCC's Hsu Urges Multifactor AuthenticationMFA Plus Patch Management and Backups Can Prevent Cyber Incidents
A top federal regulatory official urged financial institutions to implement multifactor authentication for all nonpublic systems, telling an audience of financial executives that a majority of breaches could be avoided or mitigated through basic cybersecurity controls.
The frequency and severity of attacks against financial institutions have mounted over the past years, said Michael Hsu, acting comptroller for the currency, before a Beltway-area audience on Tuesday. A majority of financial system breaches observed by the Office of the Comptroller of Currency boil down to failures in strong authentication, unpatched systems and poor response or resilience, said Hsu.
Security practitioners have long touted multifactor authentication - in which anyone logging onto a system must present additional evidence of legitimacy besides a password, such as a one-time code - as an essential element of cybersecurity. Especially when tied to a hardware fob, multifactor makes it significantly harder for hackers to penetrate systems.
A pan-federal financial sector regulatory agency group last August published guidance emphasizing the importance of multifactor authentication.
Hsu also told the audience that unpatched or misconfigured systems follow compromised credentials as the most common contributing factor to data breaches. "Malicious actors are very familiar with the security settings of commonly used software products," he said.
Financial institutions should also be prepared to respond to an attack, including through systems for backed up data that are kept offline.
"Even relatively unsophisticated attacks can cause significant damage and disruption under the right conditions," he said.