
6 Patch Management Best Practices for Financial Services Institutions from the FFIEC

Wealth attracts bad actors

Financial services organizations are no strangers to cybersecurity threats. The sector is among the most attractive to bad actors because of its wealth in both senses: the money itself, and the data around it, from employee login credentials to tax filing details, debit and credit card accounts, and personal details such as addresses, phone numbers, birthdays, and Social Security numbers.

Attackers hit financial institutions hard and often, and they don’t limit themselves to big banks. Smaller businesses including credit unions, mortgage and loan brokers, and investment firms face consistent, damaging threats - and can suffer devastating consequences. Companies with fewer than 500 employees suffer average losses of more than US $2.5 million per data breach. That’s a big deal for small businesses that typically earn $50 million or less in annual revenue.

Beefing up your endpoint management

With so many endpoints and such valuable data, financial services (FinServ) orgs require a robust cybersecurity strategy. Attackers continually evolve their tactics, and their targets must do their best to keep up. But frequently the costliest breaches come not from the most sophisticated attacks but from lapses in routine cyber hygiene. The Equifax breach, which exposed the personal data of roughly 143 million U.S. consumers by the company’s initial estimate (later revised upward), was caused by an unpatched Apache Struts vulnerability (CVE-2017-5638). The Apache Software Foundation published the fix on March 7, 2017, but Equifax had not applied it by the time attackers began exploiting the flaw in mid-May, and the intrusion was not discovered until July 29 that year.

Scenarios like the Equifax breach clearly demonstrate the importance of strong cyber hygiene, especially in the financial services industry. For many FinServ firms, however, patch management is easier said than done. Why?

  • As cybercriminals increase the speed and volume of their attacks, technology providers release patches more and more frequently, which makes it harder for their customers to keep up.
  • The responsibility for patch management often straddles the IT Ops and SecOps departments, resulting in communication and operational breakdowns.
  • Organizations face a shortage of skilled cybersecurity talent: 74% of companies report that they can’t patch fast enough because they don’t have enough staff.
  • Traditional processes can’t handle the firehose of threats and patches, yet more than half of companies still use spreadsheets and emails to track and assign patching tasks.

6 patch management best practices from the FFIEC

While the facts and figures above paint a challenging picture for financial services organizations, there are a variety of ways to improve and streamline patch management. The Federal Financial Institutions Examination Council (FFIEC) summarizes several of these in their guidance on patch management, which offers recommendations on “procedures for identifying, evaluating, approving, testing, installing, and documenting patches.”

At a high level, the FFIEC recommends that “Management should implement automated patch management systems and software to ensure all network components (virtual machines, routers, switches, mobile devices, firewalls, etc.) are appropriately updated.”

Additional best practices for financial services institutions include:

1. Subscribe to automated notifications from vendors

Whether that means signing up for emails from software vendors or creating Google alerts for keywords specific to your infrastructure (“Sophos patch update”, for example), put procedures in place so that critical information comes to you. That includes management - not just front-line IT staff.

2. Create a paper trail of how you evaluate each patch

The FFIEC recommends evaluating “the impact of installing the patch by assessing technical, business, and security implications” - which is relatively obvious. Their more salient point is to thoroughly document that process so that if you decide not to install it, you can easily demonstrate why.

3. Build a prioritization process

Like the evaluation process, a prioritization process not only makes it simpler to determine which patches to deploy in what order, it provides a structure for documenting why you made those decisions. Additionally, the FFIEC suggests a separate exception process with appropriate documentation for any patches that management chooses to delay or not apply.
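The evaluation record in practice 2 and the prioritization and exception process in practice 3 can be one piece of code. The following is an added example, not FFIEC guidance or any vendor’s product: each patch is scored on severity, exploitation status, exposure and the business tier of the affected assets, assigned a deadline, and written out as a decision record, with a documented exception for anything management chooses to defer. The weights, thresholds, SLA days, patch inventory and exception text are constructed assumptions for illustration.

```python
"""Patch prioritization with a written decision record (added example).

Weights, thresholds, SLA_DAYS and the inventory below are assumed values,
not FFIEC-prescribed ones.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json


@dataclass
class Patch:
    patch_id: str
    product: str
    cvss: float            # vendor/NVD base score
    known_exploited: bool  # listed in an exploited-in-the-wild feed (assumed input)
    internet_facing: bool  # any affected host reachable from the internet
    asset_tier: int        # 1 = most critical business system ... 3 = least
    released: date         # vendor release date; the deadline counts from here


# Assumed remediation deadlines, in days after vendor release, per priority.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def score(p: Patch) -> float:
    """Blend severity with exploitation, exposure and business impact (assumed weights)."""
    s = p.cvss
    if p.known_exploited:
        s += 3.0
    if p.internet_facing:
        s += 2.0
    s += {1: 2.0, 2: 1.0, 3: 0.0}[p.asset_tier]
    return round(s, 1)


def priority(p: Patch) -> str:
    # An actively exploited flaw on an internet-facing system is critical
    # regardless of its base score.
    if p.known_exploited and p.internet_facing:
        return "critical"
    s = score(p)
    if s >= 12:
        return "critical"
    if s >= 9:
        return "high"
    if s >= 6:
        return "medium"
    return "low"


def evaluate(p: Patch, today: date, exceptions: dict) -> dict:
    """Build the record that documents why this patch landed where it did."""
    level = priority(p)
    due = p.released + timedelta(days=SLA_DAYS[level])
    record = {
        "patch_id": p.patch_id,
        "product": p.product,
        "priority": level,
        "score": score(p),
        "rationale": (f"cvss={p.cvss} exploited={p.known_exploited} "
                      f"internet_facing={p.internet_facing} tier={p.asset_tier}"),
        "due": due.isoformat(),
        "overdue": today > due,
        "decision": "deploy",
    }
    if p.patch_id in exceptions:
        # Deferral changes the decision, not the priority or the deadline,
        # so the outstanding risk stays visible in the record.
        record["decision"] = "defer"
        record["exception"] = exceptions[p.patch_id]
    return record


def prioritize(patches, today: date, exceptions: dict) -> list:
    """Deployment queue: approved patches first, highest score first, earliest due first."""
    records = [evaluate(p, today, exceptions) for p in patches]
    records.sort(key=lambda r: (r["decision"] != "deploy", -r["score"], r["due"]))
    return records


def to_jsonl(records) -> str:
    """One JSON line per decision, suitable for an append-only audit log."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed inventory and exception register (illustrative data only).
INVENTORY = [
    Patch("P-1001", "web framework", 9.8, True, True, 1, date(2024, 5, 20)),
    Patch("P-1002", "database server", 7.5, False, False, 1, date(2024, 5, 25)),
    Patch("P-1003", "desktop PDF reader", 7.8, True, False, 3, date(2024, 5, 28)),
    Patch("P-1004", "build server tooling", 5.3, False, False, 2, date(2024, 5, 10)),
]
EXCEPTIONS = {
    "P-1004": "Vendor fix breaks the build agent; host isolated from the production "
              "network, re-test scheduled for next cycle, approved by change board.",
}


def run_example(today: date = date(2024, 6, 1)) -> list:
    return prioritize(INVENTORY, today, EXCEPTIONS)


if __name__ == "__main__":
    print(to_jsonl(run_example()))
```

With the constructed inventory the queue comes out as P-1001 (critical, already past its 7-day deadline), P-1003, P-1002, and finally the deferred P-1004 with its exception text attached. The point of keeping `priority`, `due` and `exception` in the same record is that an examiner can see both how urgent the patch was and who accepted the risk of not applying it.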

4. Ensure that patches installed on production are also installed in the disaster recovery environment

Also, make sure that any inventories and DR plans are appropriately updated.
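A parity check between production and the DR environment is easy to automate from the patch inventory. The following is an added example, not FFIEC guidance or vendor code: it reads a constructed inventory export covering both environments, pairs each production host with its DR counterpart, and reports patches present in production but missing in DR, patches in DR that production lacks (a sign the inventory or the DR build is stale), and pairs it cannot resolve at all. The CSV layout, host names and pairing table are assumptions.

```python
"""Production vs. disaster-recovery patch parity check (added example)."""
import csv
import io

# Constructed inventory export, one row per installed patch (not real data).
INVENTORY_CSV = """env,host,patch_id,installed_on
prod,web01,KB-2024-1101,2024-05-21
prod,web01,KB-2024-1107,2024-05-28
prod,db01,KB-2024-1102,2024-05-22
prod,db01,KB-2024-1108,2024-05-29
dr,dr-web01,KB-2024-1101,2024-05-21
dr,dr-db01,KB-2024-1102,2024-05-22
dr,dr-db01,KB-2024-1099,2024-04-30
"""

# Constructed mapping from each production host to its DR counterpart.
# app01 has no rows in the export; the check must surface that, not skip it.
DR_PAIRING = {"web01": "dr-web01", "db01": "dr-db01", "app01": "dr-app01"}


def load_inventory(text: str) -> dict:
    """Return {env: {host: set(patch_id)}} from the CSV export."""
    inv = {}
    for row in csv.DictReader(io.StringIO(text)):
        inv.setdefault(row["env"], {}).setdefault(row["host"], set()).add(row["patch_id"])
    return inv


def dr_parity_report(inv: dict, pairing: dict) -> dict:
    """Compare each prod/DR host pair and report every kind of drift."""
    report = {"missing_in_dr": {}, "extra_in_dr": {}, "unresolved": []}
    prod, dr = inv.get("prod", {}), inv.get("dr", {})
    for prod_host, dr_host in pairing.items():
        if prod_host not in prod or dr_host not in dr:
            # One side is absent from the export: the inventory or DR plan is stale.
            report["unresolved"].append((prod_host, dr_host))
            continue
        missing = sorted(prod[prod_host] - dr[dr_host])
        extra = sorted(dr[dr_host] - prod[prod_host])
        if missing:
            report["missing_in_dr"][dr_host] = missing
        if extra:
            report["extra_in_dr"][dr_host] = extra
    return report


def run_example() -> dict:
    return dr_parity_report(load_inventory(INVENTORY_CSV), DR_PAIRING)


if __name__ == "__main__":
    for section, entries in run_example().items():
        print(f"{section}: {entries}")
```

On the constructed data the report shows the two most recent production patches missing from DR, one patch on dr-db01 that production never received, and the app01 pair that the export does not cover. Run this after every production patch cycle and treat a non-empty report as a failed control, not as information.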

5. Minimize business impact

Strategies here include backing up the production system before patching, defining reasonable patch windows, and restricting patch deployment to those defined time frames to minimize potential downtime where possible.

6. Mitigate unintended consequences

Any patch comes with risk, from degrading system performance to introducing new vulnerabilities. The FFIEC recommends a series of actions to mitigate unintended consequences including verifying the integrity of the patch, protecting and monitoring the systems used to distribute patches, and extensive testing of each patch on a test system before implementation.
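Verifying the integrity of a patch means checking the file you downloaded against a digest the vendor published through a channel you trust separately from the download itself (a signed advisory or the vendor’s HTTPS site, not the mirror that served the binary). The following is an added example, not FFIEC guidance or vendor code: it hashes the installer in chunks, parses a sha256sum-style checksum list, and refuses anything unlisted or mismatched. The checksum file and patch bytes are constructed; the listed digest is SHA-256 of the string "abc", a published test vector, so the expected value is a known constant rather than one computed by the script. File names are assumptions.

```python
"""Verify a downloaded patch against a vendor-published checksum file (added example)."""
import hashlib
import hmac
import io

CHUNK = 1 << 20  # hash 1 MiB at a time so large installers are not read into memory


def sha256_stream(fileobj) -> str:
    """Hex SHA-256 of a file-like object, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def parse_checksums(text: str) -> dict:
    """Parse sha256sum output ('<hex digest>  <filename>' per line) into {filename: digest}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if not sep or len(digest) != 64 or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def check_patch(name: str, fileobj, checksums: dict) -> str:
    """Return 'ok', 'not listed' or 'digest mismatch'; install only on 'ok'."""
    if name not in checksums:
        return "not listed"
    actual = sha256_stream(fileobj)
    if not hmac.compare_digest(actual, checksums[name]):
        return "digest mismatch"
    return "ok"


# Constructed checksum file in the layout a vendor might publish.
VENDOR_CHECKSUMS = """# patch bundle 2024-06 (constructed)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  patch-2024-06.bin
"""
GOOD_PATCH = b"abc"       # content whose SHA-256 is the listed digest
TAMPERED_PATCH = b"abd"   # one byte changed, e.g. by a compromised mirror


def check_bytes(name: str, data: bytes) -> str:
    """Convenience wrapper: verify an in-memory payload against VENDOR_CHECKSUMS."""
    return check_patch(name, io.BytesIO(data), parse_checksums(VENDOR_CHECKSUMS))


if __name__ == "__main__":
    for label, data in (("good", GOOD_PATCH), ("tampered", TAMPERED_PATCH)):
        print(label, check_bytes("patch-2024-06.bin", data))
    print("unknown", check_bytes("other.bin", GOOD_PATCH))
```

A digest check only proves the file matches what the checksum list says; where the vendor signs the checksum list or the installer itself, verify that signature as well, and keep the verification result in the same record as the evaluation and approval so the trail shows the patch was checked before it reached the distribution system.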

From local credit unions to the world’s biggest banks, cyberattacks and data breaches are a constant and serious threat. Strategic patch management, including the right tools and the right processes, can play a significant role in combating attack vectors and ensuring that FinServ orgs can protect their data, their customers, and their brand.


Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.
