FFIEC’s Rear-View Mirror

By Mike Rothman

You have to love compliance mandates, especially when they are anywhere from 18 months to 3 years behind the threat. Recently the FFIEC (the body that regulates financial institutions) published some guidance for financials to defend against DDoS attacks. Hat tip to Techworld.

Hindsight is right, but the impact is from looking at the beauty in front of you

It’s not like the guidance is bad. Assessing risk, monitoring inbound traffic, and having a plan to move traffic to a scrubber is all good. And I guess some organizations still don’t know that they should even perform that simple level of diligence. But a statement in the FFIEC guidance sums up rear-view mirror compliance:

“In the latter half of 2012, an increased number of DDoS attacks were launched against financial institutions by politically motivated groups,” the FFIEC statement says. “These DDoS attacks continued periodically and increased in sophistication and intensity. These attacks caused slow website response times, intermittently prevented customers from accessing institutions’ public websites, and adversely affected back-office operations.”

Uh, right on time. 18 months later. It’s not that DDoS is going away, but to mandate such obvious stuff at this point is a beautiful illustration of solving yesterday’s problem tomorrow. Which I guess is what most compliance mandates are about.
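The two concrete steps the guidance does name, monitoring inbound traffic and having a plan to move traffic to a scrubber, are simple enough to show in code. The following is an added example, not code from this post or from the FFIEC statement: a small Python monitor that parses access-log lines, counts requests per fixed window, and flags a divert-to-scrubber decision when the request rate stays above a multiple of a known baseline for consecutive windows. The log format, the addresses, the 1 request/second baseline and the 5x/2-window thresholds are all assumptions, and the traffic is constructed inline for illustration.

```python
"""Rate-based inbound traffic monitor with a divert-to-scrubber decision.

Added example, not from the post or the FFIEC guidance. The combined-log
format, thresholds and addresses are assumptions for illustration only.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed log layout: Apache/nginx "combined"-style line without referer/agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict; return None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def bucket_requests(lines, window_s=10):
    """Map each fixed window start (epoch seconds) to a Counter of source IPs."""
    windows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage instead of crashing the monitor
        epoch = int(rec["ts"].timestamp())
        start = epoch - (epoch % window_s)
        windows.setdefault(start, Counter())[rec["ip"]] += 1
    return windows


def assess(windows, baseline_rps, window_s=10, factor=5.0, consecutive=2):
    """Alert on windows above baseline*factor; divert after `consecutive` hits in a row."""
    threshold = baseline_rps * factor
    alerts, run, divert = [], 0, False
    for start in sorted(windows):
        counts = windows[start]
        total = sum(counts.values())
        rps = total / window_s
        if rps > threshold:
            run += 1
            top_ip, top_n = counts.most_common(1)[0]
            # top_share near 1.0 suggests a single noisy source; a low share
            # across many sources is the distributed pattern that needs scrubbing
            alerts.append({"window_start": start, "rps": rps,
                           "top_source": top_ip, "top_share": round(top_n / total, 2)})
            if run >= consecutive:
                divert = True
        else:
            run = 0  # a quiet window resets the streak
    return {"threshold_rps": threshold, "alerts": alerts, "divert_to_scrubber": divert}


def make_lines():
    """Constructed traffic: 30 s at 1 req/s, then 20 s of a 12 req/s flood on /login."""
    base = datetime(2014, 4, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ts, ip, path, status=200):
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512')

    for s in range(30):  # normal browsing from five rotating client addresses
        emit(base + timedelta(seconds=s), f"198.51.100.{s % 5 + 1}", "/accounts")
    for s in range(30, 50):  # flood from four sources, backend answering 503
        for k in range(12):
            emit(base + timedelta(seconds=s), f"203.0.113.{k % 4 + 1}", "/login", 503)
    lines.append("this line is malformed and should be skipped")
    return lines


if __name__ == "__main__":
    result = assess(bucket_requests(make_lines()), baseline_rps=1.0)
    for a in result["alerts"]:
        print(f"window {a['window_start']}: {a['rps']:.1f} req/s, "
              f"top source {a['top_source']} ({a['top_share']:.0%})")
    print("divert to scrubber:", result["divert_to_scrubber"])
```

The baseline has to come from somewhere the attacker does not control, for example a rolling median of the same hour on previous days, and the consecutive-window requirement is what keeps a single burst (a marketing mailing, a cache expiry) from triggering an expensive re-route. The `top_share` field is there because the response differs: one source at 90% share is a firewall rule, many sources at a few percent each is the case the scrubbing plan exists for.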


Photo credit: “mtcook” originally uploaded by Jim Howard


I guess that’s why solely letting compliance define your security program and priorities is a bad idea ...

By Marco Tietz

Agree with your post.

Picture what it took to get even this done. I wonder how many man-hours went into that 2-page Joint Statement? It took 18 months… I’m guessing at least an hour per word.

By Kate Brew
