By Richard Bird, Chief Security Officer, Traceable AI

Recent guidance from the Federal Financial Institutions Examination Council (FFIEC) has caught many financial institutions by surprise. As an interagency body of the U.S. government, the FFIEC prescribes uniform principles, standards, and report forms for the federal examination of financial institutions. It also speaks with one voice on behalf of numerous federal organizations overseeing the U.S. financial system, which includes the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Consumer Financial Protection Bureau. 

API adoption has exploded with banks, fintech, insurers, and other institutions to connect applications, exchange financial data with partners, and enable new business models and services. 

In August 2021, the FFIEC’s authentication and access update mentioned the growing role of APIs in creating authentication risks and recommended adopting an API inventory as a best practice. On October 3, 2022, however, the FFIEC explicitly called out APIs as a separate attack surface in its new resource guide. Thus, as financial institutions work to strengthen authentication and access controls, they will also need to inventory, remediate, and secure the myriad API connections they use to enable business operations and fuel growth. 

Given the FFIEC’s rapidly increasing interest in API security, CISOs, CIOs, and governance, risk, and compliance (GRC) executives will want to make API security a top priority for 2023. 

These leaders will seek to accurately understand the scope of business risk they face; choose the right tools, processes, and frameworks they need to mitigate security and other risks; and develop the team expertise needed to lead on API security. By doing so, financial institutions can move ahead of mandates, improving API security and increasing business flexibility and agility. 

FFIEC API security requirements will ultimately impact all FDIC-insured financial institutions. To get ready for forthcoming compliance requirements, financial instructions should consider the following steps. These will ultimately protect your business and customers.

WHAT YOU NEED TO KNOW: FFIEC Requirements 

Step #1: Inventory Your APIs 

What you don’t know can hurt you and your customers.

API responsibility has been fragmented across financial institutions. While APIs are designed, built, and integrated by developers, other teams are often responsible for evolving API best practices, integrating them into complicated subsystems, and developing and maintaining an inventory. 

In addition, many financial institutions may suffer from API sprawl, due to the adoption of hybrid cloud IT networks, microservices architectures, and Agile processes. As a result, IT leaders may not know how many APIs they have, where they reside, and what their APIs are doing. That makes these unknown, unmanaged digital connections vulnerable to exploitation by bad actors, which can result in data exfiltration, account takeover, attacks by malicious bots, and more. This is a scary situation for any organization.

To develop a holistic, up-to-date, API inventory, teams need to be able to automatically and continuously discover all of their APIs across distributed networks. A next-generation, API security and observability platform can help discover all on-premises, hybrid, multi-cloud, partner, and hosted APIs, including shadow and orphaned APIs and any real-time changes. 

Step #2: Conduct a Risk Assessment 

Understand your risk internally and externally for you and your customers.

With a comprehensive API inventory in hand, teams can then conduct a risk assessment. This process will identify sensitive data flows, assign every API a risk score, and identify targets for remediation. The good news is that there are many solutions that can handle this task even on a massive scale. 

Companies need to make sure that their API security solution can enable them to see sensitive data flows end-to-end, as they traverse internal applications and APIs and connect to third-party tools and conform to your development specifications.  These elements will enable you to identify exposed APIs and ultimately prevent a future attack.

Step #3: Quantify and Reduce Access and Authentication Risks 

Creating secure and lower-risk environments for your business is key.

APIs have emerged as a major security risk over the past several years. Data breaches due to APIs have ensnared leading companies including John Deere, Microsoft, T-Mobile, Peloton, and Yahoo. Security leaders know that API-related data breaches are especially dangerous because they can involve millions of customers and torrents of sensitive consumer and business data. 

Why risk becoming an API security casualty, when it’s possible to secure these digital connections today? With an API inventory, risk scores, and insights into data flows, IT and security teams can gain an excellent understanding of the current state of their API security and how well current controls are working or not working. 

Teams can use this information to immediately remediate the highest-risk APIs. Financial institutions can then harden security by applying an API risk framework that considers data privacy regulations, processing requirements, and best practices. Developers and other teams can use this framework moving forward as they build, deploy, monitor, and manage APIs. Thus, it’s possible to effect major change and significantly improve API security in weeks and months. 

The Net-net: Secure Your APIs 

The FFIEC’s recent guidance and growing data breaches should encourage financial institution leaders to move forward with API security. IT and security teams can use next-generation API security and observability platforms to understand and gain control over all API holdings, reduce risks, and implement better governance and management practices. By doing so, financial institutions can protect their customers, business, and future growth prospects. 

About the Author

Richard Bird is the Chief Security Officer for Traceable.ai. A multi-time C-level executive in both the corporate and start-up worlds, Richard is internationally recognized for his expert insights, work, and views on cybersecurity, data privacy, digital consumer rights, and next-generation security topics. Richard delivers keynote presentations around the world and is a highly sought-after speaker, particularly when he is translating cybersecurity and risk realities into business language and imperatives. He is a Senior Fellow with the CyberTheory Zero Trust Institute, a Forbes Tech council member and has been interviewed frequently by media outlets including the Wall Street Journal, CNBC, Bloomberg, The Financial Times, Business Insider, CNN, NBC Nightly News, and TechRepublic. https://www.traceable.ai/