By now you’ve likely heard that Microsoft is ending support for Windows XP. As of April 8, 2014, there will be no new security patches, bug fixes or first-party support beyond basic antivirus signature updates. For those who haven’t already replaced old machines or upgraded operating systems, now is a good time to start planning a move to Windows 7 or Windows 8, or at the very least to assess the risks of staying on XP, as the FFIEC requires.
There’s been a good deal of conversation about XP in the media since late last year. The end of XP brought forth stories commemorating the old operating system, discussing paths to upgrading and even warning about the potential harm of keeping an outdated operating system on your institution’s workstations, ATMs and other networked devices. While it’s all useful information, Tom Hinkel writes on The Compliance Guru that there’s one potential weakness no one seems to be talking about: your customers.
According to some estimates, as many as 30-40% of your business customers may still be using Windows XP. Since Microsoft will discontinue support for WinXP after April 8th of this year, leaving these devices potentially exposed, what is your obligation to your high-risk Internet banking and RDC customers? What do the regulators expect of you in this situation and better yet, what do your customers expect of you? Would knowingly allowing your e-banking and RDC software to run on potentially insecure systems be considered “commercially reasonable” security?
It’s not an easy question to answer. The rise of remote and electronic banking over the past decade has empowered many customers to effectively become their own branches, depositing checks or managing their accounts on their own PCs wherever and whenever they have an Internet connection. It’s a great convenience for customers, but it doesn’t transfer the risk away from the institution: the transaction still runs on a device the institution neither owns nor patches.
It is the institution’s responsibility to understand and manage the risks associated with electronic banking, Hinkel writes, citing the FFIEC E-Banking Handbook. “Similarly, Remote Deposit Capture guidance makes it clear that institutions are required to understand how the risks of using the customer’s systems to engage in RDC impact your legal, compliance, and operational risks.”
The general consensus is that keeping XP installed for days or weeks after support ends doesn’t mean systems will stop working or become vulnerable overnight. But the exposure grows with time: new vulnerabilities will keep being discovered, many of the flaws Microsoft fixes in Windows 7 and 8 after April 8 will also exist in the code XP shares with them, and each of those fixes effectively advertises a weakness that XP will never receive a patch for. Microsoft itself has stated that unsupported and unpatched environments are vulnerable to security risks, and that continuing to run them “may result in an officially recognized control failure by an internal or external audit body….” Indeed, we are aware of a couple of IT auditors who will be checking to see whether you have assessed the risk of WinXP customer devices.
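Before you can assess the risk of customer devices still on XP, you need an estimate of how many there are on your own systems rather than an industry-wide figure. The script below is an added example (not code from the original post, from Safe Systems or from The Compliance Guru) that surveys a web front end’s access log for the Windows version reported in each browser’s User-Agent and reports the share of distinct client addresses that identify as XP. It assumes the Apache/nginx “combined” log format; the sample log lines, IP addresses and URL paths are constructed for the example. Two caveats a practitioner should keep in mind: the User-Agent is supplied by the client and can be spoofed, so this is a survey to support a risk assessment, not a control; and “Windows NT 5.2” is reported by both XP x64 and Server 2003, so it is counted with XP here.

```python
import re
from collections import defaultdict

# Regex for the Apache/nginx "combined" log format; the User-Agent is the
# last quoted field. Constructed for this example; adjust if your web front
# end logs a different layout.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Windows NT kernel version as reported in User-Agent strings -> marketed name.
# NT 5.2 is Windows XP x64 or Server 2003; it is grouped with XP below because
# neither belongs on a customer workstation after XP support ends.
NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
}
NT_TOKEN = re.compile(r"Windows NT (\d+\.\d+)")


def classify_os(user_agent: str) -> str:
    """Map a User-Agent string to a Windows release name, or 'other'."""
    m = NT_TOKEN.search(user_agent)
    if not m:
        return "other"
    return NT_VERSIONS.get(m.group(1), "Windows (unknown NT %s)" % m.group(1))


def xp_exposure(log_lines):
    """Return (distinct clients per OS, share of distinct clients on XP).

    Distinct client IPs are counted rather than raw hits so that one chatty
    client does not dominate the estimate. The User-Agent is client-supplied
    and spoofable, so treat the result as a survey, not a control.
    """
    clients = defaultdict(set)
    for line in log_lines:
        m = COMBINED_LOG.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        clients[classify_os(m.group("ua"))].add(m.group("ip"))
    counts = {os_name: len(ips) for os_name, ips in clients.items()}
    total = sum(counts.values())
    xp = sum(n for os_name, n in counts.items() if os_name.startswith("Windows XP"))
    return counts, (xp / total if total else 0.0)


# Constructed sample access-log lines (not real traffic). Hypothetical paths
# /olb/login (online banking) and /rdc/upload (remote deposit capture).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Apr/2014:09:12:01 -0500] "GET /olb/login HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '203.0.113.10 - - [01/Apr/2014:09:12:05 -0500] "POST /olb/login HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '198.51.100.7 - - [01/Apr/2014:09:13:44 -0500] "GET /rdc/upload HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '198.51.100.22 - - [01/Apr/2014:09:14:10 -0500] "GET /olb/login HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"',
    '192.0.2.55 - - [01/Apr/2014:09:15:30 -0500] "GET /olb/login HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '192.0.2.80 - - [01/Apr/2014:09:16:02 -0500] "GET /olb/login HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    counts, share = xp_exposure(SAMPLE_LOG)
    for os_name, n in sorted(counts.items()):
        print(f"{os_name}: {n} distinct clients")
    print(f"XP share of distinct clients: {share:.0%}")
```

Run it against a real log with `xp_exposure(open("access.log"))`; restricting the input to the login or RDC upload paths gives the figure that matters for the risk assessment, since those are the customers whose machines handle credentials and check images. Two distinct XP clients out of five in the constructed sample yields a 40% share, which is the kind of number an auditor will want to see documented along with what you intend to do about it.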
As you plan for the April 8 deadline on XP support, this is worth consideration – especially for your commercial electronic banking and RDC customers.
One thing is certain: inaction on this is not an option. Hinkel states that “when the FFIEC deems it necessary to issue special guidance on something, you can bet examiners will be looking for it next time around.”
If you still haven’t upgraded from XP, Safe Systems’ professional services teams might be able to help your institution get up and running on Windows 7 or Windows 8. Speak to an account manager or contact us at firstname.lastname@example.org for more information.
Here are some additional resources for those who are considering an operating system upgrade: