Community Bank Operations: Risk Related to End of Support for Microsoft Windows XP
by Christopher Olson, Supervisory Financial Analyst, Board of Governors
Are community banks prepared to manage the risk associated with the end of support for Microsoft Windows XP (XP) effective April 8, 2014? Community banks are being targeted by cybercriminals through corporate account takeovers and ATM cash-out and other fraud schemes. The increasing complexity, sophistication, and frequency of cyberattacks require that banks remain attentive to elevated and evolving information security risks. Community bankers should engage their user groups and have direct discussions with their technology service providers to ensure that they are properly addressing cybersecurity risks, including "end of life" for XP support.
Because XP was developed before Microsoft instituted a secure development process, XP systems are six times more likely than other Microsoft operating systems to fall victim to malicious software.[1] Gartner, Inc., an information technology research and advisory firm, estimates that between 10 and 15 percent of enterprise computers will still be running XP when Microsoft officially ends support on April 8.[2] This has implications for community banks that run XP and for service providers that deploy applications using XP on the bank's behalf.
If a community bank decides to continue running XP after Microsoft ends support, bank staff members should be prepared to articulate to bank examiners how they plan to patch the system, implement mitigating controls, and eventually migrate to a supported operating system. While most banks intend to migrate their applications to run on a supported operating system, the reality is that some may miss the deadline. As a result, these banks will run on unpatched systems.
Given the shrinking window of opportunity to address XP risk, bank staff should notify the board of directors and senior management in the event of potential exposure. Support from the highest level within the organization is needed in order to develop and implement a plan that minimizes risk; it is not sufficient to wait until April to develop a plan. The Board of Governors of the Federal Reserve System issued a supervisory letter,[3] and the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement[4] emphasizing the risk associated with Windows XP and expectations regarding risk management.
Cost to Maintain XP Support
Some community banks have ignored aging XP systems and deferred the decision to switch operating systems, perhaps because they were unaware of how critical these systems are to business operations or because they were focused on higher-priority projects. Whatever the reason, these banks are now faced with running applications using an operating system that will be very expensive to maintain.
There are two options for banks continuing to run XP after April 8, although both are expensive:
- Purchase an annual custom support plan license.[5] This option typically costs several hundred thousand dollars and is intended for banks that have a large number of computers running XP.
- Purchase a "per-seat" license. This option typically costs several hundred dollars per computer annually and may appeal to banks that have a small number of computers running XP.
Either way, community banks or their service providers could incur substantial costs if they elect to pay Microsoft for support. A community bank could be found negligent, however, if an unpatched XP system leads to customer loss.
XP Risk to Community Banks
There are two significant risks associated with running unsupported XP. The first is that in-house computers may go unpatched and create a target for cybercriminals. Effective patch management programs require discipline and persistence. Without an accurate inventory, it is unlikely that all bank computers running XP are being patched, and thus the bank may be operating in a less-than-secure manner.[6]
The second risk involves service providers' use of XP. Community bankers should engage service providers to discuss what measures they have taken to mitigate XP risk. Antivirus and antimalware vendors have announced that they will maintain versions of their products that protect XP through 2014 and beyond. However, attackers are targeting the underlying operating system, and thus mitigating controls have to be maintained carefully. Examiners will seek to confirm that community banks have had appropriate discussions with their service providers to ensure that they have an XP migration strategy and that they are taking the appropriate steps, including implementing layered security, to mitigate XP risks on the bank's behalf. Ideally, service providers and community banks that have in-house XP systems should obtain and deploy XP patches and use mitigating controls to achieve layered security consistent with guidelines outlined in the FFIEC Interagency Supplement to Authentication in an Internet Banking Environment.[7]
Mitigating XP Risk
Community banks that plan to have in-house systems running XP after April 8 should take the following steps to mitigate risk:
- Risk-assess the criticality of applications running on XP systems;
- Obtain an accurate inventory of XP systems;
- Develop a migration strategy that includes mitigating controls, patching, and/or operating system updates;
- Validate the efficacy of mitigating controls; and
- Apply patches.
Community banks should confirm that their service providers have followed these same steps.
The accuracy of both the risk assessment and the inventory can be boosted by engaging third-party firms that monitor network traffic for evidence of isolated XP systems. Internal and third-party audit reports can be used to confirm that patches have been applied to these systems. Mitigating controls that protect or "harden" an XP system are beyond the scope of this article, but examples of such controls include end-point protection, application whitelisting, network segregation, and restricted administrator access.
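The inventory and patch-validation steps above come down to one reconciliation: what the asset register says a bank owns versus what the network actually shows. The following Python script is an added example, not from the article or any of the cited agencies; the asset-register and network-discovery CSV layouts are hypothetical, and all host names, addresses and dates are constructed. It flags the three conditions the steps are meant to surface: XP hosts the register knows about but whose last patch date is stale, XP hosts the scan found that the register does not list at all (the "isolated" systems), and hosts the register records as a newer OS that the scan fingerprints as XP (a stale register).

```python
import csv
import io
from datetime import date

# Constructed asset-register export (hypothetical column layout).
INVENTORY_CSV = """hostname,os,os_version,last_patch_date,owner
TELLER-01,Windows XP,5.1.2600,2014-03-11,Branch A
TELLER-02,Windows XP,5.1.2600,2013-09-10,Branch A
WS-FIN-07,Windows 7,6.1.7601,2014-03-11,Finance
WS-OPS-03,Windows 7,6.1.7601,2014-03-11,Operations
ATM-LOBBY-1,Windows XP,5.1.2600,2014-03-11,Facilities
"""

# Constructed network-discovery output, e.g. from an OS-fingerprinting scan
# (hypothetical column layout). ATM-DRIVEUP-2 is not in the register at all,
# and WS-OPS-03 is registered as Windows 7 but fingerprints as XP.
DISCOVERY_CSV = """ip,hostname,os_guess
10.10.1.21,TELLER-01,Windows XP SP3
10.10.1.22,TELLER-02,Windows XP SP3
10.10.2.5,WS-FIN-07,Windows 7
10.10.2.9,WS-OPS-03,Windows XP SP3
10.10.9.40,ATM-LOBBY-1,Windows XP SP3
10.10.9.41,ATM-DRIVEUP-2,Windows XP SP2
"""

# Strings that identify XP in either a product name or an NT version number
# (32-bit XP reports kernel version 5.1).
XP_MARKERS = ("windows xp", "5.1.")


def is_xp(os_name, os_version=""):
    """True if the product name or version string identifies Windows XP."""
    text = f"{os_name} {os_version}".lower()
    return any(marker in text for marker in XP_MARKERS)


def load_rows(csv_text):
    """Parse a CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_rows, discovery_rows, as_of, max_patch_age_days=45):
    """Compare the asset register with what the network scan actually saw.

    Returns sorted host lists in four buckets:
      registered_xp   - XP hosts the register already knows about
      stale_patch_xp  - registered XP hosts whose last patch is older than
                        max_patch_age_days as of `as_of`
      unregistered_xp - hosts fingerprinted as XP that are missing from the
                        register (the isolated systems an inventory misses)
      os_mismatch     - hosts the register lists as non-XP but the scan
                        fingerprints as XP (the register is out of date)
    """
    register = {r["hostname"].upper(): r for r in inventory_rows}
    buckets = ("registered_xp", "stale_patch_xp", "unregistered_xp", "os_mismatch")
    findings = {name: [] for name in buckets}

    # Pass 1: patch currency of every XP host the register knows about.
    for host, r in register.items():
        if not is_xp(r["os"], r["os_version"]):
            continue
        findings["registered_xp"].append(host)
        last_patch = date.fromisoformat(r["last_patch_date"])
        if (as_of - last_patch).days > max_patch_age_days:
            findings["stale_patch_xp"].append(host)

    # Pass 2: XP hosts seen on the wire that the register misses or mislabels.
    for row in discovery_rows:
        host = row["hostname"].upper()
        if not is_xp(row["os_guess"]):
            continue
        if host not in register:
            findings["unregistered_xp"].append(host)
        elif not is_xp(register[host]["os"], register[host]["os_version"]):
            findings["os_mismatch"].append(host)

    return {name: sorted(hosts) for name, hosts in findings.items()}


def xp_report(as_of=date(2014, 4, 8)):
    """Run the reconciliation on the constructed data as of the support-end date."""
    return reconcile(load_rows(INVENTORY_CSV), load_rows(DISCOVERY_CSV), as_of)


if __name__ == "__main__":
    for bucket, hosts in xp_report().items():
        print(f"{bucket}: {', '.join(hosts) or '(none)'}")
```

The two passes are deliberately separate: the first answers the audit question ("are the XP systems we know about patched?") and the second answers the inventory question ("are there XP systems we do not know about?"). On the constructed data the report lists ATM-DRIVEUP-2 as unregistered, WS-OPS-03 as an OS mismatch, and TELLER-02 as stale; the 45-day patch-age threshold is an assumption and should follow the bank's own patch-management policy.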
If a community bank chooses not to migrate its computers to a supported operating system or elects not to pay for Microsoft support, it is critical that the bank implement mitigating controls to achieve information security consistent with the guidelines outlined in the FFIEC Interagency Supplement to Authentication in an Internet Banking Environment. Examiners will assess the capability of the institution's information technology department to ensure that banks are taking the appropriate steps to mitigate risks associated with the use of XP after April 8, 2014.
- [1] See Microsoft Security Intelligence Report, SIR, Volume 15, January–June 2013, available at www.microsoft.com/security/sir/default.aspx.
- [2] Michael A. Silver and Stephen Kleynhans, "Prepare Now for the End of Windows XP and Office 2003 Support in Less Than a Year," Gartner Research Note (G00251895), April 8, 2013.
- [3] See Supervision & Regulation (SR) Letter 13-16, "End of Microsoft Support for Windows XP Operating System," at www.federalreserve.gov/bankinforeg/srletters/sr1316.htm.
- [4] See FFIEC joint statement, "End of Microsoft Support for Windows XP Operating System," at ithandbook.ffiec.gov/media/154161/final_ffiec_statement_on_windows_xp.pdf.
- [5] Microsoft offers a custom support plan for products that reach "end of life" and are no longer supported.
- [6] The Verizon 2012 Data Breach Investigations Report indicated that 97 percent of breaches are avoidable by implementing simple or intermediate controls. Applying Microsoft patches to all Windows systems is a simple yet essential mitigation against breaches. See www.verizonenterprise.com/DBIR/2012/.
- [7] See SR Letter 11-9, "Interagency Supplement to Authentication in an Internet Banking Environment," at www.federalreserve.gov/bankinforeg/srletters/sr1109.htm.