FFIEC Releases Statement on End of Microsoft Support for Windows XP Operating System

The Federal Financial Institutions Examination Council (FFIEC) has issued a statement regarding Microsoft’s discontinuation of support for its Windows XP operating system.

After April 8, 2014, Microsoft will no longer provide regular security patches, technical assistance or support for XP. Financial institutions, technology service providers (TSPs) and other third parties that use XP on personal computers, servers and purpose-built devices such as automated teller machines (ATMs) — or are dependent on applications that require use of XP — could be exposed to increased operational risk.

FFIEC agencies expect financial institutions and their technology service providers to identify, assess and manage the potential operational risks associated with the discontinuation of XP support to ensure that safety and soundness and the ability to deliver products and services are not compromised.

Credit unions should follow their risk-management processes to address the risk and consider:

  • Performing risk assessments: Identify and measure the risk from the continued use of XP throughout the organization and at third parties, including business continuity and disaster recovery situations.
  • Selecting appropriate mitigations: Consider costs and potential risks, including compatibility with other systems and applications, in selecting a mitigation strategy.
  • Conducting appropriate planning: Develop an implementation plan addressing priorities for changes, ensuring appropriate change management procedures, and monitoring related third parties’ mitigation and migration activities, as warranted.
  • Monitoring and reporting: Monitor the risk-mitigation implementation to ensure that the level of risk is acceptable. The effectiveness of controls should be tested periodically and results reported to senior management or a committee of the board of directors, as appropriate, to ensure risk continues to be managed.

Questions? Contact the Compliance Hotline: 1.800.546.4465, compliance@nwcua.org.
