Saar here, resident engineer at Myriad Supply. Today I’ll be discussing DDoS ammunition.
The FFIEC gives “recommendations” to banking institutions. These recommendations are non-binding, and there is no law per se that says you must have DDoS protection. However, if someone suffers financial damages due to a DDoS attack on a bank, that person can hire an attorney who can then prove that the bank acted without due diligence in spite of government recommendations. A reasonable judge will then find the bank at fault, and the bank would have to pay. Add a class action, and you’re looking at a pretty hefty sum. For example, in this article, http://www.scmagazine.com/banks-file-class-action-against-target-and-trustwave-over-massive-breach/article/339760/, the banks are suing Target for failing to have decent security, which cost them millions in replacing stolen payment cards.