Tag: Information Security

29 Sep 2023
Using Conditional Access Policies and MFA to Enhance Azure AD Security

Using Conditional Access Policies and MFA to Enhance Azure AD Security

Using Conditional Access Policies and MFA to Enhance Azure AD Security

Earlier this year, we saw a large influx of successful phishing campaigns, primarily due to attackers being able to circumvent multifactor authentication (MFA). Their schemes worked because they were able to trick users into clicking on a link and giving away their security token—essentially bypassing MFA. The human-error factor highlights the need for phishing simulation training to ensure users are more aware of security threats. With phishing attacks still running rampant—and becoming more complex and harder to detect—it’s imperative that financial institutions use multiple strategies and technologies to optimize security.

The implications of MFA-resistant phishing are huge; the attacks have the potential to affect numerous organizations that depend on Microsoft Entra ID (formerly Azure AD) and Microsoft Office/M365 services to support their operations. However, institutions can minimize account compromises by combining a variety of tactics to prevent cyberattacks from happening. For instance, conditional access policies (CAPs) are a key proactive measure that banks and credit unions can implement to enhance security.

CAPs—which are quickly becoming the baseline of security—are the cornerstone of protecting identities within Microsoft Entra ID. These policies protect the very first step of the identification chain, the sign in attempt. They govern the conditions for users to access Azure services and will grant or deny access based on configured logic. At a high level, this logic can be far reaching but even so, organizations will not rely on only a single CAP. No CAP can provide complete protection. Instead, financial institutions should stack multiple CAPs together to produce better overall coverage and security. For example, requiring MFA, denying sign ins form outside of the USA, and requiring device compliance or specific join status.

Not only will organizations look to stack multiple CAPs, but they will also look to utilize telemetry from multiple Azure services for their logic. Combining services means institutions must have the appropriate licensing for each respective Azure service. For example, to obtain device compliance information, organizations will be required to implement and license for Intune.

Additionally, when designing CAP logic, it can be helpful to take as broad of an approach as possible to the scope of the CAP. The objective is to try to affect as many areas as possible with a single stroke to maximize coverage and reduce gaps in logic. Gaps, or logic bugs, are the result of incorrect scope definitions which will leave an organization vulnerable or at risk when they believe otherwise. A good example of a logic bug is when an organization implements a CAP requiring MFA but not for all users. This leaves a subset of the user base at risk.

Generally, when it comes to creating gaps in logic for CAPs, the rule of thumb is to always create compensating controls. This is how organizations can create complex webs of conditions and still allow for business continuity while simultaneously reducing risk. The trade-off is the more complex an organization’s CAPs are, the harder they will be to design, assess at a glance, and to maintain.

By blending various security tactics and technologies, financial institutions can implement a layered approach to enhance their security posture. They can also partner with a third-party expert like Safe Systems to improve their ability to proactively detect and respond to phishing attacks and other threats. Our CloudInsight™ M365 Security Basics solution offers critical reporting and alerting to help institutions better gauge their security awareness. M365 Security Basics provides visibility into security settings for Azure AD and M365, making it easier for institutions to mitigate the impact of potential cyberattacks.

For more information about how to employ CAPS and modern MFA to minimize security risks, view our recorded webinar on “Securing Azure AD with Conditional Access Policies.

09 Nov 2022
Best Practices for Ransomware Prevention and Recovery

Best Practices for Ransomware Prevention and Recovery

Best Practices for Ransomware Prevention and Recovery

In the world of cybersecurity, an ounce of prevention is worth a pound of cure—especially when it comes to ransomware. Ransomware attacks hit a new target every 14 seconds, disrupting operations, stealing information, and exploiting businesses, according to the Cybersecurity and Infrastructure Security Agency (CISA). As a result of ransomware attacks, US Banks paid out nearly $1.2 billion in 2021, which is up by 188% from 2020 according to the Financial Trend Analysis report [PDF] on ransomware from the US Treasury’s Financial Crimes Enforcement Network (FinCEN). But banks and credit unions that consistently implement best practices can effectively prevent and recover from ransomware attacks.

Prevention Strategies

The ideal strategy is to keep ransomware assaults from happening in the first place, but prevention can be tedious and challenging. As a general practice, institutions should identify and address known security gaps that can enable a ransomware infection. (If there is a loophole, hackers will eventually find it.) Since human mistakes are the root cause of most security breaches, providing ransomware training for employees is a crucial step that institutions can take to reduce their cybersecurity risk. Ransomware awareness training can help staff identify, respond to, and circumvent attacks as well as test their knowledge in a safe environment. Institutions can also limit their security risk by adhering to the principle of “least access” to grant employees the minimum levels of access or permission needed for their job.

As another best practice, institutions can also take a stricter stance on the technical aspects of cybersecurity. They can employ intelligent network design and network segmentation to limit risk by restricting ransomware intrusions to a portion of the network instead of the whole system. Institutions should also have overlapping security solutions to provide layered protection for their systems and networks. Then if a single security element fails, another layer will be in place to compensate.

Response and Recovery Tactics

Even with multiple protective measures in place, there is only so much financial institutions can do to avert a ransomware attack. When a breach happens, the institution must respond immediately to mitigate the impact. This includes implementing pre-established processes for incident response, vendor management, business continuity, and other key areas. Bank management, for example, should have an incident response program to minimize damage to the institution and its customers, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet.

Having pre-defined procedures to declare and respond to an incident can be essential to effectively containing and recovering from a ransomware infection. While incident containment strategies can vary between different entities, they typically include the isolation of compromised systems or enhanced monitoring of intruder activities; search for additional compromised systems; collection and preservation of evidence; and communication with affected parties and often the primary regulator, information-sharing organizations, or law enforcement, according to the FFIEC.

In addition, restoration and follow-up strategies for incidents should address the:

  • elimination of the intruder’s means of access
  • restoration of systems, programs, and data to a “known good state” (using available offline or offsite backups)
  • the initiation of customer notification and assistance activities consistent with laws, regulations, and interagency guidance
  • monitoring to detect similar or further incidents

Another step in the recovery process might involve notifying an insurance carrier—if the institution has ransomware coverage. However, cyber insurance might not prove to be the ultimate remedy: A policy exclusion could keep the carrier from paying the claim. Or the settlement amount may not fully compensate for the institution’s intellectual property losses, revenue reduction, tarnished reputation, and other damages.

Augmenting Internal Resources

With the growing complexity of ransomware, it can be challenging for institutions to react to and recover from a cyberattack. However, those with limited internal resources can get help from a third-party cybersecurity expert to manage the process. Safe Systems, for instance, offers multi-layered security services that make it easier for community banks and credit unions to enhance their cybersecurity posture, so they can be better equipped to prevent, respond to, and recover from a ransomware attack. For more information about this critical topic, read our white paper on “The Changing Traits, Tactics, and Trends of Ransomware.”

27 Oct 2022
Social Engineering Scams - It Could Happen to You

Social Engineering Scams – It Could Happen to You!

Social Engineering Scams - It Could Happen to You

Many of us have heard the story about the fake printer repair person who shows up at the office to fix an issue with the intent to gain access to a secure area and collect confidential information. In reality, these things don’t really happen, right? At least not to small businesses or individuals…maybe this happened once to a large corporation and received a lot of press? This level of social engineering doesn’t really happen to someone like me, or does it?

Here’s What Happened to Me

My personal story involves a person visiting my house, a letter in the mail “from the government”, and a friend request on a popular social media platform from someone I knew 20 years ago. Each incident seemed innocent enough at the time, and on its own, did not raise any red flags. But as the events unfolded, I recognized a few mistakes that were made and realized that this was a coordinated effort and a scam!

It started with my doorbell ringing and my six-year-old yelling “Dad, someone’s at the door.” I answered the door to a well-dressed, very professional, middle-aged female with a smile and a government-issued badge around her neck. She promptly showed me the badge and explained she was there to ensure I had received a survey from the Department of Health and Human Services (DHHS). She explained it was important that I fill out the survey to provide the data needed for them to make decisions to properly serve their constituents.

I conduct many surveys at Safe Systems, so I empathized with her need for information and the effort it requires to get people to fill out surveys. I informed her that I had not received the survey she was inquiring about. She then handed me a sample copy of the survey and said that my actual form would have a randomly generated code to help them track when each family had filled out the survey. Even though the survey was anonymous, they used the code to track completion. When I stated again that I had not received the survey, she politely asked me to keep an eye out for it. She said she would check back next week to confirm I had received it. She complimented me on my house and walked away. Although I found the personal stop at my house odd, I didn’t notice any red flags at first. I simply thought this was similar to how they knock on doors for the census every 10 years.

Two days later, when checking the mail, I found a letter addressed to my wife and me. When I opened it, it included a survey that looked like the sample the lady had shown me a few days earlier, but this survey also had the randomly generated code that she told me about. I was still a little suspicious but planned on doing some research online to see if everything checked out.

A few days later, I received a friend invite on Facebook from someone I had not spoken to in 20 years. I’m not a big social media person but I do have a few accounts to keep up with different family affairs. Once I accepted the invite, this person started asking me about life and family. He didn’t ask anything personal, just general questions about how everyone is doing, jobs, etc. He seemed chattier than I remember him from 20 years ago, but we all change over time. I was cordial with my responses but not overly responsive. Over a few days, I got several short messages from him, then I get hit with this question, “have you filled out the DHHS survey?” He said he had seen my name on a list of people who had not completed it, and since he knew me, he thought he would reach out. RED FLAG!

The last I knew he didn’t work for the DHHS so how would he see my name on a DHHS survey list? And how could he be sure I was the same guy he knew 20 years ago living in a different town? Everyone who knows me, knows I go by my nickname. Very few people know my official birth certificate name, which is what was used on the DHHS survey. So, the odds of my name jumping off the page at him is unlikely. RED FLAG! I was curious about where this was going so, I continued the conversation, but guardedly. I admitted I had the survey but had not had a chance to fill it out yet.

Not wanting to let on that I was suspicious of him and the survey, I lied and said I would get around to it at some point. His response was the clincher for me that this was a scam. He said, “Great, just don’t want you to miss out on all the money I got from doing it.” Suddenly, there is money involved with filling out this survey which had not been mentioned anywhere. BIG RED FLAG! Also, it is very unlikely that someone filling out the survey would see a list of others who had received it, especially if it was supposed to be anonymous. RED FLAG!

I decided at this point, I wanted to know how far they would take this scam. I started chatting with him about some trip we went on years ago and how great it would be to do it again (but the truth was we never went on any trip). I never heard from him again, and his Facebook account was deleted and removed 2 days later.

It is important to discuss his Facebook page, as it not only had pictures of him and his family but also indicated that we had a single “mutual friend.” This was meant to convince me of his authenticity but should have also raised a RED FLAG considering how much overlap there was in the people we knew. Apparently, someone had stolen the pictures from his Facebook page and created a new account. I later recalled I was already friends with him on Facebook and compared his actual page to what I had seen on the fake account. They were identical if you just looked at the profile picture and the last post or two. There was almost no history on the fake account, but I had not paid attention to this RED FLAG at the time.

Social Engineering Can Happen to Anyone

In the grand scheme of things, I’m your average American stereotype. I live in a small neighborhood in suburbia with a minimal presence on the internet. Why would anyone have any interest in me? Yet, with no reason to target me, someone came to my house, mailed me a letter, set up a fake profile of someone I knew 20 years ago, and created an elaborate scheme to get me to fill out a survey that asked for personal information.

The moral of the story is if it can happen to me, it can happen to you, your family, and your business! Don’t assume these things only happen to others or large corporations. Social engineering schemes are very real, and they can work if you don’t have your guard up!

As we reach the end of Cybersecurity Awareness Month 2022, I thought this would be an appropriate story to share. As you can see from my story, social engineering can be very elaborate and can use means that are outside of the internet to deceive you into providing access to confidential or personal information and/or your computer systems. So, awareness is key. In the spirit of this month, I hope my story serves as a reminder to talk to your employees and customers about recognizing red flags and staying safe online.

25 Oct 2022
Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

  • Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
  • Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others.

A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.

  • Updating software — Updates resolve general software issues and provide new security patches where criminals might get in and cause problems. You should update software often, obtain the patch from a known trusted source, and make the updates automatic if available.
  • Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme where criminals use fake emails, social media posts, or direct messages to trick unwitting victims to click on a bad link or download a malicious attachment. The signs can be subtle, but once suspect a phishing scam, you should report it immediately, and the sender’s address should be blocked.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

  • Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
  • Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
  • NetInsight®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
  • Security Awareness Training: Safe Systems has partnered with KnowBe4, a market leader who is in the business of training employees to make smarter security
  • Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.

20 Oct 2022
Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Our first Customer Success Summer Series offered live webinars with special guest speakers who shared their industry knowledge to help our customers and other financial institutions enhance internal processes and key areas of their banking operations.

The Evolution of Phone Systems

Today businesses are facing the acceleration of remote working—Voice over internet protocol (VoIP), Virtual Private Networks (VPN), virtual meetings, and dynamic routing of phone systems based on the user’s location—all have become must-have requirements. Legacy telephone services are becoming more obsolete as some telecoms decommission analog technologies in favor of fiber pots and other alternatives. The old telephone system is evolving into a more modern option: unified communications as a service (UCaaS), which merges communication channels into a single cloud-based system. UCaaS offers all the necessary infrastructure, applications, and resources businesses need in an easily scalable solution. Unified communications tools can include chat, VoIP, text messaging, and online video conferencing.

UCaaS gives institutions the benefit of advanced functionality which allows employees to work remotely more efficiently, including things like the ability to check other users’ availability, reach people whether they are in the office or out in the field, and access the platform from anywhere. Another evolving facet in telecommunications is call center as a service (CCaaS), which also streamlines omnichannel communication and allows remote employees to work together as a call center team.

Given its flexibility and efficiency, it is easy to see why UCaaS is moving to the forefront of communications. There is a wide range of unified communications features, equipment, and prices and it is important for your institution to clearly define its unique needs to find a solution that will satisfy its requirements. It is also important to continue to evaluate your equipment and services every few years as technology and pricing continue to change.

Watch the recording of this webinar to gain a better understanding of UCaaS and other options so you can make the right choice for your institution.

2 Guys and a Microphone

Matt and Tom have both spent most of their careers focused on risk and regulatory compliance for financial institutions. We recorded their recent conversation which spans many topics including increased scrutiny on vendor management, continued focus on ransomware, and more.

Recent audit and exam trends continue to have a strong focus on third parties and proper vendor management. Examiners are considering the preponderance of fintechs, how much the average financial institution is outsourcing, and the inherent risk that originates from third-party vendors. Interestingly, their increased scrutiny may extend to any significant sub-service vendors that institutions may have. In addition, we are seeing questions arise about vendor management in the context of insurance. Cyber liability insurance applications are requesting more details about the management of vendors and other third parties.

There have also been some interesting audit and exam findings. For instance, one institution was encouraged to complete a post-pandemic/walk-through test or “dry run” of their pandemic procedures. This is curious considering all institutions have been in a “live exercise” for the past few years with the pandemic. Regardless, there is a good chance that the pandemic verbiage in your disaster recovery plan needs to be updated based on what has or has not been done in response to the current pandemic. And it is important to consider that an annual pandemic test will be a part of examiner expectations going forward along with the traditional business continuity, natural disaster, and cyber incident tests.

On the regulatory front, the new Computer-Incident Notification Rule went into effect on April 1, 2022, which is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The rule has two components:

  • The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
  • The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

In March, we hosted an in-depth webinar on understanding the requirements, recognizing gray areas, and preparing for unknowns. To help intuitions meet these requirements, we also created a detailed flowchart to understand when an event is severe enough to activate your Incident Response Team (IRT) and when regulators and customers should be notified.

Another regulatory trend to keep your eyes on is the increasing focus on ransomware industry-wide is prompting some state banking organizations to require institutions to use the Ransomware Self-Assessment Tool (R-SAT). The 16-question R-SAT is designed to help institutions evaluate their general cybersecurity preparedness and reduce ransomware risks. The R-SAT supplements the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC). It will be interesting to see if more states begin requiring this additional diagnostic tool.

Watch the recording to hear more insights about INTrex, SOC Reports, and SSAE 21.

08 Sep 2022
What to Budget for in 2023

What to Budget for in 2023

What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

  • Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
  • Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. It is estimated that cyberattacks are 300 times more likely to be targeted against financial services firms than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—and will be more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

05 Aug 2022
The Importance of Succession Planning

The Importance of Succession Planning to IT and Information Security Resiliency

The Importance of Succession Planning

Change can be challenging—especially when it involves the transition of IT management and other key personnel. That’s why it’s imperative for banks and credit unions to be proactive about succession planning.

While regulators expect institutions to have a formal succession plan for key leadership roles, having a strategy for filling critical positions is a matter of practicality. If an IT administrator or information security officer (ISO) is not in place, or not available to complete the tasks, reports, and other responsibilities of these roles, then it could lead to cyberattacks and other security issues. This, in turn, can have dire consequences on a financial institution’s operations, risk-profile compliance, and reputation.

Succession Planning Strategies

Institutions can ensure IT and information security resiliency by having an effective plan for managing the absence of key security-related personnel. Depending on their size, type, and goals, they can adopt any of these approaches to succession planning:

  • Proactively assess internal talent and then orient the most suitable individual to serve as an alternate or backup for various IT admin or ISO responsibilities. The ISO alternate, for instance, should train with the existing ISO, attend ISO oversight meetings, and present appropriate information to executive management and the board. If the ISO leaves, the backup individual should be equipped to assume the role temporarily or even for the long term if necessary. Training a staff member to perform IT or information security duties is not only pragmatic, but it complies with regulatory guidance.
  • Implement an internal committee or team approach to managing IT and information security during a temporary or permanent personnel change. The committee can facilitate the IT and information security program in several ways. It can maintain processes until an outside replacement is installed or support an internal successor who is transitioning into the position. The committee can also provide coaching to keep the replacement from becoming overwhelmed by the complexity and assortment of tasks required.
  • Partner with a trusted third party to obtain the additional expertise needed to meet IT and information security benchmarks. This approach provides an accountability partnership role and a regular framework that clearly defines key responsibilities and streamlines processes. This strategy can ensure institutions have suitable resources to ease the transition of key personnel to enhance IT and information security resiliency.

Leveraging a Virtual ISO

A virtual ISO can be an ideal solution for institutions seeking to enhance IT and information security resiliency. This third-party service can not only support succession planning, but it can also serve as an extension of the internal ISO providing an external layer of oversight and an objective point of view — which allows institutions to approach risk more strategically and proactively.

ISOversight from Safe Systems, for instance, is a complete solution that makes it easier for community banks and credit unions to master information security and compliance online. This virtual ISO solution—which is especially for financial institutions—offers valuable access to applications and resources, cyber risk reporting, and compliance experts. With ISOversight, banks and credit unions can be confident that all their ISO-related requirements are completed on time, documented properly, and reported to the appropriate parties. Learn more about how to enhance your institution’s security posture during tough times. Read our white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

27 Jul 2022
Learn How to Eliminate Compliance Pain Points with COMPaaS

Learn How to Eliminate Compliance Pain Points with COMPaaS

Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

  • BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
  • CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
  • Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
  • Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
  • Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
  • NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
  • Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
  • V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our expert’s core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, all COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

14 Jul 2022
How to Always Be Prepared for a Cyberattack

How to Always Be Prepared for a Cyberattack

How to Always Be Prepared for a Cyberattack

Cybersecurity attacks have been ramping up nationwide, and the FBI expects the trend to continue. Americans reported 847,376 complaints in 2021, a 7-percent increase from 2020, according to the FBI’s Internet Crime Complaint Center’s 2021 Internet Crime Report. Many of the complaints filed in 2021 involved ransomware, phishing, data breach, and business email compromise. Financial services is one of the critical infrastructure sectors that are most frequently targeted by ransomware attacks.

However, here are five best practices that if effectively implemented, managed, and monitored can ensure that your financial institution is always prepared for a cyberattack:

1. Authentication

Passwords have become more complicated to create, remember, and maintain. Twenty years ago, passwords consisted of a simple string of characters. Now they are more complex, requiring a combination of numbers, symbols, and upper- and lower-case letters. Increasingly, user management tools allow institutions to take advantage of robust authentication options like multifactor authentication (MFA). MFA adds extra elements and more security to the sign-on process, which is why users should employ it whenever possible to log in to any network or system at your institution. This is especially important for higher-risk situations that involve network administrator accounts, virtual private network access, and critical management applications.

MFA is one of the most important cybersecurity practices to reduce the risk of intrusions. Users who enable MFA are up to 99 percent less likely to have an account compromised, according to a joint advisory issued by the FBI and Cybersecurity and Infrastructure Security Agency. “Every organization should enforce MFA for all employees and customers, and every user should sign up for MFA when available,” the advisory states.

2. Patch Management

Patching can be a constant and tedious process as it requires keeping up with updates from numerous sources and applications. This can entail patching a plethora of Microsoft products, along with banking and lending applications, PDF readers, virtualization applications, database applications, ATM software, and more. Not patching a security hole in any of these could lead to a massive security breach with catastrophic implications for institutions. It’s imperative to maintain a list of all approved applications and monitoring software on the network as well as have an update policy and a clearly defined process for each application. Major breaches have happened because a single patch was missing on a single device. Patch management cannot be ignored or treated as an afterthought.

3. Email Security and End User Best Practices

Understanding email, specifically phishing techniques, is one of the most critical aspects of being prepared for a cyberattack. While financial institutions are frequently targeted by phishing attacks, following these best practices can help to prevent business email compromise:

  • Augment your email solution with effective scanning software. This can help identify SPAM and phishing emails before they reach employees.
  • Train employees to recognize phony phishing emails, so they can “think before they click.” These bogus emails can be difficult to spot unless you know what you are looking for; e.g., poor grammar and spelling, links that don’t match the domain, unsolicited attachments, etc.
  • Test employees to see how well they respond to a realistic phishing attempt. Invest in a program that lets you send fake phishing messages and track which employees fail the test, so you can offer additional training to those who need it.

4. Backups

Backups play a crucial role in file recovery, disaster recovery, and ransomware attacks. To successfully bounce back from a cyberattack, institutions need to have all backup scenarios sufficiently covered, including file-level backups, disaster recovery backups, Veeam backups (for virtual servers), and SQL/database backups. While most institutions use a combination of different backup solutions, the key objective is to back up files offline or in the cloud, so they are not connected to your network. Then if a ransomware attack strikes the network, your offline and cloud backups will not be affected.

5. Vendor Risk Management

Vendor management can have a dramatic impact on the overall success of your information security plan. If you outsource to a vendor with inadequate security protocols, their weakness essentially becomes your weakness. The first step in vendor risk management is to perform a risk assessment to evaluate your level of inherent risk. This must always be done first so that you can then identify and implement the proper controls. If the controls selected do not completely offset the risks identified, then alternate or compensating controls would need to be identified to achieve a level of residual risk that is within your risk appetite.

There’s no silver bullet when it comes to resisting a cyberattack but focusing on the five areas above can significantly increase your institution’s cyber resiliency. Safe Systems offers a range of technology, compliance, and security solutions that are exclusively designed for community banks and credit unions. Contact us to learn how we can help you implement these five and other best practices.

23 Jun 2022
Tips for the Latest Microsoft Windows 10 Feature Update

Tips for the Latest Microsoft Windows 10 Feature Update

Tips for the Latest Microsoft Windows 10 Feature Update

Microsoft recently released the latest feature update for Windows 10, and financial institutions should upgrade the operating system as soon as possible. Installing the new update—Windows 10, version 21H2—sooner than later will give institutions access to important benefits, with a key advantage being enhanced security. The update will enable them to keep receiving security patches against malware and other vulnerabilities, so they can continue operating with the same level of safety and convenience. In addition, upgrading now will enable institutions to extract more longevity and functionality from the system, which will save them money in the long run. Implementing the current update will also keep them ahead of the curve and better prepared to meet the Windows 10 end-of-life date: Oct. 14, 2025.

Safe Systems Makes the Process Easy

Safe Systems can complete the upgrade for their network management, NetComply® One, customers using a proprietary solution designed by in-house technology experts. This advanced, automated method lessens the time and effort involved with installing version 21H2. We typically make one download per location instead of going from machine to machine—which can each take several hours to update. We can also employ file sourcing to reduce the amount of bandwidth consumed during the update. These streamlined tactics significantly minimize downtime, which can have a major impact on daily operations, personnel productivity, and other network utilization issues. If a machine has a problem with our automated process, customers will receive an email from Safe Systems notifying them that several failed attempts have occurred. At that point, they can decide whether to upgrade the machine themselves or submit a ticket requesting us to remediate the issue.

In addition, customers can run reports to gain insights, enhance decision-making, and optimize the upgrade process. For instance, they can:

  • identify which version of Windows 10 is currently running on their machines;
  • review results from the previous upgrade;
  • determine time of the next attempted upgrade;
  • detect which machines are excluded from upgrades; and
  • confirm that machines scheduled for the update are turned on and online.

By leveraging our network management solution and custom technology for feature upgrades, guesswork and human intervention are removed from the update process. This not only leaves financial institutions with more time to focus on other important issues, but it results in a more successful upgrade project. So, our customers get the best of two worlds: an efficient, computerized upgrade and support from technology experts.

A Specialized Network Management Solution

Completing Windows 10 21H2 updates for our customers means they will have one less thing to worry about. This supports our ultimate objective—to give financial institutions of all sizes a cost-effective way to leverage the best technology, compliance, and security solutions to serve the financial needs of their community. Our network monitoring and management platform, NetComply One, is designed exclusively for community banks and credit unions and provides them with a unique blend of services: automated ticketing, patch management, qualified alerting, custom reports, and quarterly advisement—all from an industry leader with more than 25 years of banking and IT experience.

So why run the security risk of not installing the new Windows update now when we’re making the process easy? Contact us today for questions about the upgrade or more information about NetComply One.

16 Jun 2022
Choosing a Virtual ISO (VISO)

Choosing a Virtual ISO (VISO)

The ISO’s role is becoming increasingly more complex and challenging due to growing cyber security threats, the ever-changing technology environment, and expanding regulatory expectations. It can be difficult for banks and credit unions to stay on top of information security issues. That’s why today even the smallest institutions often engage a trusted third party for help. A virtual information security officer (VISO) service can help institutions effectively manage information security so that nothing gets missed or falls through the cracks.

Common Types of VISO

The most common types of virtual ISO solutions available to institutions are the “do-it-yourself” (DIY), “hybrid,” and “offload” models. The DIY option is designed for institutions that have a solid grasp of the ISO’s job functions and just need some basic tools and limited consultation to enhance their efforts. This model is the least expensive but also requires more of a time commitment from your internal resources. The hybrid model may typically include an assortment of apps, templates, pre-configured reports, and other tools, along with a broader and deeper level of consultation. Resource requirements from the institution side are greatly reduced compared to DIY, but typically greater than offload. Accordingly, costs for a hybrid approach are somewhere between the two other models. The hybrid model also tends to be the most flexible and is designed to evolve with the changing needs of the institution. Finally, the offload approach attempts to provide a “turn-key” solution wherein the virtual ISO partner effectively assumes most or all the responsibilities of your internal ISO. This approach requires the least involvement from your institution (which could introduce other challenges…see the “Examiner Support” section below), but it is usually also the most expensive. As this model is the most inclusive, the knowledge and experience of the third-party provider are your most important consideration. The offload approach typically includes unlimited consultation, on-demand reporting, participation in committee meetings, etc.

Key Factors to Consider

When choosing a virtual ISO, there are some important aspects to consider to ensure your institution selects the best option. Keep in mind that each virtual ISO model comes with a certain level of flexibility and engagement for a specific price. The key is to carefully balance the service and costs against your specific internal resource gaps to determine the best solution for your situation. Ideally, whatever solution you choose should have the flexibility to dial up or down the level of service, depending on how your situation may change in the future.

Whatever virtual ISO solution you opt for, it should provide documentation and reporting in a form that the various stakeholders can understand. Each one of the many ISO responsibilities has one or more reports or documents that support the requirement to hold the ISO accountable for its responsibilities. The board of directors, the steering committee, the IT auditors, and examiners, all have different perspectives and comprehension levels and may require different degrees of detail for the same information. For instance, boards and examiners might require higher-level data, whereas steering committees and IT auditors might require more detailed documentation for their purposes. You should have access to on-demand reporting with relevant, actionable, up-to-date information that matches the level of engagement for the various stakeholder groups.

The regulatory guidance on ISO responsibilities includes terms such as “engaging with” and “working with” management in the individual lines of business to understand the risks of various initiatives. They also expect the ISO to “implement” the information security strategy as defined by the board, and to periodically “inform” the board and senior management on the status of the program. In the case of a virtual ISO, your hybrid or offload third-party partner needs to have an excellent understanding of enterprise-wide strategic objectives, and a good working relationship with management in all lines of business and within the different departments within your organization.

Remember, as with all outsourced activities, even though you can delegate some (or even most) of the heavy lifting to a virtual ISO, you cannot outsource responsibility. Your institution still must maintain a strong oversight effort to ensure that all ISO duties are completed, documented, and reported appropriately. Higher levels of third-party reliance require correspondingly higher levels of oversight. According to the Federal Financial Institutions Examination Council’s Outsourcing Technology Services booklet you are obligated to oversee all activities, whether you perform them, or a third-party performs them on your behalf.

Examiner Support

The examiner feedback we have seen to date strongly supports the idea of financial institutions implementing a virtual ISO solution “…as long as it’s done correctly.” That means focusing on all the responsibilities and accountabilities of the role and making sure sufficient documentation and appropriate oversight and reporting are built-in. Doing it correctly also means making sure the in-house ISO is not so detached from the processes and procedures that they cannot authoritatively explain them to a stakeholder, which can be the primary downside of the “offload” model. The decision-making process is the most important concern for regulators. Your solution should allow you to offload enough to make the ISO’s job easier and more organized, but not so much that they become disconnected and lose operational awareness of their current threat and control environment.

In conclusion, choosing the right type of virtual ISO service allows institutions to provide the appropriate level of insight and oversight for their in-house ISO. This can help them to be better equipped to manage information security activities, meet evolving industry standards, and adjust to tightening regulatory requirements, all in an increasing cyber threat environment.

At Safe Systems, we offer a virtual ISO service based on the above-described hybrid model. ISOversight™, is a VISO service that is flexible to accommodate the changing needs of community banks and credit unions. The ISOversight service includes a full suite of applications to manage everything from vendors to business continuity, along with all associated information security policies and risk assessments. This is a cost-effective, comprehensive, and flexible solution that makes information security management much more efficient. For more insight about the most common virtual ISO models and how to determine which one may be right for you, view our webinar on “Is a Virtual ISO Right for You?”

09 Jun 2022
Planning for Safety, Soundness, and Resiliency

Planning for Safety, Soundness, and Resiliency

Planning for Safety, Soundness, and Resiliency

With the rise in cybercrimes and increased regulatory scrutiny, having a board-approved IT Strategic Plan is often not enough to ensure cyber resiliency. It’s essential for financial institutions to develop a robust IT management and information security infrastructure. The following excerpts from our recent white paper on “Building IT and Information Security Resiliency in Chaotic Times,” show how institutions can strengthen and support these key management roles to make better technology and security decisions, improve visibility, and reduce vulnerability. In addition, institutions can use strategic partners and risk management solutions to bolster resources they already have in place and enhance their overall cyber resilience.

1. Separating ISO Duties

Examiners have a strong interest in the IT administrator and ISO roles, which are interconnected and integral to an institution’s safety and soundness. However, many community banks and credit units still struggle with meeting the FFIEC requirements for segregating these positions. The importance of separating ISO duties relates to creating additional oversight to verify activities and maintain accountability to management and the board. Separating these functions also helps to build a clear audit trail to ensure risk is being accurately assessed and reported to senior management. While the ISO functions in an oversight capacity of the IT administrator, the ISO also relies heavily on the administrator to share data that can be used to recommend steps to improve the institution’s security posture. Therefore, the IT admin-ISO relationship must also be cooperative to ensure their daily activities support the organization’s policies and procedures.

2. Being Proactive about Succession Planning

Regulators expect financial institutions to have a formal succession plan for the ISO, IT administrator, and other key leadership roles, as indicated by the uptick in exam findings related to this issue. Depending on their size, type, and goals, institutions may employ different approaches for succession planning. They can identify and train someone to serve as an alternate or “backup” for various IT or ISO responsibilities, incorporate an internal committee or team approach for managing IT and information security, or use the support of a trusted third party to maintain IT and information security standards.

3. Partnering with a Trusted Third Party

An outside expert can provide an objective perspective that can help institutions think beyond the day-to-day issues and consider risk more proactively and strategically. Bringing in a technology partner on the front end—when things are going well—can also position institutions to be stronger and more successful in the future. For instance, a virtual information security officer (VISO) can expand an internal ISO’s capabilities and increase the likelihood that all ISO-related tasks are completed in a timely and efficient manner. A VISO can also provide an external layer of oversight to enable the required separation of duties.

ISOversight®, our virtual ISO service, makes it easier for financial institutions to master information security and manage compliance online. ISOversight is a comprehensive solution with a full suite of applications and resources, cyber risk reporting, and dedicated compliance specialists. It’s uniquely designed to help banking institutions enhance their strategies to improve IT management, information security, and compliance. With ISOversight, community banks and credit unions can ensure that no information security issues fall through the cracks—especially during challenging times.

For more information about how to enhance your institution’s security posture, read the full white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

19 May 2022
The Relationship Between the ISO and IT Administrator

The Relationship Between the ISO and IT Administrator

The Relationship Between the ISO and IT Administrator

IT administrators (IT admins) and information security officers (ISOs) have independent yet interdependent roles that are critical to their financial institution’s security, regulatory compliance, and overall success. Both individuals must maintain a separation of duties yet work closely together to achieve a common goal: ensuring their organization’s day-to-day activities appropriately support its policies and procedures.

ISO Responsibilities

ISOs oversee everything from network security (including cybersecurity) to vendor management, to strategic alignment of IT initiatives, to general information security regulatory compliance, all of which require having on-demand access to relevant, timely, and actionable information.

ISOs rely heavily on IT administrators to share data about the network, so they can translate that data into the information that will allow them to perform their duties effectively. Therefore, reports are an integral aspect of the IT admin-ISO relationship. ISOs depend on the data provided by IT admins to complete the enterprise-wide thinking and strategic planning that is needed to protect the bank’s information and other assets.

For example, an IT admin might extract data about the number of devices that have been updated with the latest patches and report this information to the ISO. The ISO would certainly be interested in the status of all devices but would most keenly be interested in the exceptions—the devices that have not been patched—as even a single unpatched device could represent a significant risk to the organization. In addition, the ISO must further evaluate the root cause behind the exceptions: do they represent a predictable lag between patch rollout and installation that will be resolved during the normal course of reboots; or do they represent a procedural deviation or deficiency? If the latter, the ISO could make a recommendation to revisit patch management procedures and practices

IT Admin Responsibilities

IT administrators are responsible for a variety of tasks, including managing computer systems, IT personnel, information systems, data backups, and network security—and providing ISOs with essential information on all those activities. Since IT admins may have a small staff—or might be the only IT person in the department—and have privileged access to the network, institutions must closely oversee their position. According to the FFIEC Information Security Handbook, Section II.C.7(c) Segregation of Duties:

“System administrators, for instance, have the most powerful role in the user access process and have unlimited access to an institution’s information assets and technology. Given this extensive access, management should evaluate the process for determining which individuals should be granted system administrator privileges. Such access should be appropriately monitored for unauthorized or inappropriate activity.”

The ISO in combination with the IT Steering Committee provides an important checks-and-balances process to ensure all systems are being effectively managed and maintained, and that status reporting is reliable.

ISO and IT Admin Cooperation

It’s important to remember that although the ISO and IT admin roles must be independent, they are also complementary since both entities are responsible and accountable for making sense of the vast amount of data flowing through their institution.

Because ISOs must utilize the information supplied by IT admins to produce the reporting necessary to periodically update senior management and the Board, and to authoritatively interact with IT auditors and IT examiners, this relationship must be cooperative. By maintaining a close working relationship, ISOs and IT administrators can make sure their actions support the institution’s IT strategic plan. Done properly, a successful ISO- IT admin relationship should in no way be adversarial, it should be mutually beneficial to both parties, as well as to the institution as a whole.

Obtaining Third-Party Support

Regulators place a high priority on the continuity and consistency of leadership for effective information security. At times, financial institutions will have ISOs and IT administrators leave their position either temporarily or permanently. When this happens, it can be beneficial to employ an internal committee/team or a trusted third party to help manage IT and information security.

A third-party partner can provide additional support while the ISO position is vacant, help a new employee transition into the role, or simply provide another set of eyes and an external layer of oversight to supplement what they already have in place. Collaborating with an external information security expert cannot only help the institution think more objectively, strategically, and proactively about risk during a time of transition but also when things are running smoothly. This can prevent problems later and position the institution to be stronger and more successful in the future.

Financial institutions can take advantage of a wide range of external resources designed to support the ISO and IT administrator roles. For example, ISOversight™, our virtual ISO service, offers community banks and credit unions a complete solution to help them master information security and manage compliance online. With ISOversight, institutions can make sure nothing gets overlooked, so they stay on track—which is vital with the complexities and constant changes in the technology and security environments.

30 Mar 2022
Get Prepared for the New Computer-Security Incident Notification Rule

Get Prepared for the New Computer-Security Incident Notification Rule

Get Prepared for the New Computer-Security Incident Notification Rule

As of April 1st, financial institutions are expected to comply with new cyber incident notification requirements for banking organizations and their third-party service providers. The Computer-Incident Notification Rule, as it’s officially called, is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The final rule—approved last November by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC)—takes effect on April 1, 2022, with full compliance extended to May 1, 2022. (To date, the NCUA has not adopted the new rule, although it’s possible they may at some point. Credit Unions should check with their regulator for notification expectation specifics.)

Understanding the Regulations

To meet the upcoming deadline, financial institutions need to be well versed in the intricacies of the new rule. The rule has two components:

  1. The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incidentthat rises to the level of a “notification incident.”
  2. The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Focusing on the financial institution expectations under the final rule, a couple of definitions must be understood.

  • A computer-security incident” could include almost anything: a hardware or software failure, an innocent mistake by an employee, or a malicious act by a cybercriminal. However, the incident must result in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
  • A “notification incident” is defined as a significant computer-security incident that has materially disrupted or degraded a banking organization in at least one of these areas:
  • its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base in the ordinary course of business
  • its business line(s), including associated operations, services, functions, and support that, upon failure would result in a material loss of revenue, profit, or franchise value
  • its operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

In the event an incident rises to the level of a “notification incident,” the banking organization’s primary federal regulator must receive this notification as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has happened.

Recognizing the Gray Areas

The words “material” and “materially” are key terms; so much so that they are used 97 times in the 79-page guidance about the ruling. But beyond an “enterprise-wide” impact, the regulation does not precisely define these concepts, so financial institutions will need to specify what this term means to their organization as a whole. And since a determination of materiality is a prerequisite to starting the 36-hour “clock” for notification, they should do so ahead of time. The undefined nature of “material” to each organization creates a gray area open for interpretation that not only allows institutions some flexibility in this area but also opens the door for differences in opinion between an institution and its regulator.

In another gray area, the rule does not impose any specific recordkeeping requirements, which is a reduced burden. However, we strongly recommend keeping at least basic documentation in case the examiners ever question why your institution did or did not decide to escalate an event from a computer-security incident to a notification incident, and why it started the “clock” when it did.

Preparing for the Unknowns

At this stage, there are some unknowns about the implications of the new cyber incident notification requirements. One of the unknowns discussed in our recent webinar was related to an official contact person and method for each primary federal regulator. This has since been addressed and we recommend incorporating the following verbiage into the regulator notification section of your Incident Response Plan:

FDIC institutions:

  • Notification can be made to the case manager (primary contact for all supervisory-related matters), to any member of an FDIC examination team if the event occurs during an examination, or if the primary contact is unavailable, the FDIC may be notified by email at: incident@fdic.gov.

OCC Institutions:

  • Notification may be done by emailing or calling the OCC supervisory office. Communication may also be made via the BankNet website, or by contacting the BankNet Help Desk via email (BankNet@occ.treas.gov) or phone (800) 641-5925.

Federal Reserve Institutions:

  • Notification may be made by communicating with any of the Federal Reserve supervisory contacts or the central point of contact at the Board either by email to incident@frb.gov or by telephone to (866) 364-0096.

Another unknown as of the date of this post: Will the State banking regulators also require notification if a federal regulator is notified? The unofficial initial indication we have received is ‘Yes,’ but it would be good practice for institutions to check with their state regulator. Chances are regulators will request this, but whether or not it will be a requirement is still unknown.

Steps to Take Now

There are additional steps financial institutions can take now to be better prepared to address the requirements of the computer-Security Incident Notification Rule.

  • Our primary recommendation is for institutions to expand the notification section of their incident response plan to include the criteria for determination of a notification incident, and to add the regulator contact information above.
  • Institutions should also define “materially” for their organization and predetermine the meaning of “materially disrupted or degraded,” or what constitutes a “material portion” of their customer base.
  • Third-party contracts should contain verbiage obligating them to notify your institution under certain circumstances as required by the new rule. We also strongly advise designating an official contact person within your institution — whether it’s the CEO, CIO, or ISO — who should receive incident notifications from your third parties. It’s also prudent to specify a backup contact person—and make sure vendors know who the primary and alternate contacts are to ensure a smooth notification process.

For more information about this important topic, access our webinar on “New Cyber Incident Notification rules: How to Get Prepared”, or this recent blog post from Compliance Guru.

02 Feb 2022
Compliance Review and Tactics

2021 Compliance Review and Tactics for Staying Ahead of Regulators in 2022

Compliance Review and Tactics

With 2021 in the rearview and 2022 well underway, it’s a good time to consider some compliance issues from last year, and current trends and tactics for keeping ahead of regulators this year. In 2021, we saw a number of compliance-related changes from the Federal Financial Institutions Examination Council’s (FFIEC) and Federal Deposit Insurance Corporation (FDIC). One important development, especially for smaller community banks and credit unions, was the FDIC’s new Office for Supervisory Appeals. The office—launched in December to operate independently within the FDIC—considers and decides appeals of material supervisory determinations. It replaces the existing Supervision Appeals Review Committee.

The Office of Supervisory Appeals will “enhance the independence of the FDIC’s supervisory appeals process and further the FDIC’s goal of ensuring consistency and accountability in the examination process,” according to the FDIC. There’s a broad range of material supervisory determinations that institutions can appeal through the office, including CAMELS ratings under the Uniform Financial Institutions Rating System; IT ratings under the Uniform Rating System for Information Technology (URSIT); and Trust ratings under the Uniform Interagency Trust Rating System. This new appeal process isn’t a guarantee that supervisory findings will be changed but may prove useful as a last resort for FDIC institutions facing downgrades in scores where there is a material disagreement between the FI and the FDIC.

Another significant FFIEC development last year involved amendments to the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. The BSA amendments included certain provisions to the USA Patriots Act to detect, deter and disrupt terrorist financing networks. This would appear to be an area of focus going forward, as 3 of the 10 most substantive (i.e., non appointment-related) FFIEC releases in 2021 were related to BSA/AML.

In June, the FFIEC issued a new Architecture, Infrastructure and Operations (AIO) booklet as part of its Information Technology Handbook. With this logical move, the FFIEC replaced its July 2004 Operations Handbook with a single booklet that merges three interconnected areas. In August the FFIEC also enhanced its guidance on authentication and access to services and systems—advocating for the widespread use of multi-factor authentication (MFA)—and released guidance on conducting due diligence on fintech companies.

One additional item of note in 2021; the FDIC’s tech lab, FDITECH, launched an initiative to challenge institutions to measure and test bank operational resiliency. Ultimately, a set of metrics may be applied to financial institutions—perhaps community banks in particular—to determine whether they are adequately resilient against operational disruptions. We’re keeping a close eye on this as it may lead to a universal formula for grading or ranking resilience. Anything that reduces subjectivity also reduces uncertainty, and that is a good thing when it comes to regulations.

Tips, Tricks, and Tactics

One of the main tactics to apply now to enhance compliance is to focus on the concept of resilience in all areas of the financial institution. Incorporate this concept into your business continuity management plan, vendor management program, third-party supply chain management, and information security. The key is to prepare in advance for a disruption—to put processes in place to reduce the possibility of disruption, and to minimize the impact of disruption should it occur.

Here’s another way to stay ahead of regulators: Financial institutions can connect the concept of risk appetite to the acceptable risk in their risk assessments. This goes beyond merely asserting that whatever residual risk you may have is deemed acceptable, which is highly subjective. Inherent risk less controls establish residual risk. However, residual risk levels must be compared to pre-determined risk appetite levels to determine acceptability. Only if the residual risk is less than or equal to their risk appetite can residual risk be considered acceptable. This process also reduces subjectivity and uncertainty—which should leave examiners and auditors much less room for interpretation, and result in a better audit/exam experience for you.

What to Consider in 2022 and Current Trends

Another area we’ll definitely be watching in 2022 involves the new incident notification rules that were issued late last year. All financial institutions will need to update their incident response plan and possibly their vendor management program and business continuity plans to accommodate these new regulations. These changes, while not necessarily difficult, can be pervasive in that they will cross over into multiple policies and procedures. In short, the rule requires institutions to notify their primary federal regulator as soon as possible—no later than 36 hours—after they determine that a notification incident has occurred. There are also new requirements for third parties to notify you if they experience a similar event, which could require changes to the vendor contract. The effective date of the new rule is April 1, 2022, with compliance expected to begin on May 1, 2022. There may be a grace period, but financial institutions should be prepared for examiners to ask questions about your adherence to these new rules at your next Safety and Soundness exam.

Regarding trends, we believe the focus on third-party risk management will continue in 2022 and into the future. Currently, there’s growing support for the idea of having the FDIC, Federal Reserve, National Credit Union Administration (NCUA) and other agencies coalesce around a single set of standards for third-party management. This would create more consistency with the rules concerning how regulators and others define third parties and vendors, and expectations for effective risk management. The outcome of the discussions around this topic may not manifest until Q3 or Q4 of this year, but institutions should work on formalizing their process for conducting due diligence when dealing with fintech companies and other critical vendors.

Safe Systems has been serving financial institutions for more than 25 years. To get more of our experts’ views on this topic, listen to our webinar on “Compliance Review and Tips, Tricks, and Trends for Staying Ahead of Regulators in 2022.”

19 Jan 2022
Balancing Strategy and Compliance

Balancing Strategy and Compliance: Addressing the Strategic Needs of Your Institution While Remaining Compliant

Balancing Strategy and Compliance

Banks and credit unions require a complex interconnected infrastructure to support their employees, serve customers, and maintain their operations. This entails an array of owned and outsourced elements: hardware, software, controls, processes, and evolving technologies such as cloud, artificial intelligence (AI), machine learning, and more. In addition, effective data governance and data management are fundamental to maintaining the confidentiality, integrity, and availability of information. The data management process is highly regulated and financial institutions are under increasing pressure when trying to balance the strategic needs of their organization with the increased demands for remote employees and online customers.

Evolving Remote Workforce and Customer Base

Over the past couple of decades, advancements in communication and technologies have allowed for a more mobile workforce and customer base, and the ongoing COVID-19 pandemic quickly intensified this trend. During the first year of the pandemic, Gartner conducted a survey that found 82% of businesses intended to allow remote work at least part of the time, with 47% of companies allowing it full time. Although 2o20 represented a significant increase in remote work and digital engagement, the trend seems to be continuing for the foreseeable future. According to Upwork’s Future Workforce Report 2021, 40.7 million American professionals, nearly 28% of respondents, will be fully remote in the next five years, up from 22.9% from the last survey conducted in November 2020.

This trend requires adding more technology and devices to enable online access to financial services, and to enable secure access to the information and other resources needed for remote workers to perform their duties away from the office. Banking customers want convenient access to financial services, whether through a physical location, the internet, or a mobile app, and institutions need the tools and techniques to keep them secure. With more devices in the hands of employees and customers, there are many more vectors for cyberattacks and way more endpoints to secure. Even institutions that have been trying to avoid the risks that come with enabling remote engagement are forced to reevaluate the costs and benefits.

Increasing Regulatory Requirements

Privacy and data security have become key compliance issues for financial institutions as they adapt to accommodate employees and customers who prefer to work and bank remotely. From a regulatory standpoint, the Federal Financial Institution Examination Council (FFIEC) has always expected financial institutions to have data management controls in place to protect data in physical and digital forms wherever the data is stored, processed, or transmitted. This includes any data relating to the organization, its employees, and its customers. “The data management process involves the development and execution of policies, standards, and procedures to acquire, validate, store, protect, and process data,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet. “Effective data management ensures that the required data are accessible, reliable, and timely to meet user needs.”

The FFIEC requires institutions to follow a wide range of other guidelines and procedures, which are reflected in various FFIEC booklets and include:

  • Governance – Management should promote effective IT governance by establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution’s information and systems.
  • Know-your-customer – Financial institution management should choose the level of e-banking services provided to various customer segments based on customer needs and the institution’s risk assessment considerations.
  • Resilience – Financial institutions are responsible for business continuity management (BCM), which is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

Strategic Compliance Solutions

With so many compliance issues to address, it can be difficult to balance the needs of your financial institution, your remote workers, and your customers. Safe Systems has a team of compliance experts and a broad range of compliance solutions to help you manage government regulations, information security, and reporting efficiently. Our team of compliance experts are trained in banking regulations, hold numerous certifications, and are laser-focused on delivering the tools and knowledge to give you compliance peace of mind.

30 Dec 2021
Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

With a new year approaching, it’s a good time to review some of the key discussions from the past year. Read these highlights from our top blog posts of 2021, to help your financial institution refine key operational strategies for 2022 and beyond:

1. 2021 Hot Topics in Compliance: Mid-Year Update

Although the COVID-19 pandemic isn’t over, financial institutions have learned valuable lessons so far. Key impacts have been primarily operational, involving risks related to temporary measures taken to weather the crisis. In addition, there are important compliance trends and new regulatory guidance institutions should anticipate going forward. Ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely increase in the future. This will be reflected, in part, by the number of (and types of) assessments that regulators might expect institutions to perform annually. These assessments from various state and federal entities include the Cybersecurity Assessment Tool (CAT), the optional Ransomware Self-Assessment Tool (R-SAT), the Cybersecurity Evaluation Tool, and the modified Information Technology Risk Examination for Credit Unions (InTREx-CU). In addition, there have been major shifts with cyber insurance, and the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. Read more.

2. The 4 “R’s” of Disaster Recovery

Maintaining an effective approach to disaster recovery can help financial institutions satisfy regulatory requirements, better protect themselves from the effects of negative events, and improve their ability to continue operating after a disaster. There are four important “R’s” that institutions should concentrate on for disaster recovery: recovery time objective ( RTO ), recovery point objective ( RPO ), replication , and recurring testing .

RTO is the longest acceptable length of time a computer, system, network, or application can be down after a disaster happens. When establishing RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. The RPO is the amount of time between a disaster occurring and a financial institution’s most recent backup. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. DR replication entails having an exact copy of an institution’s data available and remotely accessible when an adverse event transpires. The best practice is to keep one backup copy onsite and another offsite in a different geographic location that’s not impacted by the disaster. Recurring testing allows institutions to identify key aspects of their DR strategy and adjust as needed to accomplish their objectives. Regular testing can expose potential problems in their DR plan so they can address these issues immediately. Read more.

3. Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s crucial for financial institutions to maintain distinct duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the health of their operations. There should be at least one designated ISO who is responsible for implementing and monitoring the information security program and who reports directly to the board or senior management—not to IT operations management. The significance of segregating the ISO’s duties comes down to oversight: Separating ISO and network administrator tasks helps to create a clear audit trail and ensures risk is being accurately assessed and reported to senior management . It also allows the ISO to provide another “set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders. The ISO’s independent role primarily serves to ensure the integrity of an institution’s information security program . Financial institutions can also use a virtual ISO to create an additional layer of oversight on top of what they have in place internally. Read more.

Discover these and other key topics about banking compliance, security, and technology on the Safe Systems blog.

Or, subscribe now to be the first to receive the latest updates on banking trends and regulatory guidance directly to your inbox.

Subscribe to our blog

 

08 Dec 2021
5 Compliance Lessons Learned in 2021 to Bring into the New Year

5 Compliance Lessons Learned in 2021 to Bring into the New Year

5 Compliance Lessons Learned in 2021 to Bring into the New Year

As the challenges presented by the COVID-19 pandemic persist, there are important compliance trends and new regulatory guidance that financial institutions should consider to ensure they are well prepared to begin the New Year.

Accounting for Operational Risk

During the pandemic, banks and credit unions have made necessary adjustments that have increased their operational risk. Two prime examples are switching to a remote workforce and accommodating a more remote customer base. Having employees work remotely extends an institution’s network out to that endpoint and, in effect, broadens security considerations to that point as well. Serving a remote customer base—including expanding e-banking and implementing electronic signatures—creates a similar risk. Security implications multiply as more employees and customers access services electronically.

Rapid changes in operational practices and increases in fraud and cyberthreats can cause a heightened operational risk environment if not properly managed. Examiners will want an account of how institutions determined what changes were necessary, how those modifications were implemented, whether those changes were temporary or permanent, and if controls (primary and compensating) have been adjusted for any resulting operational risk increases. They will review the steps management has taken to evaluate and adjust controls for new and modified operational processes. For instance, for permanent changes, did the institution factor in the operational risk of downtime relating to the new processes?

As a measure of governance effectiveness, examiners will also very likely:

  • Assess actions that management has taken to adapt fraud and cybersecurity controls to address the heightened risk associated with the altered operating environment.
  • Review management’s post-crisis efforts to assess the controls and service delivery performance capabilities of third parties.
  • Consider how imprudent cost-cutting, insufficient staffing, or delays in implementing necessary updates impacted the control environment.

Temporary vs. Permanent Changes

For the most part, because we are still dealing with the impact of the virus and its variants, institutions have chosen to maintain many of the temporary measures they implemented during the pandemic. So, because they may have rolled out the changes anticipating an eventual rollback, it may be necessary to “backfill” some documentation to address what is now permanent. Examiners will want to know if the changes were properly risk-assessed prior to implementation, including any new processes and interdependencies. Institutions should be able to provide a report to regulators if they ask—and ensure their board is appropriately updated. This could be a matter of going back and reviewing previous board reports to ensure that any gaps in their risk management reporting were addressed and properly reported to the board.

Ransomware Self-Assessment Tool (R-SAT)

With the pervasive occurrence of cyberattacks, regulators are increasingly concerned about cybersecurity, particularly reducing ransomware. Consequently, regulators in some states are more aggressive than others about having institutions fill out the Ransomware Self-Assessment Tool (R-SAT), which is based on the National Institute of Standards and Technology (NIST) cybersecurity framework. However, most state regulators we’ve spoken with are not going to make completing the R-SAT compulsory—although they may recommend it. If they do, the majority of what is asked by the 16-question tool should already be in place in the institution’s existing incident response and business continuity plans. Your decision to complete or not should be based on a self-assessment of your existing efforts in this area.

Regulatory Updates

New Architecture, Infrastructure, and Operations (AIO) Booklet

Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) revamped its Information Technology Examination Handbook series with a new Architecture, Infrastructure, and Operations booklet. The revised guidance provides examiners with fundamental examination expectations about architecture and infrastructure planning, governance and risk management, and operations of regulated entities. Credit unions, banks, and non-financial, third-party service providers are expected to comply with the new guidance, which replaces the original “Operations” booklet issued in July 2004.

The FFIEC indicates that the release of the updated booklet is warranted because of the close integration between institutions’ architecture, infrastructure, and operations. “Updates to the booklet reflect the changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems,” explains a June 2021 FFIEC press release.

An important component of the new booklet is the resilience and proactive measures that must be built into an institution’s AIO components. Importantly, the handbook also recognizes special treatment for smaller or less complex entities, which is reasonable because examiners are starting to indicate that smaller entities will often implement these concepts differently from large, multinational, multi-regional financial organizations, while still achieving the same objectives. The refreshed guidance also takes a different approach to data classification; it factors in value, along with criticality and sensitivity. However, (and this is consistent with all FFIEC Handbooks released in the past 3 years) the new booklet states that it does not impose requirements on entities; instead, it describes principles and practices examiners will review to assess an entity’s AIO functions. (Of course, we have always found that anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement.) A much deeper dive into the booklet is here.

New Cyber Incident Notification Rules

Another big update that will impact 2022 and beyond, the new cyber incident notification rules. Officially called “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”, they were proposed and submitted for comment in early 2021, approved in November 2021, and become effective in April 2022. Visit our partner site, ComplianceGuru.com, to read the latest post and gain an understanding of how these rules will impact both you and your third-party providers going forward.

To learn more about these and other critical compliance topics, listen to our webinar on “2021 Hot Topics in Compliance: Mid-Year Update.”

06 Dec 2021
How Layered Security Can Address Growing Cyberthreats

How Layered Security Can Address Growing Cyberthreats

How Layered Security Can Address Growing Cyberthreats

With the increasing complexity of cyberattacks, financial institutions need to implement more effective—and comprehensive—security measures. They need a variety of elements to create a layered approach to secure their data, infrastructure, and other resources from potential cyberthreats.

Many organizations rely on a castle-and-moat network security model where everyone inside the network is trusted by default. (Think of the network as the castle and the network perimeter as the moat.) No one outside the network is able to access data on the inside, but everyone inside the network can. However, security gaps may still exist in this model and others. The best approach to compensate for gaps is to surround the network with layers of security.

The basic “table stakes” for a layered security approach include a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process. Banks and credit unions could also invest in additional and more sophisticated layers but each one will have associated acquisition and management costs, along with ongoing maintenance. So, it’s prudent for institutions to invest only in the number of layers/solutions they can competently manage.

Key Concerns

Today the top IT security concern for many organizations is ransomware. Due to the proactive measures many financial institutions have taken, the banking industry has fewer security breaches than health care and some other industries thus far. However, when a breach does happen to a financial institution, the impact is more costly than breaches occurring in other industries.

Four-Layer Security Formula

With these concerns in mind, here’s a four-layer “recipe” organizations can employ to improve their security posture:

  • Training and Testing: Using email phishing tests can serve as a good foundation for minimizing BEC and other social engineering threats.
  • Network Design: Institutions should refresh older networks to segment their components into different zones. It’s no longer sufficient to have servers, workstations, and printers sitting in one IP space together.
  • Domain Name System (DNS) filtering: DNS filtering prevents potentially damaging traffic from ever reaching the network. Because it proactively blocks threats, this makes it one of the most effective and affordable security layers institutions can apply.
  • Endpoint Protection: Institutions should have this type of protection on each of their endpoints, and the best endpoint protection tools have built-in ransomware solutions.

Other Important Considerations

It’s important to back up data regularly and ensure that those backups are well beyond the reach of ransomware and other threats. (Backups done to a local server that’s on-site and are still on the network may be susceptible to ransomware.) One way to address this issue is to have immutable backups, which are backup files that can’t be altered in any way and can deploy to production servers immediately in case of ransomware attacks or other data loss. Another option is to send backups to a cloud solution like Microsoft Azure Storage, which is affordable and easy to integrate because there are no servers to manage.

Another crucial element in security is Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption protocol, which can be somewhat of a double-edged sword. About 80 percent of website traffic is encrypted to protect it from unauthorized users during transmission. Traditional firewalls don’t have the ability to scrutinize traffic against a content filtering engine, which means savvy hackers can hide ransomware and other dangerous content inside. But firewalls with advanced features are capable of TLS/SSL inspection; they can decrypt content, analyze it for threats, and then re-encrypt the traffic before entering or leaving the network.

There’s an array of security solutions that institutions can implement to establish layered protection against cyber threats. For more insights about this topic, listen to our webinar on “Cyber Threats, Why You Need a Layered Approach.”

21 Oct 2021
The Importance of Cybersecurity, not Just in October—but All Year Long

The Importance of Cybersecurity, not Just in October—but All Year Long

The Importance of Cybersecurity, not Just in October—but All Year Long

Do Your Part. #BeCyberSmart.

With October being Cybersecurity Awareness Month, it’s the opportune time for everyone to focus on online safety and to become more cyber savvy. This month, the Cybersecurity & Infrastructure Security Agency (CISA) and National Cyber Security Alliance (NCSA) are encouraging all Americans to do their part and be cyber smart. This means organizations and individuals need to own their role in protecting cyberspace, which requires taking personal accountability and proactive steps to enhance cybersecurity.

The first step to increasing cybersecurity is to understand its importance. Cybersecurity, according to the CISA, is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring the confidentiality, integrity, and availability of information. And the importance of applying effective strategies to keep computer systems and electronic data secure is growing as cybercrime rises. But the key to enhancing cybersecurity is to recognize the hazards that can threaten online safety: malware erasing an entire computer system; a hacker breaking into a system and altering files; someone using another person’s computer to attack others; or an intruder stealing credit card information and making unauthorized purchases.

To minimize the risk of cyberattacks, organizations should consider implementing these best practices from the CISA:

  • Keep software up to date by installing software patches to prevent hackers from taking advantage of known problems or vulnerabilities.
  • Run up-to-date antivirus software to automatically detect, quarantine, and remove various types of malware.
  • Install a firewall to prevent cyberattacks by blocking malicious traffic before it can enter a computer system.
  • Employ multi-factor authentication (MFA) to validate users’ identity.
  • Change default usernames and passwords, which are readily available and can be used by malicious actors.
  • Select strong passwords that will be difficult for attackers to guess and use different passwords for different programs and devices.
  • Beware of suspicious emails that may be engineered to steal information and money or install malware on devices. 

While taking precautions cannot guarantee complete protection against hackers, improving cybersecurity practices can certainly help. It’s also important to become more knowledgeable about effective strategies for reducing cybersecurity risks, which is a major goal of Cybersecurity Awareness Month. In addition, Cybersecurity Awareness Month, formerly called National Cybersecurity Awareness Month, strives to ensure that individuals and organizations have the resources they need to be safer online. People can take advantage of the CISA’s cybersecurity tips, cyber essentials, and other information to become more cyber smart—not just this month, but throughout the year.

Safe Systems also offers a wide range of resources to help financial institutions enhance their cybersecurity and protect the confidentiality, integrity and availability of their information. Our multi-layered security suite, which is designed to protect vulnerability points inside and outside the network, includes DNS filtering, endpoint protection, next-generation firewall, security event log monitoring, and vulnerability monitoring. Community banks and credit unions can implement these security services to improve their cybersecurity posture, prevent cyberattacks and keep their operations running smoothly.

11 Oct 2021
What Financial Institutions Should Budget for in 2022

What Financial Institutions Should Budget for in 2022

What Financial Institutions Should Budget for in 2022

Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.

1. Multifactor Authentication

Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.

2. Laptops

With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.

And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.

3. Moving to the Cloud

Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.

4. Cloud Security

While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.

5. Virtual ISO

Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.

6. Cybersecurity

You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

In Conclusion

The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:

  • Employee training to ensure adequate, effective, and safe practices
  • Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
  • Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy to ensure ransomware cannot wipe out your data

Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.

As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.

09 Aug 2021
Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Implementing a technology-enhanced information security program doesn’t have to be a daunting task. Working with a third-party expert can make the process easier and smoother than managing all the requirements completely in house.

Effective information security (InfoSec) allows organizations to safeguard key IT assets, business processes and data from potential threats. It involves the broad measures that ensure the confidentiality, integrity and availability of the information being processed and stored by computer systems. Most financial institutions, especially those with limited IT resources, can benefit from having an outside vendor provide additional technical expertise and solutions to enhance their existing InfoSec program.

First State Bank Improves InfoSec with Safe Systems

First State Bank of Blakely, Ga. is a prime example of how a financial institution was able to tap external resources to expand its InfoSec program. The bank, which has about 100 employees and 10 branches, was handling most of its InfoSec requirements in house. But when First State Bank’s InfoSec consultant retired, the bank opted to expand its vendor management relationship with Safe Systems to include information security.

Safe Systems made the implementation quick and easy, recommending strategic tweaks that significantly streamlined the process. Consequently, First State Bank was able to avoid “reinventing the wheel” by importing some of its existing information. And since the program elements are web-based and accessible through any internet browser, it will be easy for the bank to make future edits.

First State Bank’s IT Manager, William Barnes, specifically references Safe Systems’ expertise, saying: “The knowledge and experience of the experts I worked with during implementation were very helpful. It is good to know they are there to consult with. I think overall, we are in a good place with the new information security program.”

In addition, the program provides an easy-to-follow guide for securing the First State Bank’s operations and processes. The program is reviewed at least annually, which serves as a reminder of important security requirements. “It helps us stay on top of the risks within the bank and has all the available forms that we need for most policies and procedures,” Barnes says.

Benefits of Technology-Enabled InfoSec

Having a technology-enabled InfoSec program offers a host of benefits for institutions like First State Bank. In general, an automated security program can help banks better support the hardware, software, policies, procedures, and information assets needed to accomplish their business objectives. More specifically, incorporating technology can simplify an InfoSec program; it can streamline the process of identifying and classifying the vast number of assets institutions often have scattered across multiple branches and geographic locations. And a built-in risk assessment tool can provide pre-determined default risks for different assets based on commonly known threats and vulnerabilities.

All of this can reduce the need to create huge spreadsheets to maintain the amount of data typically required for an InfoSec program. As a result, financial institutions can have more accurate security-related information, enhanced board reporting, and better decision making and governance.

Consulting with a trusted vendor like Safe Systems allows institutions to immediately expand their information security expertise and resources. Safe Systems includes three applications in their service including Risk Assessment, Policy Manager, and Enterprise Modeling, to help banks and credit unions centralize and automate their InfoSec program. These powerful applications can make it easier for institutions to enhance their processes for assessments, notifications, reporting, policy/procedure updates and regulatory compliance so they can optimize their security posture.

04 Aug 2021
Technical Advances in Firewalls and How FIs Can Make The Most of Them

Technical Advances in Firewalls and How FIs Can Make The Most of Them

Technical Advances in Firewalls and How FIs Can Make The Most of Them

Firewalls have been a critical first line of defense in network security for decades. Over the years, they have evolved beyond simply filtering traffic between internal and external networks to offering more advanced features. Today banks and credit unions can capitalize on the technical innovations of next-generation firewalls (NGFW) to significantly enhance their network security.

NGFW Features

NGFWs offer a combination of advanced elements that can help financial institutions better manage incoming and outgoing traffic. Encryption is one example and is a key defensive weapon—but it can be a two-edged sword. While encryption is designed to ensure that only the intended audience can see the data being sent, a network’s security system may not be able to properly view, examine, and identify the encrypted traffic.

When a firewall receives encrypted traffic, it has to unscramble it into readable, usable, plain text. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) inspection are required to allow this unscrambling. Without these next-gen inspection features, it is estimated that more than 80% of internet traffic will traverse the firewall uninspected. This means encrypted web traffic can deliver malware to the client without the firewall ever knowing it. Additionally, many advanced firewalls employ “sandboxing,” which ensures suspicious traffic is processed in a secure alternative environment without posing risks to the production network.

Many NGFWs also use what are known as “dynamic” and “static” threat feeds. These lists of potential and current threats enable the firewall to determine whether certain traffic will be passed through or denied. Suspicious traffic gets flagged and remains in the database to support future evaluations.

With threat feeds, a static list is generally used for a small number of IP addresses – in part because it requires more manual labor for maintenance and updating. A dynamic list is typically automated from the cloud, which makes it less user-intensive, easier to keep updated, and more effective than a static list. Geo IP filtering, for example, is just one type of dynamic feed that institutions can use to block certain countries from accessing their outbound or inbound traffic.

Website whitelisting and cross-site hosting are additional tactics for managing and troubleshooting firewalls. Whitelisting allows access to websites that have been blocked by the firewall, and cross-site hosting comes into play when a different but related site is requested.

When it comes to advanced firewall devices, logs and log analysis are especially critical. Logs provide records of every action and event that happens on a network and provide valuable insight into identifying issues that impact performance, compliance, and security. As data logs can surpass millions of lines from just a single 24-hour period, manually analyzing this data is an overwhelming undertaking. With NGFW features such as automated log collection and analysis, institutions can improve data gathering and log management to detect and address potential security problems more effectively.

So which NGFW features are the most important? All of them are important. They’re intended to complement each other and work together toward a common goal: enhancing network security.

There are a few additional, important aspects to consider when implementing a firewall, such as ingress vs. egress rules, cloud services, or content delivery networks, protecting a remote workforce, and ongoing employee training. To learn more about these and all the advanced firewall features, listen to our webinar, “Firewall Chat: A Panel Discussion on the Technical Advances in Firewalls.”

29 Jul 2021
2021 Hot Topics in Compliance

2021 Hot Topics in Compliance: Mid-Year Update

2021 Hot Topics in Compliance

While the COVID-19 pandemic certainly isn’t over, financial institutions have learned valuable lessons so far. In retrospect, the pandemic’s impact on community banks and credit unions hasn’t been as catastrophic as examiners had initially feared—at least not financially. Key impacts have been mostly operational, involving risk related to temporary measures taken to weather the crisis. For instance, examiners will want to know what modifications institutions have made to their operational processes to accommodate an increasingly mobile customer and member base and remote employees, and whether they accounted for additional fraud, cyber threats, or other risks as a consequence. If institutions implemented new products or services, they would need to also account for the operational risk associated with these changes—especially if additional third-party providers were involved. That said, throughout the pandemic, the overall industry demonstrated a very high level of resilience.

In addition to the post-Pandemic lessons, there are other important compliance trends and new regulatory guidance that institutions should anticipate as we approach the rest of the year:

Emphasis on Ransomware Cybersecurity

Recently, ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely ramp up going forward. This will be reflected, in part, by the number of (and types of) assessments that they may expect financial institutions to perform on an annual basis, including the familiar Cybersecurity Assessment Tool (CAT) and newer, non-compulsory Ransomware Self-Assessment Tool (R-SAT) developed partly by the State regulatory bodies.

In addition, at the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) has recently developed its Cyber Security Evaluation Tool. This tool is not specific to the financial industry but rather designed to apply to multiple industries. And the National Credit Union Association (NCUA) decided earlier this year to move away from using its version of the CAT, known as the Automated Cybersecurity Evaluation Toolbox (ACET). It’s now prioritizing a modified InTREx for Credit Unions (InTREx-CU), which is designed to enable credit unions to identify and remediate potential high-risk areas, including within the cybersecurity controls domain.

Changes with Cyber Insurance

Major shifts are also happening with cyber insurance. Because of excessive losses by the insurance industry, there will very likely be increased deductibles, increased exclusions, and decreased limits for covering cyber losses. Cyber insurance coverage—which is not an absolute requirement by regulatory agencies—is going to be more difficult and expensive to obtain. So, the lesson is: As insurance policies come due, don’t automatically renew before you assess what has changed in terms of the coverages, exclusions, and limitations, and make sure you’ve documented your cost-benefit decision.

New Guidance on Architecture, Infrastructure, and Operations

In June, the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. The updated guidance, which replaces the “Operations” booklet issued in July 2004, acknowledges the inextricable link between an institution’s operations, architecture, and infrastructure. Or as a recent FFIEC press release states:

“The booklet discusses the interconnectedness among an entity’s assets, processes, and third-party service providers, along with the principles, processes, potential threats, and examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.”

The booklet provides a fresh take on several concepts: It recognizes different treatments for smaller or less complex institutions and adopts a different approach to data classification by factoring in value with criticality and sensitivity. All entities—not just credit unions and banks but also non-financial, third-party service providers—are expected to adhere to the guidance.

In addition, there are also pending new rules for incident notifications for banks, service providers, and core providers, which isn’t surprising with all the recent cybersecurity attacks. Finally, examiners are also expecting more detailed board reporting, such as showing how an institution’s business continuity management plan, business strategy, and risk appetite are all aligned.

For more information about the latest expectations, compliance trends, and regulatory guidance, listen to our “2021 Hot Topics in Compliance: Mid-Year Update” webinar.

22 Jul 2021
How Financial Institutions Can Enhance Board Reporting and Governance with Technology

How Financial Institutions Can Enhance Board Reporting and Governance with Technology

How Financial Institutions Can Enhance Board Reporting and Governance with Technology

As financial institutions face greater expectations for corporate accountability from regulators, effective board reporting and governance are becoming even more essential in the banking sector. While board members aren’t generally involved in the day-to-day operations, they are ultimately responsible for the success of their institution. Proper reporting can enable the board to make decisions without having to be involved in routine activities, and technology can help institutions enhance their board reporting and, in the process, help directors exercise the care, skill, and diligence required for good governance.

Five Essential Elements of Reporting

Board members need access to a range of financial and non-financial information relating to their organization’s products and services. In order to function effectively as a feedback tool for the board and senior management, the FFIEC Management Handbook states that information systems reporting should meet five essential elements:

  • Timeliness: To facilitate prompt decision-making, an institution’s information systems should be capable of providing and distributing current information to appropriate management or staff
  • Accuracy: A sound system of automated and manual internal controls should exist to ensure the validity of the information and should include appropriate editing, balancing, and internal control checks
  • Consistency: To be reliable, data should be processed and compiled uniformly. Variations in data collection and reporting methods can distort information and trend analysis
  • Completeness: Reports should contain the necessary information to inform decision-makers without voluminous detail
  • Relevance: Information systems should provide current, applicable, and actionable information

Reporting that contains the essential elements above can provide decision-makers with facts that support and enhance the overall decision-making process and can also “…improve job performance throughout an institution.” At the board and senior management level, information systems reporting provides the data and information to help the board and management make strategic decisions. At other levels, information systems reporting allows management to monitor the institution’s activities and distribute information to staff, customers, and members of management.

Applying Technology

Advances in technology have increased the volume of data and information available to management and directors for planning and decision-making. Converting that data into actionable knowledge is essential for the board to provide a “credible challenge” to management, which involves being actively engaged, asking thoughtful questions, and exercising independent judgment. Integrating technology into their InfoSec efforts, institutions can create a comprehensive system to generate, collect, and analyze data to support a more effective process for board reporting and a more knowledgeable board.

Heather Helms, CFO and Information Security Officer of Mount Vernon Bank, knows firsthand the importance of having an application that supports board reporting. “Before we started our partnership with Safe Systems, we were not up to par with the industry standards of reporting. Since redoing our Information Security Program and moving away from a paper-based model to automated applications, we’ve seen noticeably better results in our board reporting and regulatory updates,” said Helms. “When trying to wear numerous hats within a small community bank and stay on top of a topic so huge in a regulatory world, solutions like Safe Systems’ Information Security Program makes all of the difference.”

There are several advantages to financial institutions using technology solutions to automate and optimize board reporting and governance. The primary advantage is the ability to generate on-demand reporting on all aspects of information security management; from managing projects, to risk assessments (including risk appetite), to managing critical vendors, to mitigating operational risk through business continuity planning. Reporting should allow just enough detail to enable the board to fulfill their responsibilities, but not be so detailed that they struggle to comprehend. Ideally, technology should support high-level reporting, with the ability to “drill down” as necessary. The emphasis should be on quality, not quantity.

Another potential advantage of technology in reporting is the ability to aggregate business intelligence from multiple sources enterprise-wide. This not only gives the board a more complete picture of risk but can also stimulate internal collaboration and deeper insights, giving directors more meaningful information for analysis. The importance of timely, accurate, relevant, complete, and consistent information cannot be overstated, as the success or failure of management is often defined by the decisions they make. As the FDIC states, “The extreme importance of a bank director’s position is clearly emphasized by the fact that bank directors can, in certain instances, be held personally liable.” By having a comprehensive system in place for optimal decision-making, institutions can improve the quality of the information flowing from management to the board, and then from the board to other internal and external stakeholders—helping directors not only improve governance, but also enhance regulatory compliance and possibly even reduce lawsuits, monetary fines, and other negative consequences from inadequate board reporting.

Technology not only optimizes board reporting and decision-making but also makes it easier for directors to access the information they need to perform their due diligence and oversight obligations. It all boils down to implementing technology to exercise better accountability—ensuring sound policies are in place to promote strategic objectives and regulatory compliance.

Safe Systems offers a wide range of compliance-centric, innovative solutions that can help financial institutions take advantage of technology to improve their board reporting and governance.

15 Jul 2021
Cybersecurity Shouldn’t Be Keeping You Up at Night

Cybersecurity Shouldn’t Be Keeping You Up at Night

Cybersecurity Shouldn’t Be Keeping You Up at Night

There’s been a notable uptick in cyberattacks in recent years, some of which have drastically impacted institutions’ overall security. At Safe Systems, we believe that proactively protecting customer data will always be more cost effective than falling victim to malicious activity.

From malware and ransomware to managing security needs, we’ve got you covered on how best to protect your financial institution against any type of cybersecurity threat. After all, that’s why we’re here, right?

Make sure cybersecurity isn’t your institution’s weakest link by taking a look at our original blog post on the matter here.

01 Jul 2021
Benefits of Integrating Technology into Your InfoSec Program

Benefits of Integrating Technology into Your InfoSec Program

Benefits of Integrating Technology into Your InfoSec Program

Information security (InfoSec) is a critical aspect of keeping an organization’s computers, networks, sensitive information, and users safe from potential threats. Integrating technology into a financial institution’s InfoSec program can make it easier to manage risk and protect their information and infrastructure assets. Institutions can utilize automation to capitalize on a variety of other benefits, including:

Simplicity

Banking is a complex business. Banks and credit unions maintain a wide assortment of information technology devices, systems, and applications to support their operations. They also have multiple personnel, partners, and third-party providers spread across different geographic areas. The interconnectivity of their operations can make it even harder for institutions to protect the hundreds (and in some cases, thousands) of assets they must maintain. An automated system can make it easier for institutions to inventory and classify their assets—without having to create enormous, time-consuming spreadsheets. It provides a centralized solution for tracking the criticality, location, and risk exposure level of each asset. Identifying the source of risk is the essential first step to effective risk management. Technology and various Software as a Service (SaaS) applications can greatly simplify the process of inventorying assets, assessing the risk, and selecting controls. Technology can also create automatic updates to ensure that all policies and procedures are current and based on industry standards and regulatory requirements. Additionally, on-demand stakeholder reporting can be generated to provide the requisite documentation to management committees, board of directors, and regulatory authorities, respectively.

Completeness and Transparency

Integrating technology can help financial institutions get a clearer sense of their security posture, so they can develop a more complete InfoSec program. Automation makes it easier to identify and categorize each asset, along with its related risks, threats, and controls. This can enable institutions to make a more accurate assessment of where their security risks actually lie. With enhanced transparency, institutions can determine the most appropriate level of protection for each of their assets. As a result, they can more effectively use, manage, and secure these assets. Proactively identifying risks, threats and controls can also better position them to minimize the impact of security incidents in the future.

Better Intelligence and Insights

Some financial institutions rely on manual spreadsheets to manage the vast amount of information and other assets in their InfoSec program. But manual spreadsheets are not always the most effective tracking and reporting mechanism. People can inadvertently feed the wrong data into spreadsheets and produce unreliable results (“garbage in, garbage out”). Plus, since creating spreadsheets is such a repetitive and time-consuming process, information may be infrequently updated—which can make it less timely and thus less useful. However, integrating technology can help institutions enhance the accuracy of the intelligence that supports their InfoSec program. In turn, their board and management can have better insights into the important issues that impact the information security of their organization, which in turn empowers them to make better decisions.

Enhanced Reporting

To make the best decisions for their institution and perform their fiduciary oversight duties, boards and management committees need accurate, relevant, and timely information. By incorporating technology in their InfoSec program, institutions can put an efficient process in place to generate, collect, and analyze data to support board and committee reporting. This can enhance the overall quality of the information being reported to the board, shareholders, and auditors, and regulators. Optimized, on-demand reporting can improve governance, foster compliance, and potentially reduce negative consequences from inadequate board reporting.

Resource Collaboration and Augmentation

InfoSec resources are limited at many financial institutions, and most community banks and credit unions do not have a dedicated InfoSec specialist in-house. Additionally, information security officers (ISOs) tend to wear multiple hats and are often stretched thin by their broad range of responsibilities. An automated application can create a centralized solution that creates a multi-user approach to allow the ISO to leverage internal resources wherever and whenever possible. For example, a department head or process owner can be a valuable internal resource for assessing vendors impacting the department’s functionality. Similarly, the process owner (and not necessarily the ISO) would be the most logical choice to perform the process Business Impact Analysis. In this way, InfoSec becomes an “all hands on deck” operation, with all personnel sharing ownership of the process. Outsourcing additional aspects of InfoSec via a virtual ISO solution can provide an institution with additional subject matter expertise and solutions to further support their designated ISO and the overall security of their systems and information.

Read more about the benefits of integrating technology into your information security. Download our white paper on “How Financial Institutions Can Use Technology to Build an Automated, FFIEC-compliant Information Security Program.”

24 Jun 2021
Automating Your Information Security Program - How Technology Can Get Policies Off the Shelf

Automating Your Information Security Program: How Technology Can Get Policies Off the Shelf

Automating Your Information Security Program - How Technology Can Get Policies Off the Shelf

Working with paper-based information security policies can be limiting for financial institutions. Automation allows banks and credit unions to take their policies off the shelf and move them online to reap multiple benefits.

There are 2 major challenges to having a static, paper-based information security program; the first is making sure policies accurately reflect the financial industry’s current guidance and best practices, and the second is making sure they accurately reflect your institution’s specific practices. Often new paragraphs and sections get added to cover additional policies while almost nothing gets expunged. Or a revision in one section of the program might not be properly updated in all other related areas.

These twin challenges are the primary cause of disconnects between policies, procedures, and practices —and compliance-related findings from IT auditors and examiners. Today examination auditors are scrutinizing documents far more closely, and they expect to see documentation that proves institutions are doing what their policies say they are. And unfortunately, policy disconnects and lack of adequate documentation in IT often reflect poorly on management. It is not unusual for us to see weaknesses in the IT area pull down the CAMELS management component in other areas. In a study conducted by the OCC earlier this year, researchers found that:

“… both the CAMELS composite and Management component ratings have significant predictive power for features of the distribution of banks’ return on assets (ROA), non-performing loans (NPL), stock returns, stock return volatilities, and market-to-book ratios.”

Advantages of Automation

Leveraging technology for an information security (InfoSec) program offers significant benefits by addressing both challenges. A key advantage is that it places all InfoSec related documents in one place where personnel can easily access them. Having a digitally enhanced program makes it easier to minimize exam findings related to inconsistencies between policies (what you say you’re going to do) and procedures (how you say you’re going to do them). Automation streamlines the process of updating policies and documenting the corresponding procedures that are in place to support them.

As another advantage, automation promotes personnel collaboration and engagement in the information security process. Having a web portal where staff can access the policies and procedures related to their area of focus enables collaboration, encourages engagement, and generally helps generate buy-in. As a result, personnel becomes better informed and more engaged in the information security program.

Automation also supports change management by facilitating periodic, detailed reporting to update various stakeholders about the status of the information security program. Reports can focus on a specific area or be customized for different stakeholders who may need more specialized reporting. They may be high-level summaries, or highly detailed. Most importantly, as regulatory guidance and best practice evolve, automation can allow policy updates to happen with the click of a button.

Our Unique Approach

At Safe Systems, we took a unique and comprehensive approach when creating our new Information Security Program solution. The program includes a comprehensive set of policies and a process-based risk assessment. It’s also structured around the Information Security and Management handbooks by Federal Financial Institution Examination Council (FFIEC). And it features a detailed, easy-to-navigate table of contents that will look familiar to auditors and examiners. The idea is to make it as easy as possible for IT auditors and examiners to find what they’re looking for, so they can move on to other areas!

Another way our approach is unique is that our methodology starts with enterprise modeling: We find out everything about the institution’s departments, processes, functions, and required interdependencies. That data then flows directly into the risk assessment and links to other areas that may be added later, such as business continuity management or vendor management. All of these areas will “talk” to the model to support automatic updating whenever global changes are made.

Positive Feedback

Our Information Security Program—which has been years in the making and incorporates everything we’ve learned about what does and doesn’t work—is effectively simplifying an inherently complex process for institutions of all types and sizes. So far, we’ve heard great feedback from auditors, examiners, and customers. (In fact, the risk assessment was developed in close collaboration with IT auditors.) Customers are finding our information security program much easier to manage than having multiple disjointed policies in Word documents and PDFs strewn across disparate folders. They can access policies without worrying if they have the most current version. And our broad and deep understanding of financial institution risk management allows us to start with a pre-filled set of policies, which are then customized to each institution. This greatly accelerates the onboarding process. Customers also like being able to work one-on-one with our team to build a process-based risk assessment model, being able to customize policy language as needed, and not worrying about what changes to make, or where to make them.

For more details, listen to our webinar on “Automating Your Information Security Program: How Technology Can Get Policies Off The Shelf.”

02 Apr 2021
Is Cybersecurity Your Weakest Link

Is Cybersecurity Your Weakest Link?

Is Cybersecurity Your Weakest Link

Is Cybersecurity Your Weakest Link?

The financial landscape has changed drastically in the last 20 years, one of the most notable changes being the variety of financial services now being offered online. Although the wide-spread use of internet has made it possible to receive financial guidance from anywhere in the world, it has also created an environment where sensitive information and data could potentially be compromised by cybercriminals.

Today, professional hackers are spending more time and money than ever before to gain access to personal information for both monetary gain and “professional” recognition. The sensitive information that the financial services industry has access to continues to make them a prime target for hackers and other cybercriminals. Attacks can range from malware threats, DDOS attacks, phishing attempts and data breaches – all of which bad actors can use to commit fraud themselves or sell to a third-party.

Importance of Being Secure

 

Cybercrime continues to be a growing problem for banks and credit unions across the country. The impact of a cybercrime can be very costly for a financial institution, both financially and from a reputational standpoint. The main risks include theft or unauthorized access to sensitive customer information along with the disruption of normal business operations.

In addition, as the number of security threats continues to increase in the financial services industry, regulators are taking a closer look at financial institutions’ policies and procedures to ensure that they can effectively safeguard confidential and non-public information. As an example, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) is designed to ensure financial institutions are prepared in the event of a cybersecurity attack. The FFIEC CAT is now the guide regulators are using to examine institutions and determine their level of cybersecurity preparedness.

Some of the most common security threats financial institutions face today include:

Malware and Ransomware

 

Ransomware has established itself as one of the leading cyber threats for many organizations, but especially financial institutions. Using ransomware technologies, hackers can gain complete access and control over legitimate websites, often by encrypting data or programs, and extort ransom payments from victims in exchange for restoring access to the individual or business. Malicious software, or “malware”, is no longer characterized by simple aggravating popups and sluggish computer performance, but rather the encryption of all data on a machine, rendering it unusable.

Internet of Things (IoT) Attacks

 

Unsecured Internet of Things (IoT) devices such as DVRs, home routers, printers and IP cameras are vulnerable to attack since they are not required to have the same level of security as computers. To breach a financial institution, attackers will target insecure devices to create a pathway to other systems. Unsecure IoT devices are also used to launch distributed denial-of-service attacks (DDoS) against institutions. These DDoS attacks prevent legitimate users from accessing computer systems, devices or other online resources. The perpetrator floods the victim’s machine or network with false requests from various sources to overload the system and prevent legitimate access. A well-executed attack can interrupt a host of banking services including website access, ATM networks, and online banking platforms, in addition to internal systems and functions.

Phishing Scams

 

Phishing scams that specifically target financial institutions’ employees, attempting to obtain sensitive information such as usernames and passwords, have become increasingly common within the last few years. The goal of phishing is to direct employees to a fraudulent website where they are asked to share login credentials and other personal information. The information that employees are tricked into providing then allow for cybercriminals to read a bank or credit union’s critical information, hack into the employee’s bank and social media accounts, send emails on an employees’ behalf, and gain access to internal documents and customer financial information.

Lack of Third-Party Vendor Security

 

While a financial institution might have the right security systems and policies in place to protect itself and its customers from a cyber-attack, its third-party providers may not have the same level of security and diligence. This creates a major vulnerability for the financial institution. Without a proactive approach to vendor management, financial institutions are opening themselves up to increased levels of risk that can have a negative impact on the institution’s financial standing, compliance posture and overall ability to serve its customers. Federal regulators have issued guidelines to help institutions better understand and manage the risks associated with outsourcing a bank activity to a service provider. The FFIEC IT Examination Handbook was revised to help guide banks to properly establish and maintain effective vendor and third-party management programs.

Insider Threats

 

Often, all it takes is a disgruntled employee or ex-employee to release valuable security information and compromise system and data security. Additionally, cybercriminals are increasingly realizing success through bribery as a means to entice bank employees to give up their login credentials or other security information, allowing direct access to internal systems.

Lack of Employee Training and Security Expertise

 

The COVID-19 pandemic has certainly brought its share of challenges to the financial sector of business, including increased network vulnerability and internal threats as employees transitioned to a remote work environment. These changes required cybersecurity personnel to change their online security baseline and continuously adapt to the changing IT security landscape. With the increased popularity of remote work, company IT staff are encouraging employees to take charge of their own online security through testing and training. The training includes topics like the importance of password security and multi-factor authentication and helps employees understand their roles and responsibilities in protecting against security threats. Until this learning gap is resolved, financial institutions will continue to struggle to efficiently manage cybersecurity threats.

Combating Security Threats and Ensuring Institution Security

 

While cybersecurity has become a major point of discussion among professionals within the financial industry, the truth is that many financial institutions are too complacent when it comes to protecting themselves. With hackers using advanced technology, the “bare minimum protection” is no longer enough to keep sensitive information safe. To adequately protect against security threats, financial institutions must ensure that every device on the network has up-to-date antivirus software, adequate firewall protections and that all patches are up-to-date as a minimum requirement. In addition, financial institutions should also employ a layered security strategy, from the end-user to the internet to establish a secure IT environment. Adding preventive, detective and responsive layers to IT security strategy will help strengthen an institution’s approach and build an effective security foundation.

A uniquely tailored layered security approach enables financial institutions to:

  • Monitor antivirus for servers, workstations, and off-site laptops
  • Use services that evaluate site lookups to avoid exposure to compromised websites
  • Scan the network for vulnerabilities and detect unusual activity against hackers and rogue employees
  • Block access to all external ports while also monitoring the access of various machines
  • Meet government regulations and requirements
  • Counter extortion threats by preventing a hacker from holding your customer’s personal data for ransom with special customized software for stopping ransomware
  • Patch machines, encrypt laptops, and install alerts on new devices plugged into the network

The security landscape is constantly evolving, and it is imperative to have a solid security plan in place that accounts for this evolution. It should be a fluid document that is frequently reviewed, updated and that specifically outlines administrative, technical, and physical controls that mitigate evolving risks. It is also important to test the full plan on a regular basis to ensure all procedures can be executed successfully and verify that all regulatory requirements are met.

Managing Security Needs

 

Many community banks and credit unions find that managing the security needs of their organization can be a time-consuming and challenging task. To help augment the security responsibilities, these institutions are turning to financial industry-specific IT and security service providers to act as an extension of their organization, provide timely support, and help the financial institution successfully design and execute a comprehensive security strategy. The right solution provider couples security measures with an understanding of and support for the unique security and compliance demands of the financial industry.

At Safe Systems, we believe that proactively protecting customer data will always be more cost effective than falling victim to malicious activity. To that end, we have the unique expertise to ensure that financial institutions employ the right combination of both broad and specific security products to create an ecosystem of protection. Safe Systems helps secure an organization’s endpoints, devices, and users by assessing vulnerabilities, detecting unwanted network activity, safeguarding against data loss, and preventing known threats while staying ahead of developing ones.

01 Apr 2021
The Security Evolution Featured Blog Image

The Security Evolution: The Integration of Security and Technology in Your Bank’s Infrastructure

The Security Evolution Featured Blog Image

Financial institutions and other organizations face a head-spinning number of information security risks—and the threats are becoming more complex and difficult to detect. In 2020, the FBI’s Internet Crime Complaint Center received a record number of complaints: 791,790, with reported losses exceeding $4.1 billion. The complaints—many of which included sophisticated phishing emails, business email compromise, and ransomware—represented a 69-percent increase in total from 2019, according to the FBI 2020 Internet Crime Report. In almost every case, a financial institution was involved; either as the direct target, a payment intermediary, or the account holder (victims) source of funds.

Importance of Resilience

With IT security, one of the primary goals for financial institutions is to minimize operational risk by limiting downtime; a process also referred to as “resilience”. Formally defined as the “…ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions…”, resilience also includes the ability to withstand and recover from deliberate attacks or naturally occurring disasters.

Resilience extends beyond after-the-fact recovery capabilities to incorporate proactive measures for mitigating the risk of a reasonably anticipated disruptive event in the overall design of operations and processes, including IT infrastructure. Resilience strategies, including maintaining security standards, should extend across the entire business, including outsourced activities. Because of the constantly changing threat environment, banks and credit unions should be regularly refining their security strategies. But it can be challenging for institutions to effectively manage the resources required to create a resilient infrastructure, including the staff, hardware, software, facilities, utilities, and other resources required to support operations. This monumental task encompasses everything from technology and telecommunications infrastructure to the critical dependencies provided by third-party service providers.

With so much complexity, having integrated security controls that coordinate and communicate with each other can make it easier for institutions to detect and prevent an incident before it happens, and to respond and recover afterward. Integration involves blending separate technology and controls into a single system that simplifies the work of short-staffed, time-strapped IT departments. The integration of security technology can ensure that financial institutions have a more manageable—and sustainable—approach to addressing the increasing volume and sophistication of security threats that they encounter.

Compliance and IT Security Integration

Of course, the rationale for integrating security and technology goes beyond the practical need to safeguard an institution’s information, infrastructure, and other assets, as it’s also a matter of compliance.

Information security should be embedded within the institution’s culture, according to the Federal Financial Institution Examination Council (FFIEC), and an institution’s security culture contributes to the effectiveness of its information security program. In fact, the FFIEC IT Handbook’s Information Security booklet indicates that “an institution with a stronger security culture generally integrates information security into new initiatives from the outset and throughout the life cycles of services and applications.”

Financial institutions should have a robust and effective information security program that supports their IT risk management process, according to FFIEC guidelines. Based on the FFIEC IT Handbook’s Information Security booklet, an effective IT program should:

  • Identify threats, measure risk, define information security requirements, and implementing control
  • Integrate with lines of business and support functions in which risk decisions are made
  • Integrate third-party service provider activities with the information security program

Third-party Management

Integrating third-parties into your security program is not just accepted by the regulators, it’s expected. According to the FFIEC, “In many situations, outsourcing offers the institution a cost-effective alternative to in-house capabilities…without the various expenses involved in owning the required technology or maintaining the human capital required to deploy and operate it.” However, the FFIEC goes on to recommend that institutions who elect to outsource technology, line of business activities, and support functions, ensure the integration of these activities with their information security program through an effective third-party service provider (vendor) management program. The FFIEC IT Handbook’s Information Security booklet asserts that: “Effective integration of these programs is evident when the institution creates and enforces expectations that align with the internal information security program in such a way that the combined activities of the institution and its third-party service providers result in an acceptable level of risk.”

Security threats will always be a constant challenge, but successfully integrating security and technology within an institution’s banking infrastructure can help institutions win the fight. Safe Systems provides banks and credit unions with an array of compliance-focused IT services to help them improve their overall security posture. Our proven experience, paired with our compliance-focused technology and security solutions, enables financial institutions to significantly strengthen their resilience by seamlessly aligning compliance and security.

25 Mar 2021
The ISO in 2021 Featured Image

The ISO in 2021: New Challenges and Expectations Require a New Approach

The ISO in 2021 Featured Image

One of the key lessons financial institutions learned from the COVID-19 pandemic is that regardless of new challenges and seemingly constant change, they were expected to ensure their customers and members continued to receive products and services uninterrupted. The past 13 months (and counting) have been a live exercise in operational resilience.

The current crisis—perhaps more than any even prior—has underscored the true scope of the Information Security Officer’s job. Technically, there are only eight broad areas of responsibility for ISOs outlined in the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Management booklet. But the actual scope of ISO accountability spans at least 36 elements. One of the key challenges and responsibilities of the ISO is stakeholder reporting, which is intricately linked to accountability. The relationship between responsibility and accountability is that while the ISO is responsible for making sure critical InfoSec tasks are completed, they are also accountable to the various stakeholder groups, which requires providing documentation that a task is being completed a certain way, with a certain group, or with a certain frequency.

To meet their accountability obligations, because information security is pervasive, ISOs must be engaged at all levels across the enterprise and in all lines of business. This requires understanding every place that data is stored, processed, or transmitted—whether it involves a customer or member, employee, or vendor. The ISO also needs to be aware of the latest emerging risks and be able to implement an effective mitigation strategy. Ultimately, ISOs need to be effective at translating information to the board, management committee, and IT auditors and examiners, in a manner in which these various stakeholders are best able to consume and comprehend it.

The expectations for ISOs also extend beyond the traditional area of ensuring the confidentiality, integrity, and availability of data. ISOs are also responsible for minimizing the disruption or degradation of critical services—which has emerged as the more urgent necessity during recent pandemic and cyber events.

Some of the early challenges ISOs faced during the pandemic ranged from the technical, such as securing virtual private network access, to the administrative, such as ensuring that employees have signed acceptable-use policies and remote-access agreements. Fortunately, we’ve found that most institutions adjusted well to the initial hiccups, resulting in minimal degradation in their services. However, cybersecurity promises to keep that pressure on for the foreseeable future, even post-pandemic.

Predictably, financial institutions are now seeing more exam scrutiny in three areas.

Business Continuity Management (BCM)

When the FFIEC implemented a BCM update in 2019, it created new terminology and new expectations that are finally beginning to emerge in exam findings.

Strategic Planning

The expectation for additional strategic planning is calling for more formal project management procedures. On the IT examination side, FIs are receiving requests for “pre-initiative” risk assessments, meaning that ISOs are expected to assess the risks of a project or initiative before they even agree to move forward and select a vendor. The FFIEC’s Development and Acquisition Handbook states that “Poor planning often contributes to projects failing to meet expectations.” This early stage is referred to as the “initiation” or “feasibility” phase of the project. Once the project clears this phase and moves forward, a vendor or vendors are selected, and vendor due diligence and on-going management can proceed. As the project proceeds to completion, management should be kept informed.

Board and Committee Reporting

Which is now focusing on not just what gets reported, but the frequency of the reporting as well. Suffice to say that the traditional annual updates won’t get it done going forward.

A New Approach to Virtual ISO Services

With ISOs being forced to wear multiple hats, some institutions are choosing to leverage a virtual ISO solution. Whether outsourced, insourced, or a hybrid virtual ISO model, each offers varying levels of service, flexibility, and support. Further still, several FIs are leveraging technology in tandem with security expertise to support their ISOs.

Safe Systems’ ISOversight is a proven risk management solution that provides complete and comprehensive accountability for the responsibilities of the ISO position. This third-party solution assigns a dedicated ISO oversight lead who understands the details of the institution’s environment and provides institutions with expert guidance and access to additional resources. ISOversight is an ideal asset for new (or frankly, overwhelmed) ISOs that may be struggling to keep up with the complex responsibilities of their position. And now with federal and state examiners tightening their level of scrutiny, ISOversight is proving even more crucial for institutions that need to enhance their information security expertise.

To learn more about how Safe Systems is supporting ISOs in the industry, listen to our webinar on “The ISO in 2021: A New Approach to New Challenges and Expectations.”

11 Mar 2021
Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s essential that banks and credit unions maintain segregation of duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the overall health of their operations.

From a regulatory standpoint, the separation (or segregation) of the ISO’s duties is the corrective action to a concentration of duties finding. Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet. The booklet states: “ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.”

The FFIEC also provides guidance on this matter in the IT Handbook’s Management booklet. “The institution should separate information security program management and monitoring from the daily security duties of IT operations. The IT department should have personnel with daily responsibility for implementing the institution’s security policy,” the booklet explains. “Responsibility for making changes and granting exceptions to policy should be segregated from the enforcement of the controls.”

Oversight Is the Key Issue

The importance of isolating the ISO’s duties comes down to oversight as separating the functions of the ISO and network administrator helps to create a clear audit trail and ensures that risk is being accurately assessed and reported to senior management. Without proper oversight reporting, financial institutions and their Boards lack a clear picture of their information security posture and can face other negative repercussions, such as downgrades in their Management IT component.

If, for instance, the ISO shares administrative duties and an administrator account, oversight dynamics can be undermined. As an example, the admin may have day-to-day responsibility for patch deployment, but the ISO is ideally suited to monitor and validate the overall patch management program—not the network administrator. The ISO has a higher-level, enterprise perspective of the impact of day-to-day activities; whereas the admin is at the ground level and may not always be capable of accurately assessing the full impact of performing, or not performing, a particular task. In addition, the definition of “oversight” is basically having another set of eyes validate the actions of someone else.

Understanding the Role and Duties of the ISO

The ISO’s oversight role primarily serves to ensure the integrity of a financial institution’s information security program. In essence, by segregating the admin/ISO duties, ISOs are the “other set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders.

The responsibilities of the ISO are clearly outlined in the FFIEC’s Information Security and IT Management booklets. Some of the ISO’s key duties include responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.

However, in fulfilling these obligations, ISOs are expected to continually meet a high standard of information privacy and security. It’s imperative for institutions to not only assign the proper responsibilities to the ISO but to also select the right individual to assume the role.

Banks and credit unions often have difficulty designating an ISO with the appropriate technical and regulatory compliance expertise. Institutions in rural or small communities—where the talent pool is meager—might even have their chief financial officer or chief operations officer wear the hat for this “part-time” job. Regardless of these challenges, community institutions are expected to maintain the same level of segregation of duties as larger institutions. Size and complexity considerations may allow for some leeway in the timing of the separation, but not the ultimate outcome.

Leveraging a Virtual ISO

For every responsibility, there is an associated piece or set of documentation that must be provided to demonstrate adherence to and alignment with your formal written procedures. Not having an ISO with the requisite knowledge and/or time to effectively manage the assigned responsibilities of the position can result in control failures—and possibly policy or procedure non-compliance. In some cases, financial institutions may have a separation of duties “on paper”, but not so in practice. Again, the absence or presence of oversight is the key.

In fact, feedback from examiners indicates that because of the lack of oversight, there is a certain level of concentration of duties that cannot be adequately addressed internally. But institutions can remedy this problem by engaging a third-party, virtual ISO to add assurance that all responsibilities are being successfully addressed. A virtual ISO can provide another set of eyes and an independent layer of oversight on top of what the institution already has in place internally.

Virtual ISO services from Safe Systems, a national provider of fully compliant IT and security services, can be the ideal solution for community banks and credit unions. Safe Systems has proven experience in providing institutions with dependable technical expertise to ensure there is adequate separation of ISO-related duties within their organization—enhancing network security and significantly increasing regulatory compliance.

04 Mar 2021
5 ISO Duties that Can Be Automated for FIs

5 ISO Duties that Can Be Automated for FIs

5 ISO Duties that Can Be Automated for FIs

Information security officers (ISOs) at financial institutions typically have myriad responsibilities on their plates, and each of those responsibilities comes with one or more forms of documentation to verify the actions taken. While these duties relate to the main categories of network security and regulatory compliance, there are a host of functions that fall under the ISO’s oversight role.

Fortunately, many ISO responsibilities can be automated in some areas to facilitate the management of the institution’s information security program. Here are five of them:

1. Business Continuity Management (BCM)

ISOs are responsible for overseeing and coordinating BCM, providing detailed guidance on how to recover from a business interruption, and ensuring that the appropriate people, processes, and technology components that make up the network of interdependencies are also restored. Automation can make it easier for the ISO to identify the interdependencies, complete the annual updates, and conduct the training exercises and testing required. Automation can also enable alerts for tasks due by process owners, and generate reminders for annual plan board approval, and report the test results to the board. While the tests for BCP cannot be automated, the documentation and reporting of the tests can—something that can significantly streamline the ISO’s oversight responsibilities and make it much easier to locate these documents at audit and examination time.

2. Updates to the Information Security Program and Information Security Risk Assessment

Automation can provide alerts to help ISOs keep abreast of updates from regulators. Then the ISO can easily pull reports on the revised areas to present them for board approval. Essentially, it’s plan maintenance that can be automated—although some interpretation is needed to support the process. Automation can prevent an institution’s information security program from becoming out-of-date (which can happen easily when an ISO is relying on manual processes for management) as failing to make an important update can have significant, negative consequences. For instance, if management misses a major BCP update, or an annual test, or board reporting, auditors may construe this as a general weakness in management, and scrutinize other areas more closely, such as lending practices or financial reporting. Automation can help institutions avoid inadvertent missteps and resulting hassles within their information security program.

In addition, many recent examination findings relate to inconsistencies between the institution’s policies (what they say they do) and their procedures (how they say they will do them). Automation, when combined with integration between applications, can greatly reduce this probability by easily propagating policy and procedural changes throughout all elements of your information security program. For example, sometimes financial institutions will update their BCM plan but might be lax with other policies—something that can result in a disconnect between different policies. In this case, one policy may refer to a process that is no longer being used; or a policy may contain conflicting references for a process that has been updated. These and other kinds of inconsistencies are virtually impossible to catch without automation and integration.

3. Tracking Audit Exam Findings

Unresolved, or “repeat” findings are usually treated very harshly by regulators. Making sure that all audit and exam issues are resolved in a timely manner is crucial. Automation can rate the severity, assign them to a responsible party, assign a due date for resolution, and sending “ticklers” and reminders as the dates come due. At the end of the process, the ISO can quickly generate reports to provide to the institution’s board, examiners, and other stakeholders. Alerts and on-demand reporting can enhance accountability for addressing each of the findings to improve internal controls and other areas.

4. Managing Third-party Relationships

Financial institutions are required to manage the risks of their third-party vendors and the responsibility to assure this is done falls squarely on the shoulders of the ISO. Institutions can use automation in every aspect of their vendor relationship management, including alerting and tracking of periodic updates to the risk assessments, annual updates to the control reviews, contracts, and contract renewals. With automation, the ISO can instantly identify required tasks and produce the necessary documentation related to its vendor management activities.

5. Cybersecurity

Cybersecurity is an important sub-component of information security, and automation can significantly enhance the ISO’s multiple oversight efforts in this area. An automated system can remind ISOs to verify that crucial assessments are completed, including the annual Cybersecurity Assessment Tool (CAT) and the Ransomware Self-Assessment Tool (R-SAT). Alerts can be scheduled to prompt ISOs to conduct annual incident response tests, a gap analysis, and cybersecurity training for employees and the board. And on-demand reporting can keep all stakeholders informed on the progress of your cybersecurity efforts.

One final thought about automation; when the application is combined with a provider familiar with, and dedicated to, the regulatory environment of the financial institution, you do not have to worry about a non-compliant policy or procedure. All necessary regulatory and best practice updates are built-in to the automation.

As a national provider of fully compliant IT and security services, Safe Systems offers a variety of innovative solutions that can help financial institutions automate some of the important responsibilities of their ISO.

25 Feb 2021
Key Areas of Focus for Your Regulatory IT Exam

Five Key Areas of Focus for Your Regulatory IT Exam

Key Areas of Focus for Your Regulatory IT Exam

We’re back with part two of our IT Exam Prep blog series.

Picking up where we left off, there are five key areas where we expect you’ll likely be scrutinized closely at your next exam cycle:

  • Cybersecurity
  • Business continuity management
  • Outsourcing and third-party vendors
  • Governance and management engagement
  • Strategic planning

Of these, the most challenging, and most important, for smaller institutions might be governance and management engagement; the CAMELS “M”. This is true because often smaller institutions may have a more informal reporting structure.

For example, relevant issues may be discussed in committees and may even be reported upstream—but they may not be sufficiently documented. The issue is not just a matter of how you engage and report to senior management and the board, but rather, how you document that the necessary practices are in place. This is important when discussing day-to-day operational matters, but even more important when addressing issues of long-term strategic significance.

Although documenting management engagement can be particularly challenging, institutions must focus on all areas when prepping for an exam. You may not have time to rigorously prepare for every aspect, but you cannot afford to be lax in any one area, as examiners expect all areas of information security to be addressed. However, even if you are not where you need (or want) to be in any particular area, knowing where you are will often buy you additional time.

Our experience is that examiners will often give you additional time to address an issue if they know A) you are aware of it, and B) you have a plan in place (including a timeline) to address it. In short, if you haven’t had the opportunity to conduct a BCM exercise in the past 12 months, at least acknowledge it and have one on the calendar for the near future.

Ransomware on The Rise

As we discussed here and here, both the pandemic and cybersecurity will continue to dominate the infosec landscape for the foreseeable future, and because of that, are sure to receive special consideration during your next exam cycle. In particular, ransomware is a hot-button issue for examiners as attacks have been accelerating and cybercriminals capitalize on the security vulnerabilities and disruption caused by more employees working from home.

These malicious destructive malware attacks are becoming more targeted, more sophisticated and more costly, according to the FBI. Even more disconcerting is the fact that modern ransomware variants can not only lock data in place so that it’s no longer available to the institution but also exfiltrate data, making a secondary data disclosure attack much more likely. Another recent variant locks your data and initiates a distributed denial of service (DDoS) attack against your website if you don’t respond.

Resiliency

One common denominator between all five areas of focus is the concept of “resiliency”, which is the ability to withstand and recover from unplanned and unanticipated events. Examiners increasingly want to see a proactive approach to resilience, and when institutions implement the proper measures ahead of time, this can reduce their risk of operational downtime during a cyberattack, pandemic, natural disaster or another event.

Simply put, once ingrained into your practices and procedures, the reactive measures taken today become the proactive measures of tomorrow. Also, don’t forget to build resiliency into all future initiatives. If the initiative is important enough to implement and maintain, it’s important enough to protect from downtime.

Today, banks and credit unions are taking advantage of a host of resources to mitigate ransomware and other IT security issues, including the Cybersecurity Assessment Tool (CAT), the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and the Ransomware Self-Assessment Tool (R-SAT). In addition, consulting with a third-party IT expert can help institutions better prepare for assessments and respond to difficult questions from examiners.

The bottom line is that regardless of the format regulators require for an examination, you can expect them to address a wide variety of areas. So, focus on the areas outlined here and in part one of this series, but be prepared to discuss all the relevant actions your institution is undertaking.

23 Feb 2021
Part 1 - Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

Part 1 - Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

While sometimes the IT examination is separate, most of the time it’s incorporated into the Safety & Soundness exam. Regulatory examinations like Safety & Soundness are designed to assess the financial health and risk management practices of a financial institution, and the results are expressed as a number “grade” from 1 (highest) to 5 (lowest). An information technology (IT) exam is narrower in scope and utilizes four components to assess information management maturity: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS).

With the twin challenges of the Pandemic and cybersecurity continuing into 2021, on top of an already full plate of regulatory expectations, it’s critical for institutions to be prepared to address all IT issues to meet regulator expectations and ensure their safety and soundness.

So exactly what should financial institutions expect at their next IT regulatory exam? We’ll break it down in a two-part IT Exam Prep blog series.

The Pre-examination Questionnaire

On one hand, anticipating the exam elements is relatively straightforward, as the examiner will provide a pre-exam questionnaire. This is somewhat akin to an open-book test where the questions are provided ahead of time.

However, there is no single standardized questionnaire that all regulators adopt—and there likely won’t be in the foreseeable future. (The InTREx was an attempt by the FDIC a couple of years ago to standardize the process, but it is not yet caught on universally.) So, when the examiner sends his or her pre-exam questionnaire, that essentially provides the framework you should follow to prepare for your examination.

Nevertheless, bankers should expect a certain amount of the unexpected. While you should expect examiners to closely adhere to the pre-examination questionnaire, there will most likely be “curveball(s)” included. Curveballs are deviations from the questionnaire that could trip you up if you’ve followed it too strictly.

But if you’ve done your job correctly and addressed all infosec matters adequately since your last exam, you are better positioned to pivot when you need to during the exam. In other words, treat the pre-exam questionnaire more as a starting point than a checklist. And if you find yourself presented with a difficult question, do not respond with anything you are not 100 percent sure of, and that you know you can document. It is perfectly acceptable – and advisable — to wait and answer the question later when you have the appropriate information available.

One final point about examiner interaction: we strongly advise that your ISO be the primary point-person for the exam.

In most institutions, the ISO has the broadest and deepest knowledge of your information security procedures and practices. The ISO can bring in others as needed (network admin, internal audit, external providers, etc.), but they should still stay very close to the conversation. We’ve seen many situations where someone other than the ISO is interviewed by the examiner, and because of the person’s comparative lack of knowledge, it has resulted in exam findings that otherwise could have been avoided.

To ensure your financial institution’s next regulatory IT exam is a success, stay tuned for part two of our IT Exam Prep blog series, where we will dive into the key areas of focus you can expect to be evaluated on.

11 Feb 2021
Using Advanced Firewall Features and Other Technologies to Strengthen Network Security

Using Advanced Firewall Features and Other Technologies to Strengthen Network Security

Using Advanced Firewall Features and Other Technologies to Strengthen Network Security

A traditional firewall can only do so much to protect a network against the invasive security threats that financial institutions are facing. Add to that, cybercriminals are becoming more sophisticated and creative with their schemes, meaning banks and credit unions need more advanced defensive measures in place.

Malware and other cyber threats have been steadily increasing—especially against financial institutions, which are 300 times more likely than other companies to be targeted by a cyberattack, according to research by Boston Consulting Group. Institutions can capitalize on next-generation firewall (NGFW) features and other advanced technologies to increase the likelihood of warding off attacks, including:

Antimalware Scanning

Malware is intentionally designed for a perverse purpose: to damage a computer, server, client, or computer network. To keep malware at bay, banks and credit unions can use antimalware to thoroughly scan their computer network and detect and remove malicious ransomware, spyware, and other software that might be lurking on the system. Taking this proactive step can help institutions keep their network from being damaged, disrupted or compromised and overall improve the delivery of their services in a safe and secure manner.

Dynamic Threat Feeds

Threat intelligence data feeds can provide institutions with constantly updated information about potential sources of attack. Industry-specific feeds deliver up-to-date information on the latest security threats in the banking industry. Dynamic threat feeds make it easy for institutions to permit “good” network traffic in and “bad” traffic out while ensuring critical processes continue to work.

Dynamic threat feeds, essentially, take valuable parts of the information related to establishing connections and find similarities within them to act on potential or current threats. A key type of threat intelligence feed that institutions can implement are GEO-IP threat feeds. With this technology, a bank can map an IP address to the geographic location of an Internet-connected computing device. Then, they can analyze the Geo-IP data to detect threats from high-risk locations to improve their security posture. This analysis can be accomplished with processing times equal to less than a few milliseconds.

Another effective threat feed that institutions can use is IBM X-Force Exchange. This cloud-based threat intelligence platform allows banks to consume, share, and act on a variety of threat intelligences. IBM X-Force enables users to quickly research the latest security threats, gather actionable intelligence, consult with experts, and collaborate with peers. They can also integrate other tools to facilitate configuring feeds, providing a major benefit for smaller institutions with fewer resources. With dynamic threat feeds, banks and credit unions can have greater peace of mind with their firewall and security posture.

TLS/SSL Inspection

NGFWs offer capabilities that go beyond traditional firewalls, including inspecting TLS/SSL encrypted traffic. TLS/SSL technology helps protect online traffic; it creates an encrypted link between a web server and browser, ensuring the privacy of the data being transmitted. TLS/SSL inspection is important because it allows firewalls to scrutinize this encrypted web traffic and close holes in security. These security gaps could be exploited by would-be cybercriminals who attempt to use encrypted traffic for malware to circumvent the firewall’s inspections.

TLS/SSL traffic inspection allows institutions to decrypt traffic, inspect the decrypted payload for threats, then re-encrypt the traffic before it enters or leaves the network. Such deep content inspection can better protect institutions from internal and external risks. This makes TLS/SSL inspection the ideal defensive weapon against menacing malware and other security issues.

Sandboxing

Sandboxing can also help institutions augment their network security efforts. Traditional firewalls evaluate traffic based on static factors like where it originated, it is destination going, and the port being used. However, these are no longer sufficient for combating modern security threats. Sandboxing—physically or virtually segmenting a system, network, or entire environment—creates a secure location to test and neutralize potential hazards. Having a safe space to “detonate” payloads for analysis results in less risk and damage to the production environment, and, ultimately, enhances network security.

For more information about using advanced firewall features and other technology to strengthen network security, read our “Improving Security Posture Through Next-Generation Firewall Features” white paper.

04 Feb 2021
Does Your Financial Institution Have the Right Security Layers in Place to Combat Today’s Threats?

Does Your Financial Institution Have the Right Security Layers in Place to Combat Today’s Threats?

Does Your Financial Institution Have the Right Security Layers in Place to Combat Today’s Threats?

In 2020, 80 percent of firms experienced an increase in cyberattacks, and the pandemic was at the root of a 238-percent spike in attacks on banks, according to Fintech News. In a world of ever-increasing cyberattacks, does your bank or credit union have the appropriate security layers in place to effectively thwart these threats?

There are some proven, preemptive measures that financial institutions should take, including:

Effective Log Analysis

Logs record every activity and event that occurs on a network, providing valuable clues about potential performance, compliance, and security issues. But it can be challenging for an institution to analyze, manage, and tailor all the log data that it receives—which can exceed millions of lines in just a 24-hour period. Without sufficient data analysis tools, information technology (IT) professionals are severely limited. They have to depend on their own processing capabilities to manually analyze data, which can be a labor-intensive, mistake-prone task.

Effectively managing log analysis has become more problematic with shifts in the security landscape: the expansion of security features, increase in firewall complexity, rapid emergence of new security threats, and constant growth in endpoints. This creates a situation that no security team can effectively manage on its own without some level of automated log collection and analysis.

With this technology, firewall logs are sent to a device that deftly collects and interprets the data. Information is then displayed in a format that is more readable, searchable, and useful for security engineers. While this process can go a long way toward improving the gathering of raw data, institutions can do even more to enhance their log management by building in additional security layers through the automated threat identification.

Log analysis automation equips security professionals to more effectively receive alerts about current and possible threats. Many banks and credit unions have limited personnel and expertise available to analyze their vast amount of traffic logs manually. But automated log analysis allows institutions to maximize their resources by leveraging more advanced technologies, like artificial intelligence (AI), cloud-based computing, and big data to collect alerts more efficiently.

Improved Education and Continuous Improvement

Staff training and education are also an important aspect of solidifying an institution’s security posture, and institutions can employ a variety of tactics to ensure their employees are better able to interpret and respond to alerts. Bank tellers, loan officers, and administrative staff all benefit from informative seminars, brochures, and other learning opportunities. Information security operations personnel can improve simply by calling on experienced colleagues to share their expertise in a more informal exchange of information. These combined efforts can help institutions minimize the number of threats and manage their operations more efficiently on a daily basis.

Financial institutions must also commit to continuous improvement in regard to their firewall security. While enhancing log analysis is not an exact science, there is value in institutions asking targeted questions to help determine the need for specific enhancements to help ensure that the most actionable and best information is being presented to the individuals who need to review it.

Integrating Advanced Technologies

Additionally, banks and credit unions should leverage next-generation firewall (NGFW) features and other advanced technologies – like dynamic threat feeds – to optimize their security initiatives, helping ensure they allow “good” traffic in and keep “bad” traffic out while maintaining critical processes.

NGFWs also enable financial institutions to perform functions beyond that of a traditional firewall, including deeper inspections of transport layer security (TLS) and secure socket layer (SSL) encrypted traffic. The practice of “sandboxing” to physically or virtually segment a system, network, or entire environment creates a secure location to test and neutralize potential threats.

Learn more about how your institution can incorporate the right security layers to combat today’s threats by downloading our “Improving Security Posture Through Next-Generation Firewall Features” white paper.

14 Jan 2021
Looking Ahead to 2021: A Regulatory Compliance Update

Looking Ahead to 2021: A Regulatory Compliance Update

Looking Ahead to 2021: A Regulatory Compliance Update

As we mentioned in our previous blog, the Pandemic dominated the regulatory landscape early in 2020, and cybersecurity dominated the last few months of the year. This double-whammy forced financial institutions to quickly make operational adjustments to their procedures and practices. In the previous post, we explored the Pandemic. In this post, we’ll summarize the regulatory focus on cybersecurity in 2020, and look ahead to 2021.

Focus on Ransomware

The escalation of ransomware attacks (also referred to as destructive malware) has prompted a greater focus on addressing this aspect of cybersecurity. On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies about possible sanctions for facilitating ransomware payments. Financial institutions should be aware that they (and their cybersecurity insurance provider) could be in violation of OFAC regulations should they decide to pay a ransom to anyone on the Specially Designated Nationals (SDN) list. This would place the institution on the hook for payments made by themselves, or by any third-party on their behalf. Institutions should address this issue during incident response testing by including their cyber insurance company and making sure they know that paying a ransom could trigger penalties or sanctions.

The heightened emphasis on ransomware also led to the release of a new Ransomware Self-Assessment Tool (R-SAT) in October 2020. Developed by the Bankers Electronic Crimes Taskforce (BECTF), the U.S. Secret Service, and state bank regulatory agencies, the R-SAT follows established best practices to help financial institutions reduce their risk of ransomware. We have reports from several banks around the country that their State examiners are requesting completion of the R-SAT prior to their examination. Unlike the CAT, the 16-question tool only allows “Yes” or “No” responses, it does not give users the option to answer “Yes with compensating controls”. This lack of flexibility does not work in the favor of smaller, less complex financial institutions, which may have informal practices in place that still accomplish the same objectives as the more formal practices of the larger institutions.

Nonetheless, the yes/no response format should not be an issue if institutions have already taken steps to address ransomware and, more broadly, cybersecurity. They can simply point regulators to relevant supporting details, (completed CAT assessments and incident response plans and tests for example) and that should be sufficient to demonstrate compliance. It’s also important to note that what we’ve heard from state regulators is that they are not strictly requiring institutions to employ the R-SAT, only that they intend to use the assessment as a starting point for further discussion. Increased discussion surrounding shared cyber threats facing financial institutions is never a bad thing!

Finally, the OCC released their semi-annual Risk Perspective in November and singled out cybersecurity as a key operational risk. While they point out that overall banks have adequate cybersecurity systems, they have seen some weaknesses related to IT, change management, and information security. We can expect increased scrutiny in these areas, and cybersecurity generally, for the foreseeable future.

What to Expect in 2021

One common denominator between the Pandemic and cybersecurity is the concept of resilience. Resilience, or the ability to withstand and recover from unplanned and unanticipated events, is all about proactive as opposed to reactive measures. It equates to implementing procedures ahead of time—rather than just responding to past events—to reduce the risk of operational downtime. Granted, the impromptu procedures established during the COVID-19 pandemic, or following a cyber-attack, are reactive in nature. But, once firmly in place and tested in the real world, they become the proactive resilience measures ready for when the next event occurs.

One additional factor common to both Pandemic and cybersecurity is proper management and oversight of third-parties. We expect that examiners will scrutinize how institutions manage the third-party lifecycle; from the initial decision to engage the third-party, to assessing and controlling on-going risk, to disengagement at the end of the relationship. Among the elements attracting attention are whether you are tracking the complementary user entity controls for critical vendors. These are found in the SOC 2 reports and list the controls expected of you by the vendor. Be aware of these vendor expectations, and document how you’ve addressed them.

In summary, take extra precautions in 2021 relating to cybersecurity (particularly ransomware), another potential Pandemic event, and third-party management. Document everything you’ve done or plan to do (e.g., resilience measures), and most of all stay flexible. If we’ve learned anything from 2020, it’s to expect the unexpected!

08 Jan 2021
2020 in the Rearview: A Regulatory Compliance Update

2020 in the Rearview: A Regulatory Compliance Update

2020 in the Rearview: A Regulatory Compliance Update

The COVID-19 pandemic dominated the regulatory landscape early in 2020, with cybersecurity dominating the last couple of months. Here is a look back at important regulatory changes and trends in 2020 and a look ahead at what to anticipate for 2021.

Characterizing Causes of Weakness

When it became obvious that the pandemic would have a pervasive and wide-ranging effect, the Federal Financial Institution Examination Council’s (FFIEC) issued several statements to address the situation. The FFIEC outlined some of the adjustments and accommodations that regulators expect bankers to make concerning lending, operational risks, and other areas. For instance, if an exam results in downgrading component or composite ratings for an institution, a distinction will be made between any weakness caused by the pandemic vs. management and governance issues.

Essentially, examiners will differentiate between a weakness resulting from an external event versus an internal systemic issue—even if the event is beyond management’s control.

The statement issued in June 2020, states, “Examiners will consider whether institution management has managed risk appropriately, including taking appropriate actions in response to financial and operational stresses caused by COVID-19 impacts.”

It is uncertain exactly how this issue will be interpreted in a post-pandemic world. After all, pandemic should be a part of all financial institutions’ business continuity planning, and as such, not completely outside the realm of a reasonably anticipated threat. So ideally management should have anticipated such an event, and have been prepared to respond. The only unanticipated aspect of the current Covid 19 event is the extreme extended duration compared to a standard Pandemic. It will be interesting to see how the agencies square the concepts of a “reasonably anticipated threat” vs. “external factors beyond management’s control”. Aren’t most threats both reasonably anticipated, and also beyond management’s control? We’ll let you know if and when we get any clarification on that.

Regardless of the scenario, documentation is crucial and often overlooked. Most folks are laser-focused on just getting past this and back to “normal” business, but memories fade over time, and documenting what adjustments you’ve made (or plan to make) during the pandemic will make the post-pandemic adjustments easier to explain to management and justify to examiners. Documentation can also help establish your increased ability to anticipate and respond to the next threat, also referred to as “resilience”. Institutions should make every attempt to document all management decisions, such as the minutes from management meetings, communications with third-parties, and any strategic or procedural changes you may have made or need to make. For example, if you’ve implemented technology to enable an increased mobile workforce (a strategic change), have you updated the remote access procedures and best practices in your employee Acceptable Use Policy accordingly (a procedural change)? Have all remote employees signed the updated AUP?

In our next blog post, we will dive into the focus on ransomware mitigation, how best to address cybersecurity, and what to expect heading into 2021.

31 Dec 2020
Best Practices in Leveraging Firewalls and Encryption

The Importance of a Layered Approach to Financial Institution Security: Best Practices in Leveraging Firewalls and Encryption

What You Need to Know About Securing Azure AD

Over the last decade, we have seen major advances in the world of online security, mainly with the development of firewalls and encrypted data options.

Safe Systems hosted a live webinar earlier this month discussing how firewalls, encryption and other online security measures work; why a layered security approach is best in all situations; possible threats to each security measure; and what your financial institution can do to keep your information secure and uncompromised. In case you missed it, here are a few key points from the webinar.

What are firewalls and how did we get to where we are today?

Firewalls became a necessity when banks and credit unions started connecting all of their computers to the same network that was then connected to the internet. Firewalls functioned as the first line of defense – but were nowhere near the caliber of defense we have available today.

When attacks started to occur, it put company computers and the data stored on them in a compromised position. A need arose to come up with appliances that were either in line with the firewall or were an additive to the firewall’s system. The new appliances included IDS/IPS systems, AV Gateways and Web filters – all of which added new layers of security to the firewall.

Today, the latest generation of firewalls, known as Next Generation Firewalls, combines earlier firewall models and offers multiple layers of protection as part of the firewall service. However, some of the additional layers may be included by default and some require extra licensing to take advantage of specific features.

What is the layered security approach and how do today’s firewalls implement that strategy?

What we have learned over the last several years is that security solutions may be incredibly strong in some regards but have gaping holes in others. A layered security approach assists in closing those gaps and lessens the potential risks for an online attack.

What is encryption, how does it work and what can we do better?

Encryption is another aspect of the layered security approach. The two encryption types highlighted in the webinar are Secure Socket Layer (SSL) and Transport Layer Security (TLS), and while they use different nomenclature, the two encryption types are essentially the same – TLS is just a slightly new version.

The goals of TLS:

  1. Encrypt Data
  2. Authentication
  3. Data Integrity

In the last 5 years, there has been major growth in website encryption. It has expanded from being used only when a user types in their username and password to include approximately 90% of the most visited websites today encrypting all of their webpages.

Although having encrypted sites gives users a more secure experience, encryption has some unintended consequences. When traffic is encrypted between the website and the desktop browsing the site, the firewall cannot evaluate the traversing traffic. This means, in the past, a firewall could evaluate a large majority of web traffic. Now, the firewall can only evaluate about 10% of web traffic, because the rest is encrypted.

Bad actors have focused on these security holes and have built their malware to navigate encrypted traffic to get through the firewall and to the workstation. To fight this issue, TLS inspection can be implemented on a Next Generation Firewall to inspect the encrypted traffic passing through on a daily basis.

Today, with TLS inspection, firewalls can get back to inspecting a majority of web traffic farther than just 10% that isn’t encrypted today. This closes a major security gap many institutions may not even know they have.

What steps can you take to increase your online security?

Although there are several ways you can increase your level of online security, as of now, there is no software that guarantees you will not be compromised. However, in addition to encryption, you can take several steps to keep your online presence safe and secure.

A few of the steps you can take to fight malware are:

  1. Anti-Malware Scanning – an anti-virus engine that came about in the Universal Threat Management (UTM) devices. Anti-malware is a software program designed to prevent, detect and remove malicious software on IT systems.
  2. Sandbox Analysis Piece – an additive that enables a firewall to analyze a file and determine its risks level. If the file is determined to possibly be malicious, the file can be sent to the sandbox where the file can be detonated. If the file appears malicious after detonation, the file is blocked from being downloaded to the end user. If the sandbox determines the file is likely safe, the file is allowed to pass through the firewall to the end user for us.

To learn more ways to protect your institution, watch our recorded webinar, “Why You Shouldn’t Ignore Encryption.”

22 Dec 2020
3 Top Security Threats Financial Institutions Must Defend Against

3 Top Security Threats Financial Institutions Must Defend Against

3 Top Security Threats Financial Institutions Must Defend Against

Security remains one of the primary areas of concern for community banks and credit unions, according to our recent sentiment survey and based on responses, the top three security threats that keep survey respondents up at night are cybersecurity, information security and ransomware.

Here’s a synopsis of each of these security categories as well as some proven best practices that can help institutions address them:

#1: Cybersecurity

Cybersecurity is a broad area for financial institutions to truly master, especial smaller community banks and credit unions with fewer resources to devote to defending themselves – something that National Credit Union Administration Chairman Rodney Hood has even acknowledged.
In today’s world, cybersecurity threats are ubiquitous, with cyberattacks 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report. However, banks and credit unions can take advantage of a number of resources to strengthen their security efforts. Two valuable tools include the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA.

Institutions can also capitalize on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to address cybersecurity issues. Not only can the Cybersecurity Framework help institutions properly evaluate their defensive capabilities, but it provides policies and procedures that can help them identify and even resolve security issues.

#2: Information Security

The goal of information security is to prevent electronic and physical data from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. More specifically, information security is a set of strategies for managing the processes, tools and policies that are necessary to defend data when it is being stored and transmitted between different machine or physical locations.

The three basic principles of information security are what are known as the “CIA” triad: Confidentiality, Integrity, and Availability. “Confidentiality” relates to being able to identify who is trying to access data and block attempts by unauthorized individuals. “Integrity” entails maintaining data in its correct state and preventing it from being improperly modified—either by accident or maliciously. “Availability,” like confidentiality, equates to ensuring data can only be accessed only by users with the proper permissions.

Today, institutions face a variety of threats to their data security, including breaches, malware, and deceptive phishing emails that trick victims into divulging their private information. These types of attacks can have a detrimental and long-lasting effect on companies, such as a loss of customers, reputation, revenues, and profits.

Financial institutions are common targets of malware, phishing scams, and data breaches. About 50 percent of all unique organizations impacted by “observed” phishing domains were from the financial services sector, according to Akamai Technologies’ 2019 State of the Internet/Security Financial Services Attack Economy Report.

As a defensive tactic, organizations should implement a layered approach to preventing information security threats. This means employing multiple security measures, policies, and procedures, from patch management to secure software development. However, people can be the first—and best—line of defense, so educating employees about potential cybersecurity threats is crucial.

#3: Ransomware

As the name implies, ransomware is malicious software that is designed to block access to a computer system until the victim pays a sum of money. The ransomware threatens to publish the data or deny access to it either temporarily or permanently.

Regardless of how the attack is initially perpetrated, ransomware presents a serious threat to all types of organizations. It typically begins when someone downloads a malicious email attachment or visits an infected website. The ruse is often undetectable, so most victims are not aware the data breach is happening—until it is too late. Unfortunately, ransomware is difficult to stop, and it can take a huge toll on consumers and organizations, causing frustration, disruption, data loss, and financial damage.

The problem with ransomware is that it is both widespread in nature and costly to address. And ransomware attacks—along with other cyber scams—began surging during the COVID-19 pandemic, according to the July 2020 McAfee COVID-19 Threat Report. A recent example is Ransomware-GVZ, which displays a note and demands payment in return for decrypting the company’s compromised computer systems and the data they contain.

Fortunately, there are actionable steps financial institutions can take to defend their data against ransomware attacks. Some of the most practical measures include keeping operating systems patched and maintaining up-to-date malware software to detect potential threats. Another good practice: keep files backed up, so the data can be replaced if a hacker ever holds it hostage. However, the time to implement defensive data security strategies is before a cyberattack happens.

For more insight about these top three security threats and best practices to defend against them, download our Top 10 Banking, Security, Technology and Compliance Concerns white paper.

12 Nov 2020
The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

In response to the Coronavirus pandemic, many financial institutions have implemented new technologies and made modifications to their IT infrastructure to better serve customers, members, and employees during this time. These changes may have increased the institution’s inherent risk profile, however, making it necessary to review the Federal Financial Institution Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) or National Credit Union Association’s Automated Cybersecurity Examination Tool (ACET). When adjustments are made to the organization, community banks, and credit unions must evaluate their risks and perform a gap analysis to ensure the institution is protected from cyber threats.

What is a Cybersecurity Gap Analysis?

A cybersecurity gap analysis starts evaluating the results of the CAT or ACET, (which is simply a snapshot in time of where you are with your risks (inherent risk profile) and controls (cybersecurity maturity) and then comparing “where your institution is” to “where you need to be.” In almost every case, there is some degree of misalignment between the two. Some common questions financial institutions ask are “Could we be doing more to oversee our cloud providers?” or “Should we be doing more to manage our internal administrators or third parties?” The idea of the gap analysis is to take your risk areas and determine what set of controls are most effective against those specific risk areas.

Completing the Cybersecurity Maturity section, for example, helps financial institutions better identify missing controls and processes. So, in order to increase the level of cybersecurity maturity, institutions should continually implement changes even if their inherent risk profile doesn’t change. Conducting a gap analysis is the first step in this process.

Continuous Improvement

Why should institutions strive to continuously improve their security posture even if their risk profile doesn’t increase? Simply put, because the threat environment is constantly evolving. New threats (and new twists on old threats) require constant vigilance and continuous improvements to existing controls. Standing still means you’re probably falling behind. On the other hand, making steady, incremental progress on your control maturity demonstrates a proactive, forward-thinking approach to cybersecurity.

Key Areas of Focus

First, financial institutions must determine if their controls and risks align – no small task as there are roughly 30 risk elements and nearly 500 control maturity elements in the assessment. Attempting to improve all of these areas in the CAT can be challenging and expensive for any institution, but especially smaller community banks and credit unions. While all control maturity domains are important, if your financial institution has limited resources, there are two key domains that you should focus your attention on when developing the gap analysis.

  • Domain 4: External Dependency Management
  • This domain involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships that provide access to the institution’s technology and information. Most financial institutions have a host of outsourced relationships that they rely on to keep operations running. Evaluating the interdependencies and associated security gaps from third-party vendors should be a key part of your analysis process.

  • Domain 5: Cyber Incident Management and Resilience
  • This domain focuses on establishing, identifying, and analyzing cyber events, as well as the ability to prioritize, contain, and mitigate during cyber events. The institution should also have the ability to properly inform the appropriate stakeholders in response to a cyber event. Cyber resilience includes both planning and testing to maintain and recover ongoing operations during — and following — a cyber incident. In the current security environment, it’s not if a cyber event will occur but when. Financial institutions should have an effective cyber incident response plan to control, contain, and recover from a potential cyber incident.

For more information, watch our Banking Bits and Bytes episode, “What is a Cybersecurity Gap Analysis?”

02 Nov 2020
The Impact of Digital Banking During the Coronavirus Pandemic

The Impact of Digital Banking During the Coronavirus Pandemic

The Impact of Digital Banking During the Coronavirus Pandemic

The coronavirus (COVID-19) pandemic has drastically reshaped the way banks and credit unions operate today. While financial institutions value face-to-face interactions with their customers and members, social distancing requirements and other safety precautions have caused retail banking to go almost entirely digital. This change impacts not only how financial institutions conduct their business and interact with customers and members, but also how they keep their institutions secure.

In this blog post, we outline 3 key ways the pandemic has impacted the industry and consumers, and how financial institutions are managing these changes in real-time while ensuring they continue to operate effectively for their employees, customers, members, and other stakeholders.

1. Know Your Customer

For banks and credit unions, know-your-customer (or member) procedures are a key function to establish a customer or member’s identity, understand their financial activities, and evaluate the level of risk to the institution. Traditionally, before opening an account, completing a transaction, and/or sharing private information, many financial institutions have relied on at least some face-to-face interactions. For community financial institutions, know-your-customer has gone well beyond best practice to become a competitive advantage. Many (if not most) community institutions pride themselves in knowing their customers by name!

However, due to the COVID-19 pandemic, financial institutions need to find ways to verify their customers’ identities and retain that personal touch using digital channels. Consumers want a frictionless banking experience where they feel trusted and can quickly receive the products and services they need, but they also want to avoid feeling like just another number. Institutions must balance managing remote transactions that could increase their security posture, against technology and policies that positively identify customers without alienating them. As a result, some financial institutions are leaning towards increased security by starting to adopt a “zero-trust” stance where every individual and transaction is considered suspicious unless proven otherwise.

2. Technology Updates

To protect customers and members during the pandemic, banks and credit unions have moved from in-branch, face-to-face interactions to using remote channels such as online, telephone, ATM banking as well as the drive-through to serve their customers. Our experience has been that many institutions that may have technology upgrades on their roadmap two or three years down the road have had to accelerate those projects. Others have added new initiatives to increase their remote capabilities and enhance their electronic services. However, all this likely requires tighter security protocols for customer verification. This can be challenging for smaller financial institutions that rely on more traditional in-branch visits to provide services to their customers or members, particularly if branches are closed or observing limited hours and services. It is up to these institutions to find the right balance of physical and digital solutions to ensure customers and members receive the same level of service they were accustomed to prior to the pandemic.

3. Digital Adoption

The COVID-19 pandemic has driven consumers to rely more heavily on digital channels for their banking needs. This has accelerated digital transformation for financial institutions in the U.S. as their customers demand solutions that allow them to quickly and easily complete transactions remotely. To meet this demand, financial institutions have reevaluated their traditional strategies, implemented and even accelerated digital initiatives, and are more inclined to not just enable but encourage digital capability for their customers. As they encourage consumers to adopt new solutions and remote tools, it will be critical to assess the risk of these solutions and develop controls to keep the network safe and protect sensitive, financial information.

Banks and credit unions must be able to provide the products and services their customers and members need all while keeping information secure, even in the midst of a pandemic. Having a solid plan to guide how you manage operations can make all the difference. One final thought, when the dust settles and things go back to “normal”, the steps you’ve taken to enable digital engagement with employees and customers will be considered resilience measures to mitigate the impact of a future event of this nature. Resilience will be a focus for regulators in future examinations.

To learn more about pandemic planning and best practices, download our latest white paper, “Navigating the Coronavirus Pandemic: Best Practices for Pandemic Planning and Key Lessons Learned.”

08 Oct 2020
Best Practices for Developing a Compliant Cyber Incident Response Program

Best Practices for Developing a Compliant Cyber Incident Response Program

Best Practices for Developing a Compliant Cyber Incident Response Program

If you think a cyber incident won’t impact your financial institution, you are seriously underestimating the lengths cybercriminals will go to steal your customers’ or members’ non-public information. According to a new report from NuData Security, a Mastercard company, financial institutions receive the highest percentage of sophisticated attacks (96%) amongst all industries.

As cybercriminals continue to exploit organizations and increase the quality of their attacks, financial institutions need to have a compliant incident response plan in place to control, contain, and recover from a potential cyber incident quickly and efficiently.

Safe Systems held a webinar discussing what a compliant cyber incident response plan should look like and shared key best practices community banks and credit unions should use to effectively document a cyber incident. In this blog, we’ll cover a few of the key points from the webinar.

Elements of a Compliant Incident Response Program

The requirements for incident response have changed significantly since 2005. The guidance was broad enough to encompass many of the events that are occurring today including cybersecurity and pandemic-related events. According to the Federal Deposit Insurance Corporation (FDIC), there are five key elements of a compliant incident response program:

  • Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused
  • Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information
  • If required, filling a timely suspicious activity report (SAR), and in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing, promptly notifying appropriate law enforcement authorities
  • Taking appropriate steps to contain and control the incident to prevent further unauthorized access or use of customer information
  • Notifying customers when warranted in a manner designed to ensure that a customer can reasonably expect to receive it

Although these requirements have essentially stayed the same, there is one key change that has occurred in the FFIEC’s 2019 update to the Business Continuity Handbook. The guidance now requires financial institutions to reference or include the incident response plan (IRP) in the business continuity management plan (BCMP). While still acceptable to have a separate incident response plan, somewhere within your BCMP you must now reference the IRP.

How to Document and Maintain Evidence of an Incident

Documentation is a key component of incident response to provide auditors, examiners, and other stakeholders with key information about the abnormal event or incident. Initial steps include the recording of basic facts about the suspicious event before it becomes an official incident.

Key questions include:

  • What specific abnormalities were noticed?
  • Where were they discovered?
  • When were they discovered?
  • Who first noticed the abnormality or event and who did they notify/involve?
  • If the event escalates to an incident, how did it happen, and what were the contributing factors that allowed it to happen?

If the event is categorized as an “incident,” you need to know how to document and maintain the evidence; what decisions were made; and the resulting actions taken. When enacting your containment strategies, part of that should involve collection and preservation of the evidence, including all the key records created by all the various technologies your institution uses. The guidance references that all financial institutions should have some type of logging intelligence. But which logs are most important for incident response?

When creating a logging strategy, there are five key challenges to consider:

  • Sources – Logs are generated from various sources such as users, databases or file shares, endpoints, networks, applications, and cloud services. With so many logs coming from different sources, it’s important to be aware of all the systems and applications generating logs and know how to access them to monitor efficiently
  • Log Volume – The volume can be different depending on the source. Some sources are quiet and easier to manage while other sources like network switches and firewalls are a constant torrent of volume and may be difficult to log. It’s important to determine what is realistic for your institution to store and manage
  • Log Protocols – All of the various sources speak different languages or protocols. Some of them are sending emails using a language called simple mail transfer protocol (SMTP), while other sources like network switches are sending information using a constant stream of Syslog data. It is nearly impossible to create a centralized system that can speak all of these languages perfectly so you must determine how your institution will extract intelligence from the logs
  • Log destinations – Once you’ve collected information, where are you going to send it? You’ll need to determine storage destinations for the different types of logs
  • Log interaction – After you’ve built the logging platform, do you want it to be searchable? You’ll need to decide how you want to interact with the data and how long you will keep it. Adding data retention can become significantly more expensive depending on the time frame for storage

Different types of data likely require different lengths of time for retention. Your retention policy should outline the expected retention time frame for each data log. Institutions should carefully consider all these key challenges when building a logging strategy that fits their unique needs.

If you’d like to learn more about cyber incident response, download our recorded webinar, “Not If, But When: Best Practices for Cyber Incident Response.”

01 Oct 2020
After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

In 2020 we’ve learned a lot about ourselves, and whether the general population realizes it or not, they have learned a lot about something often relegated just to banking: Risk Tolerance. And with that in mind, here are seven key items that your institution should consider while budgeting for 2021:

1. Laptops

Supply is down, demand is up, so from a pricing standpoint, you are unlikely to find great deals on laptops, but their portability has been a key component to companies and employees being successful during the pandemic. Remote work is a great option for employees who do not need face-to-face interactions with customers or members, but not every department can work successfully outside of the main office or branch.

When planning for next year, each position in the institution needs to be evaluated, if it hasn’t already, to determine the ability and effectiveness of remote working. When possible, consider having remote employees use a company laptop going forward. In a recent Safe Systems survey of community financial institutions, 1/3 of respondents have already decided that they will be purchasing more laptops this year.

2. Hardware Management Software

How many of the controls you use to secure your institution’s devices require the device to physically be in the office? As the work environment changes and more people make the shift to working from home offices, your current controls need to be evaluated to ensure they work just as effectively outside of the branch. For years, the push for “agentless” controls has been popular, but many of these controls assumed the office was a well-defined building where all devices used the financial institution’s network. As the home office becomes the new standard for many banks and credit unions, the need for agent-based controls is greater than ever. Controls/security measures are no longer effective if they require the device to be on premise.

3. Business Continuity Plan (BCP) Update

Having an updated pandemic plan as part of your BCP is still likely a need for many institutions. Because it has been more than a century since a full-scale pandemic hit the U.S., many of the assumptions and concepts that pandemic plans were based on have proven to be incorrect. For instance, many plans outlined operational changes based on only 50% staff for just a week or two. Much of the concern before 2020 was making sure staff members were properly cross trained in the event key individuals were unavailable for days or perhaps a few weeks. While this is still very important, it represents only a tiny portion of truly being ready for a pandemic.

Pandemic plans often did not address managing operations for a long duration or important measures like social distancing, security measures, consumer access, etc. Financial institutions must take a hard look at key lessons learned so far during the COVID-19 pandemic and update their plans accordingly.

4. Moving to the Cloud

Recognizing that having employees working outside of the office is a real possibility moving forward, investing in new servers and putting them in offices is becoming an antiquated idea. The cloud provides a level of redundancy, scalability, and accessibility that cannot be matched by buying a single server. It also means no one has to be in the office to manage the infrastructure. As servers need to be replaced, banks and credit unions should seriously consider the process of moving to the cloud.

5. Client Experience

One question every institution should be asking itself is: “how can we better enhance the customer experience?” While IT is usually seen as a cost center, the events of the past year may have opened a door for IT to step up and offer solutions that directly affect the customer experience. The pandemic has forced many people, some maybe for the first time, to adopt digital banking solutions. If IT can offer specific tools and/or insight into how to improve the customer experience, this may be the opening that IT has hoped for to secure a “seat at the table” among their institution’s leadership.

6. Cybersecurity

Garmin, the GPS and active wear company, reportedly paid $10 million in 2020 to counter a ransomware attack. Their customers were without the services for over a week while Garmin’s data was held hostage. All of the information about their case is not available yet, but the sad reality is that they likely could have prevented the entire situation with just a few technology solutions and security settings being implemented correctly. The threat to your data is as real today as it ever has been. Be sure to have a conversation with a security company you trust to ensure that even if you are the target of a ransomware attack, it won’t be able to hurt your business long-term. Invest in cybersecurity now, so that your institution won’t end up paying much more later.

Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report, and cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights.

Unfortunately spend and layers of protection most likely need to increase annually to address this issue.

  • Employee training – to ensure adequate and effective
  • Perimeter protection – to ensure the appropriate layers are enabled and all traffic is being handled correctly including encrypted traffic
  • Advance threat protection and logging – to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy – to ensure ransomware can’t wipe out your data

Per Computer Services, Inc (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

7. ISO

With the increase in responsibilities of the Information Security Officer and the focus on separation/segregation of duties, there has been an uptick in the number of institutions looking for virtual ISO (VISO)-type solutions. These solutions can help by taking some level of burden off of internal resources, provide staff with templates or toolsets when needed, and oversight to ensure nothing is falling through the cracks.

For 2021, there are a lot of things to consider. One focus should be to look at the changes your institution had to make because of the pandemic and what changes you should consider making in the future to improve cybersecurity, information security, and as always, your customers’ and members’ experience.

03 Sep 2020
The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The Peoples Bank Implements Virtual ISO Solution to Support Succession Planning for the ISO Role

The ISO is tasked with multiple simultaneous activities; supervising the financial institution’s business continuity planning, project management, vendor management, cybersecurity, exams and audits, and information security, which can be an overwhelming responsibility for one person to manage. This presents operational and compliance challenges for the institution if there is no second-in-command should the ISO become suddenly unavailable. For this reason, the Federal Financial Institution Examination Council (FFIEC) in their Management booklet outlines the importance of succession planning for key roles within the institution, including the ISO.

The Challenge

Effective succession planning involves proactively identifying alternate personnel and initiating proper cross-training for critical roles well in advance. A case in point is Billy Peele, who has worked with Iva, South Carolina-based The Peoples Bank for 45 years, and who has plans to retire by the end of 2020. Overseeing the bank’s IT and InfoSec departments, Peele has also functioned as the institution’s ISO. With a succession plan in place, the bank selected Jill Seymore and Addrian Wilson to jointly assume the title and responsibilities of the ISO in preparation of Peele’s departure.

Although highly skilled in banking operations, Seymore and Wilson initially lacked the level of ISO related experience necessary to fulfill the role. Specifically, the pair wanted a better grasp on the IT reports and to learn best practices in reviewing these reports from the ISO perspective. This learning curve could have been overwhelming for the new ISOs, but The Peoples Bank decided to implement a proven virtual ISO solution to give Seymore and Wilson the tools to become more confident in the new role.

The Solution

Too often, new ISOs do not receive a detailed hand-off document from the predecessor and may not know where to start to complete key responsibilities. Fortunately this was not the case for The Peoples Bank as Safe Systems’ ISOversight Virtual ISO Solution formalized all responsibilities into a structured framework for Seymore and Wilson, allowing for methodical review of all tasks on a monthly, quarterly, and annual basis to ensure continuity for the bank.

ISOversight serves as a risk management tool designed to support the role of the ISO by augmenting existing personnel and ensuring that all tasks and related activities are completed on time and properly reported to the various stakeholders. ISOversight helped ease Seymore and Wilson into the ISO position by grouping all of the various responsibilities into a unified platform to effortlessly manage compliance and security activities. Not only did this clearly outline key requirements of the ISO, but it also educated Peele’s successors on how to effectively perform the role.

The Results

ISOversight gave Seymore and Wilson the confidence that allowed them to trust the bank’s IT department while verifying all interrelated activities are running smoothly and securely. Reviewing reports and receiving alerts with the assistance of the VISO helps the new ISOs extract relevant, actionable information to determine if there are anomalies or exceptions that they should be aware of and act on.

The key to succession planning is to find ways to standardize and maintain the consistency and continuity of the responsibilities of the ISO. In this case, the bank can be confident that information is secure, tasks are being completed on time, and documentation is shared with auditors, examiners, and the board. At The Peoples Bank, ISOversight provided a seamless transition for Seymore and Wilson, while laying a solid foundation for future ISO activities.

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

27 Aug 2020
Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Three Virtual ISO Delivery Models for Community Banks and Credit Unions

Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.
– FFIEC Information Security Handbook

Information security officers (ISO) have a wide range of responsibilities and navigating them can be quite challenging, especially with increased scrutiny from examiners on alignment of policies, procedures, and practices. Adding to that challenge is the associated element of accountability; the premise that unless your practices are properly documented and reported to the various stakeholder groups, there may be doubt in the mind of the examiner as to whether or not they actually happened.

As a result of this responsibility + accountability challenge, many financial institutions are turning to virtual information security officer (VISO) solutions to support the role of the ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time; are following approved procedures; and are properly reported to the various stakeholders.

In a recent webinar, Safe Systems outlined the three virtual ISO delivery models available to community banks and credit unions today and discussed key considerations when implementing each.

1. Outsource All Activities

In this model, the financial institution hires a third-party provider to take on all of the responsibility and accountability tasks of the ISO role. Outsourcing these activities minimizes your staff’s involvement, potentially freeing up time to focus on more revenue generating activities, but this approach is typically more expensive because the third-party provider is doing all of the heavy lifting.

Another important consideration is that outsourcing everything can also isolate key personnel from important procedures and practices. If the institution isn’t involved in the day-to-day information security activities, when IT auditors and examiners question your personnel, they may not have the necessary day-to-day procedural knowledge to answer their questions. For example, there will likely be activities the outsourced provider is doing that the ISO is unaware of or they are using procedures not familiar to your personnel. This could lead to audit and examination observations or findings, as the ISO is expected to have comprehensive knowledge and understanding of all information security activities

Outsourcing information security tasks is best for financial institutions with neither the time, expertise, nor inclination to perform the duties of the role. However, it comes at a higher cost, both in terms of capital outlay and also in the possibility of ISO disassociation from actual procedures and practices. The FFIEC Management Handbook uses terms such as “engaging with…,” and “working with…,” and “participating in…,” and “informing…,” to describe the typical responsibilities of the ISO. This level of involvement may be more difficult under the “outsource all” model.

2. Toolset only (Apps, Checklists, Templates, etc.)

Another option is to select a model where there’s a toolset provided to accomplish ISO tasks. The toolset could consist of applications, checklists, or templates that may be prefilled or partially filled. With this model, you’re given the tools to manage ISO responsibilities without the support. There’s less human interaction, which typically means the service is less expensive.

However, the toolset model requires more effort from staff and requires the financial institution to rely on internal resources for information security expertise and guidance. Without this guidance, this model may also introduce some inconsistencies between the institution’s policies and procedures. For example, if you specify something in one area of your policies and you reference something that may conflict with that in another area, auditors are likely going to notice and question you on it, and that could cause them to dig deeper into other areas. Policy/procedure consistency is one of the most important indicators of strong infosec governance.

This model may include access to compliance guidance and expertise, but it would be reactive instead of proactive. It is best for institutions that have the necessary internal expertise, but they just need the additional structure a toolset provides to ensure all activities are completed in a timely manner.

3. Hybrid (Toolset + Consultation)

Finally, a hybrid model combines the first two models to provide a toolset plus additional expertise, proactive guidance, and consultation. It typically has better integration between various ISO practices because it’s all under one umbrella. As a result, the institution gains consistency and better coordination within and among its policies for business continuity, vendor management, incident response, project management, and information security. However, because of the tight integration, financial institutions that do not adopt all of the tools that support this model may not see the maximum benefit. Also, because of the increased level of ISO engagement, it may be more resource intensive initially, especially if the institution is behind on key ISO tasks. However, once tasks are brought up to date, ongoing maintenance is simpler due to the integrated toolset. This model is also quite flexible and can easily adapt to the evolving needs of the institution.

This is the model we decided to adopt for our virtual ISO solution, ISOversight. We’ve found this model is best for institutions that desire the advantages of regular active involvement with outside expertise, plus a toolset and reporting to ensure the ISO remains fully engaged. The price point is somewhere between the other two models; less than a complete outsource, but a bit more than toolset only.

ISOversight is a risk management solution that provides accountability for all of the responsibilities of the ISO. We have monthly touch point meetings, and we tailor the service to meet each institution’s unique requirements.

To learn more about the information security officer role and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

13 Aug 2020
One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with Safe Systems’ Virtual ISO Solution

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Mergers and acquisitions can present significant operational challenges for information security officers (ISO) who are tasked with ensuring a smooth transition of the information security program. Often, some key responsibilities of the ISO may be overlooked as other tasks related to the merging of the two institutions take precedence, overextending the ISO as they work to manage the information security program effectively and stay on top of regulations.

The Challenge

Eric Nadeau, chief financial officer at One Florida Bank, faced this very issue when his bank acquired another bank in Florida to expand the institution’s reach across the state. Nadeau wore many hats at the bank serving as the information security officer, chief financial officer, head of accounts payable, and director of both HR and IT. Although Nadeau understood the role and responsibilities of the ISO, he simply lacked the necessary time required to develop a formal program to efficiently complete all ISO-related tasks.

After acquiring the other bank’s charter and then merging the two institutions, Nadeau knew that his bank’s existing compliance management practices would not be enough to accommodate the rapid growth and continue to satisfy the regulators. While he needed assistance in managing the information security program, the institution was not yet ready to make the investment to expand personnel by adding a dedicated ISO.

The Solution

Following the merger, the bank needed a strong operational structure in place to get the now larger institution up and running and meet regulatory expectations quickly. During the acquisition process, Nadeau was introduced to Safe Systems’ ISOversight VISO (Virtual Information Security Officer) solution. The institution One Florida Bank acquired was already a Safe Systems customer using its network management services. After learning more about the VISO and compliance program, Nadeau performed his due diligence and made the decision to implement the ISOversight solution to streamline the bank’s information security processes.

A VISO serves as an extension of the in-house ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time and are all properly documented and reported to the various stakeholders. ISOversight’s integrated approach to vendor management, business continuity planning, cybersecurity, strategic planning, and information security influenced Nadeau to implement a VISO strategy.

“We had a very aggressive growth plan and I was wearing many hats. I couldn’t cobble together a bunch of Excel-based risk assessments and manual tasks into a formal process within an acceptable time frame,” said Nadeau. “I needed a support structure that I could leverage very quickly to sustain our bank’s strong and rapid growth plan and ISOversight provided that.”

The Results

While Nadeau expected the bank to grow, he did not anticipate that the bank would become a $690M institution in just 18 months. With ISOversight, Nadeau was able to quickly implement new operational structures for the institution amidst this rapid growth.

ISOversight combines all the various risk assessments into one centralized portal with ease, eliminating the use of multiple spreadsheets and numerous documents. The VISO enabled the bank to create a new compliance infrastructure with easy-to-read summaries of all ISO activities, as well as establish a new fully compliant business continuity management plan, a robust vendor management program, and comprehensive project and audit/exam tracking. ISOversight provides an integrated approach to all these initiatives as they all work hand in hand.

“The first year after the acquisition required a massive amount of work, but ISOversight allowed our bank to prioritize and complete tasks until we reached a smooth and successful integration,” said Nadeau. “Even examiners have commented on the progress we’ve made and recognized the value that the integrated platform provided to our management.”

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

06 Aug 2020
Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Managing Information Security Requirements and Expectations: Accountability vs. Responsibility

Of the many roles within a financial institution, the information security officer (ISO) is the most critical for the protection of confidential and nonpublic personal information and maintaining compliance with federal regulations. In fact, the Federal Financial Institution Examination Council (FFIEC) goes so far as to mandate that all financial institutions have one or more individuals dedicated to the position of ISO.

Safe Systems held a webinar last week outlining the most common challenges for ISOs and some helpful ways that they can better identify, perform, and document their regulatory responsibilities. In this blog post, we’ll highlight two of the most important elements of the ISO role and outline 8 key regulatory responsibilities all ISOs should focus on to meet examiner expectations.

Key Elements

For ISOs, everything ultimately hinges on responsibility (specific tasks the ISO must perform) and accountability (specific documentation ISOs must provide to key internal and external stakeholders). In fact, these terms are referenced multiple times within the FFIEC guidance:

“The ISO is responsible for overseeing and reporting on the management and mitigation of information security risks across the institution and should be held accountable for the results of this oversight and reporting. – FFIEC Management Handbook

“Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program.” – FFIEC Information Security Handbook

Individuals in the ISO role must effectively demonstrate both elements to adequately meet regulatory expectations.

Maintaining Compliance

The ISO must not only be able to perform key responsibilities of the role, but he or she must also provide proper documentation to specific stakeholders to satisfy the accountability requirements. The FFIEC’s Management Handbook outlines 8 key responsibilities of the ISO role including:

  1. Implementing the information security strategy and objectives, as approved by the board of directors, including strategies to monitor and address current and emerging risks
  2. Engaging with management in the lines of business to understand new initiatives, providing information on the inherent information security risk of these activities, and outlining ways to mitigate the risks
  3. Working with management in the lines of business to understand the flows of information, the risks to that information, and the best ways to protect the information
  4. Monitoring emerging risks and implementing mitigations
  5. Informing the board, management and cybersecurity risks and the role of staff in protecting information
  6. Championing security awareness and training programs
  7. Participating in industry collaborative efforts to monitor, share, and discuss emerging security threats
  8. Reporting significant security events to the board, steering committee, government agencies, and law enforcement, as appropriate

When performing these key responsibilities, the ISO must reference the institution’s policies (what you say you do); procedures (how you say you’ll do them); and actual practices (what you actually do and are able to document). In our experience, we’ve seen that there is often a gap between procedures and practices, which often results in the majority of audit and exam findings for financial institutions.

To address this issue, many community banks and credit unions are turning to virtual ISO solutions. A virtual ISO platform serves as a risk management solution that addresses the regulatory expectations and important tasks that the ISO must oversee. The solution helps financial institutions augment their internal ISO role, streamline responsibilities, and ensure the institution’s procedures and practices are properly aligned. Most importantly, a virtual ISO can make sure that all stakeholders; Board, committee, auditor, and regulator, have the appropriate reports to document that alignment.

To learn more about the information security officer role, the 3 virtual ISO delivery models, and the benefits of virtual ISO solutions, watch our recorded webinar, “ISO Requirements and Expectations: Accountability vs. Responsibility.”

04 Aug 2020
Maintaining Information Security to Combat Cyber Attacks

Maintaining Information Security to Combat Cyber Attacks

Maintaining Information Security to Combat Cyber Attacks

As banks and credit unions continue to work to keep all employees and customers/members safe during the pandemic, information security should be a top priority. Because many businesses and consumers have shifted towards digital channels, threat actors have launched a new wave of attacks specifically targeting financial institutions and other financial activities. According to VMware Carbon Black, attacks against the financial sector increased 238% globally from the beginning of February to the end of April. Protecting your institution’s nonpublic personal information is critical as we continue to move forward in a heightened security threat landscape. Here are a few things to keep in mind:

CIA of Information Security

Information security focuses on ensuring the Confidentiality, Integrity, and Availability of virtually all forms of information. It involves protecting digital and physical data from unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction. Some of the most serious—and alarming—threats to information security are data breaches, malware, and phishing.

  • Data Breaches
  • With data breaches, sensitive, confidential, or otherwise protected information is accessed or inappropriately disclosed. The negative impact of such a breach can result in diminished customer loyalty, a tarnished brand image, and loss revenues and profits. These adverse effects can last for years—with some companies never recovering.

  • Malware
  • Malware is any piece of software that was written with the intent of damaging devices and/or stealing data. There are many different types of malware including, viruses, trojans, spyware, and ransomware. Fintech holds a special interest from the malware community-at-large. According to cyber threat intelligence company Intsights, 25 percent of all malware targets financial institutions.

  • Phishing
  • With phishing, cyber attackers use fraudulent emails and websites to solicit people’s credit card numbers, passwords, account data, and other personal information. Financial institutions are common targets of phishing scams that are engineered to trick victims into disclosing their information.

Best Practices for Information Security

Security threats can affect financial institutions through numerous weaknesses. So institutions should take a layered approach by using a combination of security measures, policies, and procedures. According to the FFIEC IT Handbook’s Information Security booklet, common layers in security controls should include:

  • Patch management
  • Asset and configuration management
  • Vulnerability scanning and penetration testing
  • Endpoint security
  • Resilience controls
  • Logging and monitoring

However, since humans are often considered to be the first—and best—line of defense for preventing cyber-attacks, employees need to receive the proper education and training on the latest scams and techniques. By teaching staff how to detect suspicious emails, links, and websites, financial institutions can significantly strengthen their security and avoid unnecessary trouble. The more user training an institution provides, the lower the success rate of phishing attacks against that institution. Ultimately, an institution’s approach to security will depend on the assets it is protecting, along with its unique vulnerabilities, operation, and strategic objectives.

For more information, download our complimentary white paper, “Top 10 Banking Security, Technology, and Compliance Concerns.”