11 May 2023

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The Importance of Effective Third-party Management

As financial institutions increasingly rely on outsourced providers, third-party management is becoming a more critical aspect of managing risk. Institutions depend on third-party providers for a variety of essential services, including technology, operations, and marketing. And while these entities offer significant benefits, such as cost savings and improved efficiency, they also pose a substantial risk. We often refer to this as “inherited” risk, as institutions will inherit the residual risk of the third party. If not properly identified, measured, and addressed, inherited risk can expose financial institutions to threats such as regulatory non-compliance, operational downtime, and reputational damage. However, institutions can successfully mitigate many of these risks by ensuring that they thoroughly vet outside providers prior to engagement, properly structure contracts, and employ ongoing monitoring and reporting.

Key Elements

The Federal Financial Institutions Examination Council (FFIEC) has issued guidelines for managing vendor relationships effectively. These standards emphasize the importance of several key elements, including:

Due diligence: Financial institutions must evaluate vendors’ financial stability, reputation, and regulatory compliance prior to engagement. This includes assessing vendors’ security controls, data protection policies, and disaster recovery plans.
Contract management: Vendor agreements should clearly outline the scope of work, deliverables, and performance metrics. They should also include provisions for termination, dispute resolution, data disposal, and indemnification.
Ongoing monitoring: Financial institutions must regularly monitor their third parties to ensure that they continue to meet contractual obligations and regulatory requirements. This includes periodic risk assessments, reviewing vendor reports, and could even include conducting on-site visits.
Risk assessment: Institutions should assess the level of risk associated with each vendor relationship based on the services provided, the vendor’s access to sensitive data, and the potential impact of vendor failure. Doing so can help financial institutions allocate resources more effectively to minimize potential risks.
Board and management oversight: Third-party management should be an ongoing topic of discussion at the board and management levels. This includes not only approving policies and procedures, but also reviewing risk assessments and monitoring reports, and making decisions about initiatives that require new vendor relationships.

Common Misconception

Risk management requires first identifying the risk’s source before it can be measured and mitigated. To accomplish this, it’s important to separate the risks of the underlying initiative from the risks of the third party that supports the initiative. With the possible exception of reputation risk, most of the risks surrounding the evaluation and implementation of a new initiative are associated with the initiative itself, not the third party. Simply put, if the strategic, operational, and regulatory risks would be present in the initiative regardless of the third party selected, it does not belong to the third party, it belongs to the initiative or project. We’ve found this to be a fairly common misconception, even among auditors and examiners.

Effective Solutions

Once the risk source is confirmed as associated with the third party as opposed to the initiative, institutions must create a protocol for what risks to assess and how to assess them (the inherent risk), what specific controls to implement, and the effectiveness of those controls assuming they will be correctly implemented and operate effectively (the residual risk). This is where an app can significantly help standardize and streamline the process. An automated third-party risk management program will identify and assign specific controls according to the specific risks and risk levels identified.

With the increased focus on third-party risk management, more banks and credit unions are finding that auditors and examiners expect institutions to not just identify appropriate controls, but to actually request, receive, and review them. Particularly key control documents, such as contracts, financials, and audit reports, such as System and Organization Controls (SOC) reports. However, knowing what to look for (and where to look) in these documents can be challenging. Partnering with a third-party service to assist you can provide a second set of eyes and additional expertise to ensure that these documents are supplying the necessary controls.

Other key features to look for in an effective third-party risk management program include the ability to assign one or more vendor managers, email reminders when tasks are due or overdue, automatic Office of Foreign Assets Control (OFAC) checks, the ability to easily identify and track complementary user entity controls (CUECs), the ability to store key vendor documentation and notes. Also, a robust on-demand reporting feature is important to be able to provide stakeholders with timely, accurate updates on the status of your third-party risk management program.

By associating with the right partner, financial institutions can develop a strong third-party risk management program that aligns with guidance, keeps data private and secure, and minimizes the impact of third-party cyber threats. Safe Systems, for example, offers a wide range of vendor management solutions to help institutions ensure regulatory compliance.

08 Sep 2022

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. It is estimated that cyberattacks are 300 times more likely to be targeted against financial services firms than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—and will be more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

27 Jul 2022

Banks, Compliance, Credit Unions Christine Ray 0 comment

Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our expert’s core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, all COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

30 Mar 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Get Prepared for the New Computer-Security Incident Notification Rule

As of April 1^st, financial institutions are expected to comply with new cyber incident notification requirements for banking organizations and their third-party service providers. The Computer-Incident Notification Rule, as it’s officially called, is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The final rule—approved last November by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC)—takes effect on April 1, 2022, with full compliance extended to May 1, 2022. (To date, the NCUA has not adopted the new rule, although it’s possible they may at some point. Credit Unions should check with their regulator for notification expectation specifics.)

Understanding the Regulations

To meet the upcoming deadline, financial institutions need to be well versed in the intricacies of the new rule. The rule has two components:

The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Focusing on the financial institution expectations under the final rule, a couple of definitions must be understood.

A “computer-security incident” could include almost anything: a hardware or software failure, an innocent mistake by an employee, or a malicious act by a cybercriminal. However, the incident must result in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
A “notification incident” is defined as a significant computer-security incident that has materially disrupted or degraded a banking organization in at least one of these areas:
its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base in the ordinary course of business
its business line(s), including associated operations, services, functions, and support that, upon failure would result in a material loss of revenue, profit, or franchise value
its operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

In the event an incident rises to the level of a “notification incident,” the banking organization’s primary federal regulator must receive this notification as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has happened.

Recognizing the Gray Areas

The words “material” and “materially” are key terms; so much so that they are used 97 times in the 79-page guidance about the ruling. But beyond an “enterprise-wide” impact, the regulation does not precisely define these concepts, so financial institutions will need to specify what this term means to their organization as a whole. And since a determination of materiality is a prerequisite to starting the 36-hour “clock” for notification, they should do so ahead of time. The undefined nature of “material” to each organization creates a gray area open for interpretation that not only allows institutions some flexibility in this area but also opens the door for differences in opinion between an institution and its regulator.

In another gray area, the rule does not impose any specific recordkeeping requirements, which is a reduced burden. However, we strongly recommend keeping at least basic documentation in case the examiners ever question why your institution did or did not decide to escalate an event from a computer-security incident to a notification incident, and why it started the “clock” when it did.

Preparing for the Unknowns

At this stage, there are some unknowns about the implications of the new cyber incident notification requirements. One of the unknowns discussed in our recent webinar was related to an official contact person and method for each primary federal regulator. This has since been addressed and we recommend incorporating the following verbiage into the regulator notification section of your Incident Response Plan:

FDIC institutions:

Notification can be made to the case manager (primary contact for all supervisory-related matters), to any member of an FDIC examination team if the event occurs during an examination, or if the primary contact is unavailable, the FDIC may be notified by email at: incident@fdic.gov.

OCC Institutions:

Notification may be done by emailing or calling the OCC supervisory office. Communication may also be made via the BankNet website, or by contacting the BankNet Help Desk via email (BankNet@occ.treas.gov) or phone (800) 641-5925.

Federal Reserve Institutions:

Notification may be made by communicating with any of the Federal Reserve supervisory contacts or the central point of contact at the Board either by email to incident@frb.gov or by telephone to (866) 364-0096.

Another unknown as of the date of this post: Will the State banking regulators also require notification if a federal regulator is notified? The unofficial initial indication we have received is ‘Yes,’ but it would be good practice for institutions to check with their state regulator. Chances are regulators will request this, but whether or not it will be a requirement is still unknown.

Steps to Take Now

There are additional steps financial institutions can take now to be better prepared to address the requirements of the computer-Security Incident Notification Rule.

Our primary recommendation is for institutions to expand the notification section of their incident response plan to include the criteria for determination of a notification incident, and to add the regulator contact information above.
Institutions should also define “materially” for their organization and predetermine the meaning of “materially disrupted or degraded,” or what constitutes a “material portion” of their customer base.
Third-party contracts should contain verbiage obligating them to notify your institution under certain circumstances as required by the new rule. We also strongly advise designating an official contact person within your institution — whether it’s the CEO, CIO, or ISO — who should receive incident notifications from your third parties. It’s also prudent to specify a backup contact person—and make sure vendors know who the primary and alternate contacts are to ensure a smooth notification process.

For more information about this important topic, access our webinar on “New Cyber Incident Notification rules: How to Get Prepared”, or this recent blog post from Compliance Guru.

02 Feb 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2021 Compliance Review and Tactics for Staying Ahead of Regulators in 2022

Compliance Review and Tactics

With 2021 in the rearview and 2022 well underway, it’s a good time to consider some compliance issues from last year, and current trends and tactics for keeping ahead of regulators this year. In 2021, we saw a number of compliance-related changes from the Federal Financial Institutions Examination Council’s (FFIEC) and Federal Deposit Insurance Corporation (FDIC). One important development, especially for smaller community banks and credit unions, was the FDIC’s new Office for Supervisory Appeals. The office—launched in December to operate independently within the FDIC—considers and decides appeals of material supervisory determinations. It replaces the existing Supervision Appeals Review Committee.

The Office of Supervisory Appeals will “enhance the independence of the FDIC’s supervisory appeals process and further the FDIC’s goal of ensuring consistency and accountability in the examination process,” according to the FDIC. There’s a broad range of material supervisory determinations that institutions can appeal through the office, including CAMELS ratings under the Uniform Financial Institutions Rating System; IT ratings under the Uniform Rating System for Information Technology (URSIT); and Trust ratings under the Uniform Interagency Trust Rating System. This new appeal process isn’t a guarantee that supervisory findings will be changed but may prove useful as a last resort for FDIC institutions facing downgrades in scores where there is a material disagreement between the FI and the FDIC.

Another significant FFIEC development last year involved amendments to the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. The BSA amendments included certain provisions to the USA Patriots Act to detect, deter and disrupt terrorist financing networks. This would appear to be an area of focus going forward, as 3 of the 10 most substantive (i.e., non appointment-related) FFIEC releases in 2021 were related to BSA/AML.

In June, the FFIEC issued a new Architecture, Infrastructure and Operations (AIO) booklet as part of its Information Technology Handbook. With this logical move, the FFIEC replaced its July 2004 Operations Handbook with a single booklet that merges three interconnected areas. In August the FFIEC also enhanced its guidance on authentication and access to services and systems—advocating for the widespread use of multi-factor authentication (MFA)—and released guidance on conducting due diligence on fintech companies.

One additional item of note in 2021; the FDIC’s tech lab, FDITECH, launched an initiative to challenge institutions to measure and test bank operational resiliency. Ultimately, a set of metrics may be applied to financial institutions—perhaps community banks in particular—to determine whether they are adequately resilient against operational disruptions. We’re keeping a close eye on this as it may lead to a universal formula for grading or ranking resilience. Anything that reduces subjectivity also reduces uncertainty, and that is a good thing when it comes to regulations.

Tips, Tricks, and Tactics

One of the main tactics to apply now to enhance compliance is to focus on the concept of resilience in all areas of the financial institution. Incorporate this concept into your business continuity management plan, vendor management program, third-party supply chain management, and information security. The key is to prepare in advance for a disruption—to put processes in place to reduce the possibility of disruption, and to minimize the impact of disruption should it occur.

Here’s another way to stay ahead of regulators: Financial institutions can connect the concept of risk appetite to the acceptable risk in their risk assessments. This goes beyond merely asserting that whatever residual risk you may have is deemed acceptable, which is highly subjective. Inherent risk less controls establish residual risk. However, residual risk levels must be compared to pre-determined risk appetite levels to determine acceptability. Only if the residual risk is less than or equal to their risk appetite can residual risk be considered acceptable. This process also reduces subjectivity and uncertainty—which should leave examiners and auditors much less room for interpretation, and result in a better audit/exam experience for you.

What to Consider in 2022 and Current Trends

Another area we’ll definitely be watching in 2022 involves the new incident notification rules that were issued late last year. All financial institutions will need to update their incident response plan and possibly their vendor management program and business continuity plans to accommodate these new regulations. These changes, while not necessarily difficult, can be pervasive in that they will cross over into multiple policies and procedures. In short, the rule requires institutions to notify their primary federal regulator as soon as possible—no later than 36 hours—after they determine that a notification incident has occurred. There are also new requirements for third parties to notify you if they experience a similar event, which could require changes to the vendor contract. The effective date of the new rule is April 1, 2022, with compliance expected to begin on May 1, 2022. There may be a grace period, but financial institutions should be prepared for examiners to ask questions about your adherence to these new rules at your next Safety and Soundness exam.

Regarding trends, we believe the focus on third-party risk management will continue in 2022 and into the future. Currently, there’s growing support for the idea of having the FDIC, Federal Reserve, National Credit Union Administration (NCUA) and other agencies coalesce around a single set of standards for third-party management. This would create more consistency with the rules concerning how regulators and others define third parties and vendors, and expectations for effective risk management. The outcome of the discussions around this topic may not manifest until Q3 or Q4 of this year, but institutions should work on formalizing their process for conducting due diligence when dealing with fintech companies and other critical vendors.

Safe Systems has been serving financial institutions for more than 25 years. To get more of our experts’ views on this topic, listen to our webinar on “Compliance Review and Tips, Tricks, and Trends for Staying Ahead of Regulators in 2022.”

05 Nov 2021

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Minimize Examiner Scrutiny by Automating Compliance Processes

Financial institutions can expect to receive increased auditor and examiner scrutiny over their governance and oversight practices, and inconsistencies between procedures and practices will often result in findings. However, these challenges can be minimized or even eliminated by using automation to manage compliance processes.

Incorrect or Outdated References

One of the most widespread exam issues institutions encounter is due to policy inconsistencies, where incorrect or outdated references are used. Mentioning outdated guidance in policies is one of the most common offenses that institutions commit. For instance, referring to an older term like SAS 70 (Statement on Auditing Standards No. 70) or SSAE 16 (Statement on Standards for Attestation Engagements No. 16) instead of the newer SSAE 21 (Statement on Standards for Attestation Engagements No. 21) could be dismissed as a minor oversight, but it could also be considered a “red flag” causing examiners to question whether the institution has properly updated its policies, resulting in further scrutiny. A weakness in one area strongly suggests that there may be other weaknesses.

Another example of this type of issue is referencing “business continuity planning” (or BCP) versus “business continuity management planning” (or BCMP). Again, this would be a minor mistake because the term business continuity planning is not necessarily obsolete; still, it’s not consistent with the most recent guidance, and could lead to deeper dives in other areas. (In 2019, the Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management booklet. This guidance, part of the FFIEC Information Technology Examination Handbook, replaces the Business Continuity Planning booklet issued in February 2015.)

The problem with employing slightly outdated terminology also applies to phrases like “maximum allowable downtime” (MAD) and “maximum tolerable downtime,” (MTD) which is the newer reference. Examiners and auditors will accept either phrase so this is not a critical issue, but the use of dated terms can instill doubt in examiners and make them inclined to dig deeper into the institution’s policies.

Procedure and Practice Inconsistencies

Disconnects between policies and practices are another frequent exam challenge for institutions. Ideally written procedures should not contain statements that contradict the institution’s actual practices. In other words, your actual practices should as closely as possible reflect what you say you’ll do in your written procedures. For instance, there would be a procedure/practice inconsistency if the password policy of the information security program required eight characters, and the acceptable use policy (AUP) that employees signed allowed passwords of a different length. This type of inconsistency will almost certainly lead to further issues with examiners and auditors.

Another key area of focus for examiners and auditors is board reporting. Disconnects can occur if the information presented to the Board is not properly documented in Board minutes. This challenge is compounded by the sheer volume of information modern Boards are required to digest. The only way to make sure board minutes contain all pertinent details is to periodically review them. This will help ensure that the content of board meetings is consistent with both examiner expectations, and your written procedures.

Integrating Automation

In addition to changes in guidance terminology or updates to guidance policies, an institution’s procedures can and do change periodically as well. So contradictory statements resulting from policy updates are inevitable. Still, financial institutions must be aware of guidance changes and must also ensure their current procedures align with their practices and are consistent across all documents to make sure they comply with industry guidance and regulations. While this is easier said than done, technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

For example, a simple way to assess your potential exposure to procedural disconnects is to search through the documents in your institution’s information security program, for statements that include the words “will,” “must” or “shall.” Each of these statements contains an obligation of some sort; something you’ve committed to doing. For each occurrence, determine if A) it’s being completed exactly as indicated, B) by the group or individual assigned responsibility, and C) it’s being performed at the designated frequency or interval. Automation can help track these tasks and provide the necessary proof in the form of documentation. Additionally, most policies will make multiple references to the same task; business continuity may be referenced in information security, incident response in business continuity, vendor management in both information security and business continuity, etc. A change to a procedure or practice in one document should automatically trigger the associated changes elsewhere.

Integrating automation into the equation can help institutions streamline their methods for managing a variety of compliance changes and issues and greatly reduce the most common causes of findings due to disconnects and inconsistencies. Automation can make it easier to maintain more consistent and complete integration in areas throughout the organization, including information security, risk management, network management, vendor management, and business continuity management. Ultimately, automated updating, tracking, reporting, and other tasks can facilitate better preparation for exams and audits, and greatly reduce stress levels!

To learn more about how automating routine procedures can help financial institutions avert auditor and examiner criticism, listen to our webinar on “Managing Your Compliance Processes in 2021: Is There a Better Way?”

If you’re not certain where to begin when it comes to automating your compliance processes, check out our new service, COMPaaS™ (Compliance as a Service). This set of connected applications and powerful monitoring and reporting tools can be customized to target and eliminate your institution’s specific compliance pain points. One of our experts will help you create a solution that is unique to your institution, so you only pay for the services you need. And you can feel confident in choosing from products and services that are backed by nearly 30 years of experience in the banking industry.

29 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2021 Hot Topics in Compliance: Mid-Year Update

2021 Hot Topics in Compliance

While the COVID-19 pandemic certainly isn’t over, financial institutions have learned valuable lessons so far. In retrospect, the pandemic’s impact on community banks and credit unions hasn’t been as catastrophic as examiners had initially feared—at least not financially. Key impacts have been mostly operational, involving risk related to temporary measures taken to weather the crisis. For instance, examiners will want to know what modifications institutions have made to their operational processes to accommodate an increasingly mobile customer and member base and remote employees, and whether they accounted for additional fraud, cyber threats, or other risks as a consequence. If institutions implemented new products or services, they would need to also account for the operational risk associated with these changes—especially if additional third-party providers were involved. That said, throughout the pandemic, the overall industry demonstrated a very high level of resilience.

In addition to the post-Pandemic lessons, there are other important compliance trends and new regulatory guidance that institutions should anticipate as we approach the rest of the year:

Emphasis on Ransomware Cybersecurity

Recently, ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely ramp up going forward. This will be reflected, in part, by the number of (and types of) assessments that they may expect financial institutions to perform on an annual basis, including the familiar Cybersecurity Assessment Tool (CAT) and newer, non-compulsory Ransomware Self-Assessment Tool (R-SAT) developed partly by the State regulatory bodies.

In addition, at the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) has recently developed its Cyber Security Evaluation Tool. This tool is not specific to the financial industry but rather designed to apply to multiple industries. And the National Credit Union Association (NCUA) decided earlier this year to move away from using its version of the CAT, known as the Automated Cybersecurity Evaluation Toolbox (ACET). It’s now prioritizing a modified InTREx for Credit Unions (InTREx-CU), which is designed to enable credit unions to identify and remediate potential high-risk areas, including within the cybersecurity controls domain.

Changes with Cyber Insurance

Major shifts are also happening with cyber insurance. Because of excessive losses by the insurance industry, there will very likely be increased deductibles, increased exclusions, and decreased limits for covering cyber losses. Cyber insurance coverage—which is not an absolute requirement by regulatory agencies—is going to be more difficult and expensive to obtain. So, the lesson is: As insurance policies come due, don’t automatically renew before you assess what has changed in terms of the coverages, exclusions, and limitations, and make sure you’ve documented your cost-benefit decision.

New Guidance on Architecture, Infrastructure, and Operations

In June, the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. The updated guidance, which replaces the “Operations” booklet issued in July 2004, acknowledges the inextricable link between an institution’s operations, architecture, and infrastructure. Or as a recent FFIEC press release states:

“The booklet discusses the interconnectedness among an entity’s assets, processes, and third-party service providers, along with the principles, processes, potential threats, and examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.”

The booklet provides a fresh take on several concepts: It recognizes different treatments for smaller or less complex institutions and adopts a different approach to data classification by factoring in value with criticality and sensitivity. All entities—not just credit unions and banks but also non-financial, third-party service providers—are expected to adhere to the guidance.

In addition, there are also pending new rules for incident notifications for banks, service providers, and core providers, which isn’t surprising with all the recent cybersecurity attacks. Finally, examiners are also expecting more detailed board reporting, such as showing how an institution’s business continuity management plan, business strategy, and risk appetite are all aligned.

For more information about the latest expectations, compliance trends, and regulatory guidance, listen to our “2021 Hot Topics in Compliance: Mid-Year Update” webinar.

02 Apr 2021

Banks, Credit Unions, Security Brian Brannon 0 comment

Is Cybersecurity Your Weakest Link?

SKIP AHEAD:

Importance of Being Secure
Malware and Ransomware
Internet of Things (IoT) Attacks
Phishing Scams
Lack of Third-Party Vendor Security
Insider Threats
Lack of Employee Training and Security Expertise
Combating Security Threats and Ensuring Institution Security
Managing Security Needs

Is Cybersecurity Your Weakest Link?

The financial landscape has changed drastically in the last 20 years, one of the most notable changes being the variety of financial services now being offered online. Although the wide-spread use of internet has made it possible to receive financial guidance from anywhere in the world, it has also created an environment where sensitive information and data could potentially be compromised by cybercriminals.

Today, professional hackers are spending more time and money than ever before to gain access to personal information for both monetary gain and “professional” recognition. The sensitive information that the financial services industry has access to continues to make them a prime target for hackers and other cybercriminals. Attacks can range from malware threats, DDOS attacks, phishing attempts and data breaches – all of which bad actors can use to commit fraud themselves or sell to a third-party.

Importance of Being Secure

Cybercrime continues to be a growing problem for banks and credit unions across the country. The impact of a cybercrime can be very costly for a financial institution, both financially and from a reputational standpoint. The main risks include theft or unauthorized access to sensitive customer information along with the disruption of normal business operations.

In addition, as the number of security threats continues to increase in the financial services industry, regulators are taking a closer look at financial institutions’ policies and procedures to ensure that they can effectively safeguard confidential and non-public information. As an example, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) is designed to ensure financial institutions are prepared in the event of a cybersecurity attack. The FFIEC CAT is now the guide regulators are using to examine institutions and determine their level of cybersecurity preparedness.

Some of the most common security threats financial institutions face today include:

Malware and Ransomware

Ransomware has established itself as one of the leading cyber threats for many organizations, but especially financial institutions. Using ransomware technologies, hackers can gain complete access and control over legitimate websites, often by encrypting data or programs, and extort ransom payments from victims in exchange for restoring access to the individual or business. Malicious software, or “malware”, is no longer characterized by simple aggravating popups and sluggish computer performance, but rather the encryption of all data on a machine, rendering it unusable.

Internet of Things (IoT) Attacks

Unsecured Internet of Things (IoT) devices such as DVRs, home routers, printers and IP cameras are vulnerable to attack since they are not required to have the same level of security as computers. To breach a financial institution, attackers will target insecure devices to create a pathway to other systems. Unsecure IoT devices are also used to launch distributed denial-of-service attacks (DDoS) against institutions. These DDoS attacks prevent legitimate users from accessing computer systems, devices or other online resources. The perpetrator floods the victim’s machine or network with false requests from various sources to overload the system and prevent legitimate access. A well-executed attack can interrupt a host of banking services including website access, ATM networks, and online banking platforms, in addition to internal systems and functions.

Phishing Scams

Phishing scams that specifically target financial institutions’ employees, attempting to obtain sensitive information such as usernames and passwords, have become increasingly common within the last few years. The goal of phishing is to direct employees to a fraudulent website where they are asked to share login credentials and other personal information. The information that employees are tricked into providing then allow for cybercriminals to read a bank or credit union’s critical information, hack into the employee’s bank and social media accounts, send emails on an employees’ behalf, and gain access to internal documents and customer financial information.

Lack of Third-Party Vendor Security

While a financial institution might have the right security systems and policies in place to protect itself and its customers from a cyber-attack, its third-party providers may not have the same level of security and diligence. This creates a major vulnerability for the financial institution. Without a proactive approach to vendor management, financial institutions are opening themselves up to increased levels of risk that can have a negative impact on the institution’s financial standing, compliance posture and overall ability to serve its customers. Federal regulators have issued guidelines to help institutions better understand and manage the risks associated with outsourcing a bank activity to a service provider. The FFIEC IT Examination Handbook was revised to help guide banks to properly establish and maintain effective vendor and third-party management programs.

Insider Threats

Often, all it takes is a disgruntled employee or ex-employee to release valuable security information and compromise system and data security. Additionally, cybercriminals are increasingly realizing success through bribery as a means to entice bank employees to give up their login credentials or other security information, allowing direct access to internal systems.

Lack of Employee Training and Security Expertise

The COVID-19 pandemic has certainly brought its share of challenges to the financial sector of business, including increased network vulnerability and internal threats as employees transitioned to a remote work environment. These changes required cybersecurity personnel to change their online security baseline and continuously adapt to the changing IT security landscape. With the increased popularity of remote work, company IT staff are encouraging employees to take charge of their own online security through testing and training. The training includes topics like the importance of password security and multi-factor authentication and helps employees understand their roles and responsibilities in protecting against security threats. Until this learning gap is resolved, financial institutions will continue to struggle to efficiently manage cybersecurity threats.

Combating Security Threats and Ensuring Institution Security

While cybersecurity has become a major point of discussion among professionals within the financial industry, the truth is that many financial institutions are too complacent when it comes to protecting themselves. With hackers using advanced technology, the “bare minimum protection” is no longer enough to keep sensitive information safe. To adequately protect against security threats, financial institutions must ensure that every device on the network has up-to-date antivirus software, adequate firewall protections and that all patches are up-to-date as a minimum requirement. In addition, financial institutions should also employ a layered security strategy, from the end-user to the internet to establish a secure IT environment. Adding preventive, detective and responsive layers to IT security strategy will help strengthen an institution’s approach and build an effective security foundation.

A uniquely tailored layered security approach enables financial institutions to:

Monitor antivirus for servers, workstations, and off-site laptops
Use services that evaluate site lookups to avoid exposure to compromised websites
Scan the network for vulnerabilities and detect unusual activity against hackers and rogue employees
Block access to all external ports while also monitoring the access of various machines
Meet government regulations and requirements
Counter extortion threats by preventing a hacker from holding your customer’s personal data for ransom with special customized software for stopping ransomware
Patch machines, encrypt laptops, and install alerts on new devices plugged into the network

The security landscape is constantly evolving, and it is imperative to have a solid security plan in place that accounts for this evolution. It should be a fluid document that is frequently reviewed, updated and that specifically outlines administrative, technical, and physical controls that mitigate evolving risks. It is also important to test the full plan on a regular basis to ensure all procedures can be executed successfully and verify that all regulatory requirements are met.

Managing Security Needs

Many community banks and credit unions find that managing the security needs of their organization can be a time-consuming and challenging task. To help augment the security responsibilities, these institutions are turning to financial industry-specific IT and security service providers to act as an extension of their organization, provide timely support, and help the financial institution successfully design and execute a comprehensive security strategy. The right solution provider couples security measures with an understanding of and support for the unique security and compliance demands of the financial industry.

At Safe Systems, we believe that proactively protecting customer data will always be more cost effective than falling victim to malicious activity. To that end, we have the unique expertise to ensure that financial institutions employ the right combination of both broad and specific security products to create an ecosystem of protection. Safe Systems helps secure an organization’s endpoints, devices, and users by assessing vulnerabilities, detecting unwanted network activity, safeguarding against data loss, and preventing known threats while staying ahead of developing ones.

28 Jan 2021

Banks, Technology Mike Bell 0 comment

Why De Novo Banks Should Choose the Cloud

De novo banks have enough to be concerned about as they struggle to get established: raising capital, selecting a core system and products, getting enough personnel in place—and keeping everything afloat until they begin to thrive. Opting for the Cloud is one of the most prudent decisions a de novo bank can make.

Ease and Speed

A key benefit of employing the Cloud is the ease and speed of implementation, which is especially advantageous for a de novo with a tight timeline to get up and running. The Cloud also affords a de novo the ability to choose technology solutions based on its unique specifications. Rather than trying to estimate and make provisions for future growth, the bank can select cloud services according to its current requirements and as the de novo grows or reduces its operation over years, it can make the necessary adjustments to fit. In a real-world scenario, if a bank needs the capacity to process more loans, a cloud provider can instantly ramp up to meet that demand.

Cloud services also provide de novos with the cost-saving flexibility to forgo extensive infrastructure investments upfront and help avoid the expense of maintaining and replacing outdated hardware over time. Working with a major cloud provider means de novos will always be using the latest and best technology. This supports more predictable technology costs, especially when working in tandem with a managed cloud provider that can minimize the need for retaining a larger IT staff.

Disaster Recovery

Financial institutions—no matter how new they are—must have a strategy in place for restoring their IT infrastructure, data, and systems following adverse events, such as natural disasters, infrastructure failures, technology failures, the unavailability of staff, or cyber attacks, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

When a de novo chooses the Cloud to support its banking system, it simplifies many of the typical aspects of disaster recovery (DR). Cloud-based DR allows institutions to replicate the data in their main offices and transmit it to a safe location that staff can access during a catastrophic event. Having continuous replication means there’s minimal lag time when switching from live to DR mode. Plus, the Cloud makes it easier for IT staff to go live, run tests, and complete tests more thoroughly. Ultimately, cloud services can help de novos go beyond merely addressing disaster recovery, to instituting steps for disaster avoidance.

Here are some other compelling reasons for de novos to embrace the Cloud:

Security: A de novo bank has access to more security resources with the Cloud, making it easier to incorporate the best practices that regulators expect. Major cloud providers like Microsoft, Google, and Amazon maintain an army of security experts; they simply can offer more robust security than small de novos can build on their own.
Compliance: Leading cloud vendors are well versed in regulatory compliance issues, and de novos that use managed cloud providers receive a comprehensive solution that can further enhance compliance and vendor management.
Flexibility: With cloud services, de novos not only gain the advantage of being able to manage their IT infrastructure from anywhere, but they also gain the capability to easily turn on/off cloud services allowing them to quickly explore new ideas or diagnose problems within their environment.

The simple truth is that a de novo bank could never build an IT infrastructure on par with what it can accomplish through the Cloud. And working with a managed cloud service provider like Safe Systems can make using the Cloud even easier, leaving bankers free to focus on banking.

13 Aug 2020

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with Safe Systems’ Virtual ISO Solution

One Florida Bank Achieves Rapid Growth and Streamlines Information Security with ISOversight

Mergers and acquisitions can present significant operational challenges for information security officers (ISO) who are tasked with ensuring a smooth transition of the information security program. Often, some key responsibilities of the ISO may be overlooked as other tasks related to the merging of the two institutions take precedence, overextending the ISO as they work to manage the information security program effectively and stay on top of regulations.

The Challenge

Eric Nadeau, chief financial officer at One Florida Bank, faced this very issue when his bank acquired another bank in Florida to expand the institution’s reach across the state. Nadeau wore many hats at the bank serving as the information security officer, chief financial officer, head of accounts payable, and director of both HR and IT. Although Nadeau understood the role and responsibilities of the ISO, he simply lacked the necessary time required to develop a formal program to efficiently complete all ISO-related tasks.

After acquiring the other bank’s charter and then merging the two institutions, Nadeau knew that his bank’s existing compliance management practices would not be enough to accommodate the rapid growth and continue to satisfy the regulators. While he needed assistance in managing the information security program, the institution was not yet ready to make the investment to expand personnel by adding a dedicated ISO.

The Solution

Following the merger, the bank needed a strong operational structure in place to get the now larger institution up and running and meet regulatory expectations quickly. During the acquisition process, Nadeau was introduced to Safe Systems’ ISOversight VISO (Virtual Information Security Officer) solution. The institution One Florida Bank acquired was already a Safe Systems customer using its network management services. After learning more about the VISO and compliance program, Nadeau performed his due diligence and made the decision to implement the ISOversight solution to streamline the bank’s information security processes.

A VISO serves as an extension of the in-house ISO by augmenting existing personnel and ensuring all tasks and related activities are completed on time and are all properly documented and reported to the various stakeholders. ISOversight’s integrated approach to vendor management, business continuity planning, cybersecurity, strategic planning, and information security influenced Nadeau to implement a VISO strategy.

“We had a very aggressive growth plan and I was wearing many hats. I couldn’t cobble together a bunch of Excel-based risk assessments and manual tasks into a formal process within an acceptable time frame,” said Nadeau. “I needed a support structure that I could leverage very quickly to sustain our bank’s strong and rapid growth plan and ISOversight provided that.”

The Results

While Nadeau expected the bank to grow, he did not anticipate that the bank would become a $690M institution in just 18 months. With ISOversight, Nadeau was able to quickly implement new operational structures for the institution amidst this rapid growth.

ISOversight combines all the various risk assessments into one centralized portal with ease, eliminating the use of multiple spreadsheets and numerous documents. The VISO enabled the bank to create a new compliance infrastructure with easy-to-read summaries of all ISO activities, as well as establish a new fully compliant business continuity management plan, a robust vendor management program, and comprehensive project and audit/exam tracking. ISOversight provides an integrated approach to all these initiatives as they all work hand in hand.

“The first year after the acquisition required a massive amount of work, but ISOversight allowed our bank to prioritize and complete tasks until we reached a smooth and successful integration,” said Nadeau. “Even examiners have commented on the progress we’ve made and recognized the value that the integrated platform provided to our management.”

For more information, download the full white paper, “5 Case Studies: Exploring Common Challenges Faced By The Information Security Officer.”

16 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

In a previous post, we discussed the role of the ISO in a pandemic and how he or she must make sure all routine tasks are still being completed; help the institution adapt to the new circumstances; and continue providing all products and services at an acceptable risk level.

While an institution may be prepared to continue business as usual, its third-party provider partners may not be on the same page. Like the bankers they support, third-party vendors are also experiencing the impact of the pandemic and are dealing with a variety of operational issues as well. Financial institutions must be able to perform effective vendor management during a crisis and develop alternative plans in the event a critical vendor may not be able to perform the services agreed upon.

Here are a few things the ISO must consider to effectively evaluate the institution’s vendors during a crisis like a pandemic:

Identify Vendor Risks

During a pandemic, the ISO must anticipate several different risk scenarios that can adversely impact the institution’s daily operations. With vendors, there are two interrelated key risk factors to consider:

“Supply chain risk” is related to the interconnectivity among the entity and others. In a pandemic, critical vendors may receive an overload of requests for products and services from a variety of industries and may not be able to keep up with demand. For example, many financial institution employees have been working remotely due to Coronavirus and to keep the network secure, financial institutions have provided company laptops to staff. However, if the FI’s laptop provider runs out of inventory, the institution is then put in a difficult situation – if they allow the use of personal devices, they must still make sure all employees can work safely from home and ensure the network remains secure.
“Cascading impact risk” is an incident affecting one entity or third-party service provider that then impacts other service providers, institutions, or sectors. For example, if the vendor that manages the bank’s perimeter security has a large case of absenteeism and an inadequate succession plan, real-time alerting may be negatively impacted, and the institution could be exposed.

Evaluating these risks with third-party vendors in advance will help ensure that they have the proper personnel redundancies in place, so these situations don’t impact the institution.

Managing Third-Party Risks

According to the Federal Financial Institution Examination Council (FFIEC), open communication and coordination with third parties, including critical service providers, is an important aspect of pandemic planning. A current SOC 2 report that covers the “availability” trust criteria is the best way to determine if the vendor has the capability to respond and recover its systems. In the absence of a SOC report, the first thing the ISO should request is a copy of the business continuity plan. Since the SOC report may not cover the service providers’ vendors (also referred to as sub-service providers), the ISO will also want to gain some awareness of the possibility of supply-chain risk. For example, how might a provider failure two to three layers deep affect the institution?

In addition to vendor business continuity plans, the ISO should ask additional questions about how the vendor is managing the pandemic. Here are a few examples:

When was the last time you updated and tested your BCM plan? Have you incorporated the possibility of a failure of a critical sub-service provider?
Is the likelihood and impact of a pandemic evaluated as a part of your risk assessment?
How do you plan to continue providing services in the event of the loss of key employees?
Have you been in communication with your critical third-party providers?
Are you financially prepared to withstand a long-term pandemic event?

Critical third parties are often either overlooked or under-managed during normal circumstances, but because of the current high level of interdependency among financial institutions and their third-parties, operational events such as pandemics call for much closer scrutiny. Depending on responses received, ISOs may choose to accelerate their oversight efforts, revisit their vendor risk assessments, and make adjustments accordingly.

For more information on responding to pandemic events, view our pandemic resources.

12 Jun 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The “Inherited” Risk – Assessing and Reporting on Vendor Risk

Vendors are the largest source of non-preventable risk for a financial institution, so it is critical that banks and credit unions carefully evaluate, monitor, and manage all vendor relationships to remain compliant and reduce risk. Additionally, institutions must be able to accurately assess risk, implement adequate controls, and provide all stakeholders (including regulators, management, and the Board) with appropriate reporting to convey the overall status of the vendor management program at any point in time.

Assessing Vendor Risk

The first step in vendor risk management is to perform a risk assessment to evaluate your level of inherent risk. This must always be done first so that you can then identify and implement the proper controls. If the controls selected do not completely offset the risks identified, then alternate or compensating controls would need to be identified in order to achieve a level of residual risk that is within your risk appetite.

Depending on the information you get from the risk assessment, you can clearly map out the level of inherent risk based on the vendor’s access to data and systems and the level of criticality for each vendor. These results will provide the information you need to control the risks, and ultimately report the overall results of your vendor management program to your key stakeholders.

When conducting a risk assessment you want to include all vendors but focus particularly on your critical vendors. A critical vendor is defined as one that either provides a product or service that is a key interdependency of one or more of your products or services, or one that stores, processes, or transmits non-public customer or confidential information.

Once you’ve established the initial or inherent risk level, you can identify one or more controls to off-set the risks. Typically, you want the vendor’s third-party audit report or SOC report; audited financials; insurance binders; a copy of their incident response and disaster recovery plans; and any testing the vendor has done on these plans. If you can’t obtain a SOC report, you’ll need compensating controls to determine their network security. Ask if they have an information security program and if they’ve conducted any vulnerability and penetration testing. You should also request a report of examination (ROE) from your primary federal regulator on your core provider.

Reporting to Stakeholders

When reporting to the various stakeholders within your institution, many of the reports are relatively similar, but the level of detail will be slightly different for each stakeholder group.

Board

The primary stakeholder that financial institutions must report to is the Board. When presenting to the Board, reporting does not generally need to be highly detailed and should provide a brief, high-level summary of the overall program.

Additionally, it is not necessary for the Board to see this report every time they meet. The requirement is to present an annual update, but we recommend reporting more often if the pace of internal change dictates (whether twice a year or quarterly) to show you are adequately managing vendor risk on an on-going basis. Here is an example of what a Board report should look like:

Management

The management committee (i.e. IT Steering) requires a bit more detailed information than the Board does, and unlike Board reporting frequency, IT should report to the management committee every time they meet. If your management committee meets on a monthly basis, you should produce a report each month as well and communicate this information to the committee. Management needs to know what you’re doing; what you’re not doing; what you’re behind on; and have a good understanding of your progress.

Regulators

Regulators typically review the same reports as your board and committee. However, auditors and examiners will tend to take a deeper dive into your vendor management program and want to review everything you have on your critical vendors. They are looking to see if you’ve done a risk assessment and if you have identified the reports from the vendor that will line up with, control, and offset the risks you identified in the risk assessment. The report you present to examiners and auditors may have more of a narrow but deeper focus, taking a more detailed view of your most critical vendors.

04 Jun 2020

Banks, Credit Unions, Technology Allison Stahlman 0 comment

I’m New to Banking Technology – What Do I Need to Know?

The reality for the community banking industry is that often, institutions are limited in staff size, especially in IT. As a result, employees are sometimes placed in an IT role without any prior experience and they are forced to learn the “ins and outs” of information technology quickly to ensure that the institution stays in compliance and the IT environment is secure.

This can be a daunting task for a financial institution employee who’s been placed in an IT role for the first time. From our experience working with more than 600 community financial institutions, there are four key steps that someone who’s new to banking technology needs to know to quickly get up to speed on all things IT:

Step 1: Determine the Financial Institution’s Current State

When stepping into an IT role from another department, the first thing you must do is get a strong understanding of the current state of the institution and how the IT infrastructure is set up. Key questions include:

What does the IT infrastructure look like?
What technology is currently in place?
Is there hardware or software that is reaching end-of-life?
Are network schematics and data flow diagrams up to date and accurate?

Look at all the policies and procedures currently in place and understand what management has approved for the information technology program and how the environment is organized. It’s important to know exactly where the bank is from an IT perspective because without this knowledge you won’t be able to troubleshoot potential issues or plan strategically for where the financial institution needs to be to meet compliance guidelines.

Step 2: Review Vendor Relationships and Responsibilities

It is critical to know exactly who is responsible for each IT activity. Many community banks and credit unions use a variety of vendors, including core providers, cloud providers, managed services providers, and others. It’s important to understand which vendors are involved with all your hardware, software, and IT services and review the service level agreements (SLAs) which are typically found in the contract to be clear on what the vendor should be providing to the institution. This is crucial because if an issue arises you need to know if it is your responsibility to handle it internally or if you should reach out to a vendor for support. Make sure you are clear about what the institution’s vendors are responsible for, when to go to them for help, and which activities are your responsibility under the SLA.

Another key part of this role is vendor management. As a new IT admin, you have a shared responsibility for monitoring and managing the institution’s vendors and weighing the risks each one poses to the institution. To keep the network compliant and secure, you need to thoroughly evaluate potential vendors; identify critical vendors and services; implement an effective risk management process throughout the lifecycle of the vendor relationship, and report appropriately to senior management. Some key best practices include:

Developing plans that outline the institution’s strategy;
Identifying the inherent risks of the specific activity, and the residual, or remaining, risk after the application of controls;
Detailing how the institution selects, assesses, and oversees third-party providers;
Performing proper due diligence on all vendors;
Creating a contingency plan for terminating vendor relationships effectively; and
Producing clear documentation and reporting to meet all regulatory requirements.

Having a proactive plan in place will help you effectively manage vendors and have a clear understanding of the level of criticality and risk for each service provider. Properly vetting and managing vendors will reduce risk for the institution, while also ensuring compliance requirements are met successfully.

Step 3: Understand the Institution’s IT Organizational Structure

How IT roles are structured within a community bank or credit union varies by the institution, but many financial institutions have an IT administrator, information security officer (ISO), chief information officer (CIO), and an IT steering committee to support IT activities. It’s important to learn how the institution is set up and understand what the ISO and CIO are responsible for so you can work together to ensure the institution’s environment is operating securely and efficiently. It’s also important to make sure all ISO duties are separated from other IT roles at the institution to maintain compliance with FFIEC requirements.

At some point, every functional area of a bank or credit union touches IT in one way or another so understanding how every system, application, and functional area within the institution operates and relates back to IT enables you to help the staff by troubleshooting the different issues each department may experience.

Step 4. Review Recent Audits and Exams

Another way to determine the current state of the financial institution is to review all recent IT audits and exams. Determine if there were any findings or recommendations made by a regulatory agency and make sure that this has been addressed and remediated appropriately. With this information, you can tell if there are any current issues or pain points and start to make strategic plans or address specific issues as they arise.

Financial institutions are held accountable for FFIEC compliance and must manage regulatory activities including reporting effectively. New IT personnel should become familiar with FFIEC guidance and understand what is required to meet regulatory expectations and perform well on future audits and exams.

With these steps, new IT admins can gain a deeper understanding of information technology and what their key responsibilities are at the financial institution to ensure the community bank or credit union can successfully meet examiner expectations and keep operations running smoothly.

01 May 2020

Banks, Credit Unions, Technology Brendan McGowan 0 comment

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

23 Apr 2020

Banks, Credit Unions, Technology Jamie Davis 0 comment

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

For many financial institutions, it has been a challenge to keep IT operations moving efficiently during this pandemic. Since community banks and credit unions are considered an essential business, they are required to continue to serve customers and members. This can be difficult when employees are unavailable or are forced to work remotely from their homes for the first time. Many financial institutions have questions about how to efficiently manage their remote workforce, while keeping the institution secure and employees, customers, and members safe.

To address these questions, Safe Systems’ Information Security Officer, Chuck Copland, VP of Compliance Services, Tom Hinkel, and Chief Technology Officer, Brendan McGowan held a live panel discussion last week covering ways financial institutions can manage banking IT operations during a pandemic. In this blog, we’ll cover a few of the top questions from the panel:

1. How would you suggest making sure that remote access vendors are vetted quickly but thoroughly?

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger scale use. To do this effectively, you first need to consider all of the risks associated with remote access and the potential impact on your organization. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the your new risk appetite.

2. What are some lessons learned about remote access for financial institutions during this pandemic?

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC.

When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution. With telecommute remote control tools, like LogMeIn and Splashtop, the user is working from a local computer at the office. These tools limit the abilities of the computer from interacting with the institution’s local network, often, making it a secure option for organizations that don’t want employees to have direct access to the network. Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely.

There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

What are you hearing from examiners? How are exams continuing during the pandemic?

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when the dust settles, and we go back to a more normal set of circumstances? What will examiners expect then?

Most likely, we expect them to be looking for a mature “lessons learned” document that financial institutions create to show what they have learned over the course of this particular pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

If you’d like to find out what other questions were answered during the live panel, watch our recorded webinar, “Ask Our Experts: Managing Banking IT Operations During a Pandemic.”

09 Apr 2020

Banks, Compliance, Credit Unions Christine Ray 0 comment

American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

With ongoing cybersecurity threats; increased use of third-party providers; and constantly evolving regulatory and reporting requirements, the role of the information security officer (ISO) is even more important in today’s complex banking environment than ever before. However, community bank and credit union ISOs often struggle to keep up with the growing number of responsibilities this role requires – often forced to manage critical tasks with limited resources and a lack of segregation of duties.

The Challenge

Nicole Rinehart, Chief Operations Officer at American Pride Bank, ran into this very issue as the sole IT admin at American Pride Bank. Managing all of the ISO responsibilities, including critical activities such as Board reporting and the production of comprehensive reports for examiners, was difficult to manage due to the many manual processes required.

During a regulatory examination, an examiner recommended the bank focus on having more independence within its ISO duties. The Federal Financial Institution Examination Council (FFIEC) states that all financial institutions must have separation of duties for the ISO role. To accomplish this, the bank began evaluating solutions to help streamline processes and ensure complete oversight of all information security activities.

The Solution

Implementing a Virtual ISO to Improve Compliance Posture Complimentary White Paper

After consideration, American Pride Bank decided to partner with Safe Systems and implement its ISOversight virtual ISO solution. The service includes a suite of applications and programs to help institutions streamline management of key compliance duties including the CAT, BCP, Vendor Management and Information Security.

In this case, the bank was already leveraging individual components of ISOversight. By converting to the virtual ISO service, they gained additional tools, reports, and expert compliance support. An important part of the solution includes monthly meetings with the Safe Systems compliance team to assess the bank’s information security activities and provide guidance.

The Results

With ISOversight, American Pride Bank has improved its overall preparation and communication of the information security program. All key stakeholders in the bank have access to ISO-related items in real-time, and the information security program is more organized and streamlined, enabling the bank to save time on monitoring and reporting.

“The ISOversight solution has been a game-changer for our bank because now we have a robust process in place working with Safe Systems and a full committee of our team members to ensure all tasks are completed accurately and nothing slips through the cracks,” said Rinehart. “It’s so important to have a process like this, especially when you have limited resources. Safe Systems has truly become an extension of our internal team, helping us to stay on track with ISO responsibilities and ensuring we comply with all regulatory requirements.”

To learn more, read the full case study, “American Pride Bank Streamlines Processes and Improves Compliance Reporting with Safe Systems’ ISOversight Virtual ISO Solution.”

28 Nov 2018

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What Community Banks and Credit Unions Should Budget for in 2019

As 2018 winds down, banks and credit unions are thinking ahead to 2019. They are determining the new solutions, products, and enhancements needed to meet their strategic plans in 2019 and beyond. In addition, they are evaluating what needs to be updated or upgraded and the processes that can be improved upon.

There are three key areas banks and credit unions should focus on during budgeting season – technology, security and compliance. While lines that separate technology, security, and compliance are blurry at best, 2019 budgeting items for operations fall largely into these three buckets.

Compliance

Managing Risk with Truly Secure Vendor Management Program Get a Copy

While the focus of many examiners has shifted back to financial aspects of institutions, the top three findings our customers report relate to:

Vendor Management – Typically the current vendor management solution (if it exists at all) is deemed inadequate or insufficient. Often the solution doesn’t cover all vendors or provide a way to adequately assess these vendors.
Business Continuity Planning (BCP) – In the mid to late 2000’s many banks and credit unions updated their Business Continuity Plan. However, for many institutions, these plans have remained relatively unchanged for a decade now. Technology and business processes on the other hand, have changed rapidly over the last decade. The Federal Financial Institutions Examination Council (FFIEC) has also updated their guidance to address the current challenges of BCP. If the institution’s plan has not been thoroughly updated in a while, the institution may be at risk of a finding on a future exam.
With both of these findings there may be an additional finding of inadequate management or board oversight. Often these findings happen on the same exam and are followed with a concern with oversight. Many of the calls Safe Systems gets after an exam relate to these issues.

Avoid finding yourself under a Memorandum of Understanding or a Matters Require Attention by budgeting to ensure your compliance processes are up to date.

Vendor Management solutions can run from $2,500 to more than $6,000 per year. Business Continuity Plans can range more significantly from a couple of thousand to more than seven thousand dollars per year. Do some research and find some solutions that would meet your institution’s needs and identify their year one cost and annual cost thereafter.

Security

With attacks on the rise and businesses continually falling victim to cybercrime, security needs to be an institution’s priority. There are innovative solutions coming to market every day to help address security risks. These solutions can help mitigate the risks that your institution faces, but they can also cause confusion on where you should focus your attention. For the next several years, it is in the institution’s best interest to continually focus on the impending security landscape and verify that your budget reflects your strategy.

One place to start is to review your current solutions. Verify that your current investments are still applicable for your ever-changing environment. Upon investigation, you might find features that are available as an add-on to your current solution to help mitigate risk. You may also find holes in your current strategy that may need to be rectified.

Moving Beyond Traditional Firewall Protection to Develop an Integrated Security Ecosystem Get a Copy

As of October 2018, 90% of web traffic accessed through Chrome, the most popular web browser, was encrypted. These numbers have been increasing rapidly over the last few years. Many firewalls can only inspect unencrypted web traffic. This was a small risk when encrypted websites were less common. With the sudden rise of encrypted web traffic, many firewalls are NOT equipped to scan this data. It is possible to scan encrypted web traffic, but for many institutions this will require changes and additional investment. The risk of not scanning this encrypted web traffic significantly increases the chances of your institution becoming a victim of a malware outbreak or a data breach. Examiners in some regions have started to pick up on this security hole, and they are encouraging institutions to address this issue.

Another area of concern for institutions is new and emerging threats. Attackers are continually innovating and improving their attack methods, and basic security solutions may not be enough to detect and prevent these advanced attacks. Newer solutions specifically designed to analyze the growing attack techniques have been developed. The use of sandbox technology and machine learning are being tasked to make it more difficult for attackers to be successful. In many instances, these solutions can be imbedded within your perimeter firewall solution. These types of defenses can vastly increase the effectiveness of your security landscape.

Even though your firewall is viewed as a technical security device, it is also the device that grants users access to the internet. The internet has quickly become a business-critical service. When strategizing about upcoming budget aspects, the institution should consider the business risks involved when an internet device causes downtime. There are ways to mitigate internet downtime using high availability solutions. High availability involves having two firewall devices configured in a cluster. If one device fails, the second device seamlessly takes over responsibility so that downtime is avoided.

Additional devices and licensing will also affect the budget. These changes can be small or very large depending on the scope and goals of your strategy. Going forward, have a plan and strategy to deal with the ever-changing security landscape.

Technology

The biggest move in technology over the last half decade has been the move to the cloud. This will continue to be the case in 2019. The cloud offers benefits such as low maintenance, high availability and rapid disaster recovery that can’t be easily or affordably addressed with in-house solutions. The future likely means more servers and business functions moving to the cloud. This likely is where technology spend will move over the next 5 years. Another term for this is Infrastructure as a Service (IaaS). There are three likely situations that will lead to this move and determine how your institution makes the transition.

Your institution desperately needs high availability and/or disaster recovery and is willing to incur the cost of moving from a hardware-based solution to a cloud-based solution.
Your institution’s hardware infrastructure is reaching the end of its life and it is time to purchase all new hardware or move in a new direction. This can be a good time to evaluate your current setup and what is best for the future.
Your institution has some regular hardware turnover scheduled for next year and wants to evaluate slowly moving to the cloud. Instead of buying a new server, it may be time to evaluate what the future of your infrastructure will look like and if the cloud is a long-term solution.

Everything You Need to Know About the Cloud Get a Copy

Some vendors pitch the move to IaaS as a cost savings move. There are cost savings involved. No more hardware to buy and maintain; no more electricity to run the devices; no more cooling to keep hardware cool; and the ability to achieve high availability is easier and more efficient. However, the move to IaaS is typically not a cost savings, but a feature advantage. Most institutions will be lucky if they break even with moving to an IaaS model, but they will gain great redundancy, uptime, reliability, and disaster recovery capabilities.

Generic cost estimates are impossible due to the fact that everyone has different infrastructure, needs, wants, etc. But if flexibility and added freedom is something your institution wants or needs, start investigating what IaaS might cost for your institution. This technology has matured greatly over the last few years and continues to evolve, making it viable now and likely the wave of the future.

In moving into 2019, focus on two things. Are my current processes and products adequate? Not have they passed exams this year, but are they mitigating the current risks to the institution? Too often measuring by exams leaves the institution open to a false sense of security and potential exam issues in the future. For compliance, ensure the institution’s processes are thorough, up to date, and adequate to meet the needs of the institution. For technology, consider what the long-term goals of the institution are and start working on a plan to implement these changes. Security is going to need new investments each year for the foreseeable future. The historical solutions for security problems have been successful which has forced criminals to find ways around them. It’s time to realize that the threats have changed, and it is time to address the new threat landscape.

18 Jul 2018

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Community Neighbor Bank Eliminates Stress of Vendor Management and Enhances Compliance Posture

It is more important than ever for financial institutions to manage vendors efficiently, but many struggle with the best way to successfully accomplish this. Most community financial institutions do not have a formal department dedicated to vendor management, and some still perform this process manually (on a spreadsheet for example), potentially leaving the institution vulnerable.

Camden, Alabama-based Community Neighbor Bank recognized the shortcomings of using a spreadsheet to track and manage its nearly 40 vendors. This method also made preparing reports for auditors cumbersome and time consuming. In response, Lisa Dailey, Assistant Vice President and IT Manager at Community Neighbor Bank, sought a solution to automate and streamline the vendor management process and help the bank to more efficiently manage contracts, renewals and other critical activities such as risk assessments.

“As our vendor list grew and cybersecurity risks increased, we realized that we needed a better way of calculating risk, identifying critical vendors, and tracking contracts and reports,” said Dailey. “We wanted to ensure our institution was efficiently managing all our outsourced relationships.”

After careful consideration, the bank determined that Safe Systems’ vendor management solution represented the most cost-efficient, proven method to control and manage its third-party risk.

Improved Risk Assessment and Due Diligence

Prior to implementing Safe Systems’ vendor management solution, compiling a complete list of all vendors and accurately performing the risk assessment on all vendors was a complicated task for bank staff.

“Performing the risk assessment on each vendor and understanding our inherit risk had been a challenging process,” said Dailey. “Safe Systems helped us understand how to manage the various risk levels of our vendors and the level of due diligence needed for each level.”

In addition to a more efficient risk assessment and due diligence process, the bank also benefits from the ability to proactively manage vendor renewals; a centralized location for all documents so staff and management and can easily access them; and detailed information for audit purposes and executive summaries for board review.

Enhanced Compliance Posture

The industry has seen regulators more closely scrutinizing the vendor management process within financial institutions, and it was often difficult for the bank to provide the level of vendor reporting that regulators required based solely off of a spreadsheet. Safe Systems’ vendor management solution has enabled the bank to more easily provide the proper documentation to examiners in a timely manner — enhancing the bank’s ability to meet regulatory requirements and increasing its compliance posture.

“We have received positive feedback from regulators since we made the switch from a manual to an automated process,” said Dailey. “Working with Safe Systems has improved our ability to meet the evolving regulatory requirements, and we’ve significantly reduced the amount of time spent monitoring and managing our vendors.”

“We are fully confident going into all exams because we can easily provide any reports requested, and we have a comprehensive view of all our vendors,” continued Dailey. “Safe Systems is truly a valued extension of our team.”

For more information, download our complimentary white paper, “Managing Risk with Truly Secure Vendor Management Program.”

06 Dec 2017

Banks, Compliance, Credit Unions Jamie Davis 0 comment

What Community Banks and Credit Unions Should Budget for in 2018

2017 Dec What Community Banks and Credit Unions Should Budget for in 2018

Many financial institutions are entering (or are already within) their 2018 budget season. While creating a budget is essential in helping you execute your strategy and plan for the future, any shortcomings, such as the ability to respond to changes in regulation or things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, security and compliance budget items that are often overlooked. Since we work with more than 600 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints and offer some points for consideration in your budgeting for 2018.

2017 started with several ransomware incidents and culminated mid-year with one of the largest breaches ever – directly impacting more than half of the adults in the United States– with the Equifax breach. Expect “Cybersecurity” and “Information Security” to be buzz words going forward for the next few years. No business wants to have a breach and no regulatory agency wants to sign off on a business’ processes only to have them be breached. Look for the regulatory agencies to start looking out for number one by putting pressure on you, the financial institution, to step up your cybersecurity efforts.

Per some studies, up to 90% of cybersecurity spending is directed towards securing the network, yet 72% of all breaches happen from the application level. This disconnect indicates that, while the money spent may prove effective on stopping perimeter exposure, it has likely left an unexpected weakness in overall protection.

Expect cybersecurity and added layers to be a focus over the next few years. The layers are often moving from the perimeter to the device level. Considering most breaches go unnoticed for 100-200 days, expect an emphasis on forensics and monitoring in the coming year(s) as well.

As you are setting budgets for 2018, here are some key line items for consideration:

Malware/Ransomware Layers: $1,500 – $5,000

Remember that 2016 and early 2017 were very heavy in malware, especially ransomware. While this seemed to cool off toward the end of 2017, experts expect this to be a major issue for the foreseeable future. The price will depend on the layers you select and how many you choose to add. You should really consider taking a more aggressive step in your fight against malware this year. If 2016 and 2017 taught us anything, it is that malware, and specifically ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past.

Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers, but is now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their cybersecurity posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

Cybersecurity preparedness does not start or end with the Cybersecurity Assessment Tool (CAT), but it does play a role. Examiners will be looking at this for at least acknowledgement that you understand cybersecurity is a real issue and you are working on addressing it. We still speak with institutions who have done little to nothing with the CAT. With the current risk environment constantly escalating, regulators are unlikely to continue to let this slide.

Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program

Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.

Honey Pots: $2,500+

A security professional at a major security conference earlier this year referenced baiting and monitoring for criminal activity as one of the most effective measures to know if you have been compromised. Often referred to as “honey pots,” this refers to decoys set up to look interesting to anyone “snooping” around. With a solid solution in place, your institution could know of an intruder within minutes instead of the estimated 100-200 days noted above. If Target or Equifax had used similar solutions, they would likely have not been compromised or damaged to the extent that they were.

Robust Vendor Management Solution: $2,500 – $5,000

With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost effective way to address this. This also ties into the cybersecurity preparedness. As data has moved outside the institution, it’s more important than ever to make sure your vendors are keeping your data safe.

New and Replacement Technology: $500 – $10,000

Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

Expired in 2017 and should be replaced or upgraded

Windows Vista
Symantec Endpoint 10.x
Microsoft Office and Exchange 2007
Backup Exec 2015
Adobe Acrobat XI

Expires in 2018 and should be replaced or upgraded

ESXi/vCenter 5.5 expires 9/19/2018

Training: $500 – $1,500

Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. This is an area where many institutions could make a lot of improvement for the fewest dollars. Employees, via intent or mistake, are often the starting points for the breaches many institutions face. A single employee has been blamed for much of what happened in the Equifax breach. Make sure your employees and customers have access to the appropriate training commiserate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.

Vendor and User Conferences: $1,000 – $1,800

It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.

25 May 2017

Credit Unions Holly Hooks 0 comment

Stay Compliant! 3 Areas Your Credit Union Should Focus on to Better Meet Regulator Expectations

Credit unions establish relationships and partnerships with third-party providers to meet strategic objectives, enhance member services, and manage competitive pressures. When a credit union actively manages its third-party relationships, the institution can then provide a wide range of potential benefits to its members.

However, third-party relationships also come with a high level of risk for financial institutions, making it crucial for them to have a solid vendor management program in place to effectively manage their vendors. A number of regulatory agencies including the National Credit Union Administration (NCUA) provide guidance to help credit unions evaluate the risks of working with third-party providers and understand examiner expectations related to their vendor management processes.

In a Supervisory Letter, the NCUA identified the following 3 concepts that credit unions should address and examiners should ensure are commensurate with the credit union’s size, complexity, and risk profile:

Risk Assessment and Planning

Before entering into a new third-party relationship, credit unions should determine whether the relationship complements their overall mission and philosophy. The credit union should evaluate the risks and benefits of outsourcing this process with the risk and benefits of keeping it internal. An explanation of how the relationship relates to the credit union’s strategic plan, long-term/short-term goals, objectives, and resource allocation requirements should all be documented. The credit union should conduct an initial risk assessment that includes the evaluation of enterprise risks including compliance, strategic, and reputation.

Due Diligence

Conducting thorough due diligence includes demonstrating a strong understanding of a third party’s organization, business model, financial health, and program risks. To ensure the proper risk controls are in place, credit unions must understand a prospective vendor’s responsibilities and all of the processes involved. Examiners should evaluate if the credit union’s due diligence process includes background checks, examining the third-party’s business model, the determination of how cash flows move between all parties in the proposed third party arrangement, financial and operational controls, contract evaluation and accounting considerations.

Risk Measurement, Monitoring and Control

Credit unions must establish ongoing expectations and limitations, compare program performance to expectations, and ensure all parties are fulfilling their responsibilities. Credit unions should develop policies and procedures detailing the responsibilities of the credit union and third-party including management oversight and reporting. On-going monitoring of controls over the third-party relationship should be implemented to mitigate risks.

Reduce Risk, Increase Compliance with Vendor Management Software

Regulations repeatedly make it clear that the use of third-party vendors or service providers does not reduce the responsibility of your credit union to ensure that data is safe, secure and complies with all applicable laws, regulations and security best practices. While it is more important than ever for credit unions to manage their vendors, many struggle with the best way to efficiently and successfully accomplish this. Until recently, most credit unions had only a handful of managed vendors, which could be tracked manually via a spreadsheet. While this may have worked in the past, regulators’ expectations today are much more sophisticated.

To comply with NCUA regulations, every credit union must be able to provide proper documentation on the ongoing monitoring and management of its vendor management program. Automating vendor management functions not only saves your staff time but also helps to ensure the institution is in compliance with regulatory requirements. An automated vendor management solution is an effective tool to help credit unions reduce risks and improve examination results.

For more information, please download our white paper: Why Automation is the Answer to Credit Unions’ Vendor Management Challenge.

Why Automation is the Answer for Credit Unions’ Vendor Management Challenge

How confident are you in the management of your vendors?

23 May 2017

Banks, Credit Unions Christine Ray 0 comment

Carolina Alliance Bank Enhances Compliance Posture with Safe Systems’ Vendor Management Solution

Vendor management has taken on an increased level of importance as regulators are now more heavily scrutinizing how banks manage their third-party vendors. In response, many community banks and credit unions are looking for more efficient, effective ways to monitor their outsourced vendors, protect themselves from associated risks, and maintain overall compliance.

For South Carolina-based Carolina Alliance Bank, manually monitoring vendors through a spreadsheet simply became too time-consuming and cumbersome a task for its staff. The bank sought a proven solution that could help streamline vendor management processes and enable them to more efficiently manage contracts, renewals and other critical activities. As a long-time customer of Safe Systems, the bank determined that implementing this industry-specific, automated vendor management solution was the most cost-efficient method to control and manage the risks associated with its third-party providers.

Improved Compliance and Streamlined Processes

Using the manual spreadsheet method, it was sometimes difficult for the bank’s staff to provide the level of vendor reporting that regulators required. In contrast, Safe Systems’ Vendor Management solution enabled Carolina Alliance Bank to more easily provide the proper documentation to examiners and in doing so, clearly demonstrate that bank staff are properly reviewing and monitoring vendors on an on-going basis.

Furthermore, the bank is now able to centralize all documents in one location where staff and management can easily access them to provide detailed information for audit purposes and executive summaries for board review. Through this level of intelligent automation, paired with Safe Systems’ compliance support, the bank has significantly reduced the amount of time spent on vendor management processes, which has freed up resources to focus on additional revenue-generating activities for the bank.

“Since we switched over from a manual to automated process, we’ve received nothing but great feedback from regulators,” said Judy Price, Vice President at Carolina Alliance Bank. “Working with Safe Systems has enhanced our ability to meet regulatory requirements and provide ‘top of the line’ technology to our staff and customers. They are truly a valued extension of our team.”

For more information, download our vendor management case study, “Carolina Alliance Bank Improves Vendor Management Process.”

17 May 2017

Compliance, Credit Unions Darren Bridges 0 comment

Evaluating and Selecting Third-Party Vendor Relationships – What your Credit Union Needs to Know

Choosing a Credit Union Vendor

The majority of credit unions rely on third-party service providers for specialized IT services and technology that improve the overall quality and efficiency of the organization and for mission-critical software and hardware to actually run their business. As such, third-party providers have become an essential component of day-to-day operations, but it is important that credit unions understand the operational and reputational risks they assume if they do not select and manage these relationships and providers appropriately.

Some of the potential risks of using a third-party service provider include:

Compliance risks including violations of laws, rules or regulations or non-compliance with policies and procedures;
Reputational risks including dissatisfied members or regulation violations that lead to public enforcement actions;
Operational risks including losses from failed processes or systems, or losses of data that result in privacy issues;
Transaction risks including problems with service or delivery; and
Credit risks if a third-party is unable to meet its contractual obligations.

To help eliminate some of the risk that comes when working with third-party providers, there are several steps a credit union should take and processes that should be put into place before entering into an agreement with an outsourced provider. Before entering into a third-party relationship, credit unions should:

Determine whether the relationship complements their credit union’s overall mission and philosophy;
Document how the relationship will relate to the credit union’s strategic plan;
Design action plans to achieve short-term and long-term objectives;
Perform proper due diligence on all vendors;
Assign authority and responsibility for new third-party arrangements; and
Weigh the risks and benefits of outsourcing business functions with the risks and benefits of maintaining those functions in-house, if possible.

Once a vendor is selected, credit unions should:

Adopt risk management processes to coincide with the level of risk and complexity of its third-party relationship;
Implement an effective risk management process throughout the life cycle of the relationship including: plans that outline the credit union’s strategy, identification of the inherent risks of the activity, and detailing of how the credit union selects, assesses, and oversees the third-party;
Have written contracts that outline the rights and responsibilities of all parties;
Implement a process for ongoing monitoring of the third-party’s activities and performance;
Have a contingency plan for terminating the relationship in an effective manner; and
Have clear documentation and reporting to meet NCUA regulations and requirements.

Following all of these steps and ensuring third-party relationships are managed correctly can be a time-consuming, often cumbersome responsibility for credit union staff. In response, credit unions are looking for ways to more efficiently perform due diligence and manage their outsourced vendors, protect themselves from risk, and maintain NCUA compliance and requirements. Credit unions often determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. When implemented correctly, automated vendor management solutions can save a tremendous amount of time and money, reduce risks and eliminate potential compliance issues.

For more information please download our white paper, Why Automation is the Answer to Credit Unions’ Vendor Management Challenge

Why Automation is the Answer for Credit Unions’ Vendor Management Challenge

How confident are you in the management of your vendors?

10 May 2017

Compliance, Credit Unions Chuck Copland 0 comment

Six Ways to Strengthen your Credit Union’s Vendor Management Program

Credit unions rely on third-party providers to offer specialized services and technology assistance to keep their operations running smoothly and help improve the overall quality and efficiency of their organizations. Vendor management has always been an important issue for credit unions, but with increased scrutiny from the NCUA, they now run greater risk of getting fined for not adequately managing their third-party vendors. In response, many credit unions are looking for ways to more effectively manage their roster of outsourced vendors while protecting themselves from the associated compliance risk.

Here are six steps to more efficiently monitor and manage third-party providers, ultimately strengthening a vendor management program:

Perform Thorough Due Diligence

The due diligence process ensures that a credit union has a consistent and reasonable approach to vetting its vendor relationships — especially if the vendor is providing a core business function or has access to personal confidential information. It’s not enough to perform due diligence during the initial vetting stage. Conducting diligence throughout the relationship, especially with mission-critical vendors, is essential to avoid being blindsided. Properly vetting and managing vendors will reduce risk for the credit union, while also ensuring all FFIEC and NCUA regulations and requirements are met.

Develop Consistent Risk Assessment

To properly assess risk exposure for vendors/services, establish consistent criteria to appropriately weigh the risk each poses to the credit union. This will help you grade or designate a level of criticality and risk for each service and each vendor. For example, will a vendor have access to private member data? Will it operate with our core system? The criticality will have a significant impact on the review process, as a more critical service or vendor will ultimately require more due diligence to be performed.

Incorporate Vendor Management into the Business Continuity Plan

If a credit union does not thoroughly analyze its vendors as part of the business continuity planning (BCP) process, it opens itself up to the risk of extended downtime. It is crucial for credit unions to know exactly how they are going to recover if their vendor goes down. Business Continuity/Disaster Recovery capabilities should be reviewed to determine if they align with the credit union’s Recovery Time Objectives. Regulators expect and mandate that credit unions have alternative procedures and processes in place in the event of disruption of service from a mission-critical provider.

Board of Director Involvement

The responsibility for properly overseeing outsourced relationships and the risks associated with that activity ultimately lies with the credit union’s Board of Directors and its senior management. It is typically the Information Security Officer (ISO), or sometimes the CIO or CTO, who is responsible for communicating with the Board and helping manage the process. In order to effectively communicate the need for comprehensive vendor management to the board, the ISO must first thoroughly understand exactly what examiners are looking for. NCUA’s Supervisory Letter 07-01 is designed to help credit unions better understand and manage the risks associated with outsourcing. This should not be a one-way line of communication. Board members are expected to understand the process and risks clearly enough to provide a credible challenge to the ISO when appropriate.

Monitor and Control the Vendor Relationship

Proper Vendor Management is cyclical. Staying abreast of important key dates, contract changes and upcoming vendor reviews and contract renewals is a key step in a vendor management program. Not doing so can end up costing you significantly, not to mention the added burden of inefficiencies if the process is not handled well.

Implement an Automated Vendor Management Solution

Many credit unions are looking for ways to more effectively manage their outsourced vendors, protect themselves from the risk, and maintain FFIEC compliance. Oftentimes, credit unions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. Moreover, an automated solution helps hold vendor managers accountable to a process that often gets “put on the backburner.” A complete vendor management system also ensures your Board of Directors and management are notified of all of the critical activities and actions required to effectively monitor a third-party relationship, ensuring all risk assessments, controls reviews and documentation are up-to-date.

Leveraging the skills and experience of third-party service providers can help credit unions better meet their members’ needs while accomplishing their strategic goals. Those that implement a solid vendor management program — and actively manage those relationships — will have the greatest level of success.

22 Feb 2017

Jumping through hoops for vendor management

Banks, Compliance Christine Ray 0 comment

Northside Bank Enhances Compliance Posture with Safe Systems’ Vendor Management Solution

Vendor management has always been an important issue for bankers but with increased regulatory demands, examiners are now citing financial institutions for not adequately managing their third-party vendors. In response, many financial institutions are looking for ways to more effectively manage their roster of outsourced vendors while protecting themselves from the associated compliance risk.

Georgia-based Northside Bank is just such an example, as it wanted to streamline its vendor management program to more efficiently monitor and manage its third-party providers. The bank began researching vendor management solutions to find a partner that could adequately meet its compliance needs, and after careful evaluation, selected Safe Systems’ industry-specific, automated vendor management solution. As a result, the bank is now able to cost-effectively execute its vendor management initiatives despite its lean IT staff.

“We needed help simplifying our vendor management processes to better meet regulatory requirements,” said Kim Grimes, VP, Director of Information Systems at Northside Bank. “With only one internal IT resource at the bank, Safe Systems helped us more efficiently manage our third-party vendors and successfully achieve our IT, security and compliance goals.”

Improved Compliance and Streamlined Processes

The products and services Safe Systems provides have enhanced the bank’s ability to meet regulatory needs and provide the necessary technology to both its staff and customers. The bank reports that Safe Systems’ application and support services have also produced meaningful time savings, allowing bank staff to focus more time and energy on additional revenue-generating activities.

“Working with Safe Systems has really simplified our vendor management process,” said Grimes. “Not only are the manual, time-consuming responsibilities now fully automated, but our exam process has been much smoother and regulators have been impressed with our program. In fact, our auditors and examiners have even commented that the Safe Systems solution is such a comprehensive product.”

A Trusted Partner

While the bank originally selected Safe Systems for NetComply, through the years it has added additional Safe Systems solutions including, Continuum and C-Vault disaster recovery services, SafeSys Mail hosted email along with the Vendor Management Solution.

“We consider Safe Systems to be a true partner to our bank and we greatly value their knowledge and support,” said Grimes. “Working with the Safe Systems team enables our bank to thrive in today’s challenging environment. They truly understand our business and what examiners require from us, and have the staff and products to support, meet and exceed those expectations.”

23 Jan 2017

Banks, Compliance Chuck Copland 0 comment

Vendor Management – The Importance of Management and the Board of Directors

Vendor Management Board

Financial institutions rely heavily on third-party service providers to offer specialized expertise and services to ensure the institution is successful – something reflected by the results of Safe Systems’ recent 2017 Community Bank Information Technology Outlook Study. In fact, when you add up the number of third-party providers associated with a single institution, the total can be staggering. Results of the study indicate that 32% of respondents currently manage 1-25 vendors; 31% manage 26-50; and 28% manage between 51-100 vendors.

The responsibility for properly overseeing outsourced relationships and the risks associated with that activity ultimately lies with the institution’s board of directors and senior management. It is the Information Security Officer (ISO), or sometimes the CIO or CTO, who is responsible for communicating with the board and helping it manage the process. Unfortunately, sometimes senior management and/or the board may not fully understand the need for comprehensive vendor management, or the pitfalls of neglecting due diligence of service providers.

In order to effectively communicate with the board, the ISO must first thoroughly understand exactly what examiners are looking for. Federal regulators have issued guidelines recently to help institutions better understand and manage the risks associated with outsourcing a bank activity (including functions that support a bank activity) to a service provider. The FFIEC IT Examination Handbook was revised to help guide banks, their boards of directors and management on how to properly establish and maintain effective vendor and third-party management programs.

Understand Examiner Expectations for the Board and Senior Management

Lack of board and management involvement has direct consequences. Inability to prove board oversight can lead to a poor CAMELS score (and subsequent FDIC insurance premium increase), enforcement actions such as an MOU (Memorandum of Understanding), or financial penalties. Examiners expect the board and senior management to develop and implement enterprise-wide policies to govern the outsourcing process consistently. These policies should address outsourced relationships from an end-to-end perspective, including establishing the need to outsource a function, selecting a provider, negotiating the contract, monitoring the vendor regularly, and discontinuing the business relationship. Examiners also expect to see evidence that an institution’s higher-risk vendor relationships receive additional scrutiny above and beyond providers that present less risk to the institution.

2018 Community Bank Information Technology Outlook

Primary Research and Analysis of Your IT Priorities
in 2018

Streamline Vendor Management Oversight

While it is more important than ever for the board of directors and management to oversee and manage the risk associated with vendors, many continue to struggle with the best way to efficiently and successfully accomplish this. According to the survey, 48% of respondents are still using a basic spreadsheet to manage their vendors. While this may have worked in the past, regulators now expect all vendors to be assessed, easily overwhelming the manual process. In addition, spreadsheets provide no proactive alerting mechanism for expiring contracts and upcoming vendor reviews. They also do not provide the ability to collaborate across the organization and make producing management reports and documentation more challenging than it should be.

Many financial institutions are looking for ways to more effectively manage their outsourced vendors, protect themselves from the risk, and maintain government compliance and regulatory requirements. Oftentimes, financial institutions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions built around the specific needs of all of the key players within the financial institution saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. A complete vendor management system ensures your board of directors and management are notified of all of the critical activities and actions required to effectively monitor a third-party relationship, ensuring all risk assessments, controls reviews and documentation are up-to-date.

Communicating with the board of directors and upper management can be a daunting task, but it is extremely important for financial institutions to ensure the appropriate people are involved in their vendor management program. Doing so not only saves the financial institution time in the long run by helping to focus resources, but also helps protect financial institutions from future poor exams, penalties, fines and additional regulatory scrutiny. Ultimately, it is the Board of Director’s responsibility to protect itself and its sensitive data. Having buy-in and participation from the Board and Senior Management helps ensure that this important Information Security process gets the attention it requires.

For more information please download our complimentary white paper, 2017 Community Bank Information Technology Outlook Study.

11 Jan 2017

Banks, Compliance Jamie Davis 0 comment

5 Consequences of Doing Nothing: Why a Proactive Approach to Vendor Management Should Be a Top Priority for Your Bank

Why a Proactive Approach to Vendor Management Should Be a Top Priority for Your Bank

In today’s fast-paced banking environment, most financial institutions use a number of third-party vendors to keep bank operations running smoothly. In a recent banking survey, 47 percent of banks cited the use of spreadsheets to help keep track of their third-party providers. While many banks have systematized vendor management and implemented new vendor management software, there are still a large number of banks that do not actively manage their vendors at all. Further still, there are some institutions who view “vendor management” as simply knowing who their vendors are based on a review of the bank’s accounts payable report.

While an accounts payable report allows the bank to keep track of each vendor partner and the services they provide, this is not what regulators are looking for when evaluating an institution’s vendor management program. According to the FFIEC IT Examination Handbook, having a comprehensive list of vendors means nothing if it is not being used to identify risks and manage compensating controls of those risks for each third party service provider. Without a proactive approach to vendor management, banks are opening themselves up to increased levels of risk that can have a negative impact on the institution’s financial standing, compliance posture and overall ability to serve its customers.

Why a Proactive Approach to Vendor Management Should Be a Top Priority for Your Bank

Here are the top 5 consequences your bank could face by not having a solid vendor management program in place:

Missing Yearly Opt-out Dates

Today, too many banks are taking a reactive approach to vendor management which can lead to some major problems for these institutions down the line. For example, a bank may be unhappy with its current vendor and want to look for other alternatives, but in this reactive approach, the bank is really only managing its vendors when there is an immediate issue. When it comes to vendor management, proactively monitoring third-party providers and fully understanding the parameters of the vendor contract can help alleviate this by preventing an institution from being locked into a contract with a vendor that is not performing up to standards.

Unnecessary Costs

Contract management represents a major component of effective vendor management and overall budgeting and profitability. We’ve found that once banks begin an efficient vendor management program, they have a better picture of how their money is being spent, as many discover that they’ve been spending money on services that their bank is no longer using. A common, simple example is a bank that had been spending $45 monthly on a phone line for a fax machine that was no longer in the branch. While by itself, this is a relatively small expense, when bundled with other incremental savings, it can lead to meaningful savings.

Loss of Critical Bank Services

What would happen if your bank’s item processing provider went out of business without warning? For many community banks, this could lead to weeks of researching new vendors, evaluating each choice, and negotiating new contracts. For many banks, being without a critical service is not an option, so it is imperative that banks closely monitor their vendor’s financial statements and have alternative options in place.

Vendor Cybersecurity Events

Without a solid vendor management program, financial institutions may actually be opening themselves up to increased cybersecurity risk. Community banks should understand that their cybersecurity posture is only as good as the cybersecurity of their vendors. Often, a third-party service provider can unknowingly provide a back entrance to hackers who are looking to steal sensitive customer data. Having a procedure in place to identify the risks associated with each vendor will help banks to effectively research third-party providers and help mitigate potential risks to the institution

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

Non-compliance With Government Regulations

Today, bank vendor management processes must align with examiner expectations or the institution runs the risk of being written up and receiving a low CAMELS score. If you are not properly tracking, reviewing, and heavily monitoring your vendors, your bank could be sitting on a time bomb. Some financial institutions haven’t received a written warning from examiners yet only because they haven’t had to update their processes for some time, or because the regulator was focused on another process at the time of the last review. In our experience however, a bank is rarely written up for just one offense. If an examiner sees that the bank isn’t following through on vendor management, they may begin to look more closely into its business continuity plan or cybersecurity procedures as well.

Why a Proactive Approach to Vendor Management Should Be a Top Priority for Your Bank

Since regulators have placed higher importance on how community banks manage their vendors, it can be extremely difficult (or impossible) to gain the required level of insight from a list or a spreadsheet. Simply knowing who your vendors are is not what regulators are looking for. Examiners expect banks to take appropriate steps to mitigate risk and keep the institution safe. Therefore, it is important to have a good understanding of which vendors have access to your institution’s data and how that impacts the banks’ ability to function on a daily basis.

Financial institutions can take a more proactive approach by including non-disclosure agreements, tracking vendor contracts, having a third-party audit their vendors, and analyzing the existing – and emerging — risks. Banks should also confirm that their vendors have the right controls in place to serve the institution properly and have a backup plan in place should that vendor fail to perform. Proactively managing vendors allows banks to better meet regulatory demands, prepare for the unexpected and maintain their good reputation.

26 Oct 2016

Banks, Compliance Tom Hinkel 0 comment

The Importance of Integrating Vendor Management and Business Continuity Planning for Community Banks

In today’s banking environment, most financial institutions rely on third party service providers (or vendors) to conduct business on a day to day basis. In fact, without the help of third party service providers, a bank’s ability to provide products and services to customers would be severely impacted. When banks choose to outsource key bank functions to a service provider, however, it creates a reliance on that third-party and exposes the institution to the risk of not being able to resume operations in a desired timeframe in the event of a disruption.

When creating a business continuity plan, financial institutions have to be able to account for all interdependencies within the institution and evaluate the risks. Interdependencies can be classified into assets, or things you own, and vendors, or things you outsource. The FFIEC recently issued new BCP Guidance in the form of an addendum to the IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers. The guidance requires institutions to have certain controls in place to mitigate these risks and discusses a few key points regarding the management of third party providers:

“Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.”
“Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.”
“Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.”

Why Does VM Come into Play When Talking About BCP?

As banks evaluate vendors, they are assessing several key elements, but mainly, the criticality of the product or service the vendor provides. In doing so, bankers should be asking: How important is this vendor to what we do? If they fail, how many of our services fail? Criticality is expressed in terms of Recovery Time Objectives (RTOs). Each bank must determine their own unique RTOs for their institution, and must also assign the same RTO to the third-party vendor. Banks then assign the criticality rating to the vendor based on the criticality of the service that the provider supports. This helps ensure the vendor is equipped to adequately perform their agreed upon task so the bank can conduct business as usual. If the provider is not up and running, then the bank can’t be up and operating either, at least not without work-arounds in place.

When doing BCP planning, the financial institution must look at all areas of the bank and the services and products provided – teller services, lending services, ATMs, accounting, etc. and identify all of the interdependencies or third parties necessary to make these services happen. BCP also looks at RTOs for the entire process. So, if the bank assigns an RTO of one day to the teller process on the BCP side then everything that process requires, including a third party provider, also now inherits that same RTO on the vendor side. There must be a tight cohesion between the vendor management process and the BCP.

Successfully integrating vendor management and business continuity planning is critical for financial institutions, especially when adhering to the FFIEC regulations and guidance. While this can be a tough assignment for bankers, it is a necessary process that has a direct impact on the health of the institution.

Taking Business Continuity Planning to the Next Level:
A Better Way for Banks

Learn how examiners are increasing their focus on BCP, the risks involved in relying on a single individual, and better ways to develop your plan.

20 Jan 2016

Banks, Compliance Tom Hinkel 0 comment

Banks Can’t Outsource Responsibility, but You Can Ensure a Solid Vendor Management Program

Banks Can't Outsource Responsibility, but You Can Ensure a Solid Vendor Management Program

You Can’t Outsource Responsibility

The vast majority of financial institutions rely on third-party service providers to offer not only specialized IT services and technology assistance that help improve the overall quality and efficiency of the organization, but also for the software and hardware that actually run their business. However, even when a service is outsourced, the ultimate responsibility for the management of the vendors and the risks associated with that activity lies with the financial institution, specifically the Board of Directors and the senior management team.

The Burden of Vendor Management

All federal regulators have issued guidelines recently to help financial institutions understand and manage the risks associated with outsourcing a bank activity (including supporting a bank activity) to a service provider. To remain compliant with governing organizations, it is important for all financial institutions to find ways to strengthen their vendor management programs.

While it is more important than ever for financial institutions to manage the risk associated with vendors, many struggle with the best way to efficiently and successfully accomplish this. Most community financial institutions do not have a formal internal department dedicated to vendor management. In fact in a recent survey, only one out of 300+ of our financial institution clients has a full-time dedicated vendor relationship manager. Instead, because many outsourced relationships have a technology component, this responsibility often falls to the IT department or the ISO. Furthermore, most still perform this process manually, potentially leaving the institution vulnerable to risk.

Finding the Right Partner

Many financial institutions are looking for ways to more effectively manage their outsourced vendors and protect themselves from the risk, often referred to as inherited risk, acquired by association with outsourced service providers. Financial institutions must be aware and responsible for any cybersecurity risks of their vendors, and the potential for any vendor that stores, processes or transmits data to expose the bank or credit union to additional risks. In addition, the criticality of the vendor must also be assessed. What specific processes performed by the institution require proper operation and/or support from the vendor? Does the contract specify both required actions as well as specific remedies in the event of a cybersecurity incident at the vendor?

Is Automation Right for You?

So, what is the best way to manage this risk in an efficient manner while not overwhelming the vendor manager? Oftentimes, financial institutions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions built around the specific needs of all of the key players within the financial institution saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. A complete vendor management system ensures your vendor managers (and any other stakeholders) are notified of all of the critical activities and actions required to effectively monitor a third party relationship, such as ensuring all risk assessments, controls reviews and documentation, is up to date.

Vendor Management Tool from Safe Systems

Complimentary eGuide
Why Automation is the Answer for Community Banks’ Vendor Management Challenge

Automating vendor management functions not only saves your financial institution time today by helping you focus your resources, but also helps protect you from future regulations and guidelines. It also reduces costs through closer oversight of contract renewals; provides reporting to all stakeholders; and generally increases security (including cybersecurity) throughout the organization.

Ultimately, it is the financial institution’s responsibility to protect the financial institution and its sensitive data no matter where that data is stored, processed or transmitted, and an automated vendor management solution is an important step in this process.

10 Nov 2015

Banks, Compliance, Credit Unions Darren Bridges 0 comment

Safe Systems Introduces Vendor Management Software for Banks and Credit Unions

Recent cybersecurity incidents affecting financial institutions have largely involved third-party service providers, prompting increased attention by regulators, and increased scrutiny on oversight of third party relationships. To maintain compliance with today’s stringent regulatory environment, community banks and credit unions must ensure their vendor management processes monitor and document every aspect of their vendor relationships, including vendor concerns such as financial viability and information security practices of their vendors.

To address this concern, we at Safe Systems are now offering our new vendor management solution to the marketplace. This web-based software automates the process of contract management, product risk assessment, and controls review to help banks and credit unions effectively manage third-party service providers and maintain regulatory compliance. This proven solution has been in use by a select group of approximately 20 client institutions during the past year.

“By the time I had used Safe Systems’ Vendor Management application for several weeks, I was convinced that this product met State Bank of Cochran’s needs for an automated vendor management solution. Their Vendor Management application met all of the regulatory specifications of a sound vendor management program: risk assessment, due diligence in selecting a third party, contract structure and review, documentation and reporting, as well as independent reviews, and ongoing oversight,” said Leesa Anderson, CTO of State Bank of Cochran.

Complimentary eGuide
Why Automation is the Answer for Community Banks’ Vendor Management Challenge

As a Software as a Service (SaaS) solution, our vendor management software centralizes vendor profiles and data into a client dashboard to provide real-time alerts, reporting, and recommended controls. This customizable solution enables banks to automate vendor management activities, assess risk, and easily upload and track contracts from multiple vendors. Our vendor management solution also stores information in a SOC1 and SOC2 audited datacenter and integrates vendor information into our client management portal, “the Safe.” In addition, we provide ongoing training and consulting services with each license.

Vendor management is often the most under-manned function within a bank’s IT department. Many community financial institutions keep track of their vendor management activities manually using spreadsheets, but with our web-based software solution, banks and credit unions can easily monitor and manage multiple third-party service providers; understand the level of risk each vendor poses to your institution; and ensure compliance with regulatory guidelines.

03 Nov 2015

Banks, Technology Jamie Davis 0 comment

What Community Banks Should Budget for, but Often Forget

Money Tree

As 2016 budget season quickly approaches, I wanted to share the IT, Security and Compliance budget items community banks and credit unions should budget for, but often forget. While creating a budget can help you execute your strategy, any shortcomings (to respond to changes in regulation or things you didn’t think about ahead of time) can quickly derail your plans and force you to make critical trade-offs. Since we work with more than 300 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints. While this list is not comprehensive, it highlights the top items you should consider as you build your budget for 2016.

Here’s our list of what banks often forget to (but should) include in their budgets.

1. Business Continuity Planning and Testing: $3,000 – $8,000

You must ensure that your business continuity policies, procedures and practices are in compliance with constantly changing regulations. A business continuity plan (BCP) should be a living, functional document that keeps pace with any changes in your infrastructure, strategy, technology and human resources. Be sure to budget for the following:

BCP updated to meet current regulations
Annual plan testing to validate
Training for gaps found during test or updates to the plan

2. Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

Cybersecurity has come under increased regulatory focus, and with the latest Cybersecurity Assessment Tool being released this year, it promises to be a hot topic for the foreseeable future. You need to make sure you keep your security, business continuity and vendor management policies and procedures up to date.

3. New and Replacement Technology: $500 – $10,000

Be sure all products that vendors are sun setting are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices.

Server 2003 servers
VMWare ESX nodes 5.1 or lower (end of support August 24, 2016)
SQL 2005 or earlier instances (end of support April 12, 2016)
Domain replication from FRS to DFST
Extending warranties on hardware more than 3 years old
VEEAM Backup & Recovery version to 8 or higher

4. Robust Vendor Management Solution: $2,500 – $5,000

With financial institutions delivering more products and using more vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become quite cumbersome. An automated solution may enable you to be more efficient and will ensure all i’s are dotted and t’s are crossed.

5. Training: $500 – $1,500

6. Vendor and User Conferences: $1,000 – $1,800

It is important to stay up to date with the latest features and industry changes. One way to do this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Including these items within your 2016 budget now will prevent you from having to make difficult decisions and trade-offs next year.

Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.

27 Oct 2015

Banks, Compliance Tom Hinkel 0 comment

Banks – Reduce Risk, Increase Compliance with Vendor Management Software!

Today community financial institutions are increasingly relying on third party vendors for critical software, products and services. Regulations repeatedly make it clear that the use of third party vendors or service providers does not reduce the responsibility of your financial institution to ensure that data is safe, secure and complies with all applicable laws, regulations and security best practices. Often this is accomplished through a vendor management function within your bank or credit union.

It is more important than ever for financial institutions to manage their vendors, but many struggle with the best way to efficiently and successfully accomplish this. Until recently, most intuitions had only a handful of managed vendors, which could be tracked manually via a spreadsheet. While this may have worked in the past, regulators now expect all vendors to be risk assessed, easily overwhelming the manual process. In addition, spreadsheets provide no proactive alerting mechanism for expiring contracts and upcoming vendor reviews. They also do not provide the ability to collaborate across the organization and make producing management reports and documentation challenging.

Banks and credit unions should strongly consider the benefits of automating their vendor management functions using vendor management software designed specifically for the requirements of financial institutions. Implementing an automated solution for managing vendor relationships saves a tremendous amount of time and virtually eliminates compliance headaches.

Complimentary eGuide
Why Automation is the Answer for Community Banks’ Vendor Management Challenge

Centralize critical vendor management data

Having an automated system in place helps ensure all vendor information such as contracts and audit reports are located in one place. A centralized location provides financial institutions a way to efficiently manage multiple vendors and all the activities involved in managing a vendor relationship; from assessing the risks, to evaluating controls. It also ensures easy access for all those within the institution who are involved with managing the relationship. The ability to assign multiple vendor managers is an important feature for institutions struggling with the burden of addressing a greatly increased workload.

Use technology to manage the vendor management process

An automated online alerting feature ensures all bank and credit union stakeholders are notified of important key dates, including contract renewals (including auto-renewals), upcoming vendor reviews and annual Board reviews. It offers a comprehensive, up to the minute summary of the vendor relationship and ensures your financial institution is alerted to significant dates and all required activities.

Automate reporting and documentation processes

Automated systems also make providing proper documentation and reports to regulators a lot easier. In order to comply with newly implemented FFIEC regulations, every bank and credit union must be able to provide proper documentation on the monitoring of its vendor management program. Automated solutions provide reports that include a comprehensive inventory of vendors, due diligence results, contracts, risk management reports, reports to the board of directors and management committees.

Automating vendor management functions not only saves time but also helps with ensuring your financial institution is in compliance with all the increased regulatory expectations and guidelines now in effect around vendor management. Ultimately, it is your financial institution’s responsibility to protect your customers and members and their sensitive data. An automated vendor management solution is a very effective tool for not only properly managing the process, but providing the necessary proof in the form of documentation to all stakeholders – management, auditors, and examiners!

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

13 Oct 2015

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Vendor Management Best Practices for Community Banks and Credit Unions

Vendors play an important role in the financial services industry. Financial institutions rely on third-party service providers to offer specialized services and technology assistance that help improve the overall quality and efficiency of their organizations.

To perform these services, vendors often must access, transmit, store or process sensitive information, including customers’ personal information. Financial institutions are responsible for managing the inherited risk, which is the residual risk the institution acquires, or inherits, from each service provider. Financial institutions must be aware of and responsible for any cybersecurity risks of their vendors and the potential for those vendors to expose the bank or credit union to additional risks.

Regulators have issued guidance to help in understanding and managing the risks associated with outsourcing a bank activity to a service provider. To remain in compliance with governing organizations, it is important for all financial institutions to strengthen their vendor management programs. These enhancements safeguard the confidentiality and availability of the data and also minimize the impact if a data breach occurs.

To help your community financial institution execute vendor management safeguards, here are some best practices for implementing a successful, secure and compliant vendor management program.

Complimentary eGuide
Why Automation is the Answer for Community Banks’ Vendor Management Challenge

Centralize Vendor Information

To efficiently manage multiple vendors and all the activities involved in managing a vendor relationship, it is important to have all information housed in one centralized location. It also serves as a central repository for regulatory reporting.

Assess Risk

Have a list of all vendors that conduct businesses with the financial institution and rank each vendor according to its level of access to critical data and importance to operational activities. For most institutions, only about 10-15% of vendors are considered high risk, but all outsourced relationships must be risk-assessed. Establish a risk tier and implement different controls for the different risk levels.

Review Controls and Perform Due Diligence

Once risks have been assessed, the financial institution should perform due diligence for all vendors, with the intensity of the effort commensurate with the risk category; low risk vendors may only need a cursory review, while high risk vendors need a deeper dive. Due diligence activities include reviewing and assessing the vendor’s financial health; knowledge and familiarity with the financial services industry and banking regulations; information security controls in place and ability to recover from breaches or disasters. These activities and the vendor relationships need to be documented and procedures put in place; that ensure the vendor information is updated and monitored on an ongoing basis. These same procedures must also insure that service providers are complying with any applicable consumer finance laws and regulations, and have a plan in place to promptly address and identify problems.

Proper Documentation and Reporting

In order to comply with newly implemented FFIEC regulations, every bank and credit union must be able to provide proper documentation on the monitoring of its vendor management program. This documentation should include (at a minimum) a current inventory of vendors, due diligence results, contracts, risk management reports, reports to the board of directors and independent review reports. It should also be able to easily identify all high inherent risk vendors and all high residual risk vendors.

Following these steps will help ensure your financial institution is in compliance with the regulations and guidelines around vendor management. Ultimately, it is the financial institution’s responsibility to ensure all sensitive data is protected. Implementing the above processes and procedures will help create a solid vendor management.

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

07 Oct 2015

Banks, Compliance Tom Hinkel 0 comment

Vendor Management — An Undermanned Function in Community Financial Institutions

Successfully managing your vendors

While the issue of vendor management and oversight is not new to the financial services industry, recent enforcement regulations actions by the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB) and the Federal Financial Institutions Examination Council (FFIEC) have given financial institutions a new set of regulations to follow.

The Times They Are a-Changin’

In fact, earlier this year the FFIEC issued an update to the Business Continuity Handbook to assist financial institutions in understanding and managing the risks associated with outsourcing a bank activity to a service provider. The new appendix, appendix J, entitled Strengthening the Resilience of Outsourced Technology Services, focuses on third-party oversight and cybersecurity, confirming that these two areas will come under ever-increasing scrutiny. Banks are now more than ever, encouraged to conduct due diligence and take their own steps to ensure vendors address security gaps.

The definition of service provider has expanded, which means that most institutions will need to expand their list of managed vendors way beyond simply those that provide banking services. The Federal Reserve issued a regulatory update in 2013 titled “Guidance on Managing Outsourcing Risk.” In it, they defined “service providers as all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.”

Regulators know the vast majority of financial institutions outsource at some point, in fact recent studies put the number of financial institutions that either transmit, process or store information with third-parties at more than 90 percent. They also know that most recent cyber security incidents affecting financial institutions involved third-party service providers.

CyberSecurity is an additional reason for enhanced vendor management.

Why? Because banks must manage the “inherited risk” of their vendors. Inherited risk is the residual risk the institution acquires, or inherits, from each service provider. Banks must be aware and responsible for any cybersecurity risks of their vendors and the potential for those vendors to expose the bank to additional risks. Incident response is also an area financial institutions need to monitor and control, because when preventive controls aren’t effective, responsive controls must compensate.

Complimentary White Paper
Why Automation is the Answer for Community Banks’ Vendor Management Challenge

Spreadsheets are simply not enough

Most community financial institutions do not have a formal internal department dedicated to vendor management and have historically failed to stay on top of their third-party relationships because of a lack of manpower and resources. In fact, only one out of 300 of our clients, has a dedicated vendor relationship manager. Instead, this position usually falls underneath the IT department, on a part-time basis and many still perform this process manually. About 90 percent of our clients keep track of their vendor management activities manually using Excel. However, for an average community financial institution to properly perform vendor due diligence and vendor management, some form of automation is required because the process of managing ongoing due diligence and contract tracking with multiple vendors is a very time consuming task.

In addition, a certain set of expertise is required to adequately perform this important function. To adequately perform vendor management responsibilities, the person must be able to maintain their expertise on an ongoing basis, have the time to work closely with the business manager who owns the relationship and be able to work with the vendor or other stakeholders within the bank when necessary, as well as have a strong technology background and truly understand banking and financial services.

With regulators now demanding greater control and accountability from financial institutions, how will your financial institution enhance its vendor management program?

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture