Author: Jamie Davis

21 May 2020
The Value of Network Reporting for Community Banks and Credit Unions

The Value of Network Reporting for Community Banks and Credit Unions

The Value of Network Reporting for Community Banks and Credit Unions

With increased cyber-attacks, shared data with third-party vendors, and strict regulatory requirements, community banks and credit unions have high standards to meet for information security. Adequate oversight and network reporting on the information security program is needed to ensure the proper controls are in place and that all stakeholders have visibility into the network.

In a recent webinar, Safe Systems shared some key observations on the need for financial institutions to have better communication and reporting between IT staff, the compliance department, and senior management. Here are a few key points to consider:

  1. Gaps Between IT Staff and ISO/Compliance Teams
  2. In many financial institutions, there is a lack of synergy and communication between the IT department and the information security/compliance team. Many ISOs simply do not have the technical background to fully understand how information is being protected. They tend to be more focused on vendor management, business continuity management, and performing risk assessments and less familiar with how systems are getting patched; if machines have antivirus; or if backups are updated consistently. It can be difficult to communicate effectively if ISOs don’t understand the IT world or don’t have visibility into network reports and the necessary information to do their job.

  3. Oversight to Better Manage Controls
  4. Because bank and credit union IT staff are human, sometimes errors will occur. While financial institutions have many technology solutions that automate IT functions and controls, oversight is required to ensure that the controls are adequate, working, and therefore mitigating risks. Without appropriate oversight, any gaps in the network can lead to a successful cyber-attack. Similarly, a finding during an exam that shows certain controls were implemented ineffectively can also leave the institution vulnerable.

  5. Limited Access to Reports
  6. Too often, when ISOs conduct a review of the information security program, the reports they receive are vague or too technical to decipher the key insights most important to the ISO role. Other key stakeholders, like the Board and senior management, also may need more access to high-level reports to better identify threats, assess risk, and make decisions on the appropriate controls to implement.

    Without access to adequate reports, the ISO and other stakeholders can become overly reliant on the IT team to explain what is happening on the network without having the ability to verify that information independently.

To learn more about information security reporting and get a demo of our NetInsight ™ cyber risk reporting tool, watch our webinar, “NetInsight: Trust But Verify.”

07 May 2020
How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

Disaster recovery is a concern for all financial institutions, regardless of size or location, and is essential to protecting data, infrastructure, and overall business operations. In addition to having a thorough disaster recovery (DR) plan, community banks and credit unions need to have a solid site recovery environment to facilitate a quick return to normal business operations, in the event of a natural disaster or other disruption.

Cloud disaster recovery solutions are growing in popularity among many community banks and credit unions. However, it is important to understand the key differences in site recovery models to determine the best fit for your institution.

In a recent webinar, Brendan McGowan, Chief Technology Officer at Safe Systems, outlined the three most common site recovery models available to community banks and credit unions today and discussed key considerations when implementing each.

In-House Site Recovery

When using an in-house site recovery model, financial institutions commonly have a virtualized server environment. These machines often run in a VMware vSphere environment which sits on top of a storage array. On the DR side, there is essentially a clone of the production environment to receive the replicated data. This works well for many financial institutions, however, there are a few considerations to keep in mind.

House Site Recovery

With in-house site recovery, you’ll need to:

  • Have redundant hardware in the DR environment at an additional cost.
  • Purchase an additional facility like a co-location or branch for DR.
  • Oversee hardware and software lifecycle management for both production and DR environments.
  • Set up dedicated connectivity like multi-protocol label switching (MPLS) to point replication to the DR environment.
  • Conduct regular maintenance to ensure all replications are healthy and perform periodic testing.
  • Have significant expertise and talent to make sure the system works correctly and consistently.

Cloud Site Recovery

In this model, the production environment remains the same, but the hardware and software used in the DR environment are replaced with a cloud-based solution. With cloud site recovery, financial institutions don’t have to pay for servers and computing time until the day they need to turn on the disaster recovery solution. Until then, the institution will only be billed for the amount of storage it consumes.

Cloud Site Recovery

When you use a cloud site recovery solution like Microsoft Azure Site Recovery, you create a storage pool to receive replication from a small server on-premise, which is the cloud site recovery replication server. The replication server works by having each of your production servers send its data changes in real-time to the cloud application server. This server is compressing, encrypting, and deduplicating all of the incoming data and continuously shipping it securely to your cloud site recovery storage pool.

With the cloud site recovery model, you no longer have to:

  • Deal with redundant hardware on the DR side since everything is stored in the cloud.
  • Manage hardware and lifecycle management on the DR-side.
  • Pay for separate facilities since the data is in the cloud, and you can store your data anywhere in the world.
  • Worry about dedicated connectivity because you can send all of the replication over the internet with a simple virtual private network (VPN).
  • Handle all of the maintenance or have the expertise required to run the system.

Cloud-Native Resilience

In the cloud-native site recovery model, both the production and disaster recovery environments are in the Cloud. To set up the cloud environment, using Microsoft Azure, for example, you can sign up for Azure Virtual Machines, which would correlate to VMware vSphere in your environment. After that, you can set up your production virtual machines.

Cloud-Native Site Recovery

At this point, you can register for cloud site recovery for your institution’s individual virtual machines. Once you’ve selected your machines for replication, the system automatically moves that data to whichever Azure zone you select so you get to choose some zone disparity.

In the cloud-native resilience model:

  • There is no Azure site replication server as there was in the cloud site recovery model.
  • Since both environments are cloud-native, all the data is in the cloud and you need not worry about a replication server. Simply check a box to turn it on.
  • In addition, file backup is also a simple checkbox for each server, providing you the option to choose the location to store the data.

Migrating to cloud-based services is a great option to reduce maintenance; significantly speed up the disaster recovery process; and improve overall operations for your institution. If you are interested in implementing a cloud-based disaster recovery solution, Safe Systems can help you determine the right environment for your institution.

To learn more about disaster recovery and moving to the Cloud, watch our recorded webinar, “The Cloud: Recovery and Resiliency is Just a Click Away.”

23 Apr 2020
Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

For many financial institutions, it has been a challenge to keep IT operations moving efficiently during this pandemic. Since community banks and credit unions are considered an essential business, they are required to continue to serve customers and members. This can be difficult when employees are unavailable or are forced to work remotely from their homes for the first time. Many financial institutions have questions about how to efficiently manage their remote workforce, while keeping the institution secure and employees, customers, and members safe.

To address these questions, Safe Systems’ Information Security Officer, Chuck Copland, VP of Compliance Services, Tom Hinkel, and Chief Technology Officer, Brendan McGowan held a live panel discussion last week covering ways financial institutions can manage banking IT operations during a pandemic. In this blog, we’ll cover a few of the top questions from the panel:

1. How would you suggest making sure that remote access vendors are vetted quickly but thoroughly?

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger scale use. To do this effectively, you first need to consider all of the risks associated with remote access and the potential impact on your organization. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the your new risk appetite.

2. What are some lessons learned about remote access for financial institutions during this pandemic?

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC.

When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution. With telecommute remote control tools, like LogMeIn and Splashtop, the user is working from a local computer at the office. These tools limit the abilities of the computer from interacting with the institution’s local network, often, making it a secure option for organizations that don’t want employees to have direct access to the network. Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely.

There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

What are you hearing from examiners? How are exams continuing during the pandemic?

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when the dust settles, and we go back to a more normal set of circumstances? What will examiners expect then?

Most likely, we expect them to be looking for a mature “lessons learned” document that financial institutions create to show what they have learned over the course of this particular pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

If you’d like to find out what other questions were answered during the live panel, watch our recorded webinar, “Ask Our Experts: Managing Banking IT Operations During a Pandemic.”

27 Mar 2020
What Community Banks and Credit Unions Should Do to Combat COVID-19

Facing a Pandemic: What Community Banks and Credit Unions Should Do to Combat COVID-19

What Community Banks and Credit Unions Should Do to Combat COVID-19

As the Coronavirus pandemic continues to rise throughout the world, it is important for community banks and credit unions to effectively carry out their pandemic plans to stop the spread of the virus and implement alternative ways to serve customers or members during this critical time. Safe Systems held a webinar last week covering five things all community banks and credit unions need to do during a pandemic. In this blog, we’ll cover a few of the key points from the webinar.

  1. Pandemic Testing
  2. According to the Federal Financial Institution Examination Council (FFIEC) guidelines, financial institutions need to have a “testing program designed to validate the effectiveness of the facilities, systems, and procedures identified” in their business continuity plan. In a pandemic, it is the people who are affected more than the facilities, so your systems and processes become more impacted than anything else.

    A preventative program has to address:

    • Monitoring outbreaks
    • Educating and providing appropriate hygiene training and tools to employees
    • Communicating with customers and members
    • Coordinating with critical providers and suppliers

    With the pandemic already underway, it can feel counterproductive to conduct a pandemic test for your financial institution. However, we’ve found it’s never too late to test and improve your pandemic plan, even in the midst of a crisis. Make sure you are validating your succession plan and cross training measures by purposely excluding certain key individuals from actively participating in the testing exercises you conduct for your institution. During a pandemic, important individuals may not be in the branch or available every day, so it’s important that you test your plan to make sure the institution can still operate efficiently.

  3. Social Distancing
  4. Social distancing is a term that’s come out of this global pandemic to stop the spread of the virus. The Center for Disease Control (CDC) states that individuals should keep a six-foot minimum distance from others to limit the spread of the virus, but how does this impact the way your financial institution does business? Think of how your teller line, customer service areas, lending offices, etc. are set up. For these more personal, face-to-face interactions, it is important for you to change the location set up to ensure the 6-foot distance is achieved to protect both the customer and employee. Here are some tips from the American Bankers Association® to consider:

    • Require non-customer facing personnel work from home and try limiting interactions of personnel as much as possible in offices.
    • Have staff sign in when they arrive and leave.
    • Designate times for “at risk” customers (because of age or condition) to visit the lobby when no others are allowed.
    • Make loans or open new accounts by appointment only. When you close a lobby, designate one drive-thru for business customers and one for consumers, as their transactions are very different and differentiating the two can help speed transactions.
    • Keep your messaging positive. Don’t not use the word “Closed” on your door or website; instead use “Appointments Available.” Remind customers that banks are never truly closed, thanks to online and digital platforms that provide customers with 24/7 access to their accounts.

    We are posting tips, resources, and FAQs from ABA, FDIC, NCUA, and our own Safe Systems’ experts on the homepage of our website.

  5. Security in Social Distancing
  6. For employees that are able to work from home, providing resources for working outside of the institution is another great option to keep staff and the public protected. If your staff members are working from home, here are a few things to consider to ensure the institution maintains both security and productivity.

    • Do your employees have enough bandwidth at home?
    • Do you have a dedicated VPN device?
    • Do you have a firewall to allow this connection?
    • Can the firewall/device handle the number of devices actively connecting remotely at one time?
    • Do you have enough licenses (if needed) for each user to connect remotely?

    When your staff is working from home, you still must worry about security. You will need to decide how they connect to your network, what device they use, and how that device is secured. For instance, if you are allowing an employee to use their personal computer, then reference your remote access policy. It should include rules for the appropriate cyber hygiene of the remote device (patching, antimalware, etc.), and should be signed by the end-user. OpenDNS offers free security options for DNS lookups on home computers, which is also a good consideration should you need to update or create a home PC access policy and requirements. You may also require multi-factor authentication as an additional precaution to keep the network secure.

Financial institutions provide critical services to their communities and must be able to support customers and have alternate ways of doing business during a pandemic.

If you would like to gain more insights on COVID-19 and listen to a brief Q&A from our compliance team and information security officer, download our recorded webinar, “5 Things Community Banks and Credit Unions Need to do During a pandemic.”


Watch Recorded Webinar


As many community banks and credit unions are still formulating their responses to the pandemic, we’d like to collect and share what steps financial institutions are actively taking to protect employees and customers while maintaining business operations. Please take a few minutes to complete this survey and tell us how your institution is responding to the novel coronavirus (COVID-19) pandemic.


How are you responding to the Pandemic? Take the Quiz


12 Mar 2020
Pandemic Planning for Covid-19

Pandemic Planning for Covid-19: What Community Banks and Credit Unions Need to Know

Pandemic Planning for Covid-19

With COVID-19 (Corona) Virus in the news, community banks and credit unions are evaluating how best to respond. In any business where face-to-face contact with the general population is expected, easy answers are not always available. According to the Federal Financial Institution Examination Council (FFIEC), pandemic planning, in advance of imminent risk to particular institutions, helps minimize the disruptions to services to consumers, businesses, and communities when such contingencies occur. To unpack how a community financial institution can prepare for a pandemic, let’s break the key issues into smaller pieces.

Ensuring Distance and Limiting Contact

How can a financial institution protect its employees? Working remotely is a great option for employees who do not need face-to-face interactions with customers or members. If you plan to have employees work remotely, how will they be able to securely connect to the network? There are many questions you’ll need to answer to ensure your institution can support employees and keep the institution safe:

  • Do you have a dedicated VPN device?
  • Do you have a firewall to allow this connection?
  • Can the firewall/device handle the number of devices actively connecting remotely at one time?
  • Do you have enough licenses (if needed) for each user to connect remotely?
  • Do your employees have enough bandwidth at home?

Take these points into consideration when building out your plans to have employees working outside of the physical branch or office location. These tools can help support a strong connection and protect the institution from outside security threats.

Review my BCP for Free

While working remotely is an option for some, it is not the case for all. So how can everyone limit the chance of person-to-person transmission of the disease? The Center for Disease Control (CDC) recommends maintaining a 6-foot distance between individuals. To manage this in an institution, moving customer-facing employees to the drive-through only for interactions with your teller line is an option. To limit the virus being transferred from paper, pens, etc., have the employees wear disposable gloves. In theory, an employee is much less likely to touch their face if they are wearing gloves, so it is important to stock your drive-through with boxes of disposable gloves and hand sanitizer. To show your customers or members that you care for their safety, buying individual packaged wet wipes and sending those with each transaction is a nice touch and shows your commitment to protecting everyone.

In addition, make sure the institution is keeping up with the CDC recommendations for Covid-19 and pass these along to your employees. Put posters up in your bathroom reminding people to wash their hands regularly with soap and warm water for at least 20 seconds. There are several studies available online that shows that soap and 20 seconds of scrubbing makes a significant difference in lowering your risk of transferring germs. And while it may seem draconian, institutions may need to impose a “no handshake and hugging” policy to set the expectation that you are keeping everyone’s health in mind.

Be sure that high traffic areas are cleaned regularly with chemicals that are proven to kill viruses. If the cleaning crew comes once a day, be sure they are wiping down all surfaces with the appropriate chemicals. If the cleaning crew comes less often, consider increasing their visits or assigning someone the job to wipe down all surfaces where employees work on at least a daily basis to decrease the likelihood of spreading the virus.

Developing New Methods to Serve Customers Effectively

Keep in mind that the teller line isn’t the only place where customers and members interact with staff, as Customer Service Representatives and lending officers can attest. Break down the steps required for each process and define when face-to-face contact is truly required. Maybe it is to obtain a driver’s license, create a signature card, or sign off on a loan.

  • How much of this can be done from a distance without creating awkward moments?
  • What does the law require?
  • What options does your institution have?
  • Which of these can you gather through the drive-through?
  • Which could be obtained via fax, email, digital uploads, eSignature-type software, etc.?

Your institution will need to review all critical processes to identify each step required to provide services while limiting contact as much as possible. Implement as many of these options as you can and follow up by testing each option and determining what works best for your institution’s unique needs.

In speaking with an institution recently, they stated they were having each department work from home on different days to test out their abilities in case they have to implement their pandemic plan. This approach has many great advantages. One, they are preparing their employees and their technology to ensure everything works. Two, they are performing a pandemic test, so as long as they document the results, they can provide their auditors and examiners proof of their preparedness at their next audit or exam.

Many community financial institutions pride themselves on the personal touch of face-to-face meetings and building business through face-to-face relationships. It is important to remember that having technology options available as backups for times of need doesn’t mean your institution is abandoning its roots long-term. It means you are taking the necessary precautions to minimize disruptions to service and protect both your employees and the public at large.


20 Feb 2020
What the NCUA’s 2020 Supervisory Priorities Mean for Your Credit Union’s ACET Cybersecurity Efforts

What the NCUA’s 2020 Supervisory Priorities Mean for Your Credit Union’s ACET Cybersecurity Efforts

What the NCUA’s 2020 Supervisory Priorities Mean for Your Credit Union’s ACET Cybersecurity Efforts

The National Credit Union Association (NCUA) released the Automated Cybersecurity Examination Tool (ACET) in 2017 to help credit unions assess their current cybersecurity preparedness level and since then, examiners have been primarily focused on making sure the assessment is completed. However, in January, the NCUA issued its supervisory priorities stating, “In addition to the ACET, the NCUA will be piloting new procedures in 2020 to evaluate critical security controls during examinations between maturity assessments.” This means that credit unions must now go beyond simply completing the ACET to successfully meet these expectations.

Safe Systems compliance expert, Tom Hinkel, held a webinar last month covering the difficulties of filling out the ACET and how credit unions can best prepare for the NCUA’s new procedures. Key points from the webinar included:

Challenges in Accurately Completely The ACET

Before taking the next steps in the ACET process, it is important for credit unions to understand how misinterpreting a question or a declarative statement can significantly impact the accuracy of the overall assessment. If the responses are inaccurate, then the conclusions aren’t going to be correct either. The main challenge is that most of the items in the inherent risk profile are open to interpretation, and how a credit union chooses to interpret those questions affects where it will set its risk level for each part of the assessment. The NCUA has added pop-up descriptions throughout the assessment to help with interpretation and while this is useful, it does not eliminate all possibility of misinterpretation. Having access to compliance expertise during this process can help provide more clarity for credit unions to ensure that each answer is truly accurate.

Steps Toward Cyber Maturity

Originally defined by the FFIEC, the five steps of the cybersecurity assessment process include: 1) completing the ACET; 2) identifying gaps; 3) determining desired state of maturity; 4) developing an action plan; and 5) reporting and reevaluating. However, many credit unions cycle back and forth between step one and step five without making sure that steps 2, 3, and 4 are completed as well. Without looking at the output of the assessment and making adjustments based on the results, the institution hasn’t improved its cybersecurity posture. It has just defined it. With the NCUA’s new supervisory priorities, examiners now expect credit unions to take the appropriate next steps to continually evolve their cyber maturity based on risk.

ACET Cybersecurity Graphic

Gap Analysis

The webinar covered how credit unions can better analyze their risk and control levels and identify cybersecurity gaps. A “gap” is defined as the difference between an institution’s residual risk level (risk after applying controls) and its risk appetite (where management expects the credit union to be). However, the ACET is clear that the risk assessment portion is designed to capture inherent risk, and the credit union must then be able to get from inherent risk (before controls are applied) to residual risk in order to conduct a meaningful analysis of its risk and control areas. The ACET doesn’t provide a straightforward way to do this, unfortunately, but it is a requirement in order to accurately identify the institution’s gaps.

Desired State of Maturity

Watch VideoYou’ve Completed the ACET, but Is That Enough?  Watch Recorded Webinar

Once an institution identifies “where it is”, the next step is to determine its “desired state of maturity,” defined as any level at (or below) the institution’s risk appetite. Cyber risk appetite—in turn—is defined as the amount of risk the institution is willing to accept when trying to achieve its objectives. The risk appetite is set and approved by the Board, and while they may decide a single enterprise-wide cyber risk appetite is sufficient, generally they will prefer to assign a separate risk appetite to each business process. Apart from how your institution decides to define cyber risk appetite, it is a critical step to get to the action plan.

Action Plan

The action plan is made up of the declarative statements that the institution plans to achieve prior to the next assessment in order to close the gap between the “current level” and the “desired state.” Because the threat environment is continually increasing, examiners now expect to see steady incremental increases and improvement over time. Essentially, if an institution is deemed stable on the risk side and doesn’t increase on the control maturity side, their cybersecurity posture is effectively moving backward. The webinar highlights how credit unions can use their ACET results to drill down from the domain level to the contributing components and from there to the individual declarative statements to identify and prioritize specific action plan objectives.

Report and Reevaluate

Finally, a significant part of the assessment is not just understanding where you are, where you need to be, and how you’re getting there, but also communicating your efforts clearly to all stakeholders. Credit unions need to show what improvements have been made and how those results were achieved. The FFIEC provided a document to CEOs and Boards to assist with this process. We believe superimposing your results on this graph demonstrates an effective way to present cybersecurity posture to your auditors and examiners, as well as the IT steering committee, and the Board:

ACET Cybersecurity Graphic

If you’d like to find out some best practices and tips to help improve your cybersecurity process and increase your compliance posture, download our recorded webinar: “Cybersecurity Preparedness: You’ve Completed the ACET, but Is That Enough? What Do Regulators Expect Next?”

13 Feb 2020
Reevaluating Business Continuity

Reevaluating Business Continuity: New FFIEC Guidance Equals Major Plan Overhaul for Banks and Credit Unions

Reevaluating Business Continuity

The FFIEC updated its BCP IT Examination Handbook in November 2019. In fact, the handbook is no longer called BCP (Business Continuity Planning) but is now called BCM (Business Continuity Management). This represents the first major update since 2015 and many community banks and credit unions may now be wondering what this means for their institution today, and what changes they’ll need to make to maintain compliance in the future.

Safe Systems compliance experts, Tom Hinkel and Jackie Marshall, held a webinar last month covering the new BCM guidelines and how auditors and examiners will assess plans going forward. The new guidance calls for community banks and credit unions to rethink their approach to business continuity and be prepared to make appropriate plan revisions, up to and including a complete overhaul. In this blog, we’ll cover a few of the key points from the webinar.

Strong Focus on Resilience

Watch VideoDoes the New Business Continuity Guidance Require a Whole New Plan? Watch Recorded Webinar

With the title change from business continuity planning to business continuity management, the business continuity plan is now just a subset of the overall BCM process, one in which a financial institution must proactively plan for resiliency to adverse events and recovery from those events. The BCM places a heavy focus on “resilience.”

Resilience is the ability to prepare for—and adapt to—changing conditions and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. The terms “withstand” and “recover” are the two keys for understanding resiliency, with an emphasis on withstanding adverse events. While traditional BCP has been focused more on recovery, the FFIEC has shifted its attention toward resiliency.

The FFIEC wants community banks and credit unions to take an enterprise-wide, process-oriented approach to business continuity, meaning institutions should go beyond planning to recover and focus on the overall resilience of operations. The ultimate goal is for financial institutions to be more proactive and in doing so, avoid or minimize having to implement traditional recovery measures down the road.

Business Continuity vs. Disaster Recovery

With this new emphasis on resilience, it is critical to understand the differences between business continuity and disaster recovery. The business continuity plan focuses on critical functions, while the DR plan focuses on the recovery of technology solutions specifically. In the previous guidance, business continuity and disaster recovery were closely tied together, but now the FFIEC has separated these two concepts completely.

The guidance now states that “The business strategy, not technology solutions, should drive resilience.” Financial institutions cannot rely on technology alone to ensure resilience. Often, alternative procedures have nothing to do with technology. In fact, although technology can help provide resilience, in many cases technology could be what failed in the first place. Financial institutions must be able to offer products and services to their customers or members regardless of technology, and often that could mean using manual processes and procedures to accomplish this.

Ensuring critical functions are available and operating normally is essential to assure there isn’t a negative impact on the institution’s reputation after the event, and that’s a key part of the business strategy.

Key Process Changes for Developing the Plan

When thinking about the development of the plan, it’s important to note some key changes the FFIEC put in place. In the 2015 guidance, the FFIEC advocated a cyclical, process-oriented approach to business continuity planning. The four steps in this process included:

  1. Business Impact Analysis – What you do
  2. Risk Assessment – Negative things that can happen to what you do
  3. Risk Management – How you recover if the negative things identified in Step 2 happen
  4. Risk Monitoring and Testing – Reviewing, testing, and repeating the process

The Previous 4 Steps of Business Continuity Planning

BCP 4 Steps

While this approach is reflected in four steps, the business continuity planning process actually represents a continuous cycle.

The FFIEC has made significant changes to better reflect this in the 2019 guidance. Now, instead of four steps, there are 10 steps financial institutions need to complete to develop the plan. This is a bit more complicated than the process has been in the past and will require more time for plan preparation and maintenance.

The Current 10 Steps of Business Continuity Management

BCM 10 Steps

The new 2019 BCM guidance gives financial institutions a host of new items to evaluate and prepare for this year. If you’d like to find out what other changes were made that will impact your financial institution, download our recorded webinar, “Does the New Business Continuity Guidance Require a Whole New Plan?”

Or, if you’re not sure if your institution is BCM ready, then request a complimentary plan review to ensure that your business continuity plan is keeping up with changing regulations.


Free Plan Review

05 Dec 2019
How to Maintain Bank Compliance and Security During the Holiday Season

How to Maintain Bank Compliance and Security During the Holiday Season

How to Maintain Bank Compliance and Security During the Holiday Season

The holiday season is in full swing, which means many employees are heading out of the office to enjoy some vacation time. However, just because it’s the holiday season, it doesn’t mean that cybercriminals are taking time off. Cybersecurity attacks continue to increase and are becoming more sophisticated. Institutions are expected to maintain bank compliance with regulatory guidelines and ensure all technology assets are working properly so operations continue to run smoothly during the holidays.

This can be a challenging time for many community banks and credit unions that have a small staff and rely on key individuals to make sure all activities related to technology, compliance, security, and regulatory requirements are taken care of. Today’s community financial institution relies on the IT department to maintain its hardware and software and to ensure all systems are available when needed. The department is also responsible for monitoring an array of ongoing IT concerns like anti-malware, cybersecurity issues, service-related touch points, compliance updates, and email security, to name just a few. So, what happens when the people responsible for these crucial aspects of the institution go on vacation?

Partner Up

Many financial institutions are turning to an industry-specific managed services provider to act as an extension of their organization and help augment internal technology and compliance resources and responsibilities. The right managed services provider, who is familiar with the banking industry, can serve as a true partner and work alongside current staff to provide timely support, and manage the technology, security, and regulatory compliance aspects for the institution.

A managed services provider can help automate and manage many of the administrative functions that normally fall to the technology or compliance department, making it less daunting for employees to get away. In addition, while this not only saves time and improves efficiencies, it also helps the bank or credit union extend its support hours beyond the traditional 9 to 5 retail hours, which is key for IT departments with limited staff.

Managing IT resources, bank compliance-related issues and combatting cybercrime are some of the greatest challenges and concerns for financial institutions today. When IT and security staff are out or unavailable, outsourcing these processes helps fill the personnel gap and provides added stability for the institution and peace of mind to all.

10 Oct 2019
5 Things Community Banks and Credit Unions Should Budget for in 2020

5 Things Community Banks and Credit Unions Should Budget for in 2020

5 Things Community Banks and Credit Unions Should Budget for in 2020

The final months of the year signal the beginning of many traditions. For community banks and credit unions, the Fall marks the start of budget season. Financial institutions use this time to assess the year’s performance, make necessary adjustments—or full upgrades—for 2020 and beyond.

As you know, technology and security are constantly evolving, and compliance continues to be a moving target, so it’s time to consider important areas your institution needs to budget for in the next year. To ensure that your institution heads into 2020 on an upward trajectory, here are five key items to include on your list.

  1. Hardware
  2. Every year hardware should be evaluated to see if it is under warranty; in good working condition; and that the operating system hasn’t reached end of life.

    Two dates to be aware of:

    • SQL Server 2008 R2 reached end of life on 7/9/2019
    • Windows Server 2008 and 2008 R2 reach end of life on January 14, 2020

    These items will need to be upgraded or replaced as soon as possible with supported software. If the decision is to replace a server based on these products being end of life, there are options to consider as covered in number 2 in this article.

  3. Cloud vs. In-house Infrastructure
  4. Free eBookEverything You Need to Know About the Cloud Get a Copy

    Moving internal infrastructure out of the office is the new trend. This move feels similar to the move to virtualization, in that everyone agrees this is the next logical step in the evolution of computing. You should be asking the same question about cloud infrastructure as you did about virtualization—when is the right time for your institution to make the move and what are the pros and cons of this move? When the time comes to replace pieces of your infrastructure, start to gather information about the benefits of moving to the cloud and the costs associated with it. Remember, each server has both direct and indirect costs.


    • Server Hardware
    • Warranty
    • Software


    • Electricity
    • Cooling
    • Storage/physical space
    • Maintenance
    • Backup
    • Disaster Recovery

    Each year as hardware becomes outdated and needs to be replaced, evaluate whether moving that server to the Cloud makes sense. Be sure that the functions of the server can be accomplished in a cloud environment. Once a presence in the cloud is established, future growth and changes become much easier and quicker.

  5. Firewalls
  6. Download Free PDFMoving Beyond Traditional Firewall Protection to Develop an Integrated  Security Ecosystem Get a Copy

    Firewalls continue to evolve as network and cybersecurity threats evolve and change. Ten years ago, adding intrusion prevention systems (IPS) to firewalls became commonplace in the industry. Now there are a host of new features that can be added to your firewall to improve your institution’s security posture. Many of these fall under products using the term next-gen firewalls. A few key features to consider include:

    • Secure Sockets Layer, or SSL, is the industry standard for transmitting secure data over the internet. The good news is most websites on the internet now use SSL to secure the traffic between the PC and the website. The bad news is, your firewall may be protecting your institution from fewer sites than ever before. Google researchers found that 85% of the websites visited by people using the Chrome browser are sites encrypted with SSL. This means that for many firewalls, 85% of web traffic cannot be inspected by the firewall. Many firewalls can perform SSL inspection but may require a model with more capacity; a new license to activate the feature; and configuration changes to enable this feature to work.
    • Sandbox analysis is a security mechanism used to analyze suspect data and execute it in a sandbox environment to evaluate its behavior. This is a great feature to introduce to your infrastructure because it provides more testing and insight into the data coming into your institution.
    • Threat intelligence feeds (like FS ISAC), built-in network automation, and correlation alerting are also important features that can help you keep track of emerging security threats; automate key processes; and improve your institution’s cybersecurity posture.

    Consider enhancing your firewall features or upgrading to a next-gen firewall to ensure the traffic traversing your firewall is truly being evaluated and inspected.

  7. Virtual Information Security Officer (VISO)
  8. A newer service that has grown in popularity over the last year is the Virtual ISO or VISO role. While services like this have been available for a while, this is the first year we have heard so much talk from community financial institutions. As the job of Information Security Officer (ISO) has become more involved the expertise needed has grown as well. These VISO services offer a way to supplement the internal staff with external expertise to accomplish the tasks of the ISO. Budgeting for a service like this becomes critical if one of the following is true:

    • No one else in the institution has the needed knowledge base and finding this knowledge set in your area is difficult or expensive;
    • Your current ISO does not have a background in the field or is wearing too many hats to do it well;
    • Your current ISO is likely to retire or leave due to predictable life change events; or
    • The role of ISO and Network Administrator or other IT personnel do not provide adequate separation of duties at the institution.

  9. Disaster Recovery (DR)
  10. Many institutions do not have a fully actionable or testable disaster recovery process. A verified DR process is a critical element of meeting business continuity planning (BCP) requirements. Therefore, this can be a significant reputational risk for the financial institution, if not done correctly. If your institution hasn’t completed a thorough and successful DR test in the last 12 months, it is time to evaluate your current DR process. Using a managed site recovery service can ensure you have the proper technology and support to thoroughly test your DR plan and recover quickly in the event of a disaster.

    Budget season is a time to address needs and wants, but also a time to seek improvement or evaluate key changes for the new year and beyond. For example, moving your infrastructure to the cloud may not make sense for the coming year, but the insight gained by evaluating it this budget season improves your knowledge-base for when it is time to make that decision. As we conclude 2019, we hope these insights position your institution for a productive budget season and a successful 2020.

23 Sep 2019
The Dangers Financial Institutions Face with a DIY Approach to Disaster Recovery

The Dangers Financial Institutions Face with a DIY Approach to Disaster Recovery

The Dangers Financial Institutions Face with a DIY Approach to Disaster Recovery

Disaster recovery planning is an essential aspect of protecting a financial institution’s data, infrastructure, and overall business operations. It encompasses restoring access to the information technology systems and other resources that organizations need to resume critical business functions. This includes everything from networks, servers, and computers to software applications, data, and connectivity (fiber, cable, or wireless).

Without all the necessary system components in place, financial institutions will not be able to access critical files and applications and function effectively during a disaster situation. This can result in significant losses in employee productivity, business and, ultimately, public trust. Given all the looming threats—natural disasters, fires, floods, power outages, hardware failures, or plain human error—a do-it-yourself (DIY) approach to disaster recovery can be dangerous for banks and credit unions.

A DIY approach to disaster recovery is when a financial institution performs or puts together a disaster recovery solution in-house and all hardware and software that is required must be implemented by an IT staff member. While this can be costly depending on the amount of resources an organization needs to restore and maintain their environment, it is also a technical and time-consuming process, which can be a burden for institutions with limited IT staff.

So Much at Stake

Most DIY disaster recovery solutions involve multiple technologies along with automation, scripting, and well-documented procedures. These components and processes can be difficult for a static IT environment to manage, and technology continues to change and evolve, adding an extra layer of complication to the process. A DIY approach requires in-house resources to be available, and in the case of a disaster, communications may be limited, or the employees may be caught in the disaster themselves and unable to respond.

Testing is an important component of disaster recovery to ensure the institution can recover quickly and meet its unique Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). However, DIY disaster recovery solutions are often difficult to test because few IT departments are equipped to do a full outage simulation with complete failover to the disaster recovery environment. Testing enables failures to be documented and corrected, but without proper testing, the risk of extended downtime in the event of an actual disaster remains high.

Get My CopyHow Southern Bank and Trust Recovered from Hurricane Irma Get a Copy

The DIY disaster recovery approach often starts with the best intentions. However, a lack of understanding of the ongoing time commitment by senior management and the IT knowledge required to keep disaster recovery systems up-to-date and effective is easily overlooked as time passes. At the very least, inadequate disaster recovery can end up costing a financial institution more time and expense. As a worst-case scenario, it can lead to reputational damage if the institution cannot successfully bounce back from a disaster or other business disruption.

Benefits of a Managed Services Provider

To combat these issues, financial institutions should consider using a managed services provider to support their disaster recovery needs. This can offer a more affordable, feasible, and reliable alternative than going the DIY route. A managed site recovery solution that replicates servers from a financial institution’s site to the cloud can get the organization back up and running in minutes—not hours or days—after a natural disaster, system outage, or other disruption. Partnering with the right services provider will also ensure financial institutions find the right-sized solution for their needs so they are not underestimating or over-spending trying to do it themselves.

In addition, working with a managed services provider can provide several other benefits over a DIY solution. For one, the solution is setup, installed, monitored, and maintained by experts in the field. The institution doesn’t have to worry about their key IT personnel spending their time focused solely on the recovery process during a disaster. Instead, they can focus on getting users setup on computers, ensuring printers are connected, and verifying that critical applications are installed. In short, managing the disaster recovery process would just be another burden for them to bare. Community banks and credit unions have the comfort of knowing that a skilled managed services provider and redundant resources will be available when needed.

A managed services provider can also provide annual DR testing and on-going support to ensure the institution is well-equipped to recover from any disaster.

All financial institutions can benefit from managed site recovery services. And partnering with a managed services provider can be especially advantageous for banks and credit unions with branches that are grouped within the same geographic area. The impact of a storm could be even more devastating to these types of institutions if they lose their only branch or the location hosting communication to their core provider.

A DIY approach may seem like the easier route to take, but when a disaster strikes, financial institutions shouldn’t have to recover on their own. A managed services provider can work as an extension of the internal team to provide dedicated support and ensure the institution recovers quickly and efficiently. The goal of a disaster recovery program is to ensure continuity, not only for the financial institution, but for the communities it serves. In the event of a disaster, financial institutions need to have a solid DR environment in place and detailed processes to recover successfully. Working with a team that can effectively address the institution’s unique needs and provide dedicated DR support streamlines internal processes, improves disaster preparedness, and provides confidence that no matter what disasters arise, the institution will be able to resume business operations.