Category: Banks

04 Oct 2024
How to Navigate the Sunset of the FFIEC CAT and Integrate a New Approach to Cybersecurity Preparedness

The Federal Financial Institutions Examination Council (FFIEC) recently announced that the Cybersecurity Assessment Tool (CAT) will sunset on August 31, 2025. This tool, utilized since 2015, has aided financial institutions by providing a structured approach to identify risks and gauge preparedness in managing cybersecurity.

The Shift in Cybersecurity Landscape

The priority of this ongoing objective hasn’t diminished; however, the CAT has been losing its value over the last few years as many FIs have maximized their maturity levels in the 5 security domains. The industry is long overdue in leaning into a “refreshed” option to annually assess evolving inherent cyber risk changes and the evolving maturity of cybersecurity controls. Newer tools like the Ransomware Self-Assessment Tool Version 2.0 (RSAT 2.0), created by a consortium of state banking organizations, the FBI and the Bankers Electronic Crimes Task Force, have taken a unique approach to cyber preparedness by addressing a specific but prolific cyber-attack vector: ransomware. At Safe Systems, we believe that changes in cyber preparedness framework options, including the use of a multi-dimensional approach, mark an opportunity for banks to enhance efforts to improve cybersecurity posture.

Embracing New Government Resources and Industry-Developed Tools

As the dust continues to settle regarding the front runners among frameworks emphasized by federal regulatory agencies, the FFIEC recommends models to migrate to, including the National Institute of Standards and Technology Cybersecurity Framework 2.0 (NIST CSF 2.0) and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. These frameworks are designed to be industry-agnostic, providing a wide array of controls and best practices that can be customized to fit the unique needs of financial institutions. The inclusion of the latest government resources ensures that cybersecurity measures do not stagnate but evolve with emerging threats.

In addition to government resources, industry-developed tools such as the Cyber Risk Institute’s (CRI) Cyber Profile and the Center for Internet Security Critical Security Controls are key alternatives. These tools are endorsed for their ability to integrate with various frameworks and assist financial institutions in continuously evolving their cybersecurity posture.

Preparing for the Transition

As the sunset of the FFIEC CAT approaches, it’s important for financial institutions to prepare for the change to alternate risk assessment methodologies. Considerations include:

1. Review Current Practices: Begin with a thorough review of your current cybersecurity practices using the CAT. Identify any gaps or areas that require improvement and benchmark them against the new tools recommended by the FFIEC. Use your latest CAT (2024 or early 2025 version) as a platform for moving forward with a new tool.

2. Evaluate New Resources: Engage your IT, cybersecurity teams, trusted third parties, and peers to understand how the available frameworks may be integrated into your existing processes. Consider tools that align with your institution’s asset size, risk profile, and existing infrastructure. Also include your cyber risk appetite, growth objectives, and previous experiences with impactful cyber-attacks.

3. Train and Educate: Ensure your staff are comfortable with the newly adopted framework(s). Comprehensive training and continuous education are essential in adapting to new cybersecurity measures and maintaining a strong defense against emerging threats. Consider partnering with a trusted third party to complete the cyber assessment process year after year with your staff. This way, your institution gains the benefit of the experience the third party has with other like-minded FIs.

4. Stay Informed: Participate in webinars and discussions hosted by the FFIEC, federal/state regulators, IT audit firms and other reputable cybersecurity organizations like FS-ISAC to stay updated on best practices and new developments in the field.

The evolution of cybersecurity demands that financial institutions stay agile and informed about the latest tools and frameworks. The sunsetting of the CAT provides an opportune moment for banks to reassess their cybersecurity strategies and align with contemporary measures that offer a customized approach to security. By proactively adopting new resources and continuously evaluating cybersecurity practices, financial institutions can better manage risks and safeguard against cyber exposure and loss of customer confidence.

Safe Systems stands ready to support you through this transition, ensuring that your institution remains resilient and secure in an ever-changing threat landscape. By the way, if you have any concerns regarding your Information Security Program and/or IT Management Policies/Procedures, or simply need a second opinion, please consider taking advantage of our complimentary InfoSec Program Review.

29 Aug 2024

Understanding and Avoiding Misconfigurations in Conditional Access Policies

Conditional Access Policies (CAPs) are essential for safeguarding your financial institution’s data and ensuring that only authorized users gain access to critical systems. Yet, misconfigurations in these policies can create significant vulnerabilities. In a recent webinar, Top 3 Most Common Misconfigurations for CAPs, Safe Systems’ M365-certified administrators delved into common mistakes and demonstrated firsthand how to fix them.

This webinar was the first in the highly anticipated M365 Immersion Training, a 4-part online series focusing on the most crucial aspects of Microsoft 365 (M365) security. This blog explores some of the highlights from the first session, including key terminology, policy scenarios, and best practices for policy management.

Understanding the Language of Conditional Access

CAPs act as an identity firewall, setting stringent conditions for user authentication across various applications and devices. Before diving into the complexities of CAPs, it’s crucial to grasp the key terminology.

  • Entra ID: The identity platform within Azure where CAPs reside.
  • Named Locations: These are specific network locations, such as IP ranges or countries, recognized by CAPs.
  • Logic Gaps: Holes in your policy set that can lead to unauthorized access.
  • Compensating Controls: Additional policies created to target logic gaps found in your CAPs.

Understanding these terms is the first step toward ensuring that your CAPs are both effective and secure.

3 Most Common Misconfigurations

Misconfiguring CAPs is like locking every door in your house but forgetting to lock the windows; it might look secure on the surface but is fundamentally flawed. CAPs must be meticulously configured to avoid creating security vulnerabilities.

Here are the three most common errors to be aware of:

  • Failing to Exclude Break Glass Accounts: These are emergency access accounts that should almost always be excluded from CAPs to ensure that administrators can regain control in case of a lockout or technology failure.
  • Improper Definition of Named Locations: Incorrectly defining a named location can lead to overly broad or restrictive access controls.
  • Overlooking Multi-factor Authentication (MFA) Requirements: Failing to extend MFA requirements to cover all potential access scenarios can expose the system to unauthorized access.

Implementing fixes is not just about addressing the immediate issue but also about future-proofing your CAPs. To see a hands-on demonstration of how these common misconfigurations can occur and how our team resolves them, watch this 5-minute excerpt from the webinar.

Key Takeaways and Best Practices

Effective management of CAPs is not just about implementation but also about ongoing management and continuous improvement. Institutions should adopt the following best practices to ensure their CAPs provide the intended security without unintended consequences:

  1. Proper Naming and Documentation: Ensure accurate and meaningful naming for CAPs and related entities to avoid confusion.
  2. Use of Report-Only Mode: Initially deploy policies in report-only mode to monitor their impact without affecting business continuity.
  3. Regular Review and Testing: Policies should be reviewed and tested at least quarterly to ensure they align with current security needs and operational requirements.
  4. External Validation: Utilize external audits from trusted vendors for an unbiased assessment.
  5. Comprehensive Training: Ensure that IT staff are well-trained in understanding and managing CAPs, including awareness of common pitfalls and best practices.
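
The three misconfigurations and the report-only practice above can be checked mechanically rather than by clicking through each policy. The script below is an added example (not code from the webinar or from Safe Systems) that audits an offline export of a tenant's policies. It assumes the policies and named locations were exported in the JSON shape of the Microsoft Graph conditionalAccessPolicy and namedLocation resources; the sample policies, the two named locations, the break-glass object IDs and the "wider than a /16 is too broad" threshold are all constructed or assumed for illustration.

```python
"""Offline audit of Conditional Access policies exported from Entra ID.

Added example (not the webinar's or Safe Systems' code). It assumes the
policies and named locations were exported in the JSON shape of the Microsoft
Graph conditionalAccessPolicy and namedLocation resources; the policies,
locations and break-glass object IDs below are constructed for illustration.
"""
import ipaddress

# Constructed object IDs standing in for the tenant's emergency access accounts.
BREAK_GLASS_IDS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}

# Assumed threshold: a trusted IP range wider than a /16 is reported as overly broad.
MIN_TRUSTED_PREFIXLEN = 16

REPORT_ONLY = "enabledForReportingButNotEnforced"


def audit_break_glass(policies, break_glass_ids=BREAK_GLASS_IDS):
    """Misconfiguration 1: every policy that is not disabled must exclude all break-glass accounts."""
    findings = []
    for p in policies:
        if p["state"] == "disabled":
            continue
        excluded = set(p["conditions"]["users"].get("excludeUsers", []))
        missing = sorted(break_glass_ids - excluded)
        if missing:
            findings.append(f"{p['displayName']}: break-glass account(s) not excluded: {missing}")
    return findings


def audit_named_locations(locations):
    """Misconfiguration 2: a trusted named location should not cover a huge address range."""
    findings = []
    for loc in locations:
        if loc.get("@odata.type") != "#microsoft.graph.ipNamedLocation":
            continue
        for r in loc.get("ipRanges", []):
            net = ipaddress.ip_network(r["cidrAddress"], strict=False)
            if loc.get("isTrusted") and net.prefixlen < MIN_TRUSTED_PREFIXLEN:
                findings.append(f"{loc['displayName']}: trusted range {net} is overly broad")
    return findings


def audit_mfa_coverage(policies):
    """Misconfiguration 3 (heuristic): is MFA enforced for all users across all cloud apps?"""
    for p in policies:
        if p["state"] != "enabled":
            continue
        controls = (p.get("grantControls") or {}).get("builtInControls", [])
        users = p["conditions"]["users"].get("includeUsers", [])
        apps = p["conditions"]["applications"].get("includeApplications", [])
        if "mfa" in controls and "All" in users and "All" in apps:
            return []
    return ["Logic gap: no enforced policy requires MFA for all users across all cloud apps"]


def report_only_policies(policies):
    """Best practice 2: list policies still in report-only mode so their sign-in impact gets reviewed."""
    return [p["displayName"] for p in policies if p["state"] == REPORT_ONLY]


def audit(policies, locations):
    """Run all checks and group the findings by misconfiguration."""
    return {
        "break_glass": audit_break_glass(policies),
        "named_locations": audit_named_locations(locations),
        "mfa": audit_mfa_coverage(policies),
        "report_only": report_only_policies(policies),
    }


# Constructed sample export with the three common mistakes baked in.
SAMPLE_POLICIES = [
    {"displayName": "CA001 Require MFA for Office 365", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": sorted(BREAK_GLASS_IDS)},
                    "applications": {"includeApplications": ["Office365"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "CA002 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["11111111-1111-1111-1111-111111111111"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "CA003 Require compliant device", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]
SAMPLE_LOCATIONS = [
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": "Head office",
     "isTrusted": True, "ipRanges": [{"cidrAddress": "203.0.113.0/24"}]},
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": "Remote staff",
     "isTrusted": True, "ipRanges": [{"cidrAddress": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for check, items in audit(SAMPLE_POLICIES, SAMPLE_LOCATIONS).items():
        print(check, items)
```

Run against the sample export, the script reports CA002 and CA003 as missing one or both break-glass exclusions, the "Remote staff" location as overly broad, the MFA logic gap left by CA001 being scoped to Office 365 only, and CA003 as still in report-only mode. The MFA check is deliberately a heuristic: it looks for one policy covering all users and all apps, which is the simplest shape that closes the gap, and a tenant that achieves the same coverage with several narrower policies would need the union of their scopes compared instead.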

Conclusion

Conditional Access Policies are your frontline defense against unauthorized access. Regular reviews, external audits, and comprehensive documentation are your keys to mastering CAPs, ensuring that your security measures are always a step ahead of potential threats.

If you’ve missed this session, it’s not too late to register for the rest of the M365 Immersion Training. When you register for the series, you will gain access to the full recording of this webinar, plus all upcoming live sessions.

01 Aug 2024

Effective Governance and Communication: Enhancing Your FI’s Resiliency

With the rise in cyber threats and the increasing complexity of regulatory requirements, Information Security Officers (ISOs) face unprecedented challenges. This blog focuses on the importance of governance and effective communication as a key strategy for enhancing operational resiliency.

The Gramm-Leach-Bliley Act (GLBA) first brought to the forefront the importance of establishing the role of an ISO for financial institutions (FIs). However, the significance of this role has only magnified as information technology has become essential to every department and business function within an FI. The exposure of customer non-public information (NPI) has exponentially increased with the widespread adoption of online transactions, mobile banking, and third-party relationships.

Managing information security risks effectively requires collaboration. Each stakeholder group, including end-users, IT management, IT Steering Committee, Executive Management, Risk/Audit Committees, and the Board of Directors, plays a crucial role in supporting and executing information security standards. Segregating duties between IT management and the ISO is one of the biggest challenges for many FIs. For those that lack a formal infrastructure, the FFIEC provides “visibility” and “accountability” guidelines showing how an ISO can and should collaborate with IT management.

In addition, ISOs must break down silos and communicate clearly with all the various stakeholders. This effort requires access to relevant, actionable, and up-to-date information that aligns with each group’s distinct reporting needs, engagement level, and technical understanding.

ISOs may also need to broaden the scope and frequency of their communications. For instance, it is good practice to meet with the Board more frequently than once a year. Board members will benefit from periodic discussions with the ISO and IT management to accurately and quickly identify potential issues related to risk such as inconsistent server backups, software patches, and systems nearing end of life (EOL). A comprehensive understanding of Human Resources standards and their impact on information security is also important to ensure that policies and procedures are consistent across the organization.

To facilitate and ensure these meetings and conversations are effective, ISOs should rely on industry-standard frameworks that can be customized for audience-based agendas and repeatable tasks. Essentially, ISOs should be transparent in communicating changes that could result in increased risk to NPI.

Overall, this can be a challenging effort, especially for smaller banks and credit unions who may not have the expertise or the time to ensure a consistent approach to governance and communication. For this reason, many FIs choose to partner with a reliable Virtual Information Security Officer (VISO) service. These third-party services provide strategic guidance and the necessary oversight to ensure comprehensive information security management.

Safe Systems ISOversight® is a VISO service that includes a suite of applications, real-time reporting, and knowledgeable FFIEC risk-management professionals who assist with policy implementation, third-party relationship management, BCP, cybersecurity risk assessments, incident response and BCP testing, and other required tasks that are customized for each FI. They also provide ongoing coaching and accurate reporting to help with communication tailored to each stakeholder group. These collaborative efforts will go a long way to ensure operational resiliency and reduce reputation risk.

For a deeper understanding of governance and communication within the ISO role and to gain more insights into enhancing operational resiliency, refer to the complete white paper, Operational Resiliency: Elevating the Role of the ISO.

18 Jul 2024

Ask the Experts: Get Reliable Answers to Your Risk Management Questions on ComplianceGuru.com

We are excited to announce the relaunch of ComplianceGuru.com. For over a decade, Safe Systems’ Compliance Guru site has been a trusted resource for community banks and credit unions providing essential insights on regulatory trends and compliance best practices.

We’ve reimagined it to be more interactive, allowing you to ask questions directly to our FFIEC risk and compliance experts, addressing risk management topics and concerns most relevant to your institution. You can also learn what your banking peers are concerned about and leverage the advice from our team to strengthen your security posture.

Since launching the new site, our Gurus have answered questions about Ransomware Self-Assessment Tool (RSAT) 2.0, NIST Cybersecurity Framework (CSF) 2.0, and work area security.

Here is a sample of what they’re saying about these important topics:

RSAT 2.0: A Proactive Approach to Ransomware Threats

Financial institutions are increasingly targeted by sophisticated ransomware attacks. To mitigate these risks, the RSAT (Ransomware Self-Assessment Tool) was developed to support banks and credit unions in their cybersecurity efforts. Originally released in October 2020, this tool was a collaborative initiative by the CSBS (Conference of State Bank Supervisors), the BECTF (Bank Electronic Crimes Task Force), and the U.S. Secret Service.

The updated version, RSAT 2.0, released in October 2023 was designed to address emerging ransomware attack vectors.

Some key questions surrounding RSAT 2.0 that financial institutions have been asking:

  • Are financial institutions required to complete RSAT 2.0?
  • Who should be involved in completing this self-assessment tool?
  • How does RSAT 2.0 differ from its predecessor?

NIST CSF 2.0: Modernizing Cybersecurity Frameworks

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a foundational guideline for improving the security and resilience of critical infrastructure. It provides a structured approach for assessing your institution’s security posture across five components: Identify, Protect, Detect, Respond, and Recover. NIST CSF 2.0 represents the latest iteration, incorporating lessons learned and adding a sixth component, Governance.

Here are some important questions you and other institutions may be asking about CSF 2.0:

  • How can CSF 2.0 address current cybersecurity challenges?
  • What resources are available to implement CSF 2.0?
  • How can CSF 2.0 be integrated into your institution’s existing risk management framework?

Compliance Guru offers reliable and informed answers to these and other IT, cybersecurity, and information security challenges. It is an invaluable resource offering guidance and tools to help community banks and credit unions like yours enhance cyber resilience.

We invite you to subscribe to this new platform to stay informed and discover best practices that better position your institution to protect customer data and ensure compliance with important federal and state regulatory guidance.

And by the way, we’re offering a limited number of $50 gift cards* to valid U.S. financial institutions that submit risk management questions on ComplianceGuru.com. So, submit your questions today!

Ask the Gurus for a Chance to win!

* Contest Rules

To qualify for the $50 gift card, your financial institution must be a valid U.S. financial institution that submits a question on ComplianceGuru.com. Questions must be relevant to risk management topics, including but not limited to IT, cybersecurity, information security, and third-party risk.

11 Jul 2024

Enhance Your DR Plan: Key Testing Strategies

Disaster recovery (DR) planning is fundamental to maintaining operational resilience within financial institutions. It ensures that essential functions can be restored rapidly following a disruptive event, minimizing operational interruptions and financial losses.

DR testing helps organizations understand how well their disaster recovery plan would work if an actual disaster were to occur. Here are some essential guidelines for conducting effective disaster recovery testing.

Exercise vs Test

Both exercises and tests are crucial for validating procedures in your Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), but they serve different purposes:

  • Exercise: A procedure designed to validate one or more aspects of your BCP or DRP. A common exercise is a structured walk-through (“table-top”) where stakeholders go through each step and component outlined in the plan. This guarantees that everyone involved is aware of their responsibilities during an emergency. It can also help uncover inconsistencies, missing information, or errors in the plan.
  • Test: A form of exercise that measures the performance or reliability of your system resilience in a simulated environment. For example, simulating the recovery of your communication lines, servers, and applications is a DR test.

The Cost of Downtime

Financial institutions should be acutely aware of the high costs associated with downtime. According to Emerson Network Power, the average cost of data center downtime across industries increased a staggering 41 percent since 2010. Furthermore, CA Technologies reports that financial institutions face an average annual revenue loss of $224,000 due to downtime. These costs may vary according to institution size, but the key takeaway is that any amount of downtime can lead to lost revenue. This underscores the importance of rigorous and regular disaster recovery testing.

FFIEC Guidelines

The Federal Financial Institutions Examination Council (FFIEC) provides clear guidance on disaster recovery tests and objectives. The council states, “Management uses tests to determine whether system resilience conforms to the BCP and stated recovery objectives.” Here are three critical metrics to consider:

  • Recovery Point Objective (RPO): The most recent backup you can safely retrieve following a disruptive event.
  • Recovery Time Objective (RTO): The minimum time necessary to restore your services after a disruption.
  • Maximum Tolerable Downtime (MTD): The longest duration your institution can afford to be down before its future is at risk.

FFIEC expects institutions not only to define but also to test these recovery objectives. If a recovery objective falls short during testing, it should be reevaluated and adjusted accordingly.

A Comprehensive Checklist

Disaster recovery testing is essential for minimizing downtime during adverse situations. However, these tests are only as effective as the practices behind them. It’s crucial to follow a consistent and thorough testing process that includes:

  • Critical Business Functions: Confirm that systems can support vital business processes in an emergency, including alternative site transfers, increased workloads, manual workarounds, and communication timelines.
  • Technological Integration: Integrate technologies that support essential business activities, such as data replication, recovery, and off-site storage.
  • Backup Data Testing: Regularly test backup data integrity and availability.

Post-testing Evaluation

During testing, if a recovery objective does not align with actual capabilities, you should always reevaluate that particular objective. It’s also important to consider dependencies within processes. For instance, some processes with shorter RTOs, such as lending processes, may hinge on those with longer RTOs, like the lending server’s restoration time. It is also important to remember that the evaluation of the DR tests is not only to determine whether the plan is appropriate for current needs but anticipated future needs, too.
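
The FFIEC metrics above and the dependency point in this paragraph can be turned into a repeatable post-test check. The script below is an added example (not the FFIEC's or Safe Systems' method): it assumes each process or system carries an RTO, RPO and MTD stated in hours, that the DR test recorded per component how long restoration took and how many hours of data were lost, and that dependencies between components are listed explicitly. The components and test results are constructed for illustration; the "lending process hinges on the lending server" case from the paragraph is included.

```python
"""Evaluate DR test results against stated recovery objectives, dependencies included.

Added example, not the FFIEC's or Safe Systems' method. It assumes each process
or system has an RTO, RPO and MTD stated in hours and that the DR test recorded,
per component, how long restoration took and how much data (in hours) was lost.
The components and test results below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Component:
    """A business process or system with its stated recovery objectives, in hours."""
    name: str
    rto: float                       # Recovery Time Objective
    rpo: float                       # Recovery Point Objective
    mtd: float                       # Maximum Tolerable Downtime
    depends_on: List[str] = field(default_factory=list)


def effective_rto(name: str, components: Dict[str, Component], _chain=frozenset()) -> float:
    """A process can't be back before the slowest thing it depends on, so its effective
    RTO is the maximum of its own RTO and its dependencies' effective RTOs."""
    if name in _chain:
        raise ValueError(f"circular dependency through {name}")
    comp = components[name]
    return max([comp.rto] + [effective_rto(d, components, _chain | {name}) for d in comp.depends_on])


def evaluate(components: Dict[str, Component], results: Dict[str, dict]) -> List[str]:
    """Return one finding per objective that should be reevaluated after the test."""
    findings = []
    for comp in components.values():
        # Objective consistency: RTO must fit inside MTD, and dependencies must not stretch it.
        if comp.rto > comp.mtd:
            findings.append(f"{comp.name}: RTO {comp.rto}h exceeds MTD {comp.mtd}h")
        dep_rtos = {d: effective_rto(d, components) for d in comp.depends_on}
        if dep_rtos:
            slowest = max(dep_rtos, key=dep_rtos.get)
            if dep_rtos[slowest] > comp.rto:
                findings.append(f"{comp.name}: RTO {comp.rto}h hinges on '{slowest}' "
                                f"(effective RTO {dep_rtos[slowest]}h)")
        # Measured performance: did the test meet the objective?
        r = results.get(comp.name)
        if r is None:
            findings.append(f"{comp.name}: not exercised in this test cycle")
            continue
        if r["recovery_hours"] > comp.rto:
            findings.append(f"{comp.name}: restored in {r['recovery_hours']}h, RTO is {comp.rto}h")
        if r["data_loss_hours"] > comp.rpo:
            findings.append(f"{comp.name}: lost {r['data_loss_hours']}h of data, RPO is {comp.rpo}h")
    return findings


# Constructed inventory: the lending process depends on the lending server,
# and wire transfers carry an RTO that was never reconciled with its MTD.
SAMPLE_COMPONENTS = {c.name: c for c in [
    Component("Lending server", rto=8, rpo=4, mtd=24),
    Component("Lending process", rto=4, rpo=4, mtd=24, depends_on=["Lending server"]),
    Component("Core banking", rto=2, rpo=1, mtd=8),
    Component("Wire transfers", rto=12, rpo=1, mtd=8, depends_on=["Core banking"]),
]}

# Constructed results from one test cycle; the lending process was not exercised.
SAMPLE_RESULTS = {
    "Lending server": {"recovery_hours": 6, "data_loss_hours": 3},
    "Core banking": {"recovery_hours": 3, "data_loss_hours": 0.5},
    "Wire transfers": {"recovery_hours": 5, "data_loss_hours": 0.5},
}

if __name__ == "__main__":
    for line in evaluate(SAMPLE_COMPONENTS, SAMPLE_RESULTS):
        print(line)
```

On the sample data the lending server meets every objective on its own, yet the lending process is flagged because its 4-hour RTO cannot be met while it hinges on a server with an 8-hour RTO; core banking is flagged for overshooting its RTO in the test, wire transfers for an RTO longer than its MTD, and the lending process again for not having been exercised at all. Each finding is a prompt to reevaluate the objective, the dependency, or the test scope, which is the post-testing evaluation the paragraph describes.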

Managed DR Testing

For many institutions, outsourcing disaster recovery testing to experts like Safe Systems can streamline the process, ensuring compliance with industry standards and focusing internal resources on core business operations.

Disaster recovery testing is more than a regulatory requirement; it is a vital practice to ensure the continuous operation and financial well-being of your institution.

By following these guidelines and leveraging expert services, you can ensure that your organization is prepared to respond to any disruptive event.

To equip your team with an outline of these essential testing strategies, download our “Guidelines for Disaster Recovery Testing” infographic today.

27 Jun 2024

Leveraging Cloud Technology for Disaster Recovery

Community banks and credit unions must stay prepared to handle unforeseen disruptions. A comprehensive disaster recovery (DR) solution is essential to ensuring financial institutions maintain operational continuity, meet regulatory requirements, and safeguard customer data. Cloud technology has emerged as a key player in modern disaster recovery strategies, providing cost-effective, secure, and scalable solutions.

Benefits of Cloud-based DR

Moving critical servers to the Cloud as virtual machines enables financial institutions to meet disaster recovery (DR) needs more cost-effectively. Traditional DR setups typically require significant investments in physical infrastructure, maintenance, and personnel, but cloud solutions eliminate the need for a dedicated DR data center, reducing both capital and operational expenditures. Additionally, cloud technology offers scalability that on-premises solutions can’t match, providing the flexibility to adapt to an institution’s evolving requirements. Whether your bank or credit union is expanding services or increasing data volumes, cloud-based DR solutions can scale to meet specific needs without requiring significant overhauls.

These cloud-based DR solutions are high-availability systems designed to rapidly recover critical servers, ensuring institutions can minimize downtime and maintain business continuity.

Managed Site Recovery

Safe Systems’ Managed Site Recovery service is a fully managed, secure data replication and failover solution built specifically for community banks and credit unions. Since each institution’s needs differ, we customize the DR solution to align with your specific requirements. Here are some other advantages to our cloud-based DR solution:

1. Meet Compliance and Examiner Requirements:

Managed Site Recovery helps institutions meet Business Continuity Plan (BCP) and Recovery Time Objective (RTO) requirements. Our service includes an annual DR test with a comprehensive result write-up demonstrating a credible and robust DR strategy to examiners. According to Chris Bailey, Network Security Administrator at Bank of Cleveland, “The examiners were very pleased with how Safe Systems laid out the results and were also impressed with the fact that the test was being done by a third-party entity outside of our organization.”

2. Provide Secure Data Replication and Failover:

Our service offers strong and secure data replication with cloud server vaulting, ensuring geographically varied data center backups. This guarantees the availability of crucial business data and applications during unexpected business interruptions. Like other cloud DR solutions, Managed Site Recovery provides expedited recovery periods to lessen disruptions and maintain operational continuity. Distinctively, it includes a team of third-party specialists available to consult on DR procedures, ensure ongoing backups and routine testing within proper timelines, and serve as an extension of your staff in the event of a disaster.

3. Save Time and Money:

Managing a DR failover data center can be complex and costly. Managed Site Recovery removes this burden, allowing your institution to focus on its core functions. By leveraging our compliant, cloud-based disaster recovery service, your bank or credit union can also meet DR requirements and ensure rapid recovery of critical servers at a fraction of the cost.

Cloud technology has revolutionized the approach to DR, offering cost-effective, scalable, and secure solutions. Safe Systems’ Managed Site Recovery service is a cloud-based DR solution that addresses the unique needs of financial institutions, helping them stay compliant, secure, and operationally resilient. This service ensures your institution can achieve peace of mind, knowing your critical data and applications are protected against disruptions, and your test results will stand up to examiners’ scrutiny.

Ready to learn more about Managed Site Recovery? Visit Disaster Recovery Service for Financial Institutions.

13 Jun 2024

Resilience and Recovery: BCP and DR Essentials

The importance of disaster preparation cannot be overstated for financial institutions. These institutions must be ready for the unexpected, whether it’s a natural disaster, pandemic, or cyber-attack. If your financial institution’s systems went down, how quickly could you restore operations? Ensuring swift and efficient recovery depends on having solid Business Continuity Plans (BCP) and Disaster Recovery (DR) plans.

BCP and DR are both critical components of the overall Business Continuity Management (BCM) process, which also includes resilience, emergency response, crisis management, and third-party integration. The Federal Financial Institutions Examination Council (FFIEC) guidelines emphasize the need for institutions to adopt an enterprise-wide, process-oriented approach to business continuity. This strategy aims to ensure that financial institutions are not just prepared to recover but are also resilient enough to withstand disruptions.

Key Differences Between BCP and DR

You might wonder why both a Business Continuity Plan and a Disaster Recovery Plan are necessary. While they are closely related and designed to work in tandem, they serve different purposes. A BCP outlines the strategies and protocols that enable a financial institution to continue operations during and immediately following a disaster. In contrast, a DR plan focuses on restoring critical data and applications so the institution can operate normally.

BCP:

  • A plan to continue business operations.
  • Consists of a business impact analysis, risk assessment, and an overall business continuity strategy.
  • Includes pandemic planning as part of its overall strategy.

DR:

  • A plan for accessing required technology and infrastructure after a disaster.
  • Involves evaluating backups and ensuring necessary redundant equipment is up-to-date and functional.

Both plans require regular testing and maintenance to ensure they are effective. The BCP test, often a tabletop exercise, ensures employees know their roles during a disaster. The DR test is more hands-on, confirming that backup technologies can restore operations within the Recovery Time Objective (RTO).

7 Tips to Prepare for Disasters or Business Interruptions

Existing BCP and DR plans are crucial, but beyond that, several additional steps can further prepare your institution for various disruptions. Below are 7 best practices. Read the full white paper, BCP and DR Plans: What Every Financial Institution Needs to Know, for more.

  1. Monitor the success of backups and replication services.
  2. Utilize Uninterruptible Power Supplies (UPS) for short-term outages.
  3. Safeguard critical equipment by preemptively shutting it down if an extended outage is anticipated.
  4. Secure the server room and ensure all equipment is protected.
  5. Ensure ATMs are available for customers that need access to cash.
  6. Verify key employees have someone to step in if they are unavailable.
  7. Validate and test the BCP and DR plans at least annually to ensure they are up-to-date and effective.

Choosing to Manage BCM In-house or with an IT Partner

Preparing for or recovering from a disaster can be challenging for community financial institutions, which often lack IT resources. When choosing an in-house disaster recovery solution, they face technical and time-consuming processes that can strain limited IT staff. When outsourcing, institutions can choose a local provider for convenience, but these providers may have little financial services expertise, which poses its own set of difficulties. When in-house resources or local expertise are limited, another alternative is partnering with a national managed services provider that specializes in the banking industry. This offers several benefits, including streamlined processes, improved disaster preparedness, and dedicated DR support.

However an institution chooses to manage DR and BCP, it is essential to develop, implement, and regularly test disaster recovery and business continuity plans. Though the task is daunting, automation and outsourcing services can ease the maintenance burden and ensure compliance with evolving regulations.

To learn more about resilience and recovery, read our white paper, BCP and DR Plans: What Every Financial Institution Needs to Know.

If you’re unsure whether your institution is BCM ready, consider a complimentary plan review to ensure your BCP and DR plans are up to date and fully compliant.

06 Jun 2024

The Expanding Role of ISOs – Enhancing Security & Risk Management

For financial institutions of all asset sizes and complexity of products and services, maintaining cyber preparedness is a daunting task in the face of increasing cyber threats, reliance on third-party vendors, and ongoing personnel changes.

ISOs are tasked with augmented duties to enhance visibility and accountability in protecting non-public information and financial transactions across all business lines. This article highlights some of the evolving complexities of the ISO role, including the heightened management of third-party relationships, improved reporting to boards and stakeholders, and thorough risk assessments of projects and third-party entities. For a more in-depth examination of this topic, read our new white paper, Operational Resiliency: Elevating the Role of the ISO.

Third-party Risk Management

In response to the evolving reliance on trusted third-party service providers, federal bank regulatory agencies released new third-party risk management guidance in June 2023. This guidance is intended to help financial institutions manage risks associated with third-party relationships more effectively, including those involving key technology service providers like financial technology (FinTech) partners. It emphasizes risk management throughout the life cycle of third-party relationships, from planning and due diligence to contract negotiation, ongoing monitoring, and termination.

The heightened regulatory emphasis on third-party risk management requires additional time and attention to vet and oversee these relationships effectively. Institutions are increasingly adopting automated third-party management tools as a strategic solution to aid the Information Security Officer and other management personnel. These application-based tools assign tasks such as risk ranking, control assignment, and due diligence reviews to designated “vendor managers” within particular departments or functions. Utilizing these tools is advantageous in facilitating a consistent approach among stakeholders to manage the risk of third-party relationships.

Governance and Communication

Clearly defined IT and information security roles and responsibilities are required for every Financial Institution. Information technology is now a part of every department and function within a financial institution and integrates into every facet of operations. Effective management necessitates breaking down silos between IT and ISO roles and fostering regular and clear communication to ensure everyone is aligned on the security posture of the organization. Strategies ISOs can use include frequent updates to key internal stakeholders, leveraging external Virtual ISO (VISO) services, and adopting consistent frameworks for periodic, meaningful communication.

Strategic Initiatives Risk Assessment

The ISO also must play a role in the institution’s strategic IT planning. They should be involved early in assessing risks associated with new initiatives and third-party services, ensuring alignment with overall business goals and adequate preparation for potential cyber threats or operational disruptions.

As institutions navigate these increasingly complex regulatory and cyber landscapes, the role of the ISO has never been more critical. With the growing reliance on technology and third-party services, ISOs must rise to the challenge of safeguarding sensitive information and ensuring compliance with evolving guidelines.

For a deeper understanding of the complexities and evolving expectations surrounding an ISO in today’s dynamic environment, read the complete white paper: Operational Resiliency: Elevating the Role of the ISO.

30 May 2024

Beyond the FFIEC CAT: Evolving Strategies for Cyber Resilience in 2024

As cyberattacks continue to increase in frequency and impact, incorporating a dynamic cybersecurity strategy and building resilience to cyber-attacks is an important objective for all Financial Institutions (FIs). As a part of our country’s critical infrastructure, banks and credit unions are held to high regulatory standards for keeping non-public information (NPI) and financial transactions secure. This is why in 2015 the Federal Financial Institutions Examination Council (FFIEC) developed a Cybersecurity Assessment Tool (CAT) with FIs in mind. For the past nine years, many FIs in the United States have used the CAT annually to identify changes in inherent risk that may lead to cyber vulnerabilities. They also use it to assess both control maturity and cybersecurity readiness over time. The CAT continues to be an acceptable cyber preparedness tool, but many FIs are wondering, “is the CAT enough?”

Cybersecurity Resource Guide

In 2018, the FFIEC issued a Cybersecurity Resource Guide to expand acceptance of other cybersecurity frameworks and resources, including websites, tools, and methodologies like NIST Cybersecurity Framework 1.0. Designed to strengthen resiliency, it was updated in 2022 to address changes in the cyber landscape and emerging threats such as ransomware. One of the resources in the updated guide is the Ransomware Self-Assessment Tool (RSAT). The Bankers Electronic Crimes Task Force, State Bank Regulators, and the United States Secret Service collaboratively developed the RSAT. This question-based tool assists FIs in evaluating their efforts to mitigate specific ransomware risks and identify security gaps.

The overarching message of the FFIEC’s Cybersecurity Resource Guide is that FIs should not “over-rely” on a single methodology for measuring control maturity and cybersecurity preparedness but should integrate a dynamic cybersecurity strategy for long-term resilience.

NIST Cybersecurity Framework (CSF) 2.0

In February 2024, another update was released: NIST CSF 2.0, which underscores the importance of a solid governance structure within an organization’s cybersecurity strategy. The release includes a sixth function, ‘Govern,’ which highlights the importance of developing well-defined internal management roles and clear policies and procedures to assess and prioritize risk. This function incorporates the increased focus from regulatory agencies on third-party risk management and provides implementation examples.

The emphasis on governance is a reminder of the ongoing challenge that many financial institutions, particularly smaller community banks and credit unions, face in dedicating resources to the role of the Information Security Officer. The updated CSF presents an opportunity for institutions of all sizes to re-assess inherent cyber risks and consider internal infrastructure changes that could impact cyber resiliency. This type of re-evaluation is especially critical when significant roles in IT or information security management change due to retirement, leave, or other job shifts. By emphasizing governance and risk management policies, CSF 2.0 provides banks and credit unions a framework to evaluate their cybersecurity preparedness, while also providing a strategic edge in the continuous fight against cyber threats.

As financial institutions continue efforts to combat the growing number and sophistication of cyberattacks, a renewed cybersecurity strategy based on the use of the FFIEC CAT along with other enhanced resources such as the RSAT 2.0 and NIST CSF 2.0 could make significant strides to improve cyber resiliency.

For more information on these and other critical factors of cybersecurity management, download and watch our recent webinar, Protect, Detect, and Respond: Prioritizing Cybersecurity Management in 2024.

23 May 2024

7 Best Practices to Secure Your Printers

It’s just a printer, right? A printer might seem inconsequential, but securing all networked devices, including printers and multifunction devices (MFDs), is vital to safeguarding sensitive information within any financial institution. Consider the non-public information sent to your printers daily—overlooking these devices in your security strategy can lead to significant risks. Here are some key practices to enhance the security of these everyday devices:

1. Firmware Updates

Regular firmware updates are essential for maintaining the security and functionality of printers and MFDs. Manufacturers periodically release updates to fix vulnerabilities, enhance features, and improve performance. Without these updates, devices can become susceptible to security breaches. It’s necessary to schedule regular checks for firmware updates and apply them promptly to protect your devices against the latest threats. Some printing solutions provide firmware management and reporting as part of their contract, which is a great way to stay on top of these devices.

2. Supported Devices

It is important to ensure your institution uses supported devices for its printers and MFDs. Manufacturers provide ongoing support, including updates and patches, for current models. Using outdated or unsupported devices means missing out on these critical updates, leaving your network vulnerable to attacks. Ensure all printers and MFDs in use are within the manufacturer’s support lifecycle. When evaluating supported devices, don’t forget about ancillary devices used by remote workers.

3. Secure Print

Secure print features protect sensitive documents from unauthorized access. This involves requiring users to authenticate at the printer before their documents are printed. Implementing secure print can prevent confidential information from being left unattended in output trays, reducing the risk of data leaks.

4. Set Rules for Internal Hard Drives

Many modern printers and MFDs come with internal hard drives that store documents and other data. Establishing strict rules for the management and use of these hard drives is crucial. This includes encrypting data, restricting access to authorized personnel, and setting up automatic deletion policies for files stored on the hard drives. Many of these devices allow for immediate deletion, daily deletion, or even yearly deletion. Proper management ensures that sensitive information is not inadvertently exposed.

5. Certification of Hard Drive Status

When a printer or MFD reaches the end of its life cycle or is being repurposed, it’s vital to certify the status of its internal hard drive. This involves securely wiping or destroying the hard drive to ensure no residual data can be recovered. Certification provides assurance that all stored data has been properly eradicated, preventing potential data breaches.

6. Use Manufacturer Ink Cartridges Only

While third-party ink cartridges seem like a cost-effective alternative, they can pose security risks. Manufacturer ink cartridges are designed and tested to work seamlessly with specific devices, ensuring optimal performance and security. That’s right, ink cartridges can be a security risk. Watch this video about HP printers and ink cartridges to understand the threat and recognize that it is real for all brands.

7. Location of Printers

The physical location of printers and MFDs within your office environment can also impact security. Placing these devices in secure, monitored areas reduces the risk of unauthorized access. High-traffic areas or locations accessible to the public should be avoided. Additionally, consider implementing surveillance and access control measures to enhance physical security.

Securing printers and MFDs is a critical component of a financial institution’s network management and overall security strategy. By following these seven best practices, you can significantly reduce the risk of data breaches and ensure the integrity of your network. Taking these steps will help safeguard sensitive information and ensure banking operations continue to run smoothly.

09 May 2024

How to Successfully Manage IT Administrators

IT administrators are pivotal in managing daily IT operations and often play a broader role in strategic initiatives within financial institutions. Their responsibilities stretch from maintaining computer infrastructures and leading IT teams to ensuring robust network security. Effectively managing this multidimensional role requires an appropriate balance of empowerment and checks to create a framework that supports operational success and alignment with the institution’s goals. This blog explores integral strategies that can enhance the effectiveness of IT personnel.

Strategy #1: What to Do When an IT Admin Leaves

The departure of an IT administrator presents a unique set of challenges. It is crucial to immediately change passwords and disable accounts, including all administrative or elevated control accounts to secure the network and data. Developing comprehensive offboarding protocols, like documentation of processes and securing all assets, ensures continuity and security.
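The first-hour account actions described above, as an added example that is not Safe Systems’ own code or tooling: it assumes an on-premises Active Directory domain and the RSAT ActiveDirectory PowerShell module. The account name and report path are hypothetical, and the group list is the set of built-in AD groups that grant elevated control. Cloud identities, VPN and vendor-portal logins, and shared service-account passwords the administrator knew still have to be handled separately.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not Safe Systems code): immediate offboarding actions for a departing
# IT administrator. Run with -WhatIf first to see what would change without changing it.

function Invoke-AdminOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # sAMAccountName of the departing administrator (hypothetical value in the usage below)
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Evidence file kept for the audit trail; it contains no secrets
        [string] $ReportPath = ".\offboarding-$SamAccountName.txt"
    )

    # Built-in groups whose membership grants elevated control over the domain or its servers
    $privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                          'Account Operators', 'Server Operators', 'Backup Operators')

    $user = Get-ADUser -Identity $SamAccountName -Properties LastLogonDate, AdminCount

    # 1. Record direct group membership before changing anything: this is the record of
    #    what the person could reach and it drives the rest of the review.
    $groups   = Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object -ExpandProperty Name
    $elevated = @($groups | Where-Object { $privilegedGroups -contains $_ })

    # 2. Reset the password to a random value nobody knows, then disable the account,
    #    so cached or written-down credentials stop working immediately.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password and disable account')) {
        $bytes = [byte[]]::new(32)
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $randomPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $randomPw
        Disable-ADAccount -Identity $SamAccountName
    }

    # 3. Strip elevated group memberships so the account cannot regain admin rights
    #    if it is ever re-enabled by mistake.
    foreach ($group in $elevated) {
        if ($PSCmdlet.ShouldProcess($group, "Remove $SamAccountName from group")) {
            Remove-ADGroupMember -Identity $group -Members $SamAccountName -Confirm:$false
        }
    }

    # 4. Every other enabled account AD marks as protected (AdminCount=1) is one whose
    #    password the departing admin may have set or known: list them for rotation.
    $rotate = Get-ADUser -Filter 'AdminCount -eq 1 -and Enabled -eq $true' |
        Where-Object { $_.SamAccountName -ne $SamAccountName } |
        Select-Object -ExpandProperty SamAccountName

    # 5. Write the evidence file for the offboarding checklist.
    @(
        "Offboarding report for $SamAccountName generated $(Get-Date -Format s)"
        "Last logon: $($user.LastLogonDate)"
        "Direct group memberships at offboarding: $($groups -join ', ')"
        "Elevated groups removed: $($elevated -join ', ')"
        "Protected accounts still needing a password rotation: $($rotate -join ', ')"
    ) | Set-Content -Path $ReportPath

    [pscustomobject]@{
        Account         = $SamAccountName
        ElevatedRemoved = $elevated
        RotateNext      = @($rotate)
        Report          = $ReportPath
    }
}

# Dry run first, then for real (hypothetical account name):
# Invoke-AdminOffboarding -SamAccountName 'jdoe-admin' -WhatIf
# Invoke-AdminOffboarding -SamAccountName 'jdoe-admin'
```

The membership snapshot is taken before the account is touched on purpose: once the groups are removed, the only record of what the administrator could reach is the report, and that record is what the follow-up password rotations and the later audit are based on.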

Strategy #2: Qualities to Look for When Recruiting

Look for candidates with a blend of technical expertise, problem-solving skills, and strong communication abilities. Potential IT Administrators should also demonstrate effective project management skills and adaptability to handle the dynamic needs of a financial institution.

Strategy #3: Expectations within the First 30 Days

The initial days for any new IT administrator should focus on understanding the institution’s IT framework and security protocols. Tasks like security audits, reviewing network infrastructures, and ensuring compliance with existing IT policies are crucial during this phase.

Strategy #4: Ensuring On-going Success

To assess the effectiveness of a new IT administrator, institutions should first monitor their transition. A new IT Administrator must be able to comprehend and efficiently manage the IT infrastructure quickly with minimal interruptions to operations and staff. They must master the basics such as managing controls, installing and reviewing patches, and conducting regular backups and disaster recovery tests.

Strategy #5: Outsourcing During an Absence

To ensure continuity, institutions can outsource critical IT functions during an administrator’s vacation or leave. Services like network monitoring, data replication, and regulatory reporting can be managed by third-party providers, ensuring uninterrupted operation.

Strategy #6: Succession Planning

Effective succession planning is vital, especially for smaller institutions. This strategy involves cross-training staff and partnering with external IT service providers to ensure a seamless transition and continued operation upon the exit of key IT personnel.

Strategy #7: Keeping Up with Current Trends

Staying updated with the latest in security, technology, and regulatory changes is essential for IT administrators. Awareness of emerging threats and technological innovations helps in proactively managing the institution’s IT landscape and compliance posture.

Managing IT administrators involves a strategic approach that not only focuses on filling the immediate gaps but also on long-term operational continuity. Partnering with knowledgeable IT and security managed service providers can offer additional support to enhance the effectiveness of IT personnel and ensure sustained institutional success.

For more details on implementing these approaches, fostering a strong relationship between IT and Information Security teams, and keeping up with changing regulatory guidance, read 7 Strategies for Successfully Managing IT Administrators.

18 Apr 2024

Seven Pitfalls of Having a Single Employee Managing Your Banking IT Infrastructure

For community banks and credit unions, effective management of banking IT infrastructure is crucial. It ensures a streamlined operation, seamless customer experience, and data security. However, relying solely on a single employee, or even a small team, to handle all aspects of network management can lead to a host of pitfalls. Let’s explore these challenges and how augmenting your resources can help you effectively manage your network.

1. Limited Expertise

It can be challenging for a single IT administrator to possess extensive expertise across all areas of network management. This person may excel in certain technical aspects like patch management, system corrections, or overall performance enhancement, but struggle to keep up with cybersecurity and regulatory reporting requirements. Not having a full understanding of any part of the process can compromise the system’s efficiency and the institution’s security.

2. Absence of Oversight

Having a single employee who is solely responsible for managing the entire banking IT infrastructure creates a lack of oversight. Without proper checks and balances, a single IT administrator could inadvertently make a critical mistake. This concentration of power can also make the system vulnerable to biases or manipulation, potentially leading to an overinvestment in technology.

3. Lack of Redundancy

Imagine a situation where your lone IT administrator falls ill, takes vacation, or leaves the organization suddenly. Without a backup plan in place, your network management may come to a halt. This leads to a long-term lack of continuity that can be detrimental to your banking operations, resulting in downtime, delayed responses, and frustrated employees and customers.

4. Insufficient Shared Knowledge

Having the keys to your network held by a single individual can create a knowledge silo. In an attempt to “just make it work”, a sole IT administrator may build scenarios that only they understand and know how to operate. This can cause significant bottlenecks, delays in the workflows, or more serious disruptions when this person is unavailable or no longer with the institution.

5. Inability to Keep Up with Evolving Technology

Technology is advancing at a rapid pace, and banking IT infrastructure needs to keep up. A single employee may find it challenging to stay updated on the latest network management tools, advancements in security protocols, and the changing regulations that accompany them. This can leave your organization vulnerable to cybersecurity threats, non-compliance penalties, and missed opportunities for optimization.

6. Increased Workload and Stress

The immense pressure and responsibility of managing an entire banking IT infrastructure single-handedly can be overwhelming. Without the benefit of support and peer collaboration, there’s a greater likelihood of errors or negligence in critical matters. The workload and stress can also lead to burnout, decreased productivity, and compromised decision-making.

7. Limited Multi-Site Management Capabilities

Many community banks and credit unions have multiple branches or offices. When a single employee or possibly a small team is tasked with managing a network that covers different locations, they may struggle to maintain continuity or provide efficient network monitoring and reporting. These limitations can make it difficult to track performance and may cause delays in addressing issues across systems.

Opting for an outsourced network management solution can enhance your network performance significantly. Your institution can benefit in multiple ways, such as broadening its expertise, increasing flexibility and scalability, and empowering your in-house team to focus on their vital competencies. Your community bank or credit union will also ensure that it’s always at the forefront of technological advancements.

NetComply One by Safe Systems is a tailored network service for community banks and credit unions, offering affordable technical support, security controls, and network management tools. Its features include proactive monitoring, patch management, training, strategic guidance, and regulatory compliance assistance. It’s designed to boost IT staff effectiveness and ensure efficiency.

For more details on why banks and credit unions like yours choose a managed network solution, check out this infographic!

04 Apr 2024

Top 10 Benefits for Financial Institutions to Outsource Network Management

Ensuring that your network is up and running smoothly is crucial to the success of your community bank or credit union. However, managing today’s complex networks can be time-consuming and resource-intensive. This is where working with a managed service provider can offer tremendous benefits. Let’s explore the top 10 advantages of outsourcing your network management:

1. IT Expertise

You gain access to a team of IT professionals with specialized expertise in network administration for financial institutions. These experts can serve as an extension to your team and are available regardless of internal personnel shifts, such as vacations, sick days, short/long-term leave, etc. This creates continuity, ensuring your network always operates at peak performance.

2. Network Uptime

Network downtime can be detrimental when it disrupts customer service and normal business operations. Outsourcing can minimize this risk through proactive monitoring and faster response times. In addition, staff may be focused on other responsibilities and can miss alerts that could lead to a network disruption. With an outsourced solution in place, alerts are monitored, captured, and prioritized to prevent small issues from becoming larger.

3. Enhanced Reporting

Accessing customizable dashboards and real-time reporting offers your institution invaluable insights into the effectiveness of your controls. It also aids in the detection and resolution of potential issues. Leveraging a managed service provider well-versed in the financial landscape who can furnish appropriate reports enhances your readiness for exams and audits.

4. Event Log Monitoring

Manually monitoring and analyzing logs can be an overwhelming, if not impossible, undertaking. A managed service provider can help you evaluate all event logs to determine which activities need further investigation or action to enhance network security.

5. Scalability

As your financial institution grows, so does the complexity of your network. An outsourcing partner can help you scale your network according to your institution’s changing needs and ensure it has the bandwidth to keep up with your organization.

6. Core Competencies

Outsourcing your network management allows you to focus on what you do best – serving your customers and your community. By delegating network-related tasks to outsourced professionals, your IT staff can spend less time on routine, repetitive tasks and have more time to help front-line employees and concentrate on core competencies.

7. Improved Security

Network security is of utmost importance for financial institutions as they handle sensitive customer information. A network management service equips you with a dedicated security team that is up-to-date with the latest security measures. They can put into place strong security protocols, conduct routine patch management, and respond quickly to security threats.

8. Cutting-Edge Technology

Keeping up with the rapidly evolving technology landscape can be challenging. Outsourcing means you can leverage tested state-of-the-art tools and technologies. A managed provider constantly updates their systems and stays on top of emerging trends, ensuring that your network is using the best technology available.

9. Regulatory Compliance

Financial institutions must adhere to strict regulatory requirements and a reputable managed service provider will help you review systems reports, discuss controls assessments, and prepare for exams and audits. You will have more confidence in knowing your network is properly adhering to its operational, security, and compliance policies and procedures.

10. Peace of Mind

Perhaps the most significant benefit of outsourcing your network management is the peace of mind that it brings. Knowing that your network is in capable hands allows you to worry less and focus more on your day-to-day banking activities.

From dedicated IT expertise and increased network uptime to substantial reporting capabilities and improved security and compliance, outsourcing network management allows your financial institution to focus on your core competencies. By entrusting network responsibilities to reliable experts, you can feel confident that your network will operate seamlessly, providing a reliable and secure platform for your customers and community.

NetComply One is a network management service that includes a dedicated strategic advisor to help with technical support, training, guidance, and regulatory compliance assistance. Learn more about outsourcing your network management solution.

14 Mar 2024

Strengthening Financial Cybersecurity: Navigating the Upgrades in RSAT 2.0

In today’s rapidly evolving digital landscape, cybersecurity remains a critical concern for financial institutions. With increasing reliance on technology and expanding risk of exposure through third-party service providers and electronic banking services, the threat of ransomware attacks continues to pose significant risks to the security, confidentiality, and integrity of financial data. The Ransomware Self-Assessment Tool Version 2.0 (RSAT 2.0) emerges as an important resource for institutions seeking to strengthen their defenses against such cyber threats.

The updated version of RSAT is designed to reflect the latest developments and regulatory insights, incorporating feedback from previous ransomware victims to enhance industry-wide resilience. Key enhancements in RSAT 2.0 include a rigorous examination of cloud-based service provider relationships, an emphasis on multifactor authentication implementations, strategic employee cyber awareness training, and robust incident response testing.

Highlights of Key Enhancements:

These updates underscore the importance of a comprehensive approach in safeguarding against the dangers of cyberattacks and reflect regulatory expectations.

  • Cloud-based data management – The tool demands a broader understanding of cloud providers and data flows, especially concerning data housed in locations outside the U.S., as well as compliance with international privacy regulations like GDPR.
  • Multifactor authentication – Another notable emphasis is the expanded focus on multifactor authentication (MFA). RSAT 2.0 seeks specific details regarding the types of MFA in place, its application across systems, and plans for future enhancements. This reflects the increasing recognition of MFA as a critical defense layer against unauthorized access.
  • Employee cyber awareness training – A third area receiving heightened attention is cybersecurity awareness training. With human error being a significant factor in security breaches, RSAT 2.0 stresses the need for comprehensive and role-based cybersecurity training. Financial institutions are encouraged to tailor training to different audiences within the organization, ensuring relevance and effectiveness.
  • Incident response testing – The new version of the tool queries institutions on their incident response testing, particularly the involvement of executive management. This inclusion highlights the importance of leadership engagement in cybersecurity readiness and incident management. Additionally, procedures for validating clean data backups are underscored, emphasizing the role of data integrity and availability in recovery efforts.

Financial institutions are provided with a valuable opportunity to self-assess their readiness to deal with the threat of ransomware in the form of RSAT 2.0.

The enhanced RSAT 2.0 is not merely a checklist but a comprehensive framework that encourages financial institutions to delve deeper into their cybersecurity posture. This self-assessment can help institutions identify areas for improvement and make informed decisions about their cybersecurity management strategies.

For more information on the RSAT 2.0 and other critical factors of cybersecurity management, such as NIST CSF 2.0, Third-party Relationship Management, and more, download and watch our recent webinar, Protect, Detect, and Respond: Prioritizing Cybersecurity Management in 2024.

08 Mar 2024
The Crucial Role of Cybersecurity Management in 2024

As we reflect on the challenges of 2023 and the growing reliance on cloud providers in the financial industry, it is clear that cybersecurity management is more important than ever. With the increasing threat of cyberattacks and the need to protect customer information and financial transactions, community financial institutions must prioritize cybersecurity to ensure the safety and trust of their customers.

In our recent webinar, our IT and Information Security experts discussed cybersecurity management with areas of emphasis on the importance of understanding third-party risk management, the new version of the Conference of State Bank Supervisors (CSBS) Ransomware Self-Assessment Tool (RSAT 2.0), and lessons learned from exams and audits in 2023. This post explores some of the key highlights.

NIST Framework and the Arrival of CSF 2.0

The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a valuable resource for organizations to manage and reduce cybersecurity risk. This framework continuously integrates lessons learned and best practices while retaining its core functions: Identify, Protect, Detect, Respond, and Recover. The recently updated CSF 2.0 includes the introduction of a sixth function, ‘Govern,’ underscoring the importance of clear role definitions, policies, and risk prioritization procedures within cybersecurity programs. It also provides improved guidance on implementation, ensuring that organizations are equipped to address the latest cybersecurity challenges.

Critical Third-party Relationship Management

Third-party risk management is crucial as financial institutions are increasingly relying on third and fourth parties. Interagency guidance underscores the importance of understanding the impact and interaction levels of these relationships on operations and customers. Financial institutions are encouraged to establish sound methodologies for comprehensive oversight of the activities surrounding third parties. This includes a thorough understanding of third-party business processes and systems as well as an understanding of the risks and benefits before contract execution. As financial institutions move forward with third-party relationships, they must also exert pressure on their service providers to ensure adherence to strong cybersecurity standards to effectively safeguard the interests of the financial institution and ultimately its customers.

Importance of the Ransomware Self-Assessment Tool (RSAT 2.0)

The Ransomware Self-Assessment Tool (RSAT) version 2.0 represents a significant step forward in helping financial institutions fortify their defenses against ransomware attacks. The latest version is developed through the integration of feedback from institutions that have been impacted by ransomware, ensuring that the tool remains relevant and effective as this type of malware continues to evolve. With a focus on cloud-based service providers, RSAT 2.0 emphasizes the importance of understanding the flow of data, particularly in environments outside the U.S., and how it is subject to various privacy regulations like GDPR. Furthermore, RSAT 2.0 places increased emphasis on multifactor authentication (MFA) and employee cyber-awareness, reflecting the industry’s recognition of the critical role these factors play in strengthening cybersecurity postures.

Key Lessons Learned from Exams and Audits

A few of the biggest areas of scrutiny that we’re seeing from recent IT exams and audits include:

  • Asset Management – paying attention to asset lifecycles and end-of-life risks as well as implementing robust authentication methods that govern customers who are logging into electronic banking applications
  • Change Management – establishing baseline standards and auditable procedures for change requests and appropriate reporting for project management and cost overruns
  • Data Recovery – periodically rotating through your critical servers and restoring data so that you can ensure the effectiveness, integrity, and availability of that data
  • Increased Incident Response Testing and Training – conducting testing as frequently as possible over different threat scenarios, documenting those tests, and training the employees who are going to be involved in the actual response
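The test-restore practice in the Data Recovery item above, and the “validating clean data backups” procedure that RSAT 2.0 asks about, both need a way to prove that what came back is what was backed up. As an added example that is not Safe Systems’ or the RSAT authors’ code, the following builds a SHA-256 manifest of a file set on the live server at backup time and later checks a test restore against it. The paths are hypothetical; the manifest is assumed to be stored somewhere other than the backup media itself, so that a tampered or incomplete backup cannot also carry a matching manifest.

```powershell
# Added example (not Safe Systems code): hash-manifest verification of a test restore.
# Generate the manifest from the source at backup time; verify the restore against it later.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $Root,          # directory that was backed up
        [Parameter(Mandatory)] [string] $ManifestPath   # CSV written to a separate location
    )
    $rootFull = (Resolve-Path -Path $Root).Path.TrimEnd('\')
    # Relative path plus SHA-256 for every file, so the manifest is independent of
    # where the data is later restored.
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-RestoredData {
    param(
        [Parameter(Mandatory)] [string] $RestoredRoot,  # where the test restore landed
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $expected   = Import-Csv -Path $ManifestPath
    $missing    = @()
    $mismatched = @()
    $verified   = 0

    # Every file in the manifest must exist in the restore with the same content.
    foreach ($entry in $expected) {
        $path = Join-Path -Path $RestoredRoot -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $missing += $entry.RelativePath
            continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) { $mismatched += $entry.RelativePath } else { $verified++ }
    }

    # Files present in the restore but absent from the manifest are unexpected content
    # (stale data, or something written to the backup after the manifest was taken).
    $restoredFull = (Resolve-Path -Path $RestoredRoot).Path.TrimEnd('\')
    $known = @($expected | Select-Object -ExpandProperty RelativePath)
    $unexpected = @(Get-ChildItem -Path $RestoredRoot -File -Recurse |
        ForEach-Object { $_.FullName.Substring($restoredFull.Length + 1) } |
        Where-Object { $known -notcontains $_ })

    [pscustomobject]@{
        Verified   = $verified
        Missing    = $missing
        Mismatched = $mismatched
        Unexpected = $unexpected
        Passed     = ($missing.Count -eq 0 -and $mismatched.Count -eq 0)
    }
}

# Usage (hypothetical paths):
# New-BackupManifest -Root 'D:\CoreData' -ManifestPath '\\evidence\backups\coredata-manifest.csv'
# Test-RestoredData  -RestoredRoot 'E:\RestoreTest\CoreData' -ManifestPath '\\evidence\backups\coredata-manifest.csv'
```

The result object, with its lists of missing, mismatched, and unexpected files, is what gets attached to the documented test that examiners ask for; a restore that merely completes without error proves availability, while the hash comparison is what demonstrates integrity.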

For more lessons learned and emerging trends, watch the full webinar recording.

Community banks and credit unions must prioritize cybersecurity management to protect customer information and maintain operational resilience. Enhanced cybersecurity strategies are imperative, urging institutions to adopt a multidimensional approach that incorporates people, processes, and technologies. Regular assessments, third-party risk management, and adherence to cybersecurity frameworks contribute to a proactive defense against cyber threats.

If you have any questions or want to learn more about our complimentary information security review, please visit safesystems.com/review.

08 Feb 2024
The Importance of the ISO Role in 2024

The role of the Information Security Officer (ISO) in financial institutions continues to increase in responsibility and accountability year over year. The security challenges of community banks and credit unions are expanding as data breaches, targeted attacks, and cybersecurity threats become more pervasive. ISOs must be equipped to guide their institution through the complexities of addressing security threats in the current environment. The ISO job function—which should exist as a separate role within the institution—should go beyond focusing on overall policy development, risk management, and working with high-level executives to also include visibility and accountability for technical activities on internal systems and with technology service providers (TSPs). This ensures that all security strategies are being implemented and managed according to organizational objectives.

Regulatory Expectations and Requirements

While the role can vary among different financial institutions, today’s ISO has leadership responsibilities that involve crucial areas like cyber risk assessment, regulatory compliance, business continuity planning, and incident response. Other key duties include technology committee and board reporting, and preparing for and responding to audits and exams.

In terms of regulatory expectations and requirements, today’s ISO is responsible for demonstrating that their institution has met all relevant regulatory requirements and is protecting all the data, records, and personal information of its customers/members. In addition, the Federal Financial Institutions Examination Council (FFIEC) requires all institutions to have a designated ISO who is responsible and accountable for implementing and monitoring the information security program. Although general information security management duties may be shared among various business lines, the ISO is responsible for providing stakeholders and decision-makers with sufficient information to support their oversight efforts.

Augmenting the ISO Role

As today’s ISOs expand their focus beyond conventional information security issues and duties, they will need more expertise and advanced tools to protect their institution against ever-changing cyber threats. The ISO will need to address more complex challenges relating to cloud security, artificial intelligence, and other technological advancements. Many ISOs with community FIs do not have the time, experience, or technology expertise to organize and manage these responsibilities. The good news is that financial institutions can augment any lack of expertise with a Virtual ISO (VISO) solution. A VISO does not remove the need for a resident ISO at the institution, but it can provide valuable expertise, perspective, and assurance that all periodic responsibilities are adequately addressed. Safe Systems’ virtual ISO solution, ISOversight™, offers access to a suite of applications, resources, reporting, and dedicated risk and compliance specialists to help community banks and credit unions manage the myriad of risk management and FFIEC Compliance responsibilities including accountability and visibility for anomalies and exceptions for technology and IT (Information Technology) security activities that could negatively affect non-public information and financial transactions.

Safe Systems is dedicated to sharing knowledge and providing training around this critical role. Our IT and Information Security Compliance experts have hosted numerous “ISO 101” classes and webinars that focus on the requirements of the role within today’s regulatory framework and the accountability factors among the various stakeholders. Our next webinar, “Protect, Detect and Respond: Prioritizing Cybersecurity Management in 2024” will discuss the regulatory trends we saw in 2023 and share real-life experiences to help you enhance cybersecurity management efforts and build resiliency. Join us on Wednesday, February 14 at 2:00 PM ET.

26 Jan 2024
Enhancing Security for Microsoft 365 Services

Many financial institutions depend on productivity products like Microsoft Teams, Exchange Online, OneDrive, and SharePoint to enhance their business operations. More specifically, a significant percentage of community banks and credit unions use Microsoft 365 (M365) and Exchange Online to provide email service for their employees, based on the findings of Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions survey.

This recent research indicates that more than 119 out of 144 respondents—83%—use M365 and Exchange Online for their email service. Despite the widespread adoption, some community banking institutions are not aware that when they leverage these cloud-based services, extra security measures must be implemented. Therefore, some may not be utilizing all the available security settings or services to their fullest potential.

Multifactor Authentication

To protect their M365 infrastructure, institutions are customizing Microsoft’s out-of-the-box security services. For instance, 50% of 114 survey respondents use dual or multifactor authentication (MFA). An additional 40% of the same respondents supplement dual or MFA with security configurations such as conditional access policies (CAPs).

MFA is a crucial security measure because it can block 99% of account compromise attacks, according to Microsoft. But cybercriminals are launching more sophisticated attacks to exploit human error and bypass MFA requirements. Case in point: There are over 300 million fraudulent sign-in attempts to Microsoft’s cloud services every day—and cyberattacks are escalating. Financial institutions must remain vigilant and constantly modify their efforts to ensure the most effective use of MFA.

Conditional Access Policies

Banking institutions that use M365 services should also be aware that the implementation of additional security controls is their responsibility, not Microsoft’s or a licensed reseller’s. The use of Conditional Access Policies (CAPs) is a key strategy for securing Entra ID (formerly known as Azure AD) because they are the highest control layer for access (sign-ins) within Azure. Using multiple CAPs—those that target a mixture of MFA, applications, clients, locations, compliance status, and device types—is an ideal way to add protective layers within Azure.

Beyond covering M365 services, the survey offers valuable, peer-to-peer insights on these other important prevention and detection security layers, such as employee security awareness training and testing, vulnerability and patch management, email infrastructure, and cybersecurity preparedness.

Download our latest white paper to learn more about how your financial institution can enhance security when using Azure or any M365 services.

18 Jan 2024
Our Top Blog Posts of 2023

As we begin the new year, it’s a great time to revisit some of the most popular blogs we published in 2023. Our top blogs from last year covered a range of topics, including a cybersecurity outlook, updated third-party risk management guidelines, using conditional access policies (CAPs) and multifactor authentication (MFA) to enhance security within Microsoft Azure Active Directory (AD), and NetConnect 2023. If you didn’t have a chance to read these posts—or simply want to review them—here is a recap of each of them. They offer unique perspectives, best practices, and a wealth of insights that can help your financial institution prepare for greater success in the year ahead.

2023 Cybersecurity Outlook for Community Banks and Credit Unions

Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions revealed valuable peer-to-peer insights that can help financial institutions enhance their security posture. The survey highlights cyber preparedness and budget restraints as top security challenges of more than 50% of the 160 participating financial institutions. It also shared participants’ feedback on other important areas, including prevention and detection security layers; employee security awareness training and testing; and advanced firewall features. For instance, respondents use multiple layers of security, but less than 50% of them combine every security layer listed in the survey. Survey respondents also use a variety of security training—including resource-intensive individual instruction. In addition, most of the survey participants are taking advantage of advanced firewall features, although only 24% of 135 respondents leverage sandboxing technology to detect threats. Read more.

Updated Regulatory Guidelines on Third-Party Risk Management

In June, federal bank regulatory agencies issued updated guidelines to make it easier for financial institutions to manage third-party risks. This new guidance from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) impacts all banking institutions that use third parties. The majority of statements in the new guidance focus on the planning, due diligence, and contract phases with an emphasis on pre-engagement. Since auditors and examiners will be looking more closely at what happens during the pre-engagement stage, institutions need to place more emphasis on scrutinizing potential third parties. Not all statements in the guidance will apply to all institutions or relationships, so we have developed an interactive checklist designed to walk you through key regulatory requirements of the third-party relationship life cycle. Read more.

Using CAPs and MFA to Enhance Security within Microsoft Azure AD

There was a surge in successful phishing campaigns last year, including sophisticated schemes that were able to bypass MFA. MFA-resistant phishing is a significant threat since this type of attack could impact a vast segment of organizations that rely on Microsoft Azure AD (now known as Microsoft Entra ID) and Microsoft M365 services to support their operations. However, financial institutions can use a variety of measures to prevent cyberattacks, including Conditional Access Policies (CAPs). CAPs, which are foundational to safeguarding identities within Microsoft Entra ID, protect the initial step of the identification chain—the sign-in attempt. To maximize protection, institutions should stack multiple CAPs, such as requiring MFA, denying sign-ins from outside of the USA, and requiring device compliance. When designing CAP logic, they should take a broad approach to the scope of the CAP to impact as many areas as possible. Institutions can take a multi-layered approach to optimizing security by leveraging multiple security tactics, technologies, and resources. Read more.
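The stack of CAPs described here and in the Conditional Access Policies section above (require MFA, deny sign-ins from outside the USA, require device compliance), written out as an added example with the Microsoft Graph PowerShell SDK; this is not Safe Systems’ or Microsoft’s code. The policy names, the US-only country list, and the break-glass account UPN are assumptions, and every policy is created in report-only mode so that its effect can be checked in the sign-in log before it is enforced.

```powershell
# Added example: three stacked Conditional Access policies in Entra ID.
# Assumes the Microsoft.Graph PowerShell SDK is installed (Install-Module Microsoft.Graph)
# and that the signed-in admin may write Conditional Access policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Emergency-access account excluded from every policy, so a mistake in one
# policy cannot lock all administrators out. Placeholder UPN, replace with your own.
$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.example').Id

# Named location listing the only country sign-ins may originate from.
# Unknown origins are deliberately NOT counted as inside the US.
$usLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries - US only'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}

# Report-only first: the sign-in log shows what each policy WOULD have done.
# Switch to 'enabled' only after reviewing those results.
$state = 'enabledForReportingButNotEnforced'

# Layer 1: require MFA for all users on all cloud apps.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA01 - Require MFA for all users'
    state       = $state
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Layer 2: block any sign-in whose source is not inside the US named location.
# Scope is broad on purpose (all users, all apps), as the post recommends.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA02 - Block sign-ins from outside the US'
    state       = $state
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($usLocation.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Layer 3: require an Intune-compliant device on top of MFA.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA03 - Require compliant device'
    state       = $state
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}

# Verify: every policy should show up with the report-only state.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Because the policies are independent, a sign-in must satisfy all three that apply to it; the break-glass exclusion is the only path that bypasses the stack, so that account should be monitored separately.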

NetConnect 2023—A Glimpse into the Future of Technology and Compliance

The 2023 NetConnect Customer User Conference brought Safe Systems’ customers, employees, and partners together in Alpharetta, Ga. to discuss banking industry trends, challenges, and innovations. NetConnect 2023 provided valuable insights into banking and technology’s vital role in shaping the industry’s future. With multiple informative sessions, the conference covered the significance of hope in business, changes relating to regulatory compliance, vulnerability management, and Microsoft Azure fundamentals. Read more.

Get the latest industry developments, insights, and trends delivered directly to your inbox. Subscribe now to the Safe Systems blog.

11 Jan 2024
Advanced Firewall Features Provide Critical Protection Against Cybersecurity Threats

With the risk of security breaches and data compromises constantly growing, traditional firewalls are not equipped with the capabilities financial institutions need to optimize their network security. Advanced firewalls—also known as next-generation firewalls (NGFWs)—have more complex features that can help institutions block unwanted traffic, prevent cyberattacks, and enhance their security posture. NGFWs go beyond the capacity of conventional firewalls by capitalizing on other network filtering functions.

Commonly Adopted Features Among Survey Respondents

Today many community banks and credit unions employ a variety of advanced firewall features to keep potential hackers at bay, according to the findings of Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions survey. As expected, a majority of the 135 survey respondents use (62%), TLS/SSL traffic inspection (54%), and (41%).

Underutilized Features – Sandboxing and Dynamic Threat Feeds

Surprisingly, only 24% of survey respondents indicate that they leverage sandboxing, which provides a secure, isolated location to test possible threats like files, codes, or patches. While a small percentage have adopted this advanced feature, other research shows that 87% of security professionals report that sandboxes arm them with important information.

Another underutilized feature—used by 33% of 81 respondents—is dynamic threat feeds, which allow good network traffic in and keep bad traffic out while ensuring critical processes continue to work. Dynamic threat feeds represent a real-time, continuous data stream that collects information related to cyber risks so that institutions can act on potential or current threats. The threat feeds incorporated into the threat engines can determine where traffic begins geographically and use that location as a deciding factor—even before evaluating whether the traffic is allowed by a firewall policy. Applying this basic logic can help institutions save valuable time and resources while protecting their environment against locations that are known to produce more security threats.

In addition to covering advanced firewall features, the 2023 Cybersecurity Outlook for Community Banks and Credit Unions survey explores several other important areas, including employee security awareness training and testing, vulnerability and patch management, Microsoft 365 services, email infrastructure, and cybersecurity preparedness.

While it is encouraging that research indicates that financial institutions are using several advanced features of NGFWs, they can do even more to take advantage of this technology. To learn more about how advanced firewalls can provide critical defense for your institution’s network security, download the complete findings of the 2023 Cybersecurity Outlook for Community Banks and Credit Unions. Or read our white paper on “Improving Security Posture Through Next-Generation Firewall Features.”

07 Dec 2023
NetConnect 2023 – A Glimpse into the Future of Technology and Compliance

Safe Systems hosted its 2023 NetConnect Customer User Conference last month in Alpharetta, GA. After taking a hiatus due to the pandemic, Safe Systems customers, employees, and partners were eager to reconvene to discuss the latest trends, challenges, and innovations. This year’s conference provided insights into the evolution of banking and the critical role technology plays in shaping the industry’s future.

Here are some key highlights and insights shared at this year’s conference.

“I have been to several vendor conferences in the last 20 years, and I would say this is one of the best, if not the best, one I have been to. The sessions were informative and on-target. The presenters were all well qualified and engaging.” – Community banking CFO

Celebrating 30 Years of Excellence

NetConnect 2023 marked the 30th anniversary of Safe Systems’ journey in the banking technology landscape. The conference began by reflecting on the early days when our services primarily focused on PC and network policies, network installations, and troubleshooting. Safe Systems highlighted that our evolution and growth were driven by customer feedback and collaboration. Customers have always been the cornerstone of our success.

Keynote speaker Dr. Randy Ross

The Power of Hope in Business

Keynote speaker, Dr. Randy Ross, shared insights on the importance of hope in the workplace. Hope is not merely wishful thinking or passive optimism; it’s a dynamic motivational system tied to inspirational goal setting. The case for hope in business was backed by impressive statistics, including lower absenteeism, increased productivity, and enhanced morale and creativity. Dr. Ross also provided guidelines on how anyone can apply hope to make life happier, healthier, and more productive.

Regulatory Compliance in a Changing Landscape

Tom Hinkel, VP of Compliance Services, delved into the dynamic world of regulatory compliance. He discussed the latest statistics, including a surge in cyber insurance claims due to zero-day attacks and ransomware. Regulatory changes like third-party risk management (TPRM) guidance and FDIC InTREx updates were highlighted. The session also touched on the cyber incident notification rules approved by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC) in 2022 and the Conference of State Bank Supervisors (CSBS) updated R-SAT 2.0 (Ransomware Self-Assessment Tool).

Brian Brannon, VP of Security Product Strategy, and James Minstretta, Endpoint Security Engineer, doing a live demo of Azure vulnerability settings.

Security and Vulnerability Management

Brian Brannon, VP of Security Product Strategy, addressed the critical topic of vulnerability management. He explained the proactive strategy of identifying, assessing, and mitigating network weaknesses, aligning it with the expectations of regulators. The session included a live demo to demonstrate the importance of effective vulnerability management.

Azure Security 101

Our Microsoft 365 Certified Technology DevOps Engineer took a deep dive into Azure fundamentals, including Entra ID, M365, and Resource Subscriptions. He explored how to mitigate risks using Conditional Access Policies, enabling multi-factor authentication (MFA), limiting geographic locations, and more. The session included interactive labs of the Entra ID Admin Center, SharePoint Online, and OneDrive to allow attendees to explore logs, manage settings, and review reports firsthand.

Panel Discussion on Regulatory Changes

The conference concluded with a panel of auditors and regulatory compliance specialists, who discussed topics such as the increasing importance of cyber insurance, the impact of AI on exams and audits, and third-party risk management. Attendees had the opportunity to ask questions and engage with experts on these vital topics.

Safe Systems’ former VP of Compliance Services Tom Hinkel hosting a panel of compliance experts that included Senior Compliance Specialist Paige Hembree (Safe Systems), Financial and Information Security Auditor Matthew Jones (Symphona), Wipfli’s Senior Manager Jim Rumpf, and Director for Supervision Kevin Vaughn (Georgia Department of Banking and Finance)

NetConnect 2023 offered a comprehensive overview of the current state and future prospects of banking technology and regulatory compliance. The industry continues to evolve, and staying informed and adaptable is key to success in this ever-changing landscape. Safe Systems remains committed to supporting financial institutions on their journey, as demonstrated by our 30 years of excellence and our forward-looking approach to technology and compliance.

30 Nov 2023
Important Industry Insights on the Use of Anti-Malware and Advanced Features for Ransomware Protection

According to the IC3 2022 Internet Crime Report, the FBI received 2,385 complaints identified as ransomware with adjusted losses of more than $34.3 million. Moreover, 870 of these complaints indicated that organizations belonging to a critical infrastructure sector, such as financial services, were victims of a ransomware attack. This makes it imperative for banks and credit unions to employ a variety of measures to protect themselves against the growing threat of ransomware attacks. Yet many financial institutions that are leveraging anti-malware solutions are not using advanced features that can help protect against ransomware threats. According to Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions, advanced features for anti-malware/anti-ransomware solutions such as root cause analysis, advanced machine learning algorithms, and sandbox analysis only received 12% or less of the answers among the survey participants.

With advanced features, financial institutions can more effectively monitor security threats on endpoints and ascertain the source and extent of an attack. Institutions that want to enhance their ability to detect and respond to threats might consider expanding their cybersecurity budget to increase spending on advanced anti-malware and endpoint protection features.

Recovery Strategies

As part of their recovery strategies, more than one-third of 144 survey respondents say they have implemented notification measures, including notifications to customers, regulators, and applicable insurance carriers. This is critical given the recently finalized interagency Computer-Security Incident Notification Rule. It requires banking organizations to notify their primary federal regulator about any significant “computer-security incident” as soon as possible after a cyber incident happens. (A computer-security incident, as defined by the rule, is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.) Nearly 30% also leverage other important recovery strategies such as monitoring for the early detection of potential incidents and eliminating intruder access points.

Other Key Security Issues

In addition to shedding light on how institutions use advanced features for anti-malware/anti-ransomware solutions, our comprehensive survey highlights several other security issues, including Microsoft 365 services, email infrastructure, advanced firewall features, vulnerability and patch management, and more. Banks and credit unions must effectively address all of these areas to stay ahead of the constantly evolving cybersecurity landscape.

Download a copy of our latest white paper to read the complete survey findings, which can provide a deeper understanding of current cybersecurity concerns and best practices to enhance your institution’s security posture.

16 Nov 2023
What You Need to Know from the 2023 Cybersecurity Outlook for Community Banks and Credit Unions

As cyber threats become more complex, aggressive, and prevalent, implementing cybersecurity mitigation strategies is becoming more critical in the financial services sector. Not surprisingly, cyber preparedness and budget restraints are the top security challenges for more than half of the financial institutions that responded to the Safe Systems survey, 2023 Cybersecurity Outlook for Community Banks and Credit Unions.

Our analysis presents input from approximately 160 participants who responded to 55 questions (including multiple-choice) based on how relevant each query was to their organization.* In addition to focusing on the top security challenges, the survey highlights respondents’ input on several other critical areas, including:

  • Prevention and Detection Security Layers: Modern operating environments require a more robust security strategy that goes beyond implementing a basic firewall or anti-malware solution to protect their information and infrastructure from the growing number of cyber threats. Survey respondents are implementing multiple security layers, including firewall, patch management, anti-malware, email encryption, employee training and testing, vulnerability monitoring, and security log monitoring. However, less than 50% of all respondents use every security layer listed in the survey, which indicates they can do more to protect themselves against cyberattacks.
  • Employee Security Awareness Training and Testing: 95% of all cybersecurity issues can be linked to mistakes made by individuals, with 43% of breaches attributed to insider threats, according to the 2022 Global Risk Report by the World Economic Forum, making employee security awareness training and testing critical for financial institutions. Accordingly, survey respondents are deploying multiple types of security training, including simulated phishing attacks, self-service online training and exercises, interactive classroom training, and more. Of the 144 participants responding to this question, 60% indicate they conduct individual training based on need, which is notable because this method of instruction normally requires more time and resources.
  • Advanced Firewall Features: A majority of the participants responding to this question indicate that they are using one or more advanced firewall (or next-gen firewall) features, such as intrusion prevention or detection systems (IPS/IDS), transport layer security (TLS)/secure sockets layer (SSL) inspection, and Geo-IP filtering. Whether managed in-house or through an outside provider, these expanded capabilities can help institutions protect their network and institution against a broad array of threats. Sandboxing, for example, provides a safe, isolated environment to execute and observe potentially malicious code from unverified programs, files, suppliers, users, or websites. Out of 135 respondents, only 24% indicate they have sandboxing despite its ability to identify threats.
  • Cybersecurity Preparedness: Examiners recognize the increasing volume and sophistication of cyber threats and have an increased focus on cybersecurity preparedness in assessing the effectiveness of an institution’s overall information security program. Out of 128 respondents, 52% confirm that the focus on information security, including cybersecurity, has increased during their IT audits and exams. IT examiners and auditors are also reviewing whether institutions have completed any of the common cybersecurity assessments (e.g., CAT, ACET, or CRI/NIST), and they are using them to evaluate institutions’ security posture during an exam. According to the same respondents, 43% say they had their cybersecurity assessment reviewed and used as part of their latest IT exam, and 39% indicate that they received recommendations based on it.

To access the complete survey and gain valuable peer-to-peer insights that can help your institution enhance its cybersecurity decision-making process, read “2023 Cybersecurity Outlook for Community Banks and Credit Unions”.

* The number of respondents varies per question. For multiple-choice questions, the Percent (Respondents) is calculated by dividing each answer count by the total unique respondents, and the Percent (Answers) is calculated by dividing each answer count by the total counts collected.

26 Oct 2023
The New Rules and Best Practices of Password Security

Passwords have always been a reliable option for digital security. In the early days, you simply provided something that only you knew to authenticate yourself, and voila, your identity would be confirmed. But the world of passwords has changed. Initially, they were easy―you had fewer of them; you often needed physical access to use them; and people were just nicer back then. At least, that’s the way I remember it.

But did people really change… or did the world just get smaller with the growth of the internet—giving bad actors greater access to our digital domains? One thing is clear: password security requires new rules and strategies to keep up with the fast-changing cyber landscape. In addition to following best practices for creating strong passwords, you also need to consider employing multifactor authentication (MFA) or adopting a password management solution.

Embracing MFA

Whenever possible, you should avoid relying solely on passwords. The better option is to implement MFA, which adds another layer of security. While there are MFA-resistant phishing attacks, enabling MFA significantly minimizes the risk of compromise. In recent years, MFA has evolved to become more robust and secure, and there are different levels of quality in MFA. For instance, Microsoft Modern MFA doesn’t merely require you to click “accept” on a device; you have to input a numerical code to confirm the login attempt. (Always use the most advanced and newest version that aligns with your user base’s tolerance.)

Using a Password Manager

There are situations where MFA is not available or does not make sense to use. In these cases, passwords may be your best or only option. This indicates the importance of using some type of password management solution. A password management tool can be an effective way to keep track of the plethora of passwords that most people have. The average person has more than 100 passwords, according to a study by NordPass. That’s too many passwords for anyone to remember.

As a low-tech solution, some people write their passwords down in a notebook. If the book is securely locked away, this method may be acceptable, but it’s not ideal. However, I recommend using a software-based password management system that allows the user to create one login to access all their passwords. Only use a digital password manager that offers MFA to access passwords. If you’re not sure which solution to choose, there are numerous resources to guide you like this article from CNET. However, the best option for you will depend on your specific needs and goals.

Best Practices for Creating Strong Passwords

Password best practices have changed over the years. But as a general rule, you should never—ever—recycle a password. An existing password may be easier to remember and more convenient to reuse. But it’s not worth the risk; if your password is stolen, every place you have used it could be compromised.

You should also avoid including personal details in passwords. For example, don’t create a password using your child’s initials and birth year—no matter how cleverly you format it. (I know, you’re thinking: “But I used lower and upper case and separated them with a comma.” Trust me, so did the database that is being run against your accounts.)

It’s also important to ensure that every site, application, etc. has a strong password. Here are a few techniques for crafting strong passwords:

  • Make them long. Aim for at least 14 characters—or even longer—since you can easily copy and paste them into your password management tool. Some sites and applications have character restrictions for passwords. In these cases, focus more on creating a random password that will be more difficult for someone to guess.
  • In situations where you frequently use a password and copying it from a management program is not an option, consider using passphrases. Instead of choosing a simple password like “BillyJoe1998,” use “BillyJoeGraduatedIn1998.” You can then substitute look-alike characters, for example:
    ◦ “i” and “l” became “1”
    ◦ “a” became “@”
    ◦ “e” became “3,” which looks similar to a backward capital “E”
  • Still another option is to insert punctuation between words. If you added “!” to the previous password, it would read B111y!J03!Gr@du@+3d!1n!1998.

Using a combination of these approaches is the best way to make passwords more complex and secure. Ultimately, the key to protecting your passwords is to constantly adapt and remain vigilant in the ever-evolving world of digital security.
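As an added example that is not part of the original post, the PowerShell check below applies the rules above (at least 14 characters, no personal details) and first undoes the look-alike substitutions the post lists, which is exactly what a cracking wordlist does when it is “run against your accounts”. The list of common words and the personal details it tests against are constructed for the demo; the “0” for “o” and “+” for “t” mappings come from the post’s own example password.

```powershell
# Added example: a password hygiene check in the spirit of the post's rules.
# Not Safe Systems' code; word list and personal details below are constructed.

function ConvertTo-CanonicalForm {
    # Reverses the substitutions the post describes so that "B111y!J03" and
    # "BillyJoe" compare equal. "i" is folded to "l" because both became "1"
    # in the post's example and cannot be told apart afterwards.
    param([Parameter(Mandatory)][string]$Text)
    $t = $Text.ToLowerInvariant()
    $pairs = @(@('1', 'l'), @('i', 'l'), @('@', 'a'), @('3', 'e'), @('0', 'o'), @('+', 't'))
    foreach ($p in $pairs) { $t = $t.Replace($p[0], $p[1]) }
    return ($t -replace '[^a-z0-9]', '')   # drop separators such as "!"
}

function Test-PasswordHygiene {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Things the post says never to use: names, initials, birth years, etc.
        [string[]]$PersonalDetails = @(),
        # Constructed stand-in for a real dictionary/wordlist (thousands of entries in practice).
        [string[]]$CommonWords = @('password', 'welcome', 'graduated', 'summer', 'letmein')
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Rule 1: length. The post asks for 14 or more characters.
    if ($Password.Length -lt 14) {
        $findings.Add("too short: $($Password.Length) characters, want at least 14")
    }

    # Rules 2 and 3: personal details and dictionary words, compared AFTER undoing
    # substitutions on both sides, so "@" for "a" buys nothing.
    $canonical = ConvertTo-CanonicalForm -Text $Password
    foreach ($detail in $PersonalDetails) {
        $needle = ConvertTo-CanonicalForm -Text $detail
        if ($needle.Length -gt 0 -and $canonical.Contains($needle)) {
            $findings.Add("contains personal detail '$detail' (after undoing substitutions)")
        }
    }
    foreach ($word in $CommonWords) {
        if ($canonical.Contains((ConvertTo-CanonicalForm -Text $word))) {
            $findings.Add("contains dictionary word '$word' (after undoing substitutions)")
        }
    }

    # Years are checked on the raw string, since "1" was remapped above.
    if ($Password -match '(19|20)\d{2}') {
        $findings.Add('contains a year-like number, often a birth or graduation year')
    }

    return [pscustomobject]@{
        Password   = $Password
        Canonical  = $canonical
        Acceptable = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Walk the post's own three examples against constructed personal details.
$details = @('Billy', 'Joe', '1998')
'BillyJoe1998', 'BillyJoeGraduatedIn1998', 'B111y!J03!Gr@du@+3d!1n!1998' | ForEach-Object {
    Test-PasswordHygiene -Password $_ -PersonalDetails $details
} | Format-List Password, Canonical, Acceptable, Findings
```

All three sample passwords reduce to the same canonical string and fail the personal-detail check; only the first also fails the length rule, which is why length and randomness, not substitutions, are what make a password hard to guess.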

12 Oct 2023
Updated Regulatory Guidelines on Third-Party Risk Management

Earlier this year, federal bank regulatory agencies released new guidance designed to help banking organizations better manage risks related to third-party relationships. These latest guidelines, issued by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC), have broad implications for virtually all financial institutions that employ third parties.

Fostering Safe and Sound Practices

The updated guidance offers more streamlined language and clarification to help institutions better identify and reduce risks relating to using third parties like vendors, suppliers, partners, contractors, and service providers—including financial technology companies. It covers risk management practices for the stages in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The underlying impetus of regulatory agencies is to ensure that institutions have an effective third-party risk management process that supports safe and sound banking practices.

While the new guidance was just finalized in June, examiners are already increasing their questions and expectations regarding third-party risk management. Financial institutions should take proactive steps as soon as possible to address any potential issues. For example, they should broaden their consideration of what constitutes a “business arrangement.” The guidelines indicate that a third-party relationship may exist regardless of whether there is a formal contract or an exchange of compensation. Hence, institutions should be as inclusive as possible by factoring all business arrangements—no matter how insignificant—into their third-party risk management practices.

Important Areas to Consider

The current guidance encompasses a plethora of “statements”—more than 160 of them—that cover a variety of requirements, suggestions, and best practices. Almost 70% of the statements relate to how banking organizations should handle the planning, due diligence, and contract phases. Since these areas involve the pre-engagement stage, institutions need to place more emphasis on scrutinizing potential third parties because auditors and examiners will be looking more closely at what happens prior to engagement. The scrutiny should start at the early phase when bank management begins to consider a project, initiative, or even a concept.

Financial institutions also need to understand the strategic basis or purpose of a proposed business arrangement. They should identify and assess the benefits and risks associated with the arrangement and then verify that they align with their strategic objectives. They also must consider other crucial areas, including the institution’s ability to manage and oversee the relationship, the legal and regulatory compliance implications of the relationship, along with the third party’s financial condition, business experience, expertise of key personnel, and operational resilience. Additionally, institutions need to be cognizant of how third parties are managing their own subcontractors, which could ultimately impact the delivery of their services.

However, not all of the 160-plus statements in the new guidance apply to all institutions or all relationships, and some seem unattainable or overly burdensome. Institutions should identify the ones that are the most relevant and feasible and then prioritize their efforts accordingly.

In a joint press release in June, the Federal Reserve Board, FDIC, and OCC said they “plan to engage with community banks immediately and develop additional resources in the near future to assist them in managing relevant third-party risks.” In the meantime, institutions can download interactive checklists we designed to walk them through key regulatory requirements of the third-party relationship life cycle.

To learn more about how the revised guidelines may affect your financial institution, access our webinar on “New Third-Party Risk Managers Guidance.”

06 Oct 2023
2024 Budgeting for Technology and Cybersecurity in Community Banks and Credit Unions

In the modern banking landscape, technology and cybersecurity are not just optional extras but fundamental necessities. For community financial institutions—which often operate with more limited resources than their larger counterparts—budgeting wisely in these areas is critical. Failure to properly invest could not only compromise efficiency and customer service but also expose institutions to potentially devastating cyber threats.

There are three categories that community banks and credit unions should consider when allocating budgets: cybersecurity, compliance along with its associated regulatory technology (RegTech), and general technology. Here are important considerations for each of these areas:

Cybersecurity

Cyber threats are ever-evolving, and no financial institutions are immune. Measures such as firewalls, encryption, and intrusion detection systems are basic requirements. Financial institutions also need to go further by investing in regular security audits and employee training. In today’s threat landscape, allocating a sufficient budget for cybersecurity measures is non-negotiable.

The best technology and cybersecurity measures are only as good as the people who use them. Community banks and credit unions should set aside funds for regular training programs to ensure staff are up to date with the latest technologies and security protocols. There are some great tools available that provide training and testing and run phishing simulations to see which employees may be your weakest links.

The odds are that at this point, your institution has an account in Microsoft’s cloud solution, Azure. OneDrive, Exchange Online, and many other Microsoft solutions are connected to Azure and may even be part of your Microsoft license. It is important to review the Azure tenant or management console to ensure you are dictating your security settings and not Microsoft. You can accomplish this in various ways, including implementing conditional access policies (CAPs), the buzzword of 2023. If you are not using CAPs, you should immediately find out how to implement them and identify which ones are critical to your security. Also, Azure is a cloud-based management console, so if it is compromised, the ramifications can be severe. Monitoring key reports, accounts, and settings is critical for the long-term security of your institution.

Below are some real-life events and numbers that illustrate just how critical this type of management can be. (We discovered these events last year in our review of a small number of community financial institutions.)

Event                                                                       Number of times
Successful sign-in from outside the US                                      674
Sign-in from outside the US (valid password but MFA failed)                 37
Mailbox settings (access to email, send on behalf of, forwarding) changed   1,970
OneDrive files shared externally                                            708
Administrative roles assigned to a user                                     1,607
Large number of failed sign-in attempts for a user                          11,116

While some of the numbers above represent intentional changes, the sheer volume indicates that many of these events were not approved or intended actions by the institution. Clearly, criminals are targeting these accounts. Hence, there is no option but to be proactive in monitoring and managing the security of your account with the appropriate settings, reports, alerts, and management. Also, note the multifactor authentication (MFA) stat. It only happened 37 times, but each of those was a sign-in with a valid password where MFA was the difference between protection and compromise. This underscores the urgent need to implement and maintain MFA.
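To illustrate the kind of monitoring the table above implies, here is an added example (not Safe Systems’ code, and not drawn from any customer data) that triages constructed Entra ID sign-in records for three of the listed events: successful sign-ins from outside the US, sign-ins with a valid password but a failed MFA step, and bursts of failed sign-ins for a single user. The record layout is a simplified version of the sign-in log export, and the AADSTS error codes used for the MFA-failed and invalid-credential cases are assumptions to verify against Microsoft’s current list.

```python
"""Triage of Entra ID (Azure AD) sign-in events for three of the conditions in
the table above. Added example; the record layout is a simplified version of
the sign-in log export and every record below is constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Error codes assumed to mean "password accepted, MFA step not satisfied".
# Assumption: check these against Microsoft's published AADSTS code list.
MFA_FAILURE_CODES = {50074, 50076, 500121}
INVALID_CREDENTIAL_CODE = 50126   # assumed: wrong username or password
HOME_COUNTRY = "US"


def _event(ts, upn, ip, country, code):
    """Build one constructed sign-in record in the simplified export layout."""
    return json.dumps({
        "createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
        "location": {"countryOrRegion": country}, "status": {"errorCode": code},
    })


# Constructed sample log: one JSON object per line (documentation IP ranges).
SAMPLE_LOG = "\n".join([
    _event("2023-10-02T08:00:00+00:00", "ann@bank.example", "203.0.113.10", "US", 0),
    _event("2023-10-02T08:05:00+00:00", "ann@bank.example", "198.51.100.7", "NG", 0),
    _event("2023-10-02T09:00:00+00:00", "bob@bank.example", "198.51.100.8", "RU", 500121),
    _event("2023-10-02T09:01:00+00:00", "bob@bank.example", "198.51.100.8", "RU", 50074),
    _event("2023-10-02T10:00:00+00:00", "cat@bank.example", "192.0.2.5", "US", 50126),
] + [
    # six invalid-credential failures against one account inside ten minutes
    _event(f"2023-10-02T11:{m:02d}:00+00:00", "dan@bank.example", "198.51.100.9", "BR", 50126)
    for m in range(0, 12, 2)
] + [
    _event("2023-10-02T14:00:00+00:00", "cat@bank.example", "192.0.2.5", "US", 50126),
])


def load_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def foreign_successful_signins(events, home=HOME_COUNTRY):
    """Successful sign-ins (errorCode 0) whose resolved country is not the home country."""
    return [e for e in events
            if e["status"]["errorCode"] == 0
            and e["location"].get("countryOrRegion") != home]


def password_ok_mfa_failed(events):
    """Sign-ins that passed the password step but failed MFA: the case where
    MFA alone stood between a valid password and a compromised account."""
    return [e for e in events if e["status"]["errorCode"] in MFA_FAILURE_CODES]


def failed_signin_bursts(events, threshold=5, window=timedelta(minutes=15)):
    """Users with at least `threshold` invalid-credential failures inside any
    sliding `window`. Returns {userPrincipalName: peak count within a window}."""
    times = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == INVALID_CREDENTIAL_CODE:
            times[e["userPrincipalName"]].append(datetime.fromisoformat(e["createdDateTime"]))
    bursts = {}
    for upn, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):            # two-pointer sliding window
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[upn] = peak
    return bursts


def triage(text):
    """Summarise the three conditions in the same event -> count form as the table."""
    events = load_events(text)
    mfa_failed_abroad = [e for e in password_ok_mfa_failed(events)
                         if e["location"].get("countryOrRegion") != HOME_COUNTRY]
    return {
        "Successful sign-in from outside the US": len(foreign_successful_signins(events)),
        "Sign-in from outside the US (valid password but MFA failed)": len(mfa_failed_abroad),
        "Large number of failed sign-in attempts for a user": len(failed_signin_bursts(events)),
    }


if __name__ == "__main__":
    for event, count in triage(SAMPLE_LOG).items():
        print(f"{event}: {count}")
```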

Lastly, evaluate your firewalls. At this point, a next-generation firewall (NGFW) is a must. According to Gartner, NGFWs are firewalls that have moved past port/protocol inspection and added application-level inspection. Advanced firewalls also have integrated intrusion prevention, along with the ability to bring in threat intelligence from outside the firewall; a prime example of this is the FS-ISAC intelligence feed. Other advanced features may include sandboxing and SSL inspection, which further improve your cybersecurity posture. If you have an older firewall that is not an NGFW, you simply may not have all of the features you need to effectively protect your network.

Compliance and RegTech

Regulatory requirements are becoming increasingly complex, and failing to meet them can affect both the institution and the people in charge of managing these risks. Investing in RegTech can automate and streamline compliance processes, making it easier for community banks and credit unions to adhere to pertinent laws.

These investments may take the form of a virtual information security officer (VISO) service, which has become extremely popular lately. The workload and expectations of an ISO have intensified in recent years. Many community financial institutions are looking for a virtual solution to augment the ISO’s responsibilities and processes. A benefit of VISO services is that they provide continuity if and when there is a personnel change in this critical position inside the institution.

In June of 2023, regulatory agencies released new guidance for managing third-party risk, often referred to as vendor management. Expect 2024 to be a year when the agencies expect these guidelines to be implemented at financial institutions. If you manage your vendor management/third-party risk management in-house, you could have some work to do to implement these changes. It may be time to consider an application to manage these ever-changing requirements for you. If you already use an application to manage third-party risks, be sure the needed changes have been incorporated and that you are trained on how to use them.

General Technology

A key focus for technology today concerns what to move to the Cloud and when. Moving infrastructure to the Cloud is often a trade-off between operational and capital expenditures, as well as between the benefits and the perceived risks of the Cloud. Moving servers to the Cloud in 2024 will make sense for a lot of institutions. However, it is more likely that many institutions will receive their solutions via a cloud service provider. Most service and application vendors have found it easier to manage the server themselves and offer the solution through the Cloud rather than have it installed on different hardware across their customer base. Expect this consolidation and movement to cloud-based solutions to continue, and budget accordingly. If the vendor is transferring responsibility from you and your employees to themselves by hosting the service, expect the licensing or price to increase. Even if the licensing cost goes up, you may still gain a net benefit, as you no longer have to maintain, upgrade, and manage hardware.

Another technology to consider moving to the Cloud is disaster recovery. Few solutions deliver redundancy, fast recovery times, and minimal management/ownership overhead all at once, which is why cloud-based disaster recovery is an excellent option. A fully managed cloud recovery process can decrease your recovery time objectives significantly and remove a lot of duplicated hardware. If your disaster recovery solution isn’t in the Cloud, or if you are not convinced that what you have in place is as robust as you need it to be, consider the Cloud as a viable alternative.

Conclusion

Budgeting for technology and cybersecurity is a complex task that requires a keen understanding of current needs, future trends, and emerging threats. By allocating resources wisely across these critical areas, community banks and credit unions can secure their operations, enhance customer experience, and stay ahead in a competitive marketplace.

29 Sep 2023
Using Conditional Access Policies and MFA to Enhance Azure AD Security

Using Conditional Access Policies and MFA to Enhance Azure AD Security

Using Conditional Access Policies and MFA to Enhance Azure AD Security

Earlier this year, we saw a large influx of successful phishing campaigns, primarily due to attackers being able to circumvent multifactor authentication (MFA). Their schemes worked because they were able to trick users into clicking on a link and giving away their security token—essentially bypassing MFA. The human-error factor highlights the need for phishing simulation training to ensure users are more aware of security threats. With phishing attacks still running rampant—and becoming more complex and harder to detect—it’s imperative that financial institutions use multiple strategies and technologies to optimize security.

The implications of MFA-resistant phishing are huge; the attacks have the potential to affect numerous organizations that depend on Microsoft Entra ID (formerly Azure AD) and Microsoft Office/M365 services to support their operations. However, institutions can minimize account compromises by combining a variety of tactics to prevent cyberattacks from happening. For instance, conditional access policies (CAPs) are a key proactive measure that banks and credit unions can implement to enhance security.

CAPs—which are quickly becoming the baseline of security—are the cornerstone of protecting identities within Microsoft Entra ID. These policies protect the very first step of the identification chain, the sign-in attempt. They govern the conditions under which users access Azure services and will grant or deny access based on configured logic. At a high level, this logic can be far reaching, but even so, organizations should not rely on only a single CAP. No CAP can provide complete protection. Instead, financial institutions should stack multiple CAPs together to produce better overall coverage and security. For example, an institution might require MFA, deny sign-ins from outside of the USA, and require device compliance or a specific join status.

Not only will organizations look to stack multiple CAPs, but they will also look to utilize telemetry from multiple Azure services for their logic. Combining services means institutions must have the appropriate licensing for each respective Azure service. For example, to obtain device compliance information, organizations will be required to implement and license for Intune.

Additionally, when designing CAP logic, it can be helpful to take as broad an approach as possible to the scope of the CAP. The objective is to affect as many areas as possible with a single stroke to maximize coverage and reduce gaps in logic. Gaps, or logic bugs, are the result of incorrect scope definitions that leave an organization vulnerable or at risk when it believes otherwise. A good example of a logic bug is when an organization implements a CAP requiring MFA but not for all users. This leaves a subset of the user base at risk.

Generally, whenever an exception must be carved out of a CAP’s logic, the rule of thumb is to always create compensating controls. This is how organizations can create complex webs of conditions and still allow for business continuity while simultaneously reducing risk. The trade-off is that the more complex an organization’s CAPs are, the harder they will be to design, assess at a glance, and maintain.
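As an added example (not Safe Systems’ or Microsoft’s code), the following checks a stack of CAPs for the scope gap described above: a sign-in that no enabled policy either blocks or forces through MFA. The policy dicts are modelled on the shape of Microsoft Graph’s conditionalAccessPolicy resource (state, conditions.users, conditions.locations, grantControls), simplified; the users, groups, named locations, and policies are all constructed.

```python
"""Coverage check for a stack of conditional access policies (CAPs).

Added example. Policy dicts follow the shape of Microsoft Graph's
conditionalAccessPolicy resource (state, conditions.users,
conditions.locations, grantControls.builtInControls), simplified; the users,
groups, named locations and policies below are constructed, not from any
tenant. It reports every (user, location) sign-in that no enabled CAP either
blocks or forces through MFA, i.e. the "MFA but not for all users" logic bug."""

ALL = "All"   # Graph's wildcard value for includeUsers / includeLocations

# Constructed directory: user ids and group memberships.
USERS = [
    {"id": "ann@bank.example", "groups": ["Staff"]},
    {"id": "bob@bank.example", "groups": ["Staff", "BreakGlass"]},
    {"id": "svc-scanner@bank.example", "groups": ["ServiceAccounts"]},
]
# Constructed named locations standing in for the tenant's named-location ids.
LOCATIONS = ["US-Named", "Outside-US"]

# Constructed CAP stack: MFA for staff (with a group exclusion), a geo-block
# outside the US (same exclusion), and a device-compliance policy that is
# still in report-only mode and therefore enforces nothing.
POLICIES = [
    {"displayName": "CAP01 - Require MFA for Staff", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["Staff"], "excludeGroups": ["BreakGlass"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CAP02 - Block sign-in outside US", "state": "enabled",
     "conditions": {"users": {"includeUsers": [ALL], "excludeGroups": ["BreakGlass"]},
                    "locations": {"includeLocations": [ALL], "excludeLocations": ["US-Named"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CAP03 - Require compliant device",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": [ALL]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def in_user_scope(policy, user):
    """True if the user condition includes this user and no exclusion removes them."""
    cond = policy["conditions"]["users"]
    groups = set(user["groups"])
    included = (ALL in cond.get("includeUsers", [])
                or user["id"] in cond.get("includeUsers", [])
                or bool(groups & set(cond.get("includeGroups", []))))
    excluded = (user["id"] in cond.get("excludeUsers", [])
                or bool(groups & set(cond.get("excludeGroups", []))))
    return included and not excluded


def in_location_scope(policy, location):
    """True if the policy applies to a sign-in from this named location."""
    cond = policy["conditions"].get("locations")
    if cond is None:                      # no location condition: applies everywhere
        return True
    include = cond.get("includeLocations", [])
    included = ALL in include or location in include
    return included and location not in cond.get("excludeLocations", [])


def controls_for(policies, user, location):
    """Union of grant controls that enabled CAPs enforce on one sign-in.
    Report-only and disabled policies contribute nothing: they do not protect."""
    controls = set()
    for policy in policies:
        if policy["state"] != "enabled":
            continue
        if in_user_scope(policy, user) and in_location_scope(policy, location):
            controls |= set(policy["grantControls"]["builtInControls"])
    return controls


def coverage_gaps(policies, users, locations):
    """Sorted (user id, location) pairs that no CAP blocks or forces through MFA.
    Each is a logic gap that needs a compensating control or a scope fix."""
    return sorted((user["id"], loc)
                  for user in users for loc in locations
                  if not {"block", "mfa"} & controls_for(policies, user, loc))


if __name__ == "__main__":
    for user_id, loc in coverage_gaps(POLICIES, USERS, LOCATIONS):
        print(f"GAP: {user_id} from {loc} is neither blocked nor required to MFA")
```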

By blending various security tactics and technologies, financial institutions can implement a layered approach to enhance their security posture. They can also partner with a third-party expert like Safe Systems to improve their ability to proactively detect and respond to phishing attacks and other threats. Our CloudInsight™ M365 Security Basics solution offers critical reporting and alerting to help institutions better gauge their security awareness. M365 Security Basics provides visibility into security settings for Azure AD and M365, making it easier for institutions to mitigate the impact of potential cyberattacks.

For more information about how to employ CAPs and modern MFA to minimize security risks, view our recorded webinar on “Securing Azure AD with Conditional Access Policies.”

14 Sep 2023
How to Manage Vulnerability Effectively with V-Scan's New Features

How to Manage Vulnerability Effectively with V-Scan’s New Features

How to Manage Vulnerability Effectively with V-Scan's New Features

It’s critical for financial institutions to stay ahead of the potential vulnerabilities and risks that can jeopardize their information technology assets. But to adequately manage risks and vulnerabilities, institutions must be able to understand what they are, identify where they are, and remedy the situation.

Risk is a multifaceted concept that encompasses threat and vulnerability. The National Institute of Standards and Technology (NIST) describes risk as the probability that a particular security threat will exploit a system vulnerability. More specifically, it is a “measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of the adverse impacts that would arise if the circumstance or event occurs and the likelihood of occurrence.”

These circumstances can involve various sources and impacts. Generally, information system-related security risks arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential negative effects on organizational operations—including mission, functions, image, or reputation—organizational assets, individuals, and other organizations.

Managing Risks and Vulnerabilities

A vulnerability is a weakness in a system or information system, in system security procedures, or in controls. Therefore, to manage their risks, financial institutions must also manage their vulnerabilities. To do this, institutions must know about their vulnerabilities and understand the context in which they exist.

Fortunately, financial institutions can use scanning technology to help with the daunting process of managing risks and vulnerabilities. Our V-Scan product, for example, is a comprehensive solution that analyzes IT assets, identifies vulnerabilities, and provides an extensive overview of the risks within the network environment. What’s more, V-Scan provides risk-prioritized data on all scanned IT assets.

V-Scan is designed to help institutions meet regulatory compliance. It performs weekly vulnerability scanning, which complies with the Cybersecurity Assessment Tool (CAT), developed by the Federal Financial Institutions Examination Council (FFIEC). Along with each weekly scan, the platform provides detailed reporting and a user-friendly dashboard that makes it easier to create an actionable plan to mitigate asset vulnerabilities. In addition, many cybersecurity insurance providers are requiring financial institutions to prove that they are managing known vulnerabilities. With V-Scan, institutions can provide reports that substantiate their weekly scans, assessments, and remediations.

Discovering Exploitable Vulnerabilities

Not only does V-Scan find current vulnerabilities in the environment, but it also uses numerous data points to measure the risk posed by those vulnerabilities. This information gives IT staff and oversight personnel timely details and the necessary context to maintain an effective vulnerability management program. One of the key ways institutions can use V-Scan is to discover assets that are at risk and weaknesses that should be resolved—particularly exploitable vulnerabilities. Being able to identify weaknesses that are known to have been taken advantage of allows institutions to prioritize their workload when securing their network.

For example, if the platform indicates that a Microsoft Windows security patch needs to be installed, V-Scan provides information needed to solve the problem, including which machines, devices, or assets are affected by the vulnerability. The product also allows filtered searches to be conducted based on the assets involved, such as domain controllers or printers. Having this enhanced capability further empowers IT staff to effectively manage vulnerability.

Contact us to learn more about how community banks and credit unions can leverage V-Scan to manage possible vulnerabilities and risks associated with their IT assets.

17 Aug 2023
The Advantages of Attending User Conferences for Banking Professionals

The Advantages of Attending User Conferences for Banking Professionals

The Advantages of Attending User Conferences for Banking Professionals

User conferences are dynamic events that community banks and credit unions can leverage to connect with industry experts and like-minded peers in an enriching environment. They provide a great opportunity for banking professionals to interact face-to-face with vendors; share ideas and experiences; and address their concerns about technology products, compliance, and other important industry issues. And unlike traditional industry tradeshows that are mainly designed to attract new business, user conferences have a broader purpose that translates into a host of benefits for attendees, including:

  • Training and education — User conferences provide access to valuable information that can help attendees keep up with the growing complexity of the financial services industry and technology. Participants can receive on-the-spot training through software demonstrations that allow them to see products in action. They can also enhance their knowledge through informative workshops, topic-based roundtable discussions, and other educational sessions. This allows them to learn from industry and subject-matter experts that can answer their questions, share insights, and impart best practices. This type of focused, in-person learning can make it easier for attendees to stay up to date with the latest technological advancements and other developments impacting their industry.
  • Networking opportunities — As another benefit, user conferences offer invaluable networking opportunities. Attendees can connect with their vendor’s team, ask specific questions, and learn better ways to use their products and services. They may even discover new tools for addressing some of the current challenges they are encountering. User conferences can also spark helpful interactions between colleagues who are using the same products; they can share strategies and best practices based on their respective experiences.
  • Relationship building — The personal connections that happen at user conferences can help reinforce the relationships that attendees have with their vendors. These events offer banking professionals a unique opportunity to learn more about the companies, products, and people they rely on to support their organization. For instance, participants can discuss the capabilities of software products directly with the people who built them and meet face-to-face with support staff they normally speak to on the phone.
  • Inspiration — While people often learn about their software products virtually, in-person user conferences provide a much more engaging—and inspirational—alternative. Connecting with industry peers and vendors’ staff outside the daily office routine can stimulate creativity. The live interactions that unfold at conference events generate energy, excitement, and enthusiasm that can send participants home full of fresh ideas.

Meeting Regulatory Expectations

However, the incentive to take part in user conferences goes beyond the practical benefits; it is expected by regulators. Examiners are increasingly placing more focus on how financial institutions manage their vendors, including capitalizing on the influence of user groups. For example, the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook’s Outsourcing Technology Services booklet states: “User groups are another mechanism financial institutions can use to monitor and influence their service provider. User groups can participate and influence service provider testing (i.e., security, disaster recovery, and systems) as well as promote client issues. Independent user groups can monitor and influence a service provider better than its individual clients.”

In addition, the FFIEC requires employees of financial institutions to engage in ongoing education and maintain technical expertise in order to maintain compliance.

NetConnect™ User Conference

Safe Systems’ National Customer User Conference, NetConnect, creates the ideal setting for banking professionals and vendors to come together with their peers. This year’s NetConnect will take place in Alpharetta, Ga., just a few miles from our Georgia headquarters, on November 7-8, with a pre-conference training day on November 6.

NetConnect will bring together Safe Systems’ employees, customers, and strategic partners to exchange ideas and learn about the latest technology, compliance, and security trends in community banking. Each year, we hear positive feedback about the event from conference attendees.

Instructors were good about not letting folks get behind. A lot of ground covered in a day.
Instructors were top notch.
It says a lot to me that the entire conference content came directly from within Safe Systems, and they all did a great job too!
A great time. I learned a lot and enjoyed myself while doing it.
The networking and social experience is top notch.
This conference is on my MUST ATTEND list!

So, whether you are a long-time or relatively new customer of Safe Systems, visit our NetConnect website to learn more about this year’s conference and how it can help you get educated, motivated, and up-to-date with the latest industry and technology trends.

27 Jul 2023
Leveraging Cloud Reporting Insights to Minimize Security Risk

Leveraging Cloud Reporting Insights to Minimize Security Risk

Leveraging Cloud Reporting Insights to Minimize Security Risk

Financial institutions face the constant threat of cyber security attacks. Yet many of them fail to realize the very real and significant security risks around the multitude of cloud-based services that support their organization.

Most banks and credit unions use Microsoft 365 (M365) and Azure Active Directory (AD) to enable employee communication (Exchange Online), collaboration (SharePoint/Teams), and productivity (PowerPoint/Word/Excel). Although these Microsoft cloud services work efficiently, their “always-on” nature exposes users to security risks. Cyberattacks are becoming more prevalent and destructive, with hackers unleashing more sophisticated kinds of ransomware, business email compromise, and phishing schemes. And attackers are targeting organizations of all types and sizes, which means even smaller institutions must be vigilant about protecting their data.

Cloud security is vitally important, as many companies end up with their users’ credentials for sale on the dark web. IBM’s Security X-Force research found almost 30,000 cloud accounts—between July 2020 and July 2021—potentially for sale on dark web marketplaces. In addition, threat actors continue increasing their efforts to defraud victims through ransomware. The Cybersecurity and Infrastructure Security Agency (CISA) indicates ransomware attacks strike a new target every 14 seconds, stealing information, upending operations, and exploiting businesses. Frequently, ransomware attackers target organizations that belong to a critical infrastructure sector, such as financial services. In 2022, critical infrastructure entities were the victims of nearly 900 of the 2,385 ransomware complaints received by the FBI’s Internet Crime Complaint Center (IC3).

Leveraging Insights

To even begin to mitigate cyberattacks, financial institutions need insights that increase the visibility of security risks and reveal signs of compromise. Fortunately, Microsoft cloud services include a variety of auditing and reporting features that institutions can employ to minimize cybersecurity risks. For example, they can use these features to closely monitor configuration settings and user activity within M365, Exchange, and SharePoint. This can provide valuable insights into security configuration, threat protection, and identity and access management.

Here are some key aspects that institutions can track in Microsoft 365:

  • Azure AD account activity: Insights into abnormal user sign-in patterns, identity-based risks, and compromised user accounts.
  • Threat intelligence: Information on malware campaigns, suspicious URLs, and phishing attacks.
  • Advanced threat detection: Information on security incidents, alerts, and vulnerabilities that can indicate potential security breaches or suspicious activities.
  • Data loss prevention: Visibility into policy violations, incidents, and user activity related to sensitive data.

Being able to analyze data from Microsoft’s reporting features gives financial institutions a powerful benefit. It makes it easier for them to identify potential security threats, detect suspicious activities, and take proactive measures to protect their organization. While reports can’t prevent cyberattacks, they can at least expose security risks, so IT administrators can address these gaps and vulnerabilities.

Partnering with a Cloud Expert

However, some institutions may lack the internal expertise to effectively leverage the data and insights relating to their Microsoft cloud services. Partnering with a company that has Microsoft 365-certified engineers can help. Safe Systems’ CloudInsight™ family of products was created especially for community financial institutions by Microsoft 365-certified engineers. Banks and credit unions can use these services to access reports and alerts that can enhance their security awareness and posture. M365 Security Basics, for instance, offers vital visibility into security settings for Azure AD and M365 tenants. The insights give IT admins a crucial view of security-oriented metrics and configuration settings. This can make it easier to proactively discover common security risks, including compromised user accounts, unknown users and forwarders, unapproved email access, and targeted phishing or spam attacks. M365 Security Basics is the ideal solution for community banks and credit unions that want to increase their visibility of security risks and indicators of compromise.

29 Jun 2023
After the Disaster - How 3 Banks Survived

After the Disaster: How 3 Banks Survived

After the Disaster - How 3 Banks Survived

Calamities can range from the mundane—such as a server crash—to the catastrophic, like a devastating hurricane tearing through your headquarters. During such crises, a robust disaster recovery (DR) plan for your hardware and IT infrastructure can make the difference between chaos and resilience. Over the past decade, numerous community financial institutions have faced such trials, each demanding a unique response. We share three stories of real-life disasters faced by our customers, each demonstrating how powerful solutions can alleviate distress and ensure a speedy return to business as usual.

Story 1: Twister Trouble

In our first disaster, a tornado left a community bank in ruins, rendering the building unusable for several months. Luckily, the servers were untouched. After consulting with Safe Systems, it was decided that the simplest solution was to move the servers and routers to another location. Once communications and the core were in place, the bank’s operations resumed quickly from the new site. When the primary building was finally renovated, Safe Systems returned the servers and routers over a weekend and the bank was fully functional in its original location once again.

This story illustrates that even though the servers were operable after the disaster, the conditions around them made it important to evaluate all the recovery options. Having a trusted managed services partner who isn’t in the “eye of the storm” can help you objectively evaluate the circumstances to make the best decision—even if it diverges from your original DR plan.

Story 2: Silent Disaster

Not all disasters announce themselves as loudly as a tornado. Some, like this one, can be subtle without all the surrounding clatter. After business hours, Safe Systems received a distress call about a failed core router. We were able to quickly establish a site-to-site VPN tunnel to the institution’s DR router which was hosted by us. The issue was resolved within a few hours and most of the bank employees were unaware of the incident. The bank quickly returned to normal operations, never missing a beat in customer service.

Despite the nature or the timing of an unexpected business interruption, your DR plan must ensure business-critical data and applications are available. Having a fully managed provider with after-hours emergency protocols and a high-availability system for fast recovery of critical servers via the Cloud allowed this bank to recover as quickly and as quietly as the incident occurred.

Story 3: Lightning Strike

A lightning strike caused extensive damage to a bank’s switches and the physical server hosting most of their virtual servers. With the switches destroyed and no local backup of the virtual servers, the bank had to resort to a mobile hotspot. Safe Systems set up a VPN from their DR router to the Cloud where the DR servers were housed. The bank managed to operate Wi-Fi-accessible devices for over a week until a new switch and server were installed.

When physical damage is extensive and can take weeks versus hours to repair, it is critical to have a partner that can establish connectivity to your locations and key vendors through various connection types—mobile hotspots, satellite internet, internet lines at another location—all of which should be critical aspects of your recovery plan.

Our Approach to Disaster Recovery

Safe Systems has a comprehensive approach to disaster recovery that encompasses data, server, and communication needs in times of crisis. Typically, Safe Systems hosts a backup disaster router at our Tier 4 data center, while each server is mirrored as a virtual server in a secure cloud. Annually, these servers are brought up in test failover mode and core communication is rerouted during a DR test. This helps us to provide a detailed report on the results and readiness for disaster. These servers and routers stand by, primed to leap into action at a moment’s notice, facilitated by our dedicated DR team.

Each of these stories underscores the importance of having a robust and flexible DR solution in place. Regardless of the disaster’s type or scale, having a reliable partner like Safe Systems helps ensure business continuity and secure access to critical systems and data.

08 Jun 2023
Maintenance Best Practices to Enhance Azure Security

Financial institutions that use Microsoft Azure with Exchange Online, OneDrive, and SharePoint can apply good maintenance practices to enhance their security in the Cloud. They can employ a variety of Azure Active Directory (AD) concepts to summarize their data and ultimately recognize anomalies to make the cloud environment more secure. Two of the main areas that institutions can examine to identify inconsistencies are users and devices.

Anomalies with Users

The primary Azure AD user properties to analyze are the user type, synchronization status, disabled status, and creation date. Within user type, if there are a significant number of guest users, this can raise an obvious red flag especially if there is no justification for guest users to exist. In this case, for guest users without a specific approved use case, the best option is likely to delete the user.

It can be more difficult to detect abnormalities within the synchronization status of some users, especially those being synchronized to Azure AD from on-premise AD. The key is to build a good baseline to use for comparative analysis. Because users are sourced on-premise, this number should be quite familiar. But if the number does not match expectations, it should be obvious and prompt further scrutiny.

Accounting for cloud users can also be challenging because they typically are not tracked as closely as on-premise users. But if the number of cloud users drastically changes, this may indicate an anomaly. In addition, IT administrators should be cognizant of modifications involving disabled users. If the number of disabled users changes, the situation should be reviewed to determine why.

Creation date is a unique kind of property in that it relates to both security and utility. Identifying an anomaly here should be fairly simple; the number of users should match expectations. For example, if the number of users spikes abnormally for a particular day, it definitely warrants investigation.

Inconsistencies with Devices

Another critical form of identity in Azure AD is devices, including desktops, laptops, phones, and tablets. In terms of device management, we can focus on Azure AD, Intune, and Exchange Online. Having access controls with devices makes it easier to recognize anomalies. With strict access policies, the number of devices connecting should not change significantly without an administrator’s knowledge.

Conversely, spotting anomalies becomes more difficult without stringent access policies. If IT administrators are relying on default settings, those default policies will allow users to enroll devices on their own. Administrators should build a baseline to see where their numbers are and monitor device enrollment accordingly.

Scrutinizing synchronization status can also reveal inconsistencies. IT administrators should remove devices that have not been synchronized in at least 30 days and those that have no sync data, which represents a gray area. Closely monitoring the synchronization status makes device management easier and more secure going forward.

The Maintenance and Security Connection

We have seen several real-life scenarios that illustrate the connection between maintenance and security. Here’s a common type of situation that involves the creation date and sync status: You notice that a new user was created unexpectedly, which is suspicious. You investigate, starting with the synchronization status, and find that the number of cloud users does not match. Next, you review Azure AD details based on the display names and do not see the new user. Then when you examine the users by creation date, there are only existing users.

This leads to an interesting question: Can you have more than one user in Azure AD with the same name? The answer: yes and no. There are a variety of name properties; however, the User Principal Name (UPN) must be unique. If you notice that the UPN of two users is ‘identical’, check again. Look for characters that might appear the same due to typography. It could indicate intentional obfuscation and represent a form of attack on your organization. In this case, if a user is already being created as a component of an attack, it would be safe to assume some form of administrative account has been compromised.

This type of attack could happen to almost any financial institution, and it shows the importance of using ongoing maintenance to discover irregularities. Good maintenance leads to better security in Azure AD, and Safe Systems’ CloudInsight™ family of products can assist in these efforts. They provide reports that make it easier for community banks and credit unions to catch anomalies, so they can improve their security posture. For more insights about this topic, watch our “Good Maintenance Leads to Better Security in Azure” webinar.
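The three checks this post describes (comparing today’s user counts against a baseline, removing devices that have not synced in 30 days or have no sync data, and looking for two UPNs that only appear identical) as an added Python example. This is not Safe Systems’ code and not a CloudInsight report; it runs over constructed records in the shape Microsoft Graph returns for users and devices (the field names userPrincipalName, userType, onPremisesSyncEnabled, accountEnabled, createdDateTime and approximateLastSignInDateTime are Graph’s; every value, the review time and the baseline counts are invented), and the homoglyph table is a small hand-picked subset rather than the full Unicode confusables list.

```python
import unicodedata
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like Microsoft Graph user and device objects:
# the field names are Graph's, every value below is invented for this example.
NOW = datetime(2023, 6, 8, tzinfo=timezone.utc)  # fixed review time

SAMPLE_USERS = [
    {"userPrincipalName": "jsmith@example.com", "userType": "Member",
     "onPremisesSyncEnabled": True, "accountEnabled": True,
     "createdDateTime": "2021-03-02T14:00:00Z"},
    {"userPrincipalName": "mjones@example.com", "userType": "Member",
     "onPremisesSyncEnabled": True, "accountEnabled": False,
     "createdDateTime": "2020-11-10T09:00:00Z"},
    {"userPrincipalName": "svc-backup@example.com", "userType": "Member",
     "onPremisesSyncEnabled": None, "accountEnabled": True,
     "createdDateTime": "2022-01-15T08:00:00Z"},
    {"userPrincipalName": "auditor_partner.com#EXT#@example.com",
     "userType": "Guest", "onPremisesSyncEnabled": None,
     "accountEnabled": True, "createdDateTime": "2023-06-07T22:10:00Z"},
    # Cloud-only account spelling "jsmith" with a Cyrillic i (U+0456),
    # constructed to exercise the lookalike-UPN check.
    {"userPrincipalName": "jsm\u0456th@example.com", "userType": "Member",
     "onPremisesSyncEnabled": None, "accountEnabled": True,
     "createdDateTime": "2023-06-07T22:12:00Z"},
]

SAMPLE_DEVICES = [
    {"displayName": "LT-TELLER-01", "approximateLastSignInDateTime": "2023-06-07T16:30:00Z"},
    {"displayName": "LT-LOAN-07", "approximateLastSignInDateTime": "2023-04-01T12:00:00Z"},
    {"displayName": "PHONE-OLD", "approximateLastSignInDateTime": None},
]

# Counts kept from the previous inventory run (constructed baseline).
BASELINE = Counter({"total": 3, "member": 3, "synced": 2, "cloud_only": 1,
                    "disabled": 1, "created:2021-03-02": 1,
                    "created:2020-11-10": 1, "created:2022-01-15": 1})

def summarize_users(users):
    """Count user type, sync status, disabled status and creation date."""
    summary = Counter()
    for u in users:
        summary["total"] += 1
        summary["guest" if u["userType"] == "Guest" else "member"] += 1
        summary["synced" if u.get("onPremisesSyncEnabled") else "cloud_only"] += 1
        if not u["accountEnabled"]:
            summary["disabled"] += 1
        summary["created:" + u["createdDateTime"][:10]] += 1
    return summary

def compare_to_baseline(current, baseline, tolerance=0):
    """Return (key, baseline_count, current_count) for every count that moved."""
    findings = []
    for key in sorted(set(current) | set(baseline)):
        before, after = baseline.get(key, 0), current.get(key, 0)
        if abs(after - before) > tolerance:
            findings.append((key, before, after))
    return findings

def stale_devices(devices, now=NOW, max_age_days=30):
    """Devices not synced within max_age_days, plus those with no sync data."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for d in devices:
        last = d.get("approximateLastSignInDateTime")
        if last is None:
            stale.append((d["displayName"], "no sync data"))
        elif datetime.fromisoformat(last.replace("Z", "+00:00")) < cutoff:
            stale.append((d["displayName"], "last sync " + last[:10]))
    return stale

# Hand-picked Cyrillic/Greek letters that render like Latin ones. The full
# Unicode confusables list is far longer; this subset is an assumption
# sufficient for the demonstration.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u0261": "g",
})

def upn_skeleton(upn):
    """Case-fold, strip accents and map homoglyphs so lookalikes compare equal."""
    folded = unicodedata.normalize("NFKD", upn.casefold())
    stripped = "".join(c for c in folded if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES)

def lookalike_upns(users):
    """Pairs of distinct UPNs that collapse to the same skeleton."""
    seen, pairs = {}, []
    for u in users:
        upn = u["userPrincipalName"]
        key = upn_skeleton(upn)
        if key in seen and seen[key] != upn:
            pairs.append((seen[key], upn))
        seen.setdefault(key, upn)
    return pairs
```

Run against the sample data, the baseline comparison reports the guest account, the jump in cloud-only users and two creations on 2023-06-07; the device check lists the laptop last seen in April and the phone with no sync data; and the UPN check pairs jsmith@example.com with the Cyrillic lookalike, which a display-name search would never show.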

02 Jun 2023
The Virtual ISO: Best Practices for Maximum Effectiveness

The concept of a virtual information security officer (VISO) has been gaining more traction with regulators and financial institutions. In the past, regulators have said very little about institutions using a virtual ISO. But recently, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and Federal Reserve System have expressed at least conditional approval of the idea. They indicated that virtual ISOs can be a viable option—as long as their activities are subject to the same oversight requirements as in-house ISOs.

These regulators caution financial institutions to be careful when considering the risks and benefits of using a virtual ISO. They advise institutions to do their due diligence prior to choosing an external ISO partner, just as they would before selecting any other key vendor or critical service provider. These and other best practices can help institutions strategically leverage a third-party solution to maximize the effectiveness of the virtual ISO role for their organization.

Approaches to Implementation

There are three broad approaches to implementing a virtual ISO solution: do-it-yourself (DIY), hybrid, and off-load. These models come with specific benefits and responsibilities that institutions should carefully consider. Here is a summary of each approach:

  • DIY: This model typically provides some apps, tools, checklists, templates, and other pre-packaged components that allow institutions to fill in the blanks. One-on-one consultation with a human would be relatively limited and likely provided for an extra charge.
  • Hybrid: This approach often includes a complete set of tools: apps, templates, pre-configured reports, and sometimes pre-configured policies. Some consultation is also provided, which makes this model better suited to institutions that require a higher level of support.
  • Off-load: With this model, the virtual ISO vendor does most of the heavy lifting, providing extensive consultation, on-demand reporting, and other ISO requirements. However, as is the case with the hybrid model, the financial institution remains responsible for understanding and approving all actions taken by the vendor on behalf of the institution.

Our Virtual ISO Model

At Safe Systems, we offer a hybrid virtual ISO model—ISOversight™—that supports regulatory guidance on the ISO’s role as prescribed by the Federal Financial Institutions Examination Council (FFIEC). Our model is a moderately priced, middle-ground solution that is ideal for community banks and credit unions with limited internal resources. It combines a suite of integrated compliance apps with a dedicated lead consultant, allowing institutions to benefit from the expertise of our entire compliance department. What’s more, ISOversight provides institutions with a more objective, arms-length perspective on information security. The FFIEC Management Handbook states that “To ensure independence, the CISO/ISO should report directly to the board, a board committee, or senior management and not IT operations management.” Having these two critical roles formally separated makes it easier for the network administrator to be in more of a support function for any resident or virtual ISO, which can minimize audit or exam findings related to a possible “conflict of interest” or “concentration (or separation) of duties.”

Although the apps are useful tools that assist institutions with day-to-day tasks, the key to ISOversight’s effectiveness is the consultative and advisory piece provided by the ISOversight lead consultant. Our consultants are all information security subject matter experts, with decades of experience. We know what tasks need to be completed, with what frequency, and by what groups or individuals. We hold regular touchpoint meetings with the ISO, and often the network administrator and other third-party consultants, to ensure institutions stay on track. After each touchpoint, we also provide a comprehensive point-in-time summary report on the current status of their information security processes that the ISO can then present to the steering committee and the Board.

In addition, our consultants will often engage with clients as they prepare for and respond to an audit or exam, but it’s not unusual for us to consult directly with the auditor and examiner during the engagement. We encourage this, as it helps ensure the FI is providing auditors and examiners with exactly what they are requesting (no more and no less), which avoids unnecessary confusion, possible issue escalation, and over (or under) commitment by management. In addition to the advisory piece, the ISOversight apps keep things organized, making it easier for customers to manage their policies and procedures and all the associated documentation, and provide customizable email alerts when tasks come due.

To date, we have found that ISOversight has proven to be a great fit for many institutions and for many different reasons. For example, it is extremely helpful in situations where the IT administrator or ISO has recently left or has transitioned to a new role. Another good application for the virtual ISO role is when the size and complexity of the institution make the day-to-day information security responsibilities too burdensome, or when the institution just wants to free the existing admin or ISO from the uncertainty of the rapidly evolving regulatory landscape.

Whether it’s third-party risk management, business continuity management, cybersecurity, or strategic planning, guidance is clear that ISOs have very specific responsibilities and should be held accountable for their completion. ISOversight assures that all tasks the ISO is responsible for are addressed in a timely manner, that all current regulatory guidelines and best practices are met, and, just as importantly, that on-demand, stakeholder-specific documentation is available to confirm all related activities. Ultimately, selecting the right virtual model and the right vendor can often translate into “cleaner” audits and exams, resulting in a less stressful, more productive staff, a more compliant and more secure environment, and a better-informed management team.

To learn more about this topic, listen to our webinar on “The Virtual ISO: Best Practices for Maximum Effectiveness.”

11 May 2023
The Importance of Effective Third-party Management

As financial institutions increasingly rely on outsourced providers, third-party management is becoming a more critical aspect of managing risk. Institutions depend on third-party providers for a variety of essential services, including technology, operations, and marketing. And while these entities offer significant benefits, such as cost savings and improved efficiency, they also pose a substantial risk. We often refer to this as “inherited” risk, as institutions will inherit the residual risk of the third party. If not properly identified, measured, and addressed, inherited risk can expose financial institutions to threats such as regulatory non-compliance, operational downtime, and reputational damage. However, institutions can successfully mitigate many of these risks by ensuring that they thoroughly vet outside providers prior to engagement, properly structure contracts, and employ ongoing monitoring and reporting.

Key Elements

The Federal Financial Institutions Examination Council (FFIEC) has issued guidelines for managing vendor relationships effectively. These standards emphasize the importance of several key elements, including:

  • Due diligence: Financial institutions must evaluate vendors’ financial stability, reputation, and regulatory compliance prior to engagement. This includes assessing vendors’ security controls, data protection policies, and disaster recovery plans.
  • Contract management: Vendor agreements should clearly outline the scope of work, deliverables, and performance metrics. They should also include provisions for termination, dispute resolution, data disposal, and indemnification.
  • Ongoing monitoring: Financial institutions must regularly monitor their third parties to ensure that they continue to meet contractual obligations and regulatory requirements. This includes periodic risk assessments, reviewing vendor reports, and could even include conducting on-site visits.
  • Risk assessment: Institutions should assess the level of risk associated with each vendor relationship based on the services provided, the vendor’s access to sensitive data, and the potential impact of vendor failure. Doing so can help financial institutions allocate resources more effectively to minimize potential risks.
  • Board and management oversight: Third-party management should be an ongoing topic of discussion at the board and management levels. This includes not only approving policies and procedures, but also reviewing risk assessments and monitoring reports, and making decisions about initiatives that require new vendor relationships.

Common Misconception

Risk management requires first identifying the risk’s source before it can be measured and mitigated. To accomplish this, it’s important to separate the risks of the underlying initiative from the risks of the third party that supports the initiative. With the possible exception of reputation risk, most of the risks surrounding the evaluation and implementation of a new initiative are associated with the initiative itself, not the third party. Simply put, if the strategic, operational, and regulatory risks would be present in the initiative regardless of the third party selected, it does not belong to the third party, it belongs to the initiative or project. We’ve found this to be a fairly common misconception, even among auditors and examiners.

Effective Solutions

Once the risk source is confirmed as associated with the third party as opposed to the initiative, institutions must create a protocol for what risks to assess and how to assess them (the inherent risk), what specific controls to implement, and the effectiveness of those controls assuming they will be correctly implemented and operate effectively (the residual risk). This is where an app can significantly help standardize and streamline the process. An automated third-party risk management program will identify and assign specific controls according to the specific risks and risk levels identified.

With the increased focus on third-party risk management, more banks and credit unions are finding that auditors and examiners expect institutions to not just identify appropriate controls, but to actually request, receive, and review them. This is particularly true of key control documents such as contracts, financials, and audit reports, including System and Organization Controls (SOC) reports. However, knowing what to look for (and where to look) in these documents can be challenging. Partnering with a third-party service to assist you can provide a second set of eyes and additional expertise to ensure that these documents are supplying the necessary controls.

Other key features to look for in an effective third-party risk management program include the ability to assign one or more vendor managers, email reminders when tasks are due or overdue, automatic Office of Foreign Assets Control (OFAC) checks, the ability to easily identify and track complementary user entity controls (CUECs), and the ability to store key vendor documentation and notes. A robust on-demand reporting feature is also important, so that stakeholders receive timely, accurate updates on the status of your third-party risk management program.

By associating with the right partner, financial institutions can develop a strong third-party risk management program that aligns with guidance, keeps data private and secure, and minimizes the impact of third-party cyber threats. Safe Systems, for example, offers a wide range of vendor management solutions to help institutions ensure regulatory compliance.

20 Apr 2023
Best Practices for a Successful ISO Transition

It can be challenging for financial institutions to lose an information security officer (ISO)—particularly for smaller community banks and credit unions. Since ISOs have broad responsibilities relating to data security and other vital areas1, they play a critical role within the organization. Therefore, institutions must have a well-defined plan in place to keep an ISO’s transition or departure from adversely affecting their security posture.

There are many reasons an ISO may leave—retirement, a transfer to another role within or outside of the organization, or perhaps an unanticipated health issue. Whichever the circumstance, the reason for departure can significantly impact the transition process. For instance, if the position was vacated due to a planned retirement or staff reorganization, there can be a smooth transfer of duties between the outgoing and incoming ISOs. However, a sudden job change can result in a more complicated process.

There are two main facets of the ISO’s role that are critical to focus on during a transition: access to data and applications, and the continuity of the processes and responsibilities that the position encompasses.

1) Ensuring that access to data and applications is properly revoked, modified, and/or reallocated during an ISO transition is very similar to what happens when an IT Administrator leaves a financial institution. Although the IT and ISO roles (and their respective data access requirements) are different, the steps outlined in this article can help ensure information is protected when either role departs.

2) Some of the key areas of responsibility that must continue during an ISO transition include:

  • Infosec compliance, including regulatory guidance, written policies, written procedures, and documented practices
  • Oversight and coordination of data security efforts, including protecting the privacy and security of sensitive information belonging to the institution and its customers and members
  • Business continuity management and incident response programs, including exercises and tests
  • Third-party risk management (TPRM)
  • Cybersecurity assessments, gap analysis, and action plans
  • Lead for steering committee meetings
  • Information security program status updates to the board of directors
  • IT audit and exam preparation, participation, and response

Planning Ahead

There are a number of strategies institutions can proactively implement to make an ISO’s job transition as successful as possible. A primary step to take is succession planning. This should be considered whether or not an ISO departure is anticipated. Regulators expect institutions to have a formal succession plan for all key leadership positions, and few roles are more critical than the ISO, as failing to maintain infosec continuity can leave an institution exposed and potentially more vulnerable to security issues.

Succession planning is often more problematic for smaller community banking institutions where employees typically wear multiple hats. Regulatory guidance requires that the ISO exist as a separate role within the institution. And while it is easy to designate an ISO successor on paper, an institution with limited staff may not have an employee with the appropriate knowledge, experience, and availability ready to step into the role. In addition, because of the potentially smaller talent pool in the geographic areas that community institutions serve, our experience is that smaller institutions often have difficulty finding good candidates.

However, if a solid succession plan is in place that includes both internal and external resources, the incoming ISO should at least have access to adequate experience and subject matter expertise to seamlessly step into the new role with minimal disruption. In a situation where there is seamless continuity, at least one of the following usually applies:

  1. The employee replacing the ISO has been given sufficient prior notice and preparation, including cross-training and job shadowing.
  2. Ideally, the incoming ISO has gained previous experience at a financial institution of similar size and complexity, or at minimum, managed information security in a regulated environment.
  3. The institution has partnered (or can partner) with a third-party provider to augment the role with a virtual ISO (vISO) solution.

Getting Help to Ensure a Seamless Transition

To be clear, transitioning between ISOs can be challenging whether the institution grooms an internal successor, hires a seasoned outsider, or partners with a third party (or a combination of the three). In all cases, there will be some type of learning curve. Either a promoted employee will need time to build proficiency in the position, or a hired replacement (individual or third-party provider) will need time to get familiar with the institution. Inevitably, the probability of security gaps will increase during this transition period, and IT auditors and examiners know this too. For this reason, employing a third-party provider is often an effective way to maintain infosec continuity during a transition, and ensure that all IT and information security tasks and related activities are completed on time and properly reported to the various stakeholders.

The bottom line: ISO transitions are inherently challenging—and seamless continuation is critical as they directly impact a financial institution’s audit and exam success as well as overall security posture. Whether the job change is planned or unexpected, institutions can apply effective succession planning to minimize the disruption. They can also address any deficiencies in their own internal knowledge and expertise by partnering with a third-party provider like Safe Systems. As an example, a bank in South Carolina used Safe Systems’ Virtual ISO service, ISOversight, to support succession planning for its retiring ISO. This resulted in multiple benefits, including an uninterrupted security posture and improved business continuity management, third-party management, and strategic planning.

1 ISO responsibilities may consist of strategic planning, quality assurance, project management, InfoSec risk assessments, infrastructure and architecture security, end-user computing, and regulatory and legal compliance.

05 Apr 2023
Evolution of Third-party Management

Pending interagency guidance on the management of third-party relationships will significantly alter how financial institutions (FIs) handle risks related to external service providers. The new guidelines will increase the complexity and responsibility of third-party management for banking organizations in the near future. These standards will apply to all financial institutions—including community banks—with third-party relationships.1

The updated guidance—proposed jointly by the Board of Governors of the Federal Reserve System (the Board), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—will consolidate2 the agencies’ separate rules into a single common guideline built around the OCC Bulletin 2013-29. The proposed guidance states that “the new framework is based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.”

Increased Regulatory Expectations

FIs need to consider the key implications of increased regulatory scrutiny in this area, particularly where they expand on current expectations. For instance, regulators will expect them to do more due diligence on the pre-engagement side, which affects the initial selection and contract negotiation process. Institutions will also be held more accountable for understanding and predefining the termination process for outside service providers. This includes considering who owns data, how the data is returned, and how it is disposed of after the relationship with the provider ends.

From a regulatory perspective, third parties represent the biggest single source of noncontrollable risk to a bank or credit union. To a considerable extent, examiners will draw comparisons to overall enterprise risk management maturity from an institution’s third-party risk management program. In their words: “A banking organization’s failure to have an effective third-party risk management process that is commensurate with the level of risk, the complexity of third-party relationships, and the organizational structure of the banking organization may be an unsafe or unsound practice.” In addition, they will expect to see sufficient oversight at all levels, from the board to senior management, and ultimately the employees directly overseeing the individual relationships.

Vendor vs. Third Party

It is also critical for FIs to be aware of—and adjust for—the difference between the terms “vendor” and “third party.” While banks have historically used these words interchangeably, it is now clear that institutions will have to remove the term “vendor” from their vocabulary and substitute “third-party” in its place. The proposed guidance uses the term “vendor” only 4 times, while the term “third-party” is used 262 times!

The reason for the change is more than just semantic; it represents a significant shift in how a third party is defined. A third party can be any entity with which the institution has a business relationship, and neither a written contract nor monetary exchange is necessary to establish a business arrangement. A business relationship can include more obvious arrangements such as referral agreements and professional services providers like law and audit firms, but also less obvious companies such as maintenance, catering, and custodial service companies. Business arrangements have greatly expanded and become more varied and, in some cases, far more complex. FIs should be prepared to expand the scope of their third-party risk management (TPRM) program.

Expansion of Third-Party Risk Assessment

Financial institutions will also need to expand third-party risk management beyond the scope of the Gramm-Leach-Bliley Act (GLBA) to comply with the new guidance. They should broaden their focus beyond non-public information (NPI) to include anything that may not be directly related to customer information, but still needs to remain confidential. This can include strategic plans, unaudited financial statements, HR and shareholder records, and committee meeting minutes. Regardless of the type of information, regulators will expect institutions to manage their risk by accurately assessing all third-party exposure to the storage, transmittal, and processing of information.

While institutions cannot directly control third-party risks, they will need to request and review certain documents—especially from critical parties. A few key third-party documents that institutions should examine prior to engagement3 include contracts, audit reports4, and financials. Depending on criticality, FIs may also need to maintain a list of potential alternate providers in case their primary provider fails or cannot complete the terms of their contract. Finally, institution management should be fully aware of any gaps or limitations in third-party contracts, so they can manage any increased residual risk effectively.

Another area likely to draw increased scrutiny is Complementary User Entity Controls (CUECs), included in the SOC report. These are the controls a third party requires you to operate in order to use its product or service. Best practice strongly suggests documenting these CUECs and adhering to them.

Financial institutions that may lack the internal time and/or expertise to review third-party contracts, financials, and SOC reports, can consider adding a solution like Safe Systems’ Vendor Management Document Review. The service enhances the control review process and makes it easier for institutions to meet the increased regulatory expectations for managing third parties. Read more about this topic by accessing our “Evolution of Third Party Management” webinar.

¹ As of this date the NCUA has not indicated that it will be a signatory on this new guidance.

² The Board's 2013 guidance, the FDIC's 2008 guidance, the OCC's 2013 guidance and its 2020 FAQs.

³ Certain documents, such as SOC reports, may only be made available after a contract is in place.

⁴ A SOC 1 report covers controls relevant to the user's financial reporting; a SOC 2 report covers the trust services criteria (security, availability, processing integrity, confidentiality, and privacy) the third party chose to be examined against. Depending on the criteria selected, the auditor's opinion should address the information security and business continuity controls in place at the third party.

06 Mar 2023
MFA - Why You Can’t Set It and Forget It

Multifactor authentication (MFA) is not a static, set-it-and-forget-it process. Financial institutions must constantly monitor—and make necessary adjustments—to ensure effectiveness so that only authorized users are accessing their network, data, and services.

MFA Methods and Risk

Some of the most common MFA methods, particularly in Microsoft Azure Active Directory (Azure AD), are:

  • FIDO2 security key
  • Microsoft Authenticator app
  • Windows Hello for Business
  • OATH hardware/software tokens
  • Short messaging service (SMS)
  • Voice calls

FIDO2 is the strongest of these methods and is also easy to use. It takes passwords out of the equation and instead uses public key cryptography: the private key never leaves the security key, and the browser binds every signed response to the web origin that requested it, so a response produced on a look-alike phishing page is rejected by the real service. The Microsoft Authenticator app is also capable of passwordless authentication in Azure, which is making it an increasingly popular option. This modern multi-factor authentication method can act as a FIDO2 credential, send push notifications, and support user awareness by showing the sign-in location and application inside the notification.

Windows Hello for Business is another advanced method that is also capable of passwordless authentication. It binds the credential to the TPM of the enrolled device, so it works only from that device, and deploying it in a hybrid environment means choosing a trust model (key trust, certificate trust, or cloud Kerberos trust), each with its own prerequisites, so institutions should plan the rollout carefully.

The two riskiest methods are SMS and voice calls. SMS-delivered codes are one of the most frequently used forms of MFA, but the code travels through the carrier network with no end-to-end protection, and the phone number rather than the device is the factor: SIM swapping, number-porting fraud and SS7 signalling attacks all let an attacker receive the code, and a user can be tricked into typing it into a phishing page. Because of these weaknesses and its wide adoption, SMS is a major target of attackers, and NIST SP 800-63B classifies codes delivered over the public telephone network as a restricted authenticator. Voice calling, which delivers the code by telephone call, shares the same weaknesses: the call can be redirected or intercepted, and the code can be relayed.

Any one-time-code method (TOTP apps and OATH tokens included) shares a further risk: the user can be talked into giving the code away. Phishing pages that relay the code to the real site within its validity window, and malicious applications on mobile devices, both accomplish this. Push approvals without number matching are likewise exposed to MFA fatigue, where the attacker sends prompts until the user taps Approve.
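The checks behind that origin binding, as an added example that is not code from the post: a small model of a relying party verifying a FIDO2/WebAuthn assertion, shown against a legitimate login, an adversary-in-the-middle phishing page that relays the real challenge, and a replay of an old response. The domain bank.example, the user name and the phishing host are made up, and an HMAC stands in for the authenticator's ECDSA signature so the script runs on the Python standard library alone (a real relying party stores only the credential's public key).

```python
"""Model of the relying-party checks that make a FIDO2/WebAuthn assertion
phishing-resistant. Added example, not code from the post. The authenticator's
ECDSA signature is replaced by an HMAC over the same bytes
(authenticatorData || SHA-256(clientDataJSON)); names and hosts are made up."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "login.bank.example"              # relying party identifier (a domain)
RP_ORIGIN = "https://login.bank.example"  # the only origin the RP accepts


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class Authenticator:
    """Simulated security key. The origin written into clientDataJSON comes
    from the browser running the page that called navigator.credentials.get(),
    so a phishing page cannot claim to be the real one."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.key = os.urandom(32)  # stand-in for the credential private key
        self.counter = 0

    def get_assertion(self, page_origin: str, challenge: bytes) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
            separators=(",", ":")).encode()
        self.counter += 1
        # authenticatorData = rpIdHash(32) || flags(1) || signCount(4); 0x05 = UP|UV
        auth_data = (hashlib.sha256(self.rp_id.encode()).digest()
                     + bytes([0x05]) + self.counter.to_bytes(4, "big"))
        sig = hmac.new(self.key, auth_data + hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self):
        self.credentials = {}  # user -> {"key", "counter"}
        self.pending = {}      # user -> outstanding challenge

    def register(self, user: str, authenticator: Authenticator) -> None:
        self.credentials[user] = {"key": authenticator.key, "counter": 0}

    def begin_login(self, user: str) -> bytes:
        self.pending[user] = os.urandom(32)
        return self.pending[user]

    def verify(self, user: str, assertion: dict) -> str:
        """Return 'ok' or the reason the assertion was rejected."""
        cred = self.credentials[user]
        expected = self.pending.pop(user, None)
        if expected is None:
            return "no pending challenge"
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if cd.get("challenge") != b64url(expected):
            return "challenge mismatch"                 # stale or replayed assertion
        if cd.get("origin") != RP_ORIGIN:
            return "origin mismatch: " + str(cd.get("origin"))  # signed on a phishing page
        ad = assertion["authenticatorData"]
        if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "rpIdHash mismatch"                  # credential scoped to another RP
        if not ad[32] & 0x01:
            return "user presence not asserted"
        count = int.from_bytes(ad[33:37], "big")
        if count <= cred["counter"]:
            return "sign counter did not increase"      # possible cloned authenticator
        expected_sig = hmac.new(cred["key"], ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                                hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, assertion["signature"]):
            return "bad signature"
        cred["counter"] = count
        return "ok"


def run_scenarios() -> dict:
    """Legitimate login, adversary-in-the-middle phishing page, and replay."""
    user, key, rp = "teller@bank.example", Authenticator(RP_ID), RelyingParty()
    rp.register(user, key)
    results = {}
    legit = key.get_assertion(RP_ORIGIN, rp.begin_login(user))
    results["legit"] = rp.verify(user, legit)
    # The proxy relays the RP's real challenge, but the victim's browser is on
    # the phishing origin, so that is what gets signed. (A real browser would
    # refuse even earlier: RP_ID is not a suffix of the phishing domain.)
    phished = key.get_assertion("https://login.bank-example.test", rp.begin_login(user))
    results["phished"] = rp.verify(user, phished)
    # Replaying the earlier good assertion against a fresh challenge fails too.
    rp.begin_login(user)
    results["replay"] = rp.verify(user, legit)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:8s} -> {outcome}")
```

Run it and the legitimate assertion verifies while the phished one fails on the origin check before the signature is even examined; a relayed SMS or TOTP code has no such binding, which is why the relay attacks in the preceding paragraphs succeed against them.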

Combining MFA with Other Defensive Layers

Today's sophisticated attacks often target weaknesses in the MFA workflow rather than the authentication protocol itself. Instead of bypassing authentication, newer schemes walk the victim through a normal-looking MFA flow on an attacker-controlled page that relays each step to the real service (adversary-in-the-middle phishing), exploiting human behavior rather than a technical flaw. Attackers also circumvent MFA without ever completing it, for example by stealing the session cookie or token from an already MFA-authenticated session and replaying it from their own machine.

To withstand these attacks, institutions must go beyond a relaxed, set-it-and-forget-it stance on MFA. They should move users to phishing-resistant methods, stay aware of the techniques that bypass MFA (as seen with MFA-resistant phishing scams), and add layers that do not depend on the user making the right call. In Azure, this means Conditional Access Policies (CAPs). Every enabled policy whose conditions match a sign-in is applied, a block in any of them wins, and the sign-in must satisfy the grant controls of all of them, so stacking policies that combine MFA strength, application, client type, location, device compliance and device platform is the best way to improve an organization's security posture. For more information about this important topic, watch our webinar on "MFA–Why You Can't Set It and Forget It."
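How stacked policies combine, as an added example (not code from the post and not Microsoft's evaluation engine): a Python model of Conditional Access evaluation using policy objects in the shape of the Microsoft Graph conditionalAccessPolicy resource. The four policies, the named locations, the break-glass group ID and the sign-ins are constructed for the demo. The combination rules modelled are the documented ones: every enabled policy whose conditions match a sign-in applies, a block control in any applying policy wins, and the grant controls of all applying policies must be satisfied.

```python
"""Added example: a model of how Azure AD / Entra Conditional Access combines
stacked policies for one sign-in. Policy dicts follow the shape of the Graph
conditionalAccessPolicy resource (subset of fields). Named locations, the
break-glass group ID, users and sign-ins are constructed for the demo."""
from dataclasses import dataclass

# "AllTrusted" is the built-in alias for the tenant's trusted IP ranges; the
# other entry stands in for a country-based namedLocation object.
NAMED_LOCATIONS = {
    "AllTrusted": {"kind": "trusted_ip"},
    "loc-allowed-countries": {"kind": "country", "countries": {"US"}},
}
ALL_CLIENTS = ["browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other"]
MODERN = ["browser", "mobileAppsAndDesktopClients"]


def policy(name, client_apps, controls, apps=("All",), exclude_groups=(), locations=None):
    """Build a policy dict in the Graph conditionalAccessPolicy shape."""
    conditions = {"users": {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)},
                  "applications": {"includeApplications": list(apps)},
                  "clientAppTypes": list(client_apps)}
    if locations:
        conditions["locations"] = locations
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


POLICIES = [
    policy("Block legacy authentication", ["exchangeActiveSync", "other"], ["block"]),
    policy("Require MFA for all users", MODERN, ["mfa"], exclude_groups=["grp-break-glass"]),
    policy("Require compliant device for Office 365", MODERN, ["compliantDevice"],
           apps=["Office365"], exclude_groups=["grp-break-glass"]),
    policy("Block sign-ins from outside allowed countries", ALL_CLIENTS, ["block"],
           exclude_groups=["grp-break-glass"],
           locations={"includeLocations": ["All"],
                      "excludeLocations": ["loc-allowed-countries", "AllTrusted"]}),
]


@dataclass
class SignIn:
    user: str
    groups: frozenset
    app: str
    client_app_type: str
    country: str
    trusted_ip: bool
    satisfied: frozenset  # grant controls this session can actually present


def location_matches(loc_id, s):
    if loc_id == "All":
        return True
    loc = NAMED_LOCATIONS.get(loc_id)
    if loc is None:
        return False
    return s.trusted_ip if loc["kind"] == "trusted_ip" else s.country in loc["countries"]


def policy_applies(p, s):
    if p["state"] != "enabled":
        return False
    c = p["conditions"]
    if "All" not in c["users"]["includeUsers"] and s.user not in c["users"]["includeUsers"]:
        return False
    if s.groups & set(c["users"].get("excludeGroups", [])):
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and s.app not in apps:
        return False
    if s.client_app_type not in c["clientAppTypes"]:
        return False
    locs = c.get("locations")
    if locs and (not any(location_matches(l, s) for l in locs["includeLocations"])
                 or any(location_matches(l, s) for l in locs.get("excludeLocations", []))):
        return False
    return True


def evaluate(policies, s):
    """'block' if any applying policy blocks; 'not_satisfied' if some applying
    policy's grant controls are unmet (Entra prompts, then fails the sign-in if
    the client cannot present them); otherwise 'allow'."""
    applied = [p for p in policies if policy_applies(p, s)]
    blocks = [p["displayName"] for p in applied if "block" in p["grantControls"]["builtInControls"]]
    if blocks:
        return {"decision": "block", "policies": blocks}
    unmet = []
    for p in applied:
        gc, required = p["grantControls"], set(p["grantControls"]["builtInControls"])
        met = s.satisfied >= required if gc["operator"] == "AND" else bool(s.satisfied & required)
        if not met:
            unmet.append(p["displayName"])
    if unmet:
        return {"decision": "not_satisfied", "policies": unmet}
    return {"decision": "allow", "policies": [p["displayName"] for p in applied]}


# Constructed sign-ins: a teller at a branch, an attacker with phished
# credentials and a relayed MFA code on an unmanaged machine, a legacy IMAP
# client, and a sign-in from a country the institution does not operate in.
T = "teller@bank.example"
SIGN_INS = {
    "teller_office": SignIn(T, frozenset(), "Office365", "browser", "US", True,
                            frozenset({"mfa", "compliantDevice"})),
    "aitm_phish": SignIn(T, frozenset(), "Office365", "browser", "US", False, frozenset({"mfa"})),
    "legacy_imap": SignIn(T, frozenset(), "Office365", "other", "US", False, frozenset()),
    "foreign_login": SignIn(T, frozenset(), "Office365", "browser", "NG", False,
                            frozenset({"mfa", "compliantDevice"})),
}


def run_all():
    return {name: evaluate(POLICIES, s) for name, s in SIGN_INS.items()}


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:14s} {r['decision']:14s} {r['policies']}")
```

The aitm_phish sign-in is the interesting one: the attacker holds a valid password and a relayed MFA code, so the MFA policy is satisfied, but the compliant-device policy still applies and the attacker's machine cannot present that control, so the sign-in does not succeed. A tenant with only the MFA policy would have let it through.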

23 Feb 2023
Mitigating Sophisticated, MFA-Resistant Phishing Scams

Phishing attacks are becoming more complex—and successful—making them more problematic for companies to combat. As a prime example, a recent phishing scam has been circumventing multifactor authentication (MFA) to successfully breach multiple companies. The attacks, which seem to be targeting banks and credit unions, are a stark reminder of the constant cyber threats that financial institutions face and the importance of following effective risk mitigation tactics.

The recent email scam is a sophisticated scheme: it does not break MFA but works around it. The attackers send deceptive emails that lead employees to a look-alike sign-in page, capture their Microsoft 365 (M365) usernames, passwords and MFA codes there, and use them against the real service while the codes are still valid, then try to wire money outside the institution. Not only are these assaults breaching the initial targets, but the attackers also use the victims' mailboxes to phish other companies.

The phishing scheme can be particularly detrimental to institutions that are not employing Azure Active Directory (Azure AD) Conditional Access Policies to bolster their security in Azure. Since Azure AD manages login credentials for users allowing them to access multiple M365 services and internal accounts from anywhere online, it is critical to apply access controls that provide another layer of protection beyond MFA.

Addressing Phishing Threats

There are various steps banks and credit unions can take to address MFA-resistant phishing attacks. Since humans are the weakest link in cybersecurity, institutions should ensure their employees are immediately informed about this particular phishing attack. They should also train employees regularly to recognize phishing emails so they can avoid being deceived. The key: Make sure employees know not to input their username and password in any link they receive by email.

Although this specific threat exploits weaknesses in MFA, financial institutions should still require it: MFA remains one of the most effective controls against account compromise, and the phishing-resistant methods (FIDO2 keys, Windows Hello for Business) defeat this attack outright. As previously mentioned, it is also important to add Azure Conditional Access Policies to the Azure environment. Another preemptive step is to employ a monitoring and reporting solution for the Azure tenant. Once a mailbox is compromised, attackers commonly create inbox rules that forward mail to an outside address, delete or hide messages about wires and invoices, or bury replies in folders such as RSS Feeds, so the victim never sees the fraud unfold. Visibility into sign-ins and mailbox configuration through proactive reporting and alerts makes it easier for institutions to detect such changes quickly and stay on top of potential threats.
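What that monitoring looks like in practice, as an added example (not code from the post or from Safe Systems' products): a detector run over Exchange Online unified-audit-log records for the inbox-rule and forwarding changes that follow a mailbox compromise. The five records are constructed for the demo, and the institution's domain, the hiding-folder list and the finance keyword list are assumptions an institution would tune for its own tenant.

```python
"""Added example: flag post-compromise mailbox changes in Exchange Online
unified-audit-log records. Sample records, the bank.example domain, folder and
keyword lists are constructed/assumed; real exports carry more fields."""
import json
import re

INTERNAL_DOMAINS = {"bank.example"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "archive", "deleted items"}
FINANCE_WORDS = {"wire", "invoice", "payment", "ach", "password", "mfa"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed audit records, one JSON object per line (the shape of the
# AuditData field returned by Search-UnifiedAuditLog, trimmed).
SAMPLE_LOG = r"""
{"CreationTime":"2023-02-14T03:12:09","Operation":"New-InboxRule","UserId":"jdoe@bank.example","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"[\"smtp:mailbox.sync@outlook-relay.test\"]"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2023-02-14T09:40:51","Operation":"Set-InboxRule","UserId":"asmith@bank.example","ClientIP":"203.0.113.8","Parameters":[{"Name":"Identity","Value":"Vendor newsletters"},{"Name":"Name","Value":"Vendor newsletters"},{"Name":"MoveToFolder","Value":"Vendor Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"}]}
{"CreationTime":"2023-02-14T03:13:40","Operation":"New-InboxRule","UserId":"jdoe@bank.example","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"Finance"},{"Name":"SubjectContainsWords","Value":"wire;invoice;payment"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2023-02-14T03:15:02","Operation":"Set-Mailbox","UserId":"jdoe@bank.example","ClientIP":"198.51.100.23","Parameters":[{"Name":"Identity","Value":"jdoe"},{"Name":"ForwardingSmtpAddress","Value":"smtp:jdoe.backup@webmail-free.test"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2023-02-15T12:01:33","Operation":"New-InboxRule","UserId":"asmith@bank.example","ClientIP":"203.0.113.8","Parameters":[{"Name":"Name","Value":"Cover for vacation"},{"Name":"ForwardTo","Value":"[\"peer@bank.example\"]"}]}
"""


def parameters(record: dict) -> dict:
    """Flatten the Parameters array into {Name: Value} with string values."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def external_addresses(value: str, internal: set) -> list:
    return [a for a in EMAIL_RE.findall(value) if a.rsplit("@", 1)[1].lower() not in internal]


def analyze(record: dict, internal: set = INTERNAL_DOMAINS):
    """Return a finding for a suspicious rule or mailbox change, else None."""
    op = record.get("Operation")
    if op not in RULE_OPERATIONS:
        return None
    p = parameters(record)
    reasons = []
    for name in FORWARD_PARAMS:
        if name in p:
            ext = external_addresses(p[name], internal)
            if ext:
                reasons.append(f"{name} to external address {', '.join(ext)}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"rule hides messages in '{p['MoveToFolder']}'")
    words = {w.strip() for w in re.split(r"[;,]", p.get("SubjectContainsWords", "").lower())}
    hits = sorted(FINANCE_WORDS & words)
    if hits:
        reasons.append("rule keys on finance terms " + ", ".join(hits))
    if op != "Set-Mailbox" and p.get("Name", "").strip(" .,;-_") == "":
        reasons.append("rule name is blank or punctuation only")
    if not reasons:
        return None
    return {"time": record.get("CreationTime"), "user": record.get("UserId"),
            "ip": record.get("ClientIP"), "operation": op,
            "rule": p.get("Name") or p.get("Identity", ""), "reasons": reasons}


def scan(log_text: str, internal: set = INTERNAL_DOMAINS) -> list:
    """Parse JSON-lines audit output and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = analyze(json.loads(line), internal)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} {f['operation']} rule={f['rule']!r} from {f['ip']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Findings carry the acting user, client IP and reasons so they can be correlated with the sign-in log; a rule named "." that forwards externally and files mail under RSS Feeds, created at 3 a.m. from an unfamiliar IP, is the classic post-phishing pattern, while the vacation-cover rule forwarding to a colleague inside the domain is left alone.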

How Safe Systems Can Help

It can be challenging for many institutions to effectively manage their access and security settings in Azure AD and M365. However, Safe Systems offers CloudInsight™ M365 Security Basics to make the task easier. The CloudInsight™ collection of products offers a variety of reports and alerts that are specially designed to help institutions enhance their awareness of the Cloud. M365 Security Basics provides visibility into security settings for Azure AD and M365 tenants to help institutions detect targeted phishing or SPAM attacks. It can also expose other common risks like compromised user accounts, unknown users and forwarders; unapproved email access; and the unknown use of sharing tools. With M365 Security Basics, community banks, and credit unions can receive the expert insights they need to minimize, limit, or stop sophisticated phishing attacks.

07 Feb 2023
Highlights from our Annual Look Back at Regulatory Updates

As 2023 continues to unfold, there are some important regulatory compliance tips, tricks, and trends that financial institutions should review from last year and consider in the future.

Looking Back

Two key issues to revisit from 2022 are the new Computer-Security Incident Notification Rule and updates to the 2018 Cybersecurity Resource Guide for Financial Institutions. The incident notification rule, approved in 2021 by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve System, and Office of the Comptroller of the Currency (OCC), took effect in April 2022 with compliance required by May 1, 2022. Under the rule, banking organizations must notify their primary federal regulator as soon as possible, and no later than 36 hours after determining that a notification incident has occurred. A notification incident is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the institution's ability to carry out banking operations or deliver products and services to a material portion of its customers, its business lines, or operations whose failure would threaten U.S. financial stability. Most institutions should have already adjusted the policies and procedures of their incident response plan to comply with the new notification requirements. If they haven't, they should do so immediately because this will undoubtedly be an issue in the next examination cycle.

The rule also obligates bank service providers to notify each affected banking organization customer as soon as possible after determining that they have experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. Financial institutions should therefore cover this issue with new vendors and those renewing contracts. Contracts should specify under what conditions the third party must notify the institution of an incident and should identify at least one contact person within the institution to be notified if an event occurs.

Late last year, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Resource Guide, which is designed to help financial institutions meet their security control objectives and prepare to respond to cyber incidents. The revised guide features updated references and a list of ransomware-specific resources, which is well warranted given the increasing frequency and complexity of ransomware incidents. The guide now includes eight different cybersecurity assessment tools that institutions may use, along with the “gold-standard” Cybersecurity Assessment Tool (CAT) to combat the evolving threat of ransomware.

Looking Ahead

This year, ransomware will continue to be one of the key areas of focus for financial institutions—as well as auditors and examiners. Institutions should also start thinking of using the term “third-party risk management” instead of “vendor management” to match an impending shift in interagency guidance. The new terminology is more than just semantic, it represents a shift in how the agencies define anyone with whom you interact; including those with or without a contract, and with or without the exchange of compensation. Regulators will be releasing new guidance relating to the issue of third-party relationships and risk management. The stronger emphasis on third-party risk management is significant because it implies a broader and deeper scope of responsibility for institutions in terms of their engagement and oversight processes.

In addition, the guidance will likely propose a six-part, third-party risk management process. The process, for instance, will cover key areas like early planning, selection due diligence, and contract negotiation. It would be wise for institutions to begin contemplating these new expectations and how they will navigate the different aspects of third-party risk management in the future.

Anticipated Trends

There are also some potential trends that financial institutions should be aware of going forward. Based on their actual recommendations or observations, auditors and examiners expect institutions to:

  • Identify tolerances for processing and data recovery times for ransomware events—separately from the standard recovery times (RTOs) established in the business impact analysis.
  • Have a list of forensic experts available to call if they require assistance with cyber events. (Your cyber insurance provider may require you to utilize their associates, so it’s best to check.)
  • Formalize vendor information and ensure their management team is periodically updated about third-party risk management practices.
  • Have project management policies that address steps to request and approve new applications, including licensing, contracts, business justification, integration, and risk assessments.
  • Make provisions for succession planning for IT, which is a key component in the risk management program. (If necessary, smaller institutions might consider outsourcing the IT role to ensure an appropriate succession plan is in place.)

Read more about this topic by accessing our webinar on “Regulatory Tips, Tricks, and Trends—Looking Back and Ahead.” Or contact us for more information about how our compliance services are specially designed to help community banks and credit unions meet their regulatory requirements.

27 Jan 2023
What to Look for in a New Firewall Vendor

If your bank or credit union needs a firewall vendor, it’s important to know what to look for to meet your security and regulatory requirements. Maybe you are proactively searching for a new firewall provider or suddenly discovered that you need to replace your current one. Whatever the case, you should search for a firewall vendor that specializes in the financial industry. This will ensure your financial institution has access to expertise and insights that are more specific to banking regulations.

In addition, you should look for a vendor that can serve as a “one-stop-shop” that covers all the security angles. The company should provide an all-inclusive solution that encompasses firewall monitoring, and management as well as intrusion detection and prevention. It’s also important to find a firewall vendor that offers concise and digestible reporting, along with meaningful insights created specifically for the banking community.

It is also equally important to search for a firewall vendor that can meet your institution’s implementation time frame. Ideally, you should plan five to six months out for a firewall implementation to compensate for hardware lead times; however, this may not always be possible. For example, your institution may have encountered an unexpected problem with renewal and need to quickly pivot to another firewall vendor. In this case, you will need to look for a vendor that is capable of deploying a firewall within a tight timeline.

As a precautionary measure, financial institutions must stay on top of contract management. Institutions should have a good relationship with their vendors and review contracts well before they are scheduled to renew. They should closely examine the contract terms and ask questions to ensure they are aware of any upcoming revisions or new developments. This can help them avoid getting caught off guard by any last-minute contractual issues that may disrupt their operation.

So how can banks and credit unions find a prospective firewall vendor? They can consult peers in the banking industry and inquire if their current service providers also offer firewalls. Ultimately, financial institutions should make sure their selected vendor has the appropriate security layers and reporting needed to check all the boxes from an examiner’s perspective. Safe Systems’ Managed Perimeter Defense (MPD), for example, employs multiple layers of advanced tools to help financial institutions protect their IT security environment. MPD’s next-generation firewall capabilities provide deeper analysis and improved detection of modern threats, which makes it easier for institutions to enhance their security posture.

12 Jan 2023
Top Blogs of 2022

Last year, we covered a wide range of blog topics, including ransomware prevention and recovery; business continuity management and disaster recovery; and managing Microsoft Azure and Microsoft 365 settings. In case you missed them, here’s a synopsis of our top blogs of 2022. Reviewing these important issues can help your bank or credit union be better prepared for the challenges—and opportunities—that lie ahead in 2023:

1. Best Practices for Ransomware Prevention and Recovery

Ransomware attacks strike a new target every 14 seconds, disrupting operations, stealing information, and exploiting businesses, according to the Cybersecurity and Infrastructure Security Agency (CISA). However, financial institutions that consistently employ best practices can prevent or bounce back from a ransomware assault. As an optimal strategy for prevention, institutions should identify and address known security gaps that can allow a ransomware infection. Since human error is the primary reason for most security breaches, banks and credit unions should focus on providing ransomware awareness training to help employees identify, respond to, and minimize attacks. They can also limit cybersecurity risk by using intelligent network design and segmentation to restrict ransomware intrusions to only a portion of the network and by having overlapping security solutions to provide layered protection. If a ransomware incident does occur, financial institutions should have pre-defined procedures for response and recovery. Many smaller institutions may lack the expertise internally to implement ongoing best practices for ransomware prevention and recovery, but they can work with an external cybersecurity expert to augment their resources. Read more.

2. Your Guide to Business Continuity Management and Disaster Recovery Planning

It can be challenging for financial institutions to implement successful strategies for business continuity management (BCM) and disaster recovery (DR). But our compilation of key strategies and best practices can facilitate the process. BCM encompasses all aspects of incorporating resilience, incident response, crisis management, vendor management, disaster recovery, and business process continuity, and it is an essential requirement for avoiding and recovering from potential threats. DR—the process of restoring IT infrastructure, data, and third-party systems—should address a variety of events that could negatively impact operations, including natural disasters, cyberattacks, technology failures, and even the unavailability of personnel. For successful disaster recovery, institutions should focus on four important “Rs”: recovery time objective (RTO), recovery point objective (RPO), replication, and recurring testing. In addition, leveraging a comprehensive cloud DR service can enhance redundancy, reliability, uptime, speed, and value. Using a cloud DR solution from an external service provider can give institutions the confidence of knowing their DR plan is being thoroughly tested and will work if a real disaster happens. Read more.

3. Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Microsoft Azure Active Directory (Azure AD) and Microsoft 365 have a distinct ecosystem. Understanding their services and settings is critical for IT administrators to manage security, identity, and compliance within their environment. Institutions can significantly bolster security by implementing some of the basic security settings under the free license level for Azure AD. Adjusting the security default setting, for example, can have a major impact. IT administrators can enable security defaults to enforce non-configurable conditional access policies as well as require multifactor authentication (MFA) registration for all users. IT admins should also review the identity architecture for their institution to ensure all users, devices, and apps connecting to Azure have an identity. Depending on their license level, institutions may be able to modify additional settings, such as allowing global auditing, blocking open collaboration, and restricting outbound email forwarding. Microsoft is constantly revising the features of Azure AD and M365, making it vital for financial institutions to stay on top of their ever-changing ecosystem. Read more to learn how to manage the complexities of customizing your Azure AD and M365 security settings.

Read about other important topics on cybersecurity, compliance, and technology. Subscribe now to the Safe Systems blog to have the latest updates on banking trends and regulatory guidance conveniently delivered to your inbox.

07 Dec 2022
Your Guide to Business Continuity Management and Disaster Recovery Planning

Overview

Businesses today encounter an ever-increasing volume of operational threats, so it’s critical for banks and credit unions to have adequate business continuity and disaster recovery (DR) procedures in place. Business continuity management (BCM) entails all aspects of incorporating resilience, incident response, crisis management, vendor management, disaster recovery, and business process continuity—and it can enable an institution to keep operating if a disruption such as a cyberattack, natural disaster, or man-made event occurs.

We understand that BCM and DR planning can be challenging, so this guide provides some key strategies and best practices to help financial institutions execute them successfully.

BCP vs. DR: Key Differences

It is first important to understand the key differences between a business continuity plan (BCP) and a disaster recovery plan, as these two terms are often mistakenly used interchangeably. The Federal Financial Institutions Examination Council (FFIEC) updated its Business Continuity Management IT Examination Handbook a few years ago to expand its focus from "business continuity planning" to "business continuity management." BCM is the process by which a financial institution proactively plans for resilience to disruptive events and for recovery from them. The traditional business continuity plan is now a subset of the overall BCM process and will be referred to as the business continuity management plan (BCMP) going forward. The BCMP outlines what needs to happen to ensure that key products and services continue to be delivered in case of a disaster. The DR plan, on the other hand, outlines the specific steps for restoring the technology and third-party interdependencies the institution needs in order to return to normal operations after a disaster. The BCMP focuses on the continuation of critical functions, while the DR plan focuses on the restoration and recovery of the specific technology and third-party components necessary for those functions.

BCMP: A plan to continue the business operations necessary to ensure key products and services are delivered

DR: A plan for accessing required technology, infrastructure, and third-party components after a disaster

In the previous guidance, business continuity and disaster recovery were closely tied together, but the new guidance defines them as two separate concepts and states that "The business strategy, not technology solutions, should drive resilience." It places a heavy focus on resilience and states that financial institutions cannot rely on technology alone to ensure it. Technology can help provide resilience and offers significant advantages to your recovery capabilities, but in many cases technology is what failed in the first place. Financial institutions must be able to offer products and services to their customers or members regardless of technology or third-party failure, and often that means using manual processes and procedures to do so.

Finally, the latest BCM guidance draws an important distinction between a "test" and an "exercise." Simply put, a test demonstrates the resilience and recovery capabilities of your systems, and an exercise addresses the people, processes, and procedures. For example, where a test may cover backup and recovery options for systems, data restoration, and device replication, rebuild or replacement, an exercise verifies that your staff (and ideally third parties) are aware of those options and could execute them effectively. Both exercises and tests are now required, and together they provide a high degree of confidence that your recovery procedures will allow you to meet your pre-determined recovery time objectives (RTOs).

Business Continuity Management Planning

Business continuity management is an essential system for preventing and recovering from potential threats. As a part of the business continuity process, a compliant and successful BCMP should include risk management (business impact analysis and risk/threat assessment); continuity strategies (interdependency resilience, continuity, and recovery); training and testing (exercises); maintenance and improvement; and board reporting.

What CEOs Should Know about BCMP

To adhere to regulatory guidance, it is imperative for institutions to not only comprehend the entire business continuity management program but also employ a broad process-oriented approach that considers technology, business operations, testing, and communication strategies that are necessary for the entire organization—not just the information technology department.

Management should develop BCMPs with sufficient detail appropriate to the institution’s size and complexity. According to FFIEC guidance, “The BCMP should address key business needs and incorporate inputs from all business units.” The institution’s business continuity management program should align with its strategic goals and objectives. In addition, management should consider the entity’s role within and impact on the overall financial services sector when developing the program.

Key Steps to Developing a Compliant BCMP

[Figure: BCM 10 Steps]

To develop a successful, compliant BCMP, it is important to understand and follow the recent, more detailed view of the BCM lifecycle in the FFIEC Business Continuity Management IT Examination Handbook. This approach is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance. Here is a checklist consisting of the required elements of the new approach that may not be incorporated into your current program:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPO)
    • Recovery time objectives (RTOs) for each business process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst-case (low probability, high impact) scenarios?
  4. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  5. Do you track and resolve all issues identified during testing exercises and use lessons learned to enhance your program? (Must be documented.)
  6. Does your board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

Tactics for Staying Ahead of Regulators

Although there are several tips, tricks, and tactics to enhance compliance, one of the main tactics financial institutions can apply to stay ahead of regulators is to focus on resilience. Resilience includes the ability to anticipate, prepare for, prevent, and adapt to changing conditions, and to respond to, withstand, and recover rapidly from deliberate attacks, accidents, or naturally occurring threats or incidents. Management should incorporate the concept of resilience into all areas, including their business continuity management process, vendor management program, third-party supply chain management, and information security program. The objective is to implement processes to minimize the possibility of disruption and reduce the impact of such an event if it happens.

Inconsistencies between procedures and practices will often result in exam findings. Mentioning outdated references or older terminology in policies is one of the most common offenses that institutions commit. For instance, referencing business continuity plan or planning (BCP) versus business continuity management plan or planning (BCMP). This would be a minor mistake because the term BCP is not necessarily obsolete, but it’s not consistent with the most recent guidance and could raise a “red flag” that leads examiners to wonder if the institution has properly updated its policies, resulting in further scrutiny. A tactic that financial institutions can use to minimize outdated references and other inconsistencies between procedures and practices is to implement automation. Technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

Disaster Recovery Planning

Disaster recovery—the process of restoring IT infrastructure, data, and third-party systems—should address a broad range of adverse events such as natural disasters, infrastructure failures, technology failures, unavailability of staff, or even cyberattacks. As part of the disaster recovery strategy, management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the business impact analysis. The FFIEC’s Business Continuity Management IT Examination Handbook states:

“Management should develop a coordinated strategy for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software… Disaster recovery should address guidelines for returning operations to a normalized state with minimum disruption.”

What CEOs Should Know about DR

Here are some important DR considerations for CEOs to consider to ensure their institution is taking an effective approach to disaster recovery:

  • Expect the Unexpected: A disaster can strike anytime and in a myriad of ways. Most people think of a disaster as being a situation created by an unexpected weather event, power outage, equipment failure, or cyberattack, but network downtime due to human error is also a common cause of disruption. The need for disaster recovery is a matter of when—not if. Therefore, CEOs should expect some type of disaster to affect their institution.
  • Be Proactive: Not having a sufficient disaster recovery plan in place can have major negative consequences: a loss of data, business functions, clients, and reputation—not to mention time and money. So, bank CEOs must ensure their management team is being preemptive about implementing effective disaster recovery strategies. These strategies should be reflected in the BIA, which can reveal gaps in critical processes that would hinder the institution’s disaster recovery and, in turn, business continuity.
  • Consider Outsourcing: More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyberattacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage, and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient, and cost-effective.

The 4Rs of DR Planning

For effective disaster recovery, there are four important “R’s” that institutions should focus on:

  1. Recovery time objective (RTO) – The longest acceptable length of time that a computer, system, network, or application can be down after a disaster happens. Shorter RTOs require more resources and ongoing expenses. When setting RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints.
  2. Recovery point objective (RPO) – The amount of time between a disaster occurring and a financial institution’s most recent backup, which is the window of data that can be lost. If that window is too long, and too much data is lost, the result could be substantial damage. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance.
  3. Replication – An exact copy of an institution’s data to be available and remotely accessible when an adverse event happens. The best practice is to have one backup onsite and another offsite in a different geographic region—somewhere that is not likely to be affected by the same disaster.
  4. Recurring testing – A variety of tests and exercises to verify the ability to quickly resume core business applications during a disaster situation. Thorough testing of a financial institution’s core applications should be done annually — while they are functioning normally — to generate the most meaningful feedback.

Why a Cloud DR Service Is Important

Institutions must have viable DR measures in place, and a comprehensive, cloud-based service is a cost-effective way to accomplish this. With DR in the cloud, institutions are always able to access their data—no matter what type of disaster happens. In addition, a cloud DR service offers a team of third-party experts who are available to advise on DR processes, ensure ongoing backups and regular testing are done in the correct timeframes, and serve as an extension of the staff when a disaster strikes.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. In addition, a cloud DR solution from an outside service provider can give institutions peace of mind from knowing their DR plan is being adequately tested and will work during a real disaster.

Our Solutions

Safe Systems offers a wide range of comprehensive services to help community banks and credit unions support their BCM and DR planning and other efforts. Whether it’s compliance services, such as BCP Blueprint, Vendor Management, or Information Security Program, or technology services, such as Managed Site Recovery, Managed Cloud Services, or CloudInsight, institutions can customize solutions to meet their specific needs and budget.

30 Nov 2022
Microsoft Azure Maintenance Basics

Financial institutions need to stay on top of Microsoft Azure maintenance to efficiently use Microsoft cloud services and have effective controls across identity and access. Azure maintenance is also a matter of regulatory compliance.

Microsoft Azure maintenance encompasses Azure Active Directory, M365 (formerly called Office 365), Microsoft Exchange Online, and other associated Azure cloud services. Many institutions may not realize they are leveraging cloud solutions because it’s not always obvious where different technology services originate. Regardless of how an institution obtains Microsoft Exchange or M365, it creates a Microsoft tenant with Azure AD. Institutions are ultimately responsible for these tenants and this includes properly securing and maintaining them.

The Federal Financial Institutions Examination Council (FFIEC) expects institutions to engage in effective risk management for the “safe and sound” use of cloud computing services. The council indicated as much in its statement on “Security in a Cloud Computing Environment,” saying: “System vulnerabilities can arise due to the failure to properly configure security tools within cloud computing systems. Financial institutions can use their own tools, leverage those provided by cloud service providers, or use tools from industry organizations to securely configure systems, provision access, and log and monitor the financial institution’s systems and information assets residing in the cloud computing environment.”

In addition, financial institutions are obligated to oversee third-party service providers and make sure that they use proper security controls. “Management should be responsible for ensuring that such third parties use suitable information security controls when providing services to the institution,” the FFIEC IT Handbook’s Information Security booklet stated. “Management should verify that third-party service providers implement and maintain controls sufficient to appropriately mitigate risks.”

Azure Active Directory

Azure Active Directory (Azure AD, AAD) is the primary identity platform across all Azure services. There are some standard maintenance objectives that financial institutions should meet with Azure AD.

Some of the key types of identities to review within Azure AD are users, devices, and enterprise applications. User maintenance is an area many people are familiar with, and it involves ensuring the list of users matches expectations. IT administrators should be on the lookout for new accounts; they should look for users who should not be there and delete or disable them if appropriate. For example, users may need to be purged from the list after they complete off-boarding procedures.

With device maintenance, it is important to be aware of all the devices that the organization has placed into Azure AD. IT administrators should ensure that, at least for Windows OS devices, they follow the established naming convention. They should delete “stale” or inactive devices and ensure that all devices—whether desktop or mobile—adhere to established compliance policies.

The maintenance for enterprise applications—objects with some form of connectivity with your Azure tenant—involves making sure various service apps meet expectations for functionality. Administrators should review the apps’ properties to ensure the best controls are being applied. For instance, this could include addressing apps that have an expired certificate.

Other important maintenance areas within Azure AD include reviewing privileged role assignments to ensure their validity, scrutinizing delegated administration partners to confirm their level of access, and “right-sizing” the number and types of licenses to avoid being over- or under-provisioned.
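As an added example (not Safe Systems’ own code or tooling) of the user, device, enterprise application and privileged-role reviews described above, the following Python script runs those checks over a tenant snapshot exported from Microsoft Graph; the review date, stale-device threshold, naming convention, HR roster, approved-admin list and every sample record are constructed assumptions.

```python
"""Azure AD maintenance review over an exported tenant snapshot.

Added example, not Safe Systems code. It assumes the snapshot came from the
Microsoft Graph /users, /devices, /servicePrincipals and /directoryRoles
endpoints using their standard property names; the review date, thresholds,
naming convention and all sample records below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 11, 30, tzinfo=timezone.utc)        # review date (constructed)
STALE_AFTER = timedelta(days=90)                          # assumed stale-device threshold
WINDOWS_NAME_RE = re.compile(r"^FI-(HQ|BR\d{2})-(WS|LT)\d{4}$")  # assumed naming convention
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}

# Constructed sample data in Graph's JSON shape.
HR_ROSTER = {"alice@example.bank", "bob@example.bank"}          # active staff per HR
APPROVED_ADMINS = {"alice@example.bank", "bob@example.bank"}    # sanctioned privileged users
USERS = [
    {"userPrincipalName": "alice@example.bank", "accountEnabled": True},
    {"userPrincipalName": "bob@example.bank", "accountEnabled": True},
    {"userPrincipalName": "carol@example.bank", "accountEnabled": True},      # off-boarded, still enabled
    {"userPrincipalName": "svc-legacy@example.bank", "accountEnabled": True}, # account nobody recognizes
]
DEVICES = [
    {"displayName": "FI-HQ-WS0001", "operatingSystem": "Windows", "isCompliant": True,
     "approximateLastSignInDateTime": "2022-11-28T14:03:11Z"},
    {"displayName": "finance-pc", "operatingSystem": "Windows", "isCompliant": True,
     "approximateLastSignInDateTime": "2022-11-20T09:12:00Z"},
    {"displayName": "FI-BR01-LT0007", "operatingSystem": "Windows", "isCompliant": True,
     "approximateLastSignInDateTime": "2022-06-01T08:00:00Z"},
    {"displayName": "FI-HQ-WS0042", "operatingSystem": "Windows", "isCompliant": True},  # never signed in
    {"displayName": "Bob iPhone", "operatingSystem": "iOS", "isCompliant": False,
     "approximateLastSignInDateTime": "2022-11-25T17:45:00Z"},
]
SERVICE_PRINCIPALS = [
    {"displayName": "Core Banking Connector",
     "keyCredentials": [{"endDateTime": "2022-10-01T00:00:00Z"}], "passwordCredentials": []},
    {"displayName": "HR SaaS", "keyCredentials": [],
     "passwordCredentials": [{"endDateTime": "2023-05-01T00:00:00Z"}]},
]
ROLE_MEMBERS = {  # directory role display name -> member UPNs
    "Global Administrator": ["alice@example.bank", "svc-legacy@example.bank"],
    "Exchange Administrator": ["bob@example.bank"],
    "Reports Reader": ["carol@example.bank"],
}


def parse_ts(s):
    """Graph returns ISO-8601 UTC timestamps ending in 'Z'; a missing value stays None."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None


def review_users(users, hr_roster):
    """Flag enabled accounts that HR does not list as active staff (new or off-boarded users)."""
    return [(u["userPrincipalName"].lower(), "enabled account not on HR roster")
            for u in users
            if u["userPrincipalName"].lower() not in hr_roster and u.get("accountEnabled", True)]


def review_devices(devices, now=NOW):
    """Flag stale devices, Windows devices that break the naming convention, and non-compliant devices."""
    findings = []
    for d in devices:
        name = d["displayName"]
        last = parse_ts(d.get("approximateLastSignInDateTime"))
        if last is None or now - last > STALE_AFTER:
            findings.append((name, "stale: no sign-in within %d days" % STALE_AFTER.days))
        if d.get("operatingSystem", "").lower().startswith("windows") and not WINDOWS_NAME_RE.match(name):
            findings.append((name, "violates naming convention"))
        if d.get("isCompliant") is False:
            findings.append((name, "not compliant with device policy"))
    return findings


def review_apps(service_principals, now=NOW):
    """Flag enterprise applications whose certificates or client secrets have expired."""
    findings = []
    for sp in service_principals:
        for kind in ("keyCredentials", "passwordCredentials"):
            for cred in sp.get(kind, []):
                end = parse_ts(cred.get("endDateTime"))
                if end is not None and end < now:
                    findings.append((sp["displayName"], "%s expired on %s" % (kind, end.date())))
    return findings


def review_roles(role_members, approved_admins):
    """Flag members of privileged roles who are not on the approved admin list."""
    return [(role, upn, "unapproved privileged role holder")
            for role, members in role_members.items() if role in PRIVILEGED_ROLES
            for upn in members if upn.lower() not in approved_admins]


def run_review(users=USERS, devices=DEVICES, apps=SERVICE_PRINCIPALS, roles=ROLE_MEMBERS):
    """Return every finding grouped by review area, for the maintenance report."""
    return {"users": review_users(users, HR_ROSTER), "devices": review_devices(devices),
            "apps": review_apps(apps), "roles": review_roles(roles, APPROVED_ADMINS)}


if __name__ == "__main__":
    for area, findings in run_review().items():
        for finding in findings:
            print(area, *finding, sep=" | ")
```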

M365 and Exchange Administration

SharePoint Online, Exchange Online, and OneDrive are core components of M365 and as such, they require strategic maintenance. Here are some important areas IT admins should address to maintain these services:

  • Usage reporting— Monitor usage reports to ensure they match the institution’s expectations. Anomalies in consumption and storage could indicate a possible security or compliance concern.
  • Cleaning up files— Delete old, unused files from OneDrive or SharePoint. Administrators can solicit help from users by notifying those who are approaching their limits.
  • File retention policy— Automatically delete files based on a set schedule or duration, such as anything older than seven years.
  • Exchange Online mailbox usage— Monitor mailbox statistics before users reach their limit to avoid service disruptions—and complaints.
  • Distribution list review— Make sure distribution lists contain the appropriate members for the most effective targeting.
  • Exchange Online mobile devices— Keep track of the details about users’ mobile devices to gain additional insights for achieving maintenance objectives and compliance.

For more information, listen to our “Azure Maintenance — The Basics Every IT Administrator Should Know” webinar.

09 Nov 2022
Best Practices for Ransomware Prevention and Recovery

In the world of cybersecurity, an ounce of prevention is worth a pound of cure—especially when it comes to ransomware. Ransomware attacks hit a new target every 14 seconds, disrupting operations, stealing information, and exploiting businesses, according to the Cybersecurity and Infrastructure Security Agency (CISA). As a result of ransomware attacks, US Banks paid out nearly $1.2 billion in 2021, which is up by 188% from 2020 according to the Financial Trend Analysis report [PDF] on ransomware from the US Treasury’s Financial Crimes Enforcement Network (FinCEN). But banks and credit unions that consistently implement best practices can effectively prevent and recover from ransomware attacks.

Prevention Strategies

The ideal strategy is to keep ransomware assaults from happening in the first place, but prevention can be tedious and challenging. As a general practice, institutions should identify and address known security gaps that can enable a ransomware infection. (If there is a loophole, hackers will eventually find it.) Since human mistakes are the root cause of most security breaches, providing ransomware training for employees is a crucial step that institutions can take to reduce their cybersecurity risk. Ransomware awareness training can help staff identify, respond to, and circumvent attacks as well as test their knowledge in a safe environment. Institutions can also limit their security risk by adhering to the principle of “least access” to grant employees the minimum levels of access or permission needed for their job.

As another best practice, institutions can also take a stricter stance on the technical aspects of cybersecurity. They can employ intelligent network design and network segmentation to limit risk by restricting ransomware intrusions to a portion of the network instead of the whole system. Institutions should also have overlapping security solutions to provide layered protection for their systems and networks. Then if a single security element fails, another layer will be in place to compensate.

Response and Recovery Tactics

Even with multiple protective measures in place, there is only so much financial institutions can do to avert a ransomware attack. When a breach happens, the institution must respond immediately to mitigate the impact. This includes implementing pre-established processes for incident response, vendor management, business continuity, and other key areas. Bank management, for example, should have an incident response program to minimize damage to the institution and its customers, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet.

Having pre-defined procedures to declare and respond to an incident can be essential to effectively containing and recovering from a ransomware infection. While incident containment strategies can vary between different entities, they typically include the isolation of compromised systems or enhanced monitoring of intruder activities; search for additional compromised systems; collection and preservation of evidence; and communication with affected parties and often the primary regulator, information-sharing organizations, or law enforcement, according to the FFIEC.

In addition, restoration and follow-up strategies for incidents should address the:

  • elimination of the intruder’s means of access
  • restoration of systems, programs, and data to a “known good state” (using available offline or offsite backups)
  • initiation of customer notification and assistance activities consistent with laws, regulations, and interagency guidance
  • monitoring to detect similar or further incidents

Another step in the recovery process might involve notifying an insurance carrier—if the institution has ransomware coverage. However, cyber insurance might not prove to be the ultimate remedy: A policy exclusion could keep the carrier from paying the claim. Or the settlement amount may not fully compensate for the institution’s intellectual property losses, revenue reduction, tarnished reputation, and other damages.

Augmenting Internal Resources

With the growing complexity of ransomware, it can be challenging for institutions to react to and recover from a cyberattack. However, those with limited internal resources can get help from a third-party cybersecurity expert to manage the process. Safe Systems, for instance, offers multi-layered security services that make it easier for community banks and credit unions to enhance their cybersecurity posture, so they can be better equipped to prevent, respond to, and recover from a ransomware attack. For more information about this critical topic, read our white paper on “The Changing Traits, Tactics, and Trends of Ransomware.”

27 Oct 2022
Social Engineering Scams - It Could Happen to You

Many of us have heard the story about the fake printer repair person who shows up at the office to fix an issue with the intent to gain access to a secure area and collect confidential information. In reality, these things don’t really happen, right? At least not to small businesses or individuals…maybe this happened once to a large corporation and received a lot of press? This level of social engineering doesn’t really happen to someone like me, or does it?

Here’s What Happened to Me

My personal story involves a person visiting my house, a letter in the mail “from the government”, and a friend request on a popular social media platform from someone I knew 20 years ago. Each incident seemed innocent enough at the time, and on its own, did not raise any red flags. But as the events unfolded, I recognized a few mistakes that were made and realized that this was a coordinated effort and a scam!

It started with my doorbell ringing and my six-year-old yelling “Dad, someone’s at the door.” I answered the door to a well-dressed, very professional, middle-aged female with a smile and a government-issued badge around her neck. She promptly showed me the badge and explained she was there to ensure I had received a survey from the Department of Health and Human Services (DHHS). She explained it was important that I fill out the survey to provide the data needed for them to make decisions to properly serve their constituents.

I conduct many surveys at Safe Systems, so I empathized with her need for information and the effort it requires to get people to fill out surveys. I informed her that I had not received the survey she was inquiring about. She then handed me a sample copy of the survey and said that my actual form would have a randomly generated code to help them track when each family had filled out the survey. Even though the survey was anonymous, they used the code to track completion. When I stated again that I had not received the survey, she politely asked me to keep an eye out for it. She said she would check back next week to confirm I had received it. She complimented me on my house and walked away. Although I found the personal stop at my house odd, I didn’t notice any red flags at first. I simply thought this was similar to how they knock on doors for the census every 10 years.

Two days later, when checking the mail, I found a letter addressed to my wife and me. When I opened it, it included a survey that looked like the sample the lady had shown me a few days earlier, but this survey also had the randomly generated code that she told me about. I was still a little suspicious but planned on doing some research online to see if everything checked out.

A few days later, I received a friend invite on Facebook from someone I had not spoken to in 20 years. I’m not a big social media person, but I do have a few accounts to keep up with different family affairs. Once I accepted the invite, this person started asking me about life and family. He didn’t ask anything personal, just general questions about how everyone is doing, jobs, etc. He seemed chattier than I remember him from 20 years ago, but we all change over time. I was cordial with my responses but not overly responsive. Over a few days, I got several short messages from him, then I got hit with this question: “Have you filled out the DHHS survey?” He said he had seen my name on a list of people who had not completed it, and since he knew me, he thought he would reach out. RED FLAG!

The last I knew, he didn’t work for the DHHS, so how would he see my name on a DHHS survey list? And how could he be sure I was the same guy he knew 20 years ago living in a different town? Everyone who knows me knows I go by my nickname. Very few people know my official birth certificate name, which is what was used on the DHHS survey. So, the odds of my name jumping off the page at him are low. RED FLAG! I was curious about where this was going, so I continued the conversation, but guardedly. I admitted I had the survey but had not had a chance to fill it out yet.

Not wanting to let on that I was suspicious of him and the survey, I lied and said I would get around to it at some point. His response was the clincher for me that this was a scam. He said, “Great, just don’t want you to miss out on all the money I got from doing it.” Suddenly, there is money involved with filling out this survey which had not been mentioned anywhere. BIG RED FLAG! Also, it is very unlikely that someone filling out the survey would see a list of others who had received it, especially if it was supposed to be anonymous. RED FLAG!

I decided at this point, I wanted to know how far they would take this scam. I started chatting with him about some trip we went on years ago and how great it would be to do it again (but the truth was we never went on any trip). I never heard from him again, and his Facebook account was deleted and removed 2 days later.

It is important to discuss his Facebook page, as it not only had pictures of him and his family but also indicated that we had a single “mutual friend.” This was meant to convince me of his authenticity but should have also raised a RED FLAG considering how much overlap there was in the people we knew. Apparently, someone had stolen the pictures from his Facebook page and created a new account. I later recalled I was already friends with him on Facebook and compared his actual page to what I had seen on the fake account. They were identical if you just looked at the profile picture and the last post or two. There was almost no history on the fake account, but I had not paid attention to this RED FLAG at the time.

Social Engineering Can Happen to Anyone

In the grand scheme of things, I’m your average American stereotype. I live in a small neighborhood in suburbia with a minimal presence on the internet. Why would anyone have any interest in me? Yet, with no reason to target me, someone came to my house, mailed me a letter, set up a fake profile of someone I knew 20 years ago, and created an elaborate scheme to get me to fill out a survey that asked for personal information.

The moral of the story is if it can happen to me, it can happen to you, your family, and your business! Don’t assume these things only happen to others or large corporations. Social engineering schemes are very real, and they can work if you don’t have your guard up!

As we reach the end of Cybersecurity Awareness Month 2022, I thought this would be an appropriate story to share. As you can see from my story, social engineering can be very elaborate and can use means that are outside of the internet to deceive you into providing access to confidential or personal information and/or your computer systems. So, awareness is key. In the spirit of this month, I hope my story serves as a reminder to talk to your employees and customers about recognizing red flags and staying safe online.

25 Oct 2022
Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

  • Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
  • Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others. A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.
  • Updating software — Updates resolve general software issues and provide new security patches where criminals might get in and cause problems. You should update software often, obtain the patch from a known trusted source, and make the updates automatic if available.
  • Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme where criminals use fake emails, social media posts, or direct messages to trick unwitting victims into clicking on a bad link or downloading a malicious attachment. The signs can be subtle, but once you suspect a phishing scam, you should report it immediately, and the sender’s address should be blocked.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

  • Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
  • Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
  • NetInsight®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
  • Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.

20 Oct 2022
Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Our first Customer Success Summer Series offered live webinars with special guest speakers who shared their industry knowledge to help our customers and other financial institutions enhance internal processes and key areas of their banking operations.

The Evolution of Phone Systems

Today businesses are facing the acceleration of remote working: Voice over Internet Protocol (VoIP), Virtual Private Networks (VPN), virtual meetings, and dynamic routing of phone systems based on the user’s location have all become must-have requirements. Legacy telephone services are becoming obsolete as some telecoms decommission analog technologies in favor of fiber POTS (plain old telephone service delivered over fiber) and other alternatives. The old telephone system is evolving into a more modern option: unified communications as a service (UCaaS), which merges communication channels into a single cloud-based system. UCaaS offers all the necessary infrastructure, applications, and resources businesses need in an easily scalable solution. Unified communications tools can include chat, VoIP, text messaging, and online video conferencing.

UCaaS gives institutions the benefit of advanced functionality which allows employees to work remotely more efficiently, including things like the ability to check other users’ availability, reach people whether they are in the office or out in the field, and access the platform from anywhere. Another evolving facet in telecommunications is call center as a service (CCaaS), which also streamlines omnichannel communication and allows remote employees to work together as a call center team.

Given its flexibility and efficiency, it is easy to see why UCaaS is moving to the forefront of communications. There is a wide range of unified communications features, equipment, and prices and it is important for your institution to clearly define its unique needs to find a solution that will satisfy its requirements. It is also important to continue to evaluate your equipment and services every few years as technology and pricing continue to change.

Watch the recording of this webinar to gain a better understanding of UCaaS and other options so you can make the right choice for your institution.

2 Guys and a Microphone

Matt and Tom have both spent most of their careers focused on risk and regulatory compliance for financial institutions. We recorded their recent conversation which spans many topics including increased scrutiny on vendor management, continued focus on ransomware, and more.

Recent audit and exam trends continue to have a strong focus on third parties and proper vendor management. Examiners are considering the preponderance of fintechs, how much the average financial institution is outsourcing, and the inherent risk that originates from third-party vendors. Interestingly, their increased scrutiny may extend to any significant sub-service vendors that institutions may have. In addition, we are seeing questions arise about vendor management in the context of insurance. Cyber liability insurance applications are requesting more details about the management of vendors and other third parties.

There have also been some interesting audit and exam findings. For instance, one institution was encouraged to complete a post-pandemic/walk-through test or “dry run” of their pandemic procedures. This is curious considering all institutions have been in a “live exercise” for the past few years with the pandemic. Regardless, there is a good chance that the pandemic verbiage in your disaster recovery plan needs to be updated based on what has or has not been done in response to the current pandemic. And it is important to consider that an annual pandemic test will be a part of examiner expectations going forward along with the traditional business continuity, natural disaster, and cyber incident tests.

On the regulatory front, the new Computer-Incident Notification Rule went into effect on April 1, 2022, which is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The rule has two components:

  • The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
  • The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

In March, we hosted an in-depth webinar on understanding the requirements, recognizing gray areas, and preparing for unknowns. To help institutions meet these requirements, we also created a detailed flowchart to understand when an event is severe enough to activate your Incident Response Team (IRT) and when regulators and customers should be notified.

Another regulatory trend to keep your eyes on: the increasing industry-wide focus on ransomware is prompting some state banking organizations to require institutions to use the Ransomware Self-Assessment Tool (R-SAT). The 16-question R-SAT is designed to help institutions evaluate their general cybersecurity preparedness and reduce ransomware risks. The R-SAT supplements the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC). It will be interesting to see if more states begin requiring this additional diagnostic tool.

Watch the recording to hear more insights about INTrex, SOC Reports, and SSAE 21.

08 Sep 2022
What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

  • Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
  • Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. Financial services firms are estimated to be 300 times more likely to be targeted by cyberattacks than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—making cybercrime more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

01 Sep 2022
Addressing the Growing Ransomware Problem

Ransomware has become the leading cyber threat to businesses today—and it is growing at an alarming rate. Threat actors, who often work in groups, continue to evolve and create different ransomware strains. They rebrand themselves and resurface under new identities, making it difficult to curtail their criminal activities. Ransomware has continued its upward trend with an almost 13% rise—an increase as big as the last five years combined, according to Verizon’s “2022 Data Breach Investigations Report.” And the FBI’s Internet Crime Complaint Center Annual Report recorded 3,729 ransomware complaints in 2021 with adjusted losses of more than $49.2 million.

The pervasive nature of the ransomware problem affects all types of companies, sectors, and industries worldwide. Approximately 37 percent of global organizations were targeted by a ransomware attack in 2021, based on the IDC’s “2021 Ransomware Study.” And in February 2022, the Cybersecurity and Infrastructure Security Agency (CISA) reported that fourteen of the 16 US critical infrastructure sectors had ransomware incidents.

The Impact

Ransomware is malicious software or malware that locks victims out of their computing devices or blocks access to files until they pay a ransom. More sophisticated versions can encrypt files and folders on attached drives and even networked computers, raising the stakes even higher. (In all cases, the FBI does not support paying a ransom in response to a ransomware attack.)

Typically, ransomware gets installed on a workstation using a social engineering technique such as phishing. It tricks people into clicking on a link or opening an attachment and disclosing their login information or even financial data. Regardless of the threat vector used, a ransomware infection can wreak havoc on victims, causing extensive business interruptions, legal expenses, and reputational damage. According to IBM’s Cost of a Data Breach 2022 report, the average cost of a ransomware breach, not including the ransom payment, declined slightly, from USD 4.62 million to USD 4.54 million. However, the frequency of ransomware breaches has increased — from 7.8% of breaches in the 2021 report to 11% in the 2022 study. In certain industries, an attack may be considered a data breach and involve even more negative consequences. For instance, financial institutions and other critical infrastructure agencies may be required to pay fines for an attack due to their failure to protect clients’ data.

Cybercriminals are shifting away from ransomware attacks that merely demand a payment to unlock the victim’s data or device. They are focusing on more multidimensional extortion methods to extract a larger reward. IBM Security’s 2022 “X-Force Threat Intelligence Index” report indicates that virtually all ransomware assaults today are “double extortion” attacks that demand a ransom to unlock data and prevent its theft. Some attackers opt to exfiltrate sensitive data, so they can present additional ransom demands in the future. They may also sell personal data—credit card numbers, email addresses, online credentials, or bank account information—to make the fraud even more lucrative.

Best Practices

Security is a complicated issue, which makes staying on top of threats and vulnerabilities challenging. Financial institutions must complete a myriad of time-consuming and complex tasks to maintain a strong security posture. Addressing ransomware can be particularly difficult for community banking institutions with limited internal technical expertise and resources. And there is only so much an institution can do to stay vigilant against ransomware threats.

However, institutions can reduce their risk by implementing some key security strategies such as:

  • Having a well-trained staff because most ransomware intrusions are caused by human error.
  • Having overlapping security products and/or services to cover the protection of systems and networks.
  • Having well-designed network infrastructure with security in mind.
  • Having a proper incident response plan that can be adhered to in the event of a breach.

Using a Managed Service Provider

Financial institutions that put mitigating systems, processes, and practices in place will be better positioned to prevent, detect, and recover from a ransomware breach. However, many smaller institutions may lack the resources and knowledge in-house to close security gaps and circumvent attacks. They can remedy the situation by employing the products and services of a managed service provider to strengthen their security posture.

Safe Systems provides a wide range of layered security solutions to help institutions address the risk of ransomware. Our security offerings include behavior-based vulnerability monitoring, advanced endpoint protection, vulnerable systems patching, next-generation firewalls, email software security, and staff training. These products and services deliver essential overlapping protection, and they are specially designed to meet the needs of community banks and credit unions.

Also, stay tuned for our upcoming white paper that will provide more data on the current state of ransomware and how banking institutions can better minimize the risks of an attack.

05 Aug 2022
The Importance of Succession Planning to IT and Information Security Resiliency

Change can be challenging—especially when it involves the transition of IT management and other key personnel. That’s why it’s imperative for banks and credit unions to be proactive about succession planning.

While regulators expect institutions to have a formal succession plan for key leadership roles, having a strategy for filling critical positions is a matter of practicality. If an IT administrator or information security officer (ISO) is not in place, or not available to complete the tasks, reports, and other responsibilities of these roles, then it could lead to cyberattacks and other security issues. This, in turn, can have dire consequences for a financial institution’s operations, risk profile, compliance, and reputation.

Succession Planning Strategies

Institutions can ensure IT and information security resiliency by having an effective plan for managing the absence of key security-related personnel. Depending on their size, type, and goals, they can adopt any of these approaches to succession planning:

  • Proactively assess internal talent and then orient the most suitable individual to serve as an alternate or backup for various IT admin or ISO responsibilities. The ISO alternate, for instance, should train with the existing ISO, attend ISO oversight meetings, and present appropriate information to executive management and the board. If the ISO leaves, the backup individual should be equipped to assume the role temporarily or even for the long term if necessary. Training a staff member to perform IT or information security duties is not only pragmatic, but it complies with regulatory guidance.
  • Implement an internal committee or team approach to managing IT and information security during a temporary or permanent personnel change. The committee can facilitate the IT and information security program in several ways. It can maintain processes until an outside replacement is installed or support an internal successor who is transitioning into the position. The committee can also provide coaching to keep the replacement from becoming overwhelmed by the complexity and assortment of tasks required.
  • Partner with a trusted third party to obtain the additional expertise needed to meet IT and information security benchmarks. This approach provides an accountability partnership role and a regular framework that clearly defines key responsibilities and streamlines processes. This strategy can ensure institutions have suitable resources to ease the transition of key personnel to enhance IT and information security resiliency.

Leveraging a Virtual ISO

A virtual ISO can be an ideal solution for institutions seeking to enhance IT and information security resiliency. This third-party service can not only support succession planning, but it can also serve as an extension of the internal ISO, providing an external layer of oversight and an objective point of view—which allows institutions to approach risk more strategically and proactively.

ISOversight from Safe Systems, for instance, is a complete solution that makes it easier for community banks and credit unions to master information security and compliance online. This virtual ISO solution—which is especially for financial institutions—offers valuable access to applications and resources, cyber risk reporting, and compliance experts. With ISOversight, banks and credit unions can be confident that all their ISO-related requirements are completed on time, documented properly, and reported to the appropriate parties. Learn more about how to enhance your institution’s security posture during tough times. Read our white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

27 Jul 2022
Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

  • BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
  • CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
  • Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
  • Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
  • Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
  • NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
  • Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
  • V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our expert’s core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.