Category: Compliance

04 Apr 2024

Top 10 Benefits for Financial Institutions to Outsource Network Management

Ensuring that your network is up and running smoothly is crucial to the success of your community bank or credit union. However, managing today’s complex networks can be time-consuming and resource-intensive. This is where working with a managed service provider can offer tremendous benefits. Let’s explore the top 10 advantages of outsourcing your network management:

1. IT Expertise

You gain access to a team of IT professionals with specialized expertise in network administration for financial institutions. These experts can serve as an extension of your team and are available regardless of internal personnel shifts, such as vacations, sick days, short- or long-term leave, etc. This creates continuity, ensuring your network always operates at peak performance.

2. Network Uptime

Network downtime can be detrimental when it disrupts customer service and normal business operations. Outsourcing can minimize this risk through proactive monitoring and faster response times. In addition, staff may be focused on other responsibilities and can miss alerts that could lead to a network disruption. With an outsourced solution in place, alerts are monitored, captured, and prioritized to prevent small issues from becoming larger.

3. Enhanced Reporting

Accessing customizable dashboards and real-time reporting offers your institution invaluable insights into the effectiveness of your controls. It also aids in the detection and resolution of potential issues. Leveraging a managed service provider well-versed in the financial landscape who can furnish appropriate reports enhances your readiness for exams and audits.

4. Event Log Monitoring

Manually monitoring and analyzing logs can be an overwhelming, if not impossible undertaking. A managed service provider can help you evaluate all event logs to determine which activities need further investigation or action to enhance network security.

5. Scalability

As your financial institution grows, so does the complexity of your network. An outsourcing partner can help you scale your network according to your institution’s changing needs and ensure it has the bandwidth to keep up with your organization.

6. Core Competencies

Outsourcing your network management allows you to focus on what you do best – serving your customers and your community. By delegating network-related tasks to outsourced professionals, your IT staff can spend less time on routine, repetitive tasks and have more time to help front-line employees and concentrate on core competencies.

7. Improved Security

Network security is of utmost importance for financial institutions as they handle sensitive customer information. A network management service equips you with a dedicated security team that is up-to-date with the latest security measures. They can put into place strong security protocols, conduct routine patch management, and respond quickly to security threats.

8. Cutting-Edge Technology

Keeping up with the rapidly evolving technology landscape can be challenging. Outsourcing means you can leverage tested state-of-the-art tools and technologies. A managed provider constantly updates their systems and stays on top of emerging trends, ensuring that your network is using the best technology available.

9. Regulatory Compliance

Financial institutions must adhere to strict regulatory requirements and a reputable managed service provider will help you review systems reports, discuss controls assessments, and prepare for exams and audits. You will have more confidence in knowing your network is properly adhering to its operational, security, and compliance policies and procedures.

10. Peace of Mind

Perhaps the most significant benefit of outsourcing your network management is the peace of mind that it brings. Knowing that your network is in capable hands allows you to worry less and focus more on your day-to-day banking activities.

From dedicated IT expertise and increased network uptime to substantial reporting capabilities and improved security and compliance, outsourcing network management allows your financial institution to focus on your core competencies. By entrusting network responsibilities to reliable experts, you can feel confident that your network will operate seamlessly, providing a reliable and secure platform for your customers and community.

NetComply One is a network management service that includes a dedicated strategic advisor to help with technical support, training, guidance, and regulatory compliance assistance. Learn more about outsourcing your network management solution.

14 Mar 2024

Strengthening Financial Cybersecurity: Navigating the Upgrades in RSAT 2.0

In today’s rapidly evolving digital landscape, cybersecurity remains a critical concern for financial institutions. With increasing reliance on technology and expanding exposure through third-party service providers and electronic banking services, the threat of ransomware attacks continues to pose significant risks to the security, confidentiality, and integrity of financial data. The Ransomware Self-Assessment Tool Version 2.0 (RSAT 2.0) emerges as an important resource for institutions seeking to strengthen their defenses against such cyber threats.

The updated version of RSAT is designed to reflect the latest developments and regulatory insights, incorporating feedback from previous ransomware victims to enhance industry-wide resilience. Key enhancements in RSAT 2.0 include a rigorous examination of cloud-based service provider relationships, an emphasis on multifactor authentication implementations, strategic employee cyber awareness training, and robust incident response testing.

Highlights of Key Enhancements:

These updates underscore the importance of a comprehensive approach in safeguarding against the dangers of cyberattacks and reflect regulatory expectations.

  • Cloud-based data management – The tool demands a broader understanding of cloud providers and data flows, especially concerning data housed in locations outside the U.S., as well as compliance with international privacy regulations like GDPR.
  • Multifactor authentication – Another notable emphasis is the expanded focus on multifactor authentication (MFA). RSAT 2.0 seeks specific details regarding the types of MFA in place, its application across systems, and plans for future enhancements. This reflects the increasing recognition of MFA as a critical defense layer against unauthorized access.
  • Employee cyber awareness training – A third area receiving heightened attention is cybersecurity awareness training. With human error being a significant factor in security breaches, RSAT 2.0 stresses the need for comprehensive and role-based cybersecurity training. Financial institutions are encouraged to tailor training to different audiences within the organization, ensuring relevance and effectiveness.
  • Incident response testing – The new version of the tool queries institutions on their incident response testing, particularly the involvement of executive management. This inclusion highlights the importance of leadership engagement in cybersecurity readiness and incident management. Additionally, procedures for validating clean data backups are underscored, emphasizing the role of data integrity and availability in recovery efforts.

Financial institutions are provided with a valuable opportunity to self-assess their readiness to deal with the threat of ransomware in the form of RSAT 2.0.

The enhanced RSAT 2.0 is not merely a checklist but a comprehensive framework that encourages financial institutions to delve deeper into their cybersecurity posture. This self-assessment can help institutions identify areas for improvement and make informed decisions about their cybersecurity management strategies.

For more information on the RSAT 2.0 and other critical factors of cybersecurity management, such as NIST CSF 2.0, Third-party Relationship Management, and more, download and watch our recent webinar, Protect, Detect, and Respond: Prioritizing Cybersecurity Management in 2024.

08 Mar 2024
The Crucial Role of Cybersecurity Management in 2024

As we reflect on the challenges of 2023 and the growing reliance on cloud providers in the financial industry, it is clear that cybersecurity management is more important than ever. With the increasing threat of cyberattacks and the need to protect customer information and financial transactions, community financial institutions must prioritize cybersecurity to ensure the safety and trust of their customers.

In our recent webinar, our IT and Information Security experts discussed cybersecurity management with areas of emphasis on the importance of understanding third-party risk management, the new version of the Conference of State Bank Supervisors (CSBS) Ransomware Self-Assessment Tool (RSAT 2.0), and lessons learned from exams and audits in 2023. This post explores some of the key highlights.

NIST Framework and the Arrival of CSF 2.0

The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is a valuable resource for organizations to manage and reduce cybersecurity risk. This framework continuously integrates lessons learned and best practices while retaining its core functions: Identify, Protect, Detect, Respond, and Recover. The recently updated CSF 2.0 includes the introduction of a sixth function, ‘Govern,’ underscoring the importance of clear role definitions, policies, and risk prioritization procedures within cybersecurity programs. It also provides improved guidance on implementation, ensuring that organizations are equipped to address the latest cybersecurity challenges.

Critical Third-party Relationship Management

Third-party risk management is crucial as financial institutions are increasingly relying on third and fourth parties. Interagency guidance underscores the importance of understanding the impact and interaction levels of these relationships on operations and customers. Financial institutions are encouraged to establish sound methodologies for comprehensive oversight of the activities surrounding third parties. This includes a thorough understanding of third-party business processes and systems as well as an understanding of the risks and benefits before contract execution. As financial institutions move forward with third-party relationships, they must also exert pressure on their service providers to ensure adherence to strong cybersecurity standards to effectively safeguard the interests of the financial institution and ultimately its customers.

Importance of the Ransomware Self-Assessment Tool (RSAT 2.0)

The Ransomware Self-Assessment Tool (RSAT) version 2.0 represents a significant step forward in helping financial institutions fortify their defenses against ransomware attacks. The latest version is developed through the integration of feedback from institutions that have been impacted by ransomware, ensuring that the tool remains relevant and effective as this type of malware continues to evolve. With a focus on cloud-based service providers, RSAT 2.0 emphasizes the importance of understanding the flow of data, particularly in environments outside the U.S., and how it is subject to various privacy regulations like GDPR. Furthermore, RSAT 2.0 places increased emphasis on multifactor authentication (MFA) and employee cyber-awareness, reflecting the industry’s recognition of the critical role these factors play in strengthening cybersecurity postures.

Key Lessons Learned from Exams and Audits

A few of the biggest areas of scrutiny that we’re seeing from recent IT exams and audits include:

  • Asset Management – paying attention to asset lifecycles and end-of-life risks as well as implementing robust authentication methods that govern customers who are logging into electronic banking applications
  • Change Management – establishing baseline standards and auditable procedures for change requests and appropriate reporting for project management and cost overruns
  • Data Recovery – periodically rotating through your critical servers and restoring data so that you can ensure the effectiveness, integrity, and availability of that data
  • Increased Incident Response Testing and Training – conducting testing as frequently as possible over different threat scenarios, documenting those tests, and training the employees who are going to be involved in the actual response

For more lessons learned and emerging trends, watch the full webinar recording.

Community banks and credit unions must prioritize cybersecurity management to protect customer information and maintain operational resilience. Enhanced cybersecurity strategies are imperative, urging institutions to adopt a multidimensional approach that incorporates people, processes, and technologies. Regular assessments, third-party risk management, and adherence to cybersecurity frameworks contribute to a proactive defense against cyber threats.

If you have any questions or want to learn more about our complimentary information security review, please visit safesystems.com/review.

08 Feb 2024
The Importance of the ISO Role in 2024

The role of the Information Security Officer (ISO) in financial institutions continues to increase in responsibility and accountability year over year. The security challenges of community banks and credit unions are expanding as data breaches, targeted attacks, and cybersecurity threats become more pervasive. ISOs must be equipped to guide their institution through the complexities of addressing security threats in the current environment. The ISO job function—which should exist as a separate role within the institution—should go beyond overall policy development, risk management, and working with high-level executives to also include visibility and accountability for technical activities on internal systems and with technology service providers (TSPs). This ensures that all security strategies are being implemented and managed according to organizational objectives.

Regulatory Expectations and Requirements

While the role can vary among different financial institutions, today’s ISO has leadership responsibilities that involve crucial areas like cyber risk assessment, regulatory compliance, business continuity planning, and incident response. Other key duties include the technology committee and board reporting and preparing for and responding to audits and exams.

In terms of regulatory expectations and requirements, today’s ISO is responsible for proving that the institution has met all relevant regulatory requirements and is protecting all the data, records, and personal information of its customers/members. In addition, the Federal Financial Institutions Examination Council (FFIEC) requires all institutions to have a designated ISO who is responsible and accountable for implementing and monitoring the information security program. Although general information security management duties may be shared among various business lines, the ISO is responsible for providing stakeholders and decision-makers with sufficient information to support their oversight efforts.

Augmenting the ISO Role

As today’s ISOs expand their focus beyond conventional information security issues and duties, they will need more expertise and advanced tools to protect their institution against ever-changing cyber threats. The ISO will need to address more complex challenges relating to cloud security, artificial intelligence, and other technological advancements. Many ISOs at community FIs do not have the time, experience, or technology expertise to organize and manage these responsibilities. The good news is that financial institutions can augment any lack of expertise with a Virtual ISO (VISO) solution. A VISO does not remove the need for a resident ISO at the institution, but it can provide valuable expertise, perspective, and assurance that all periodic responsibilities are adequately addressed. Safe Systems’ virtual ISO solution, ISOversight™, offers access to a suite of applications, resources, reporting, and dedicated risk and compliance specialists to help community banks and credit unions manage their many risk management and FFIEC compliance responsibilities. This includes accountability and visibility for anomalies and exceptions in technology and IT security activities that could negatively affect non-public information and financial transactions.

Safe Systems is dedicated to sharing knowledge and providing training around this critical role. Our IT and Information Security Compliance experts have hosted numerous “ISO 101” classes and webinars that focus on the requirements of the role within today’s regulatory framework and the accountability factors among the various stakeholders. Our next webinar, “Protect, Detect and Respond: Prioritizing Cybersecurity Management in 2024” will discuss the regulatory trends we saw in 2023 and share real-life experiences to help you enhance cybersecurity management efforts and build resiliency. Join us on Wednesday, February 14 at 2:00 PM ET.

18 Jan 2024
Our Top Blog Posts of 2023

As we begin the new year, it’s a great time to revisit some of the most popular blogs we published in 2023. Our top blogs from last year covered a range of topics, including a cybersecurity outlook, updated third-party risk management guidelines, using conditional access policies (CAPs) and multifactor authentication (MFA) to enhance security within Microsoft Azure Active Directory (AD), and NetConnect 2023. If you didn’t have a chance to read these posts—or simply want to review them—here is a recap of each of them. They offer unique perspectives, best practices, and a wealth of insights that can help your financial institution prepare for greater success in the year ahead.

2023 Cybersecurity Outlook for Community Banks and Credit Unions

Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions revealed valuable peer-to-peer insights that can help financial institutions enhance their security posture. The survey highlights cyber preparedness and budget restraints as the top security challenges for more than 50% of the 160 participating financial institutions. It also shared participants’ feedback on other important areas, including prevention and detection security layers; employee security awareness training and testing; and advanced firewall features. For instance, respondents use multiple layers of security, but less than 50% of them combine every security layer listed in the survey. Survey respondents also use a variety of security training—including resource-intensive individual instruction. In addition, most of the survey participants are taking advantage of advanced firewall features, although only 24% of 135 respondents leverage sandboxing technology to detect threats. Read more.

Updated Regulatory Guidelines on Third-Party Risk Management

In June, federal bank regulatory agencies issued updated guidelines to make it easier for financial institutions to manage third-party risks. This new guidance from the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) impacts all banking institutions that use third parties. The majority of statements in the new guidance focus on the planning, due diligence, and contract phases with an emphasis on pre-engagement. Since auditors and examiners will be looking more closely at what happens during the pre-engagement stage, institutions need to place more emphasis on scrutinizing potential third parties. Not all statements in the guidance will apply to all institutions or relationships, so we have developed an interactive checklist designed to walk you through key regulatory requirements of the third-party relationship life cycle. Read more.

Using CAPs and MFA to Enhance Security within Microsoft Azure AD

There was a surge in successful phishing campaigns last year, including sophisticated schemes that were able to bypass MFA. MFA-resistant phishing is a significant threat since this type of attack could impact a vast segment of organizations that rely on Microsoft Azure AD (now known as Microsoft Entra ID) and Microsoft M365 services to support their operations. However, financial institutions can use a variety of measures to prevent cyberattacks, including Conditional Access Policies (CAPs). CAPs, which are foundational to safeguarding identities within Microsoft Entra ID, protect the initial step of the identification chain—the sign-in attempt. To maximize protection, institutions should stack multiple CAPs, such as requiring MFA, denying sign-ins from outside of the USA, and requiring device compliance. When designing CAP logic, they should take a broad approach to the scope of the CAP to impact as many areas as possible. Institutions can take a multi-layered approach to optimizing security by leveraging multiple security tactics, technologies, and resources. Read more.

NetConnect 2023—A Glimpse into the Future of Technology and Compliance

The 2023 NetConnect Customer User Conference brought Safe Systems’ customers, employees, and partners together in Alpharetta, Ga. to discuss banking industry trends, challenges, and innovations. NetConnect 2023 provided valuable insights into banking and technology’s vital role in shaping the industry’s future. With multiple informative sessions, the conference covered the significance of hope in business, changes relating to regulatory compliance, vulnerability management, and Microsoft Azure fundamentals. Read more.

Get the latest industry developments, insights, and trends delivered directly to your inbox. Subscribe now to the Safe Systems blog.

07 Dec 2023
NetConnect 2023 – A Glimpse into the Future of Technology and Compliance

Safe Systems hosted its 2023 NetConnect Customer User Conference last month in Alpharetta, GA. After taking a hiatus due to the pandemic, Safe Systems customers, employees, and partners were eager to reconvene to discuss the latest trends, challenges, and innovations. This year’s conference provided insights into the evolution of banking and the critical role technology plays in shaping the industry’s future.

Here are some key highlights and insights shared at this year’s conference.

“I have been to several vendor conferences in the last 20 years, and I would say this is one of the best, if not the best, one I have been to. The sessions were informative and on-target. The presenters were all well qualified and engaging.” – Community banking CFO

Celebrating 30 Years of Excellence

NetConnect 2023 marked the 30th anniversary of Safe Systems’ journey in the banking technology landscape. The conference began by reflecting on the early days when our services primarily focused on PC and network policies, network installations, and troubleshooting. Safe Systems highlighted that our evolution and growth were driven by customer feedback and collaboration. Customers have always been the cornerstone of our success.

Keynote speaker Dr. Randy Ross

The Power of Hope in Business

Keynote speaker, Dr. Randy Ross, shared insights on the importance of hope in the workplace. Hope is not merely wishful thinking or passive optimism; it’s a dynamic motivational system tied to inspirational goal setting. The case for hope in business was backed by impressive statistics, including lower absenteeism, increased productivity, and enhanced morale and creativity. Dr. Ross also provided guidelines on how anyone can apply hope to make life happier, healthier, and more productive.

Regulatory Compliance in a Changing Landscape

Tom Hinkel, VP of Compliance Services, delved into the dynamic world of regulatory compliance. He discussed the latest statistics, including a surge in cyber insurance claims due to zero-day attacks and ransomware. Regulatory changes like third-party risk management (TPRM) guidance and FDIC InTREx updates were highlighted. The session also touched on the cyber incident notification rules approved by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC) in 2022 and the Conference of State Bank Supervisors (CSBS) updated R-SAT 2.0 (Ransomware Self-Assessment Tool).

Brian Brannon, VP of Security Product Strategy, and James Minstretta, Endpoint Security Engineer, doing a live demo of Azure vulnerability settings.

Security and Vulnerability Management

Brian Brannon, VP of Security Product Strategy, addressed the critical topic of vulnerability management. He explained the proactive strategy of identifying, assessing, and mitigating network weaknesses, aligning it with the expectations of regulators. The session included a live demo to demonstrate the importance of effective vulnerability management.

Azure Security 101

Our Microsoft 365 Certified Technology DevOps Engineer took a deep dive into Azure fundamentals, including Entra ID, M365, and Resource Subscriptions. He explored how to mitigate risks using Conditional Access Policies, enabling multi-factor authentication (MFA), limiting geographic locations, and more. The session included interactive labs of the Entra ID Admin Center, SharePoint Online, and OneDrive to allow attendees to explore logs, manage settings, and review reports firsthand.

Panel Discussion on Regulatory Changes

The conference concluded with a panel of auditors and regulatory compliance specialists, who discussed topics such as the increasing importance of cyber insurance, the impact of AI on exams and audits, and third-party risk management. Attendees had the opportunity to ask questions and engage with experts on these vital topics.

Safe Systems’ former VP of Compliance Services Tom Hinkel hosting a panel of compliance experts that included Senior Compliance Specialist Paige Hembree (Safe Systems), Financial and Information Security Auditor Matthew Jones (Symphona), Wipfli’s Senior Manager Jim Rumpf, and Director for Supervision Kevin Vaughn (Georgia Department of Banking and Finance)

NetConnect 2023 offered a comprehensive overview of the current state and future prospects of banking technology and regulatory compliance. The industry continues to evolve, and staying informed and adaptable is key to success in this ever-changing landscape. Safe Systems remains committed to supporting financial institutions on their journey, as demonstrated by our 30 years of excellence and our forward-looking approach to technology and compliance.

30 Nov 2023
Important Industry Insights on the Use of Anti-Malware and Advanced Features for Ransomware Protection

According to the IC3 2022 Internet Crime Report, the FBI received 2,385 complaints identified as ransomware with adjusted losses of more than $34.3 million. Moreover, 870 of these complaints indicated that organizations belonging to a critical infrastructure sector, such as financial services, were victims of a ransomware attack. This makes it imperative for banks and credit unions to employ a variety of measures to protect themselves against the growing threat of ransomware attacks. Yet many financial institutions that are leveraging anti-malware solutions are not using advanced features that can help protect against ransomware threats. According to Safe Systems’ 2023 Cybersecurity Outlook for Community Banks and Credit Unions, advanced features of anti-malware/anti-ransomware solutions such as root cause analysis, advanced machine learning algorithms, and sandbox analysis were each selected by 12% or fewer of the survey participants.

With advanced features, financial institutions can more effectively monitor security threats on endpoints and ascertain the source and extent of an attack. Institutions that want to enhance their ability to detect and respond to threats might consider expanding their cybersecurity budget to increase spending on advanced anti-malware and endpoint protection features.

Recovery Strategies

As part of their recovery strategies, more than one-third of 144 survey respondents say they have implemented notification measures, including notifications to customers, regulators, and applicable insurance carriers. This is critical given the recently finalized interagency Computer-Security Incident Notification Rule. It requires banking organizations to notify their primary federal regulator about any significant “computer-security incident” as soon as possible after a cyber incident happens. (A computer-security incident, as defined by the rule, is an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.) Nearly 30% also leverage other important recovery strategies such as monitoring for the early detection of potential incidents and eliminating intruder access points.

Other Key Security Issues

In addition to shedding light on how institutions use advanced features for anti-malware/anti-ransomware solutions, our comprehensive survey highlights several other security issues, including Microsoft 365 services, email infrastructure, advanced firewall features, vulnerability and patch management, and more. Banks and credit unions must effectively address all of these areas to stay ahead of the constantly evolving cybersecurity landscape.

Download a copy of our latest white paper to read the complete survey findings, which can provide a deeper understanding of current cybersecurity concerns and best practices to enhance your institution’s security posture.

16 Nov 2023
What You Need to Know from the 2023 Cybersecurity Outlook for Community Banks and Credit Unions

As cyber threats become more complex, aggressive, and prevalent, implementing cybersecurity mitigation strategies is becoming more critical in the financial services sector. Not surprisingly, cyber preparedness and budget restraints are the top security challenges for more than half of the financial institutions that responded to the Safe Systems survey, 2023 Cybersecurity Outlook for Community Banks and Credit Unions.

Our analysis presents input from approximately 160 participants who responded to 55 questions (including multiple-choice) based on how relevant each query was to their organization.* In addition to focusing on the top security challenges, the survey highlights respondents’ input on several other critical areas, including:

  • Prevention and Detection Security Layers: Modern operating environments require a more robust security strategy that goes beyond implementing a basic firewall or anti-malware solution to protect their information and infrastructure from the growing number of cyber threats. Survey respondents are implementing multiple security layers, including firewall, patch management, anti-malware, email encryption, employee training and testing, vulnerability monitoring, and security log monitoring. However, less than 50% of all respondents use every security layer listed in the survey, which indicates they can do more to protect themselves against cyberattacks.
  • Employee Security Awareness Training and Testing: 95% of all cybersecurity issues can be linked to mistakes made by individuals, with 43% of breaches attributed to insider threats, according to the 2022 Global Risk Report by the World Economic Forum, making employee security awareness training and testing critical for financial institutions. Accordingly, survey respondents are deploying multiple types of security training, including simulated phishing attacks, self-service online training and exercises, interactive classroom training, and more. Of the 144 participants responding to this question, 60% indicate they conduct individual training based on need, which is notable because this method of instruction normally requires more time and resources.
  • Advanced Firewall Features: A majority of the participants responding to this question indicate that they are using one or more advanced firewall (or next-gen firewall) features, such as intrusion prevention or detection systems (IPS/IDS), transport layer security (TLS)/secure sockets layer (SSL) inspection, and Geo-IP filtering. Whether managed in-house or through an outside provider, these expanded capabilities can help institutions protect their network and institution against a broad array of threats. Sandboxing, for example, provides a safe, isolated environment to execute and observe potentially malicious code from unverified programs, files, suppliers, users, or websites. Out of 135 respondents, only 24% indicate they have sandboxing despite its ability to identify threats.
  • Cybersecurity Preparedness: Examiners recognize the increasing volume and sophistication of cyber threats and have an increased focus on cybersecurity preparedness in assessing the effectiveness of an institution’s overall information security program. Out of 128 respondents, 52% confirm that the focus on information security, including cybersecurity, has increased during their IT audits and exams. IT examiners and auditors are also reviewing whether institutions have completed any of the common cybersecurity assessments (e.g., CAT, ACET, or CRI/NIST), and they are using them to evaluate institutions’ security posture during an exam. According to the same respondents, 43% say they had their cybersecurity assessment reviewed and used as part of their latest IT exam, and 39% indicate that they received recommendations based on it.

To access the complete survey and gain valuable peer-to-peer insights that can help your institution enhance its cybersecurity decision-making process, read “2023 Cybersecurity Outlook for Community Banks and Credit Unions”.

* The number of respondents varies per question. For multiple-choice questions, the Percent (Respondents) is calculated by dividing each answer count by the total unique respondents, and the Percent (Answers) is calculated by dividing each answer count by the total counts collected.

12 Oct 2023
Updated Regulatory Guidelines on Third-Party Risk Management

Earlier this year, federal bank regulatory agencies released new guidance designed to help banking organizations better manage risks related to third-party relationships. These latest guidelines, issued by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC), have broad implications for virtually all financial institutions that employ third parties.

Fostering Safe and Sound Practices

The updated guidance offers more streamlined language and clarification to help institutions better identify and reduce risks relating to using third parties like vendors, suppliers, partners, contractors, and service providers—including financial technology companies. It covers risk management practices for the stages in the life cycle of third-party relationships: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination. The underlying impetus of regulatory agencies is to ensure that institutions have an effective third-party risk management process that supports safe and sound banking practices.

While the new guidance was just finalized in June, examiners are already increasing their questions and expectations regarding third-party risk management. Financial institutions should take proactive steps as soon as possible to address any potential issues. For example, they should broaden their consideration of what constitutes a “business arrangement.” The guidelines indicate that a third-party relationship may exist regardless of whether there is a formal contract or an exchange of compensation. Hence, institutions should be as inclusive as possible by factoring all business arrangements—no matter how insignificant—into their third-party risk management practices.

Important Areas to Consider

The current guidance encompasses a plethora of “statements”—more than 160 of them—that cover a variety of requirements, suggestions, and best practices. Almost 70% of the statements relate to how banking organizations should handle the planning, due diligence, and contract phases. Since these areas involve the pre-engagement stage, institutions need to place more emphasis on scrutinizing potential third parties because auditors and examiners will be looking more closely at what happens prior to engagement. The scrutiny should start at the early phase when bank management begins to consider a project, initiative, or even a concept.

Financial institutions also need to understand the strategic basis or purpose of a proposed business arrangement. They should identify and assess the benefits and risks associated with the arrangement and then verify that they align with their strategic objectives. They also must consider other crucial areas, including the institution’s ability to manage and oversee the relationship, the legal and regulatory compliance implications of the relationship, along with the third party’s financial condition, business experience, expertise of key personnel, and operational resilience. Additionally, institutions need to be cognizant of how third parties are managing their own subcontractors, which could ultimately impact the delivery of their services.

However, not all of the 160-plus statements in the new guidance apply to all institutions or all relationships, and some seem unattainable or overly burdensome. Institutions should identify the ones that are the most relevant and feasible and then prioritize their efforts accordingly.

In a joint press release in June, the Federal Reserve Board, FDIC, and OCC said they “plan to engage with community banks immediately and develop additional resources in the near future to assist them in managing relevant third-party risks.” In the meantime, institutions can download interactive checklists we designed to walk them through key regulatory requirements of the third-party relationship life cycle.

To learn more about how the revised guidelines may affect your financial institution, access our webinar on “New Third-Party Risk Managers Guidance.”

06 Oct 2023
2024 Budgeting for Technology and Cybersecurity in Community Banks and Credit Unions

In the modern banking landscape, technology and cybersecurity are not just optional extras but fundamental necessities. For community financial institutions—which often operate with more limited resources than their larger counterparts—budgeting wisely in these areas is critical. Failure to properly invest could not only compromise efficiency and customer service but also expose institutions to potentially devastating cyber threats.

There are three categories that community banks and credit unions should consider when allocating budgets: cybersecurity, compliance along with its associated regulatory technology (RegTech), and general technology. Here are important considerations for each of these areas:

Cybersecurity

Cyber threats are ever-evolving, and no financial institutions are immune. Measures such as firewalls, encryption, and intrusion detection systems are basic requirements. Financial institutions also need to go further by investing in regular security audits and employee training. In today’s threat landscape, allocating a sufficient budget for cybersecurity measures is non-negotiable.

The best technology and cybersecurity measures are only as good as the people who use them. Community banks and credit unions should set aside funds for regular training programs to ensure staff are up to date with the latest technologies and security protocols. There are some great tools available that provide training and testing and run phishing simulations to see which employees may be your weakest links.

The odds are that at this point, your institution has an account in Microsoft’s cloud solution, Azure. OneDrive, Exchange Online, and many other Microsoft solutions are connected to Azure and may even be part of your Microsoft license. It is important to review the Azure tenant or management console to ensure you, and not Microsoft, are dictating your security settings. You can accomplish this in various ways, including implementing conditional access policies (CAPs), which is the buzzword of 2023. If you are not using CAPs, you should immediately find out how to implement them and identify which ones are critical to your security. Also, Azure is a cloud-based management console, so if it is compromised, the ramifications can be detrimental. Monitoring key reports, accounts, and settings is critical for the long-term security of your institution.

Below are some real-life events and numbers that illustrate just how critical this type of management can be. (We discovered these events last year in our review of a small number of community financial institutions.)

Event                                                                      Number of times
Successful sign-in from outside the US                                                 674
Sign-in from outside the US (valid password but MFA failed)                             37
Mailbox settings changed (access to email, send on behalf of, forwarding)            1,970
OneDrive files shared externally                                                       708
Administrative roles assigned to a user                                              1,607
Large number of failed sign-in attempts for a user                                  11,116

While some of the numbers above represent actual intentional changes, the sheer volume indicates that a large number of these events are not approved or intended actions made by the institution. Obviously, criminals are targeting these accounts. Hence, there is no option but to be proactive in monitoring and managing the security of your account with the appropriate settings, reports, alerts, and management. Also, note the multifactor authentication (MFA) stat: it occurred only 37 times, but each of those was a case where MFA was the difference between protection and compromise. This underscores the urgent need to implement and maintain MFA.
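As an added illustration (not Safe Systems’ code, and not a real Microsoft 365 export), the script below sorts constructed sign-in and audit events into the event categories from the table above, so that a review of key reports can be automated rather than done by eye. The field names, the home country, the failed-sign-in threshold and the operation names are assumptions and should be mapped to the columns of your own log export.

```python
"""Added example: triage constructed Microsoft 365 sign-in and audit events into
the event categories discussed above.  Field names are constructed and only
loosely modeled on Entra ID sign-in logs and the unified audit log; map them
to the columns of your own export before use."""
from collections import Counter

HOME_COUNTRY = "US"            # assumption: staff sign in only from the US
FAILED_SIGNIN_THRESHOLD = 10   # assumption: what counts as a "large number" of failures

# Operation names that change who can read a mailbox or send from it, who holds
# an admin role, or whether a file left the tenant.  Constructed labels, not an
# exhaustive list of real cmdlet or audit operation names.
MAILBOX_SETTING_OPS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule", "Add-MailboxPermission"}
ROLE_ASSIGNMENT_OPS = {"Add member to role"}
EXTERNAL_SHARE_OPS = {"SharingSet", "AnonymousLinkCreated"}

# Constructed sample sign-in events (not real log data).
SIGNIN_EVENTS = [
    {"user": "alice@bank.example", "country": "US", "password_ok": True,  "mfa": "satisfied",    "result": "success"},
    {"user": "alice@bank.example", "country": "NG", "password_ok": True,  "mfa": "failed",       "result": "failure"},
    {"user": "bob@bank.example",   "country": "RU", "password_ok": True,  "mfa": "not_required", "result": "success"},
    {"user": "dave@bank.example",  "country": "US", "password_ok": False, "mfa": "n/a",          "result": "failure"},
] + [
    {"user": "carol@bank.example", "country": "BR", "password_ok": False, "mfa": "n/a", "result": "failure"}
    for _ in range(12)  # a burst of wrong passwords against one account
]

# Constructed sample audit events (not real log data).
AUDIT_EVENTS = [
    {"actor": "admin@bank.example", "operation": "Set-Mailbox",
     "target": "alice@bank.example", "detail": "ForwardingSmtpAddress set to external address"},
    {"actor": "alice@bank.example", "operation": "SharingSet",
     "target": "Q3-loan-pipeline.xlsx", "external": True},
    {"actor": "alice@bank.example", "operation": "SharingSet",
     "target": "lunch-menu.docx", "external": False},
    {"actor": "admin@bank.example", "operation": "Add member to role",
     "target": "bob@bank.example", "detail": "Global Administrator"},
]


def triage_signins(events):
    """Return (category counts, human-readable findings) for sign-in events."""
    counts, findings, failures = Counter(), [], Counter()
    for e in events:
        outside = e["country"] != HOME_COUNTRY
        if e["result"] == "success" and outside:
            counts["successful_signin_outside_home"] += 1
            findings.append(f"{e['user']}: successful sign-in from {e['country']}")
        # Correct password but MFA not passed: the password is already known to
        # someone else and MFA was the only control that held.
        if outside and e["password_ok"] and e["mfa"] == "failed":
            counts["valid_password_mfa_failed"] += 1
            findings.append(f"{e['user']}: password accepted from {e['country']} but MFA failed; "
                            "reset the password and review MFA registration")
        if e["result"] == "failure":
            failures[e["user"]] += 1
    for user, n in failures.items():
        if n >= FAILED_SIGNIN_THRESHOLD:
            counts["large_failed_signin_count"] += 1
            findings.append(f"{user}: {n} failed sign-ins")
    return counts, findings


def triage_audit(events):
    """Return (category counts, findings) for mailbox, sharing and role changes."""
    counts, findings = Counter(), []
    for e in events:
        op = e["operation"]
        if op in MAILBOX_SETTING_OPS:
            counts["mailbox_settings_changed"] += 1
            findings.append(f"{e['actor']} changed mailbox {e['target']}: {e.get('detail', op)}")
        elif op in EXTERNAL_SHARE_OPS and e.get("external"):
            counts["file_shared_externally"] += 1
            findings.append(f"{e['actor']} shared {e['target']} outside the tenant")
        elif op in ROLE_ASSIGNMENT_OPS:
            counts["admin_role_assigned"] += 1
            findings.append(f"{e['actor']} assigned {e.get('detail', 'a role')} to {e['target']}")
    return counts, findings


def summarize(signins=SIGNIN_EVENTS, audits=AUDIT_EVENTS):
    """Combine both triages into one report: a counts dict and a findings list."""
    s_counts, s_findings = triage_signins(signins)
    a_counts, a_findings = triage_audit(audits)
    return dict(s_counts + a_counts), s_findings + a_findings


if __name__ == "__main__":
    counts, findings = summarize()
    for category, n in sorted(counts.items()):
        print(f"{category:35s} {n:5d}")
    for line in findings:
        print(" -", line)
```

Each finding names the account or object involved, which is what the ISO needs to confirm whether the event was an approved change or something to escalate.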

Lastly, evaluate your firewalls. At this point, a next-generation firewall (NGFW) is a must. According to Gartner, NGFWs are firewalls that have moved past just port/protocol inspection and have added application-level inspection. Advanced firewalls also have integrated intrusion prevention built into the solution, along with the ability to bring in intelligence from outside the firewall. A prime example of this is the FS-ISAC intelligence feed. Other advanced features may include sandboxing and SSL inspection, which further improve your cybersecurity posture. If you have an older firewall not based on NGFW, you simply may not have all of the features you need to effectively protect your network.

Compliance and RegTech

Regulatory requirements are becoming increasingly complex, and failing to meet them can affect both the institution and the people in charge of managing these risks. Investing in RegTech can automate and streamline compliance processes, making it easier for community banks and credit unions to adhere to pertinent laws.

These investments may take the form of a virtual information security officer (VISO) service, which has become extremely popular lately. The workload and expectations of an ISO have intensified in recent years. Many community financial institutions are looking for a virtual solution to augment the ISO responsibilities and processes. A benefit of VISO services is they provide continuity if and/or when there is a personnel change in this critical position inside the institution.

In June of 2023, regulatory agencies released new guidance for managing third-party risk, formerly (and still often) referred to as vendor management. Expect 2024 to be a year when the agencies expect these guidelines to be implemented at financial institutions. If you manage your vendor management/third-party risk management in-house, you could have some work to do to implement these changes. It may be time to consider an application to manage these ever-changing requirements for you. If you already use an application to manage third-party risks, be sure the needed changes have been updated and you are trained on how to use them.

General Technology

A key focus for technology today concerns what to move to the Cloud and when. Moving infrastructure to the Cloud is often a trade-off between operational versus capital expenditures as well as the benefits versus the perceived risks of the Cloud. Moving servers to the Cloud in 2024 will make sense for a lot of institutions. However, it is more likely that many institutions will receive their solutions via a cloud service provider. Most services and applications vendors have found it easier to manage the server themselves and offer the solution through the Cloud rather than have it installed on different hardware across their customer base. Expect this consolidation and movement to cloud-based solutions to continue and budget accordingly. If the vendor is transferring responsibility from you and your employees to themselves by hosting the service, expect the licensing or price to increase. Even if the licensing cost goes up, you may still gain a net benefit as you no longer have to maintain, upgrade, and manage hardware.

Another technology to consider moving to the Cloud is disaster recovery. Very few on-premises solutions provide redundancy, fast recovery times, and minimal management and ownership overhead all at once, which is why cloud-based disaster recovery is an excellent option. A fully managed cloud recovery process can significantly shorten your recovery time objectives and remove a lot of duplicated hardware. If your disaster recovery solution isn’t in the Cloud, or if you are not convinced that what you have in place is as robust as you need it to be, consider the Cloud as a viable alternative.

Conclusion

Budgeting for technology and cybersecurity is a complex task that requires a keen understanding of current needs, future trends, and emerging threats. By allocating resources wisely across these critical areas, community banks and credit unions can secure their operations, enhance customer experience, and stay ahead in a competitive marketplace.

17 Aug 2023
The Advantages of Attending User Conferences for Banking Professionals

User conferences are dynamic events that community banks and credit unions can leverage to connect with industry experts and like-minded peers in an enriching environment. They provide a great opportunity for banking professionals to interact face-to-face with vendors; share ideas and experiences; and address their concerns about technology products, compliance, and other important industry issues. And unlike traditional industry tradeshows that are mainly designed to attract new business, user conferences have a broader purpose that translates into a host of benefits for attendees, including:

  • Training and education — User conferences provide access to valuable information that can help attendees keep up with the growing complexity of the financial services industry and technology. Participants can receive on-the-spot training through software demonstrations that allow them to see products in action. They can also enhance their knowledge through informative workshops, topic-based roundtable discussions, and other educational sessions. This allows them to learn from industry and subject-matter experts that can answer their questions, share insights, and impart best practices. This type of focused, in-person learning can make it easier for attendees to stay up to date with the latest technological advancements and other developments impacting their industry.
  • Networking opportunities — As another benefit, user conferences offer invaluable networking opportunities. Attendees can connect with their vendor’s team, ask specific questions, and learn better ways to use their products and services. They may even discover new tools for addressing some of the current challenges they are encountering. User conferences can also spark helpful interactions between colleagues who are using the same products; they can share strategies and best practices based on their respective experiences.
  • Relationship building — The personal connections that happen at user conferences can help reinforce the relationships that attendees have with their vendors. These events offer banking professionals a unique opportunity to learn more about the companies, products, and people they rely on to support their organization. For instance, participants can discuss the capabilities of software products directly with the people who built them and meet face-to-face with support staff they normally speak to on the phone.
  • Inspiration — While people often learn about their software products virtually, in-person user conferences provide a much more engaging—and inspirational—alternative. Connecting with industry peers and vendors’ staff outside the daily office routine can stimulate creativity. The live interactions that unfold at conference events generate energy, excitement, and enthusiasm that can send participants home full of fresh ideas.

Meeting Regulatory Expectations

However, the incentive to take part in user conferences goes beyond the practical benefits; it is expected by regulators. Examiners are increasingly placing more focus on how financial institutions manage their vendors, including capitalizing on the influence of user groups. For example, the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook’s Outsourcing Technology Services booklet states: “User groups are another mechanism financial institutions can use to monitor and influence their service provider. User groups can participate and influence service provider testing (i.e., security, disaster recovery, and systems) as well as promote client issues. Independent user groups can monitor and influence a service provider better than its individual clients.”

In addition, the FFIEC expects employees of financial institutions to engage in ongoing education that maintains their technical expertise in order to stay in compliance.

NetConnect™ User Conference

Safe Systems’ National Customer User Conference, NetConnect, creates the ideal setting for banking professionals and vendors to come together with their peers. This year’s NetConnect will take place in Alpharetta, Ga., just a few miles from our Georgia headquarters, on November 7-8, with a pre-conference training day on November 6.

NetConnect will bring together Safe Systems’ employees, customers, and strategic partners to exchange ideas and learn about the latest technology, compliance, and security trends in community banking. Each year, we hear positive feedback about the event from conference attendees.

Instructors were good about not letting folks get behind. A lot of ground covered in a day.
Instructors were top notch.
It says a lot to me that the entire conference content came directly from within Safe Systems, and they all did a great job too!
A great time. I learned a lot and enjoyed myself while doing it.
The networking and social experience is top notch.
This conference is on my MUST ATTEND list!

So, whether you are a long-time or relatively new customer of Safe Systems, visit our NetConnect website to learn more about this year’s conference and how it can help you get educated, motivated, and up-to-date with the latest industry and technology trends.

02 Jun 2023
The Virtual ISO: Best Practices for Maximum Effectiveness

The concept of a virtual information security officer (VISO) has been gaining more traction with regulators and financial institutions. In the past, regulators have said very little about institutions using a virtual ISO. But recently, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and Federal Reserve System have expressed at least conditional approval of the idea. They indicated that virtual ISOs can be a viable option—as long as their activities are subject to the same oversight requirements as in-house ISOs.

These regulators caution financial institutions to be careful when considering the risks and benefits of using a virtual ISO. They advise institutions to do their due diligence prior to choosing an external ISO partner, just as they would before selecting any other key vendor or critical service provider. These and other best practices can help institutions strategically leverage a third-party solution to maximize the effectiveness of the virtual ISO role for their organization.

Approaches to Implementation

There are three broad approaches to implementing a virtual ISO solution: do-it-yourself (DIY), hybrid, and off-load. These models come with specific benefits and responsibilities that institutions should carefully consider. Here is a summary of each approach:

  • DIY: This model typically provides some apps, tools, checklists, templates, and other pre-packaged components that allow institutions to fill in the blanks. One-on-one consultation with a human would be relatively limited and likely provided for an extra charge.
  • Hybrid: This approach often includes a complete set of tools: apps, templates, pre-configured reports, and sometimes pre-configured policies. Some consultation is also provided, which makes this model better suited to institutions that require a higher level of support.
  • Off-load: With this model, the virtual ISO vendor does most of the heavy lifting, providing extensive consultation, on-demand reporting, and other ISO requirements. However, as is the case with the hybrid model, the financial institution remains responsible for understanding and approving all actions taken by the vendor on behalf of the institution.

Our Virtual ISO Model

At Safe Systems, we offer a hybrid virtual ISO model—ISOversight™—that supports regulatory guidance on the ISO’s role as prescribed by the Federal Financial Institutions Examination Council (FFIEC). Our model is a moderately priced, middle-ground solution that is ideal for community banks and credit unions with limited internal resources. It combines a suite of integrated compliance apps with a dedicated lead consultant, allowing institutions to benefit from the expertise of our entire compliance department. What’s more, ISOversight provides institutions with a more objective, arm’s-length perspective on information security. The FFIEC Management Handbook states that “To ensure independence, the CISO/ISO should report directly to the board, a board committee, or senior management and not IT operations management.” Having these two critical roles formally separated makes it easier for the network administrator to be in more of a support function for any resident or virtual ISO, which can minimize audit or exam findings related to a possible “conflict of interest” or “concentration (or separation) of duties.”

Although the apps are useful tools that assist institutions with day-to-day tasks, the key to ISOversight’s effectiveness is the consultative and advisory piece provided by the ISOversight lead consultant. Our consultants are all information security subject matter experts with decades of experience. We know what tasks need to be completed, with what frequency, and by what groups or individuals. We hold regular touchpoint meetings with the ISO, and often the network administrator and other third-party consultants, to ensure institutions stay on track. After each touchpoint, we also provide a comprehensive point-in-time summary report on the current status of their information security processes that the ISO can then present to the steering committee and the Board.

In addition, our consultants will often engage with clients as they prepare for and respond to an audit or exam, but it’s not unusual for us to consult directly with the auditor and examiner during the engagement. We encourage this, as it helps ensure the FI is providing auditors and examiners with exactly what they are requesting (no more and no less), which avoids unnecessary confusion, possible issue escalation, and over (or under) commitment by management. In addition to the advisory piece, the ISOversight apps keep things organized, making it easier for customers to manage their policies and procedures and all the associated documentation, and provide customizable email alerts when tasks come due.

To date, we have found that ISOversight has proven to be a great fit for many institutions and for many different reasons. For example, it is extremely helpful in situations where the IT administrator or ISO has recently left or has transitioned to a new role. Another good application for the virtual ISO role is when the size and complexity of the institution make the day-to-day information security responsibilities too burdensome, or when the institution just wants to free the existing admin or ISO from the uncertainty of the rapidly evolving regulatory landscape.

Whether it’s third-party risk management, business continuity management, cybersecurity, or strategic planning, guidance is clear that ISOs have very specific responsibilities and should be held accountable for their completion. ISOversight ensures that all tasks the ISO is responsible for are addressed in a timely manner, that all current regulatory guidelines and best practices are met, and, just as importantly, that on-demand, stakeholder-specific documentation is available to confirm all related activities. Ultimately, selecting the right virtual model and the right vendor can often translate into “cleaner” audits and exams, resulting in a less stressful, more productive staff, a more compliant and more secure environment, and a better-informed management team.

To learn more about this topic, listen to our webinar on “The Virtual ISO: Best Practices for Maximum Effectiveness.”

11 May 2023
The Importance of Effective Third-party Management

As financial institutions increasingly rely on outsourced providers, third-party management is becoming a more critical aspect of managing risk. Institutions depend on third-party providers for a variety of essential services, including technology, operations, and marketing. And while these entities offer significant benefits, such as cost savings and improved efficiency, they also pose a substantial risk. We often refer to this as “inherited” risk, as institutions will inherit the residual risk of the third party. If not properly identified, measured, and addressed, inherited risk can expose financial institutions to threats such as regulatory non-compliance, operational downtime, and reputational damage. However, institutions can successfully mitigate many of these risks by ensuring that they thoroughly vet outside providers prior to engagement, properly structure contracts, and employ ongoing monitoring and reporting.

Key Elements

The Federal Financial Institutions Examination Council (FFIEC) has issued guidelines for managing vendor relationships effectively. These standards emphasize the importance of several key elements, including:

  • Due diligence: Financial institutions must evaluate vendors’ financial stability, reputation, and regulatory compliance prior to engagement. This includes assessing vendors’ security controls, data protection policies, and disaster recovery plans.
  • Contract management: Vendor agreements should clearly outline the scope of work, deliverables, and performance metrics. They should also include provisions for termination, dispute resolution, data disposal, and indemnification.
  • Ongoing monitoring: Financial institutions must regularly monitor their third parties to ensure that they continue to meet contractual obligations and regulatory requirements. This includes periodic risk assessments, reviewing vendor reports, and could even include conducting on-site visits.
  • Risk assessment: Institutions should assess the level of risk associated with each vendor relationship based on the services provided, the vendor’s access to sensitive data, and the potential impact of vendor failure. Doing so can help financial institutions allocate resources more effectively to minimize potential risks.
  • Board and management oversight: Third-party management should be an ongoing topic of discussion at the board and management levels. This includes not only approving policies and procedures, but also reviewing risk assessments and monitoring reports, and making decisions about initiatives that require new vendor relationships.

Common Misconception

Risk management requires first identifying the risk’s source before it can be measured and mitigated. To accomplish this, it’s important to separate the risks of the underlying initiative from the risks of the third party that supports the initiative. With the possible exception of reputation risk, most of the risks surrounding the evaluation and implementation of a new initiative are associated with the initiative itself, not the third party. Simply put, if the strategic, operational, and regulatory risks would be present in the initiative regardless of the third party selected, they do not belong to the third party; they belong to the initiative or project. We’ve found this to be a fairly common misconception, even among auditors and examiners.

Effective Solutions

Once the risk source is confirmed as associated with the third party as opposed to the initiative, institutions must create a protocol for what risks to assess and how to assess them (the inherent risk), what specific controls to implement, and the effectiveness of those controls assuming they will be correctly implemented and operate effectively (the residual risk). This is where an app can significantly help standardize and streamline the process. An automated third-party risk management program will identify and assign specific controls according to the specific risks and risk levels identified.

With the increased focus on third-party risk management, more banks and credit unions are finding that auditors and examiners expect institutions to not just identify appropriate controls, but to actually request, receive, and review them. This applies particularly to key control documents such as contracts, financial statements, and audit reports, including System and Organization Controls (SOC) reports. However, knowing what to look for (and where to look) in these documents can be challenging. Partnering with a third-party service to assist you can provide a second set of eyes and additional expertise to ensure that these documents are supplying the necessary controls.

Other key features to look for in an effective third-party risk management program include the ability to assign one or more vendor managers, email reminders when tasks are due or overdue, automatic Office of Foreign Assets Control (OFAC) checks, the ability to easily identify and track complementary user entity controls (CUECs), and the ability to store key vendor documentation and notes. A robust on-demand reporting feature is also important, so that stakeholders can be given timely, accurate updates on the status of your third-party risk management program.

By associating with the right partner, financial institutions can develop a strong third-party risk management program that aligns with guidance, keeps data private and secure, and minimizes the impact of third-party cyber threats. Safe Systems, for example, offers a wide range of vendor management solutions to help institutions ensure regulatory compliance.

20 Apr 2023
Best Practices for a Successful ISO Transition

It can be challenging for financial institutions to lose an information security officer (ISO)—particularly for smaller community banks and credit unions. Since ISOs have broad responsibilities relating to data security and other vital areas¹, they play a critical role within the organization. Therefore, institutions must have a well-defined plan in place to keep an ISO’s transition or departure from adversely affecting their security posture.

There are many reasons an ISO may leave—retirement, a transfer to another role within or outside of the organization, or perhaps an unanticipated health issue. Whatever the circumstance, the reason for departure can significantly impact the transition process. For instance, if the position was vacated due to a planned retirement or staff reorganization, there can be a smooth transfer of duties between the outgoing and incoming ISOs. However, a sudden job change can result in a more complicated process.

There are two main facets of the ISO’s role that are critical to focus on during a transition: access to data and applications, and the continuity of the processes and responsibilities that the position encompasses.

1) Ensuring that access to data and applications is properly revoked, modified, and/or reallocated during an ISO transition is very similar to what happens when an IT Administrator leaves a financial institution. Although the IT and ISO roles (and their respective data access requirements) are different, the steps outlined in this article can help ensure information is protected when either role departs.

2) Some of the key areas of responsibility that must continue during an ISO transition include:

  • Infosec compliance, including regulatory guidance, written policies, written procedures, and documented practices
  • Oversight and coordination of data security efforts, including protecting the privacy and security of sensitive information belonging to the institution and its customers and members
  • Business continuity management and incident response programs, including exercises and tests
  • Third-party risk management (TPRM)
  • Cybersecurity assessments, gap analysis, and action plans
  • Leading steering committee meetings
  • Information security program status updates to the board of directors
  • IT audit and exam preparation, participation, and response

Planning Ahead

There are a number of strategies institutions can proactively implement to make an ISO’s job transition as successful as possible. A primary step to take is succession planning. This should be considered whether or not an ISO departure is anticipated. Regulators expect institutions to have a formal succession plan for all key leadership positions, and few roles are more critical than the ISO, as failing to maintain infosec continuity can leave an institution exposed and potentially more vulnerable to security issues.

Succession planning is often more problematic for smaller community banking institutions where employees typically wear multiple hats. Regulatory guidance requires that the ISO exist as a separate role within the institution. And while it is easy to designate an ISO successor on paper, an institution with limited staff may not have an employee with the appropriate knowledge, experience, and availability ready to step into the role. In addition, because of the potentially smaller talent pool in the geographic areas that community institutions serve, our experience is that smaller institutions often have difficulty finding good candidates.

However, if a solid succession plan is in place that includes both internal and external resources, the incoming ISO should at least have access to adequate experience and subject matter expertise to seamlessly step into the new role with minimal disruption. In a situation where there is seamless continuity, at least one of the following usually applies:

  1. The employee replacing the ISO has been given sufficient prior notice and preparation, including cross-training and job shadowing.
  2. Ideally, the incoming ISO has gained previous experience at a financial institution of similar size and complexity, or at minimum, managed information security in a regulated environment.
  3. The institution has partnered (or can partner) with a third-party provider to augment the role with a virtual ISO (vISO) solution.

Getting Help to Ensure a Seamless Transition

To be clear, transitioning between ISOs can be challenging whether the institution grooms an internal successor, hires a seasoned outsider, or partners with a third party (or a combination of the three). In all cases, there will be some type of learning curve. Either a promoted employee will need time to build proficiency in the position, or a hired replacement (individual or third-party provider) will need time to get familiar with the institution. Inevitably, the probability of security gaps will increase during this transition period, and IT auditors and examiners know this too. For this reason, employing a third-party provider is often an effective way to maintain infosec continuity during a transition, and ensure that all IT and information security tasks and related activities are completed on time and properly reported to the various stakeholders.

The bottom line: ISO transitions are inherently challenging—and seamless continuation is critical, as they directly impact a financial institution’s audit and exam success as well as its overall security posture. Whether the job change is planned or unexpected, institutions can apply effective succession planning to minimize the disruption. They can also address any deficiencies in their own internal knowledge and expertise by partnering with a third-party provider like Safe Systems. As an example, a bank in South Carolina used Safe Systems’ Virtual ISO service, ISOversight, to support succession planning for its retiring ISO. This resulted in multiple benefits, including an uninterrupted security posture, improved business continuity management, third-party management, and strategic planning.

¹ ISO responsibilities may consist of strategic planning, quality assurance, project management, InfoSec risk assessments, infrastructure and architecture security, end-user computing, and regulatory and legal compliance.

05 Apr 2023
Evolution of Third-party Management

Pending interagency guidance on the management of third-party relationships will significantly alter how financial institutions (FIs) handle risks related to external service providers. The new guidelines will increase the complexity and responsibility of third-party management for banking organizations in the near future. These standards will apply to all financial institutions—including community banks—with third-party relationships.¹

The updated guidance—proposed jointly by the Board of Governors of the Federal Reserve System (the Board), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC)—will consolidate² the agencies’ separate rules into a single common guideline built around the OCC Bulletin 2013-29. The proposed guidance states that “the new framework is based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships.”

Increased Regulatory Expectations

FIs need to consider the key implications of increased regulatory scrutiny in this area, particularly where they expand on current expectations. For instance, regulators will expect them to do more due diligence on the pre-engagement side, which affects the initial selection and contract negotiation process. Institutions will also be held more accountable for understanding and predefining the termination process for outside service providers. This includes considering who owns data, how the data is returned, and how it is disposed of after the relationship with the provider ends.

From a regulatory perspective, third parties represent the biggest single source of noncontrollable risk to a bank or credit union. To a considerable extent, examiners will infer an institution’s overall enterprise risk management maturity from the state of its third-party risk management program. In their words: “A banking organization’s failure to have an effective third-party risk management process that is commensurate with the level of risk, the complexity of third-party relationships, and the organizational structure of the banking organization may be an unsafe or unsound practice.” In addition, they will expect to see sufficient oversight at all levels, from the board to senior management, and ultimately the employees directly overseeing the individual relationships.

Vendor vs. Third Party

It is also critical for FIs to be aware of—and adjust for—the difference between the terms “vendor” and “third party.” While banks have historically used these words interchangeably, it is now clear that institutions will have to remove the term “vendor” from their vocabulary and substitute “third-party” in its place. The proposed guidance uses the term “vendor” only 4 times, while the term “third-party” is used 262 times!

The reason for the change is more than just semantic; it represents a significant shift in how a third party is defined. A third party can be any entity with which the institution has a business relationship, and neither a written contract nor a monetary exchange is necessary to establish a business arrangement. A business relationship can include more obvious arrangements such as referral agreements and professional services providers like law and audit firms, but also less obvious companies such as maintenance, catering, and custodial service companies. Business arrangements have greatly expanded and become more varied and, in some cases, far more complex. FIs should be prepared to expand the scope of their third-party risk management (TPRM) program.

Expansion of Third-Party Risk Assessment

Financial institutions will also need to expand third-party risk management beyond the scope of the Gramm-Leach-Bliley Act (GLBA) to comply with the new guidance. They should broaden their focus beyond non-public information (NPI) to include anything that may not be directly related to customer information, but still needs to remain confidential. This can include strategic plans, unaudited financial statements, HR and shareholder records, and committee meeting minutes. Regardless of the type of information, regulators will expect institutions to manage their risk by accurately assessing all third-party exposure to the storage, transmittal, and processing of information.

While institutions cannot directly control third-party risks, they will need to request and review certain documents—especially from critical parties. A few key third-party documents that institutions should examine prior to engagement³ include contracts, audit reports⁴, and financials. Depending on criticality, FIs may also need to maintain a list of potential alternate providers in case their primary provider fails or cannot complete the terms of their contract. Finally, institution management should be fully aware of any gaps or limitations in third-party contracts, so they can manage any increased residual risk effectively.

Another area likely to draw increased scrutiny is Complementary User Entity Controls (CUECs), which are listed in the SOC report. These are the controls a third party requires you, as its customer, to have in place in order to use its products or services securely. Best practice strongly suggests documenting these CUECs and adhering to them.

Financial institutions that may lack the internal time and/or expertise to review third-party contracts, financials, and SOC reports, can consider adding a solution like Safe Systems’ Vendor Management Document Review. The service enhances the control review process and makes it easier for institutions to meet the increased regulatory expectations for managing third parties. Read more about this topic by accessing our “Evolution of Third Party Management” webinar.

¹ As of this date the NCUA has not indicated that it will be a signatory on this new guidance.

² The Board’s 2013 guidance, the FDIC’s 2008 guidance, the OCC’s 2013 guidance and its 2020 FAQs.

³ Certain documents such as SOC reports may only be made available after a contract is in place.

⁴ Depending on the trust criteria selected, audit reports like the AICPA System and Organization Controls (SOC) 1 and SOC 2 should also include an auditor opinion on the information security and business continuity controls in place at the third party.

07 Feb 2023
Highlights from our Annual Look Back at Regulatory Updates

As 2023 continues to unfold, there are some important regulatory compliance tips, tricks, and trends that financial institutions should review from last year and consider in the future.

Looking Back

Two key issues to revisit from 2022 are the new Computer-Security Incident Notification Rule and updates to the 2018 Cybersecurity Resource Guide for Financial Institutions. The incident notification rule, approved in 2021 by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve System, and Office of the Comptroller of the Currency (OCC), went into full effect in April 2022. Under the rule, banking organizations must notify their primary federal regulator within 36 hours of determining that a computer security incident rises to the level of a notification incident. Anything that could materially disrupt or degrade your critical operations could be classified as a notification incident. Most institutions should have already adjusted the policies and procedures of their incident response plan to comply with the new notification requirements. If they haven’t, they should do so immediately, because this will undoubtedly be an issue in the next examination cycle.

The rule also obligates third parties to report certain events that occur, so financial institutions should cover this issue with new vendors and those renewing contracts. Institutions should ensure that all contracts specify under what conditions third parties must inform them of any incident. Contracts should also identify at least one contact person to notify within the institution if an event occurs.

Late last year, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Resource Guide, which is designed to help financial institutions meet their security control objectives and prepare to respond to cyber incidents. The revised guide features updated references and a list of ransomware-specific resources, which is well warranted given the increasing frequency and complexity of ransomware incidents. The guide now includes eight different cybersecurity assessment tools that institutions may use, along with the “gold-standard” Cybersecurity Assessment Tool (CAT) to combat the evolving threat of ransomware.

Looking Ahead

This year, ransomware will continue to be one of the key areas of focus for financial institutions—as well as auditors and examiners. Institutions should also start thinking of using the term “third-party risk management” instead of “vendor management” to match an impending shift in interagency guidance. The new terminology is more than just semantic; it represents a shift in how the agencies define anyone with whom you interact, including those with or without a contract, and with or without the exchange of compensation. Regulators will be releasing new guidance relating to the issue of third-party relationships and risk management. The stronger emphasis on third-party risk management is significant because it implies a broader and deeper scope of responsibility for institutions in terms of their engagement and oversight processes.

In addition, the guidance will likely propose a six-part, third-party risk management process. The process, for instance, will cover key areas like early planning, selection due diligence, and contract negotiation. It would be wise for institutions to begin contemplating these new expectations and how they will navigate the different aspects of third-party risk management in the future.

Anticipated Trends

There are also some potential trends that financial institutions should be aware of going forward. Based on their actual recommendations or observations, auditors and examiners expect institutions to:

  • Identify tolerances for processing and data recovery times for ransomware events—separately from the standard recovery time objectives (RTOs) established in the business impact analysis.
  • Have a list of forensic experts available to call if they require assistance with cyber events. (Your cyber insurance provider may require you to utilize their associates, so it’s best to check.)
  • Formalize vendor information and ensure their management team is periodically updated about third-party risk management practices.
  • Have project management policies that address steps to request and approve new applications, including licensing, contracts, business justification, integration, and risk assessments.
  • Make provisions for succession planning for IT, which is a key component in the risk management program. (If necessary, smaller institutions might consider outsourcing the IT role to ensure an appropriate succession plan is in place.)

Read more about this topic by accessing our webinar on “Regulatory Tips, Tricks, and Trends—Looking Back and Ahead.” Or contact us for more information about how our compliance services are specially designed to help community banks and credit unions meet their regulatory requirements.

12 Jan 2023
Top Blogs of 2022

Last year, we covered a wide range of blog topics, including ransomware prevention and recovery; business continuity management and disaster recovery; and managing Microsoft Azure and Microsoft 365 settings. In case you missed them, here’s a synopsis of our top blogs of 2022. Reviewing these important issues can help your bank or credit union be better prepared for the challenges—and opportunities—that lie ahead in 2023:

1. Best Practices for Ransomware Prevention and Recovery

Ransomware attacks strike a new target every 14 seconds, disrupting operations, stealing information, and exploiting businesses, according to the Cybersecurity and Infrastructure Security Agency (CISA). However, financial institutions that consistently employ best practices can prevent or bounce back from a ransomware assault. As an optimal strategy for prevention, institutions should identify and address known security gaps that can allow a ransomware infection. Since human error is the primary reason for most security breaches, banks and credit unions should focus on providing ransomware awareness training to help employees identify, respond to, and minimize attacks. They can also limit cybersecurity risk by using intelligent network design and segmentation to restrict ransomware intrusions to only a portion of the network and by having overlapping security solutions to provide layered protection. If a ransomware incident does occur, financial institutions should have pre-defined procedures for response and recovery. Many smaller institutions may lack the expertise internally to implement ongoing best practices for ransomware prevention and recovery, but they can work with an external cybersecurity expert to augment their resources. Read more.

2. Your Guide to Business Continuity Management and Disaster Recovery Planning

It can be challenging for financial institutions to implement successful strategies for business continuity management (BCM) and disaster recovery (DR). But our compilation of key strategies and best practices can facilitate the process. BCM encompasses all aspects of incorporating resilience, incident response, crisis management, vendor management, disaster recovery, and business process continuity, and it is an essential requirement for avoiding and recovering from potential threats. DR—the process of restoring IT infrastructure, data, and third-party systems—should address a variety of events that could negatively impact operations, including natural disasters, cyberattacks, technology failures, and even the unavailability of personnel. For successful disaster recovery, institutions should focus on four important “Rs”: recovery time objective (RTO), recovery point objective (RPO), replication, and recurring testing. In addition, leveraging a comprehensive cloud DR service can enhance redundancy, reliability, uptime, speed, and value. Using a cloud DR solution from an external service provider can give institutions the confidence of knowing their DR plan is being thoroughly tested and will work if a real disaster happens. Read more.

3. Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Microsoft Azure Active Directory (Azure AD) and Microsoft 365 have a distinct ecosystem. Understanding their services and settings is critical for IT administrators to manage security, identity, and compliance within their environment. Institutions can significantly bolster security by implementing some of the basic security settings under the free license level for Azure AD. Adjusting the security default setting, for example, can have a major impact. IT administrators can enable security defaults to enforce non-configurable conditional access policies as well as require multifactor authentication (MFA) registration for all users. IT admins should also review the identity architecture for their institution to ensure all users, devices, and apps connecting to Azure have an identity. Depending on their license level, institutions may be able to modify additional settings, such as allowing global auditing, blocking open collaboration, and restricting outbound email forwarding. Microsoft is constantly revising the features of Azure AD and M365, making it vital for financial institutions to stay on top of their ever-changing ecosystem. Read more to learn how to manage the complexities of customizing your Azure AD and M365 security settings.
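The settings named in the synopsis above (security defaults, tenant-wide auditing, outbound forwarding, open sharing) can be checked in one pass. The following PowerShell script is an added example written for this page, not code from the original post or from Safe Systems; it assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, an account holding Global Reader (audit) or Global Administrator (remediate), and treats the `-TenantName` parameter, the finding table and the SharingCapability check (one reading of “blocking open collaboration”) as constructed for the example.

```powershell
<#
  Audit, and optionally remediate, the baseline Azure AD / M365 settings the
  blog synopsis names: security defaults, unified audit logging, outbound
  mail auto-forwarding and open ("Anyone" link) external sharing.
  Read-only unless -Remediate is supplied.
#>
param(
    # Tenant short name, e.g. "contoso" for contoso.onmicrosoft.com (placeholder for the example)
    [Parameter(Mandatory)] [string] $TenantName,
    [switch] $Remediate
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Control, [string]$Current, [string]$Expected, [bool]$Pass) {
    $findings.Add([pscustomobject]@{ Control = $Control; Current = $Current; Expected = $Expected; Pass = $Pass })
}

# --- 1. Security defaults (free tier): forces MFA registration and blocks legacy authentication ---
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Add-Finding 'SecurityDefaults.IsEnabled' "$($sd.IsEnabled)" 'True' ($sd.IsEnabled -eq $true)
if ($Remediate -and -not $sd.IsEnabled) {
    # This call fails if custom Conditional Access policies exist; those supersede security defaults.
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
}

# --- 2. Unified audit log ("global auditing") ---
Connect-ExchangeOnline -ShowBanner:$false
$audit = Get-AdminAuditLogConfig
Add-Finding 'UnifiedAuditLogIngestionEnabled' "$($audit.UnifiedAuditLogIngestionEnabled)" 'True' `
    ($audit.UnifiedAuditLogIngestionEnabled -eq $true)
if ($Remediate -and -not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# --- 3. Outbound auto-forwarding: the outbound spam policy AND the default remote domain must both block it ---
foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
    $ok = $policy.AutoForwardingMode -eq 'Off'
    Add-Finding "OutboundSpamPolicy[$($policy.Identity)].AutoForwardingMode" "$($policy.AutoForwardingMode)" 'Off' $ok
    if ($Remediate -and -not $ok) {
        Set-HostedOutboundSpamFilterPolicy -Identity $policy.Identity -AutoForwardingMode Off
    }
}
$remote = Get-RemoteDomain Default
Add-Finding 'RemoteDomain[Default].AutoForwardEnabled' "$($remote.AutoForwardEnabled)" 'False' `
    ($remote.AutoForwardEnabled -eq $false)
if ($Remediate -and $remote.AutoForwardEnabled) {
    Set-RemoteDomain Default -AutoForwardEnabled $false
}

# --- 4. Open collaboration: anonymous "Anyone" links are only possible under ExternalUserAndGuestSharing ---
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
$spo = Get-SPOTenant
$sharingOk = "$($spo.SharingCapability)" -ne 'ExternalUserAndGuestSharing'
Add-Finding 'SPOTenant.SharingCapability' "$($spo.SharingCapability)" 'Not ExternalUserAndGuestSharing' $sharingOk
if ($Remediate -and -not $sharingOk) {
    # Keeps authenticated guest sharing but removes anonymous links
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly
}

$findings | Format-Table -AutoSize
# Non-zero exit lets a scheduled job flag drift for the compliance evidence file
if ($findings.Pass -contains $false) { exit 1 }
```

Run it read-only first and keep the output with the rest of your exam evidence; re-run after any licence or Conditional Access change, since those can silently alter what security defaults enforce.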

Read about other important topics on cybersecurity, compliance, and technology. Subscribe now to the Safe Systems blog to have the latest updates on banking trends and regulatory guidance conveniently delivered to your inbox.

07 Dec 2022
Your Guide to Business Continuity Management and Disaster Recovery Planning

Overview

Businesses today encounter an ever-increasing volume of operational threats, so it’s critical for banks and credit unions to have adequate business continuity and disaster recovery (DR) procedures in place. Business continuity management (BCM) entails all aspects of incorporating resilience, incident response, crisis management, vendor management, disaster recovery, and business process continuity—and it can enable an institution to keep operating if a disruption such as a cyberattack, natural disaster, or man-made event occurs.

We understand that BCM and DR planning can be challenging, so this guide provides some key strategies and best practices to help financial institutions execute them successfully.

BCP vs. DR: Key Differences

It is first important to understand the key differences between a business continuity plan (BCP) and a disaster recovery plan, as these two terms are often mistakenly used interchangeably. The Federal Financial Institutions Examination Council (FFIEC) updated its Business Continuity Management IT Examination Handbook a few years ago to expand its focus from “business continuity planning” to “business continuity management.” The BCM process is one in which a financial institution must proactively plan for resiliency to disruptive events and recover from those events. The traditional business continuity plan is now a subset of the overall BCM process and is referred to as the business continuity management plan (BCMP) going forward. The BCMP outlines what needs to happen to ensure that key products and services continue to be delivered in case of a disaster. On the other hand, the DR plan outlines the specific steps for restoring the interdependencies the institution needs in order to return to normal operations after a disaster. The BCMP focuses on the continuation of critical functions, while the DR plan focuses on the restoration and recovery of the specific individual technology and third-party components necessary for those functions.

BCMP: A plan to continue the business operations necessary to ensure key products and services are delivered

DR: A plan for accessing required technology, infrastructure, and third-party components after a disaster

In the previous guidance, business continuity and disaster recovery were closely tied together, but the new guidance defines them as two separate concepts and states that “The business strategy, not technology solutions, should drive resilience.” It places a heavy focus on resilience and states that financial institutions cannot rely on technology alone to ensure resilience. Although technology can help provide resilience and significantly improve your recovery capabilities, in many cases technology is what failed in the first place. Financial institutions must be able to offer products and services to their customers or members regardless of technology or third-party failure, and often that means using manual processes and procedures to do so.

Finally, the latest BCMP guidance provided an important distinction between a “test” and an “exercise.” Simply put, a test focuses on demonstrating the resilience and recovery capabilities of your systems, and an exercise addresses the people, processes, and procedures. For example, where a test may focus on backup and recovery options of systems, data restoration, device replication and rebuild or replacement, an exercise would verify that your staff (and ideally third parties) are aware of and could execute those options effectively. Both exercises and tests are now a requirement, and together they provide a high degree of confidence that your recovery procedures will allow you to meet your pre-determined recovery time objectives (RTOs).

Business Continuity Management Planning

Business continuity management is an essential system for preventing and recovering from potential threats. As a part of the business continuity process, a compliant and successful BCMP should include risk management (business impact analysis and risk/threat assessment); continuity strategies (interdependency resilience, continuity, and recovery); training and testing (exercises); maintenance and improvement; and board reporting.

What CEOs Should Know about BCMP

To adhere to regulatory guidance, it is imperative for institutions to not only comprehend the entire business continuity management program but also employ a broad process-oriented approach that considers technology, business operations, testing, and communication strategies that are necessary for the entire organization—not just the information technology department.

Management should develop BCMPs with sufficient detail appropriate to the institution’s size and complexity. According to FFIEC guidance, “The BCMP should address key business needs and incorporate inputs from all business units.” The institution’s business continuity management program should align with its strategic goals and objectives. In addition, management should consider the entity’s role within and impact on the overall financial services sector when developing the program.

Key Steps to Developing a Compliant BCMP

BCM 10 Steps

To develop a successful, compliant BCMP, it is important to understand and follow the recent, more detailed view of the BCM lifecycle in the FFIEC Business Continuity Management IT Examination Handbook. This approach is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance. Here is a checklist consisting of the required elements of the new approach that may not be incorporated into your current program:

  1. Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?
  2. Does the BIA produce sufficient information to establish the following?
    • Recovery point objectives (RPOs)
    • Recovery time objectives (RTOs) for each business process (prioritized)
    • Maximum tolerable (or allowable) downtime (MTD/MAD)
  3. Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst-case (low probability, high impact) scenarios?
  4. Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?
  5. Do you track and resolve all issues identified during testing exercises and use lessons learned to enhance your program? (Must be documented.)
  6. Does your board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

Tactics for Staying Ahead of Regulators

Although there are several tips, tricks, and tactics to enhance compliance, one of the main tactics financial institutions can apply to stay ahead of regulators is to focus on resilience. Resilience includes the ability to anticipate, prepare for, prevent, and adapt to changing conditions, and to respond to, withstand, and recover rapidly from deliberate attacks, accidents, or naturally occurring threats or incidents. Management should incorporate the concept of resilience into all areas, including their business continuity management process, vendor management program, third-party supply chain management, and information security program. The objective is to implement processes to minimize the possibility of disruption and reduce the impact of such an event if it happens.

Inconsistencies between procedures and practices will often result in exam findings. Mentioning outdated references or older terminology in policies is one of the most common offenses that institutions commit, for instance referencing a business continuity plan (BCP) rather than a business continuity management plan (BCMP). This is a minor mistake, because the term BCP is not necessarily obsolete, but it is not consistent with the most recent guidance and could raise a “red flag” that leads examiners to wonder whether the institution has properly updated its policies, resulting in further scrutiny. A tactic that financial institutions can use to minimize outdated references and other inconsistencies between procedures and practices is to implement automation. Technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends, as well as making it more feasible for them to identify inconsistencies between their policies and procedures.

Disaster Recovery Planning

Disaster recovery—the process of restoring IT infrastructure, data, and third-party systems—should address a broad range of adverse events such as natural disasters, infrastructure failures, technology failures, unavailability of staff, or even cyberattacks. As part of the disaster recovery strategy, management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the business impact analysis. The FFIEC’s Business Continuity Management IT Examination Handbook states:

“Management should develop a coordinated strategy for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software… Disaster recovery should address guidelines for returning operations to a normalized state with minimum disruption.”

What CEOs Should Know about DR

Here are some important DR considerations for CEOs to consider to ensure their institution is taking an effective approach to disaster recovery:

  • Expect the Unexpected: A disaster can strike anytime and in a myriad of ways. Most people think of a disaster as being a situation created by an unexpected weather event, power outage, equipment failure, or cyberattack, but network downtime due to human error is also a common cause of disruption. The need for disaster recovery is a matter of when—not if. Therefore, CEOs should expect some type of disaster to affect their institution.
  • Be Proactive: Not having a sufficient disaster recovery plan in place can have major negative consequences: a loss of data, business functions, clients, and reputation—not to mention time and money. So, bank CEOs must ensure their management team is being preemptive about implementing effective disaster recovery strategies. These strategies should be reflected in the BIA, which can reveal gaps in critical processes that would hinder the institution’s disaster recovery and, in turn, business continuity.
  • Consider Outsourcing: More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyberattacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage, and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient, and cost-effective.

The 4Rs of DR Planning

For effective disaster recovery, there are four important “R’s” that institutions should focus on:

  1. Recovery time objective (RTO) – The longest acceptable length of time that a computer, system, network, or application can be down after a disaster happens. Shorter RTOs require more resources and ongoing expenses. When setting RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints.
  2. Recovery point objective (RPO) – The amount of time between a disaster occurring and a financial institution’s most recent backup. If too long, and too much data is allowed to be lost, it could result in substantial damage. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance.
  3. Replication – An exact copy of an institution’s data to be available and remotely accessible when an adverse event happens. The best practice is to have one backup onsite and another offsite in a different geographic region—somewhere that is not likely to be affected by the same disaster.
  4. Recurring testing – A variety of tests and exercises to verify the ability to quickly resume core business applications during a disaster situation. Thorough testing of a financial institution’s core applications should be done annually — while they are functioning normally — to generate the most meaningful feedback.
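The RTO and RPO definitions above are easier to apply when they are turned into checks against the business impact analysis. The following is an added example, not code from Safe Systems or from the FFIEC handbook: it takes a constructed, hypothetical list of systems with their RTO, RPO, estimated restore duration and last successful backup, flags systems whose backups are already older than their RPO, and sequences restores shortest-RTO-first (earliest-deadline-first) so that any system that cannot meet its RTO is surfaced before a real disaster. The single-restore-stream assumption and all sample values are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class System:
    """One BIA entry for a system that must be restored after a disaster."""
    name: str
    rto: timedelta           # longest tolerable outage
    rpo: timedelta           # maximum tolerable data-loss window
    restore_time: timedelta  # estimated time to restore from backup
    last_backup: datetime    # most recent successful backup


# Constructed sample BIA entries (hypothetical; not from any real institution).
NOW = datetime(2024, 4, 4, 9, 0)
SYSTEMS = [
    System("core-banking", timedelta(hours=4), timedelta(hours=1),
           timedelta(hours=2), NOW - timedelta(minutes=30)),
    System("online-banking", timedelta(hours=8), timedelta(hours=4),
           timedelta(hours=3), NOW - timedelta(hours=6)),
    System("email", timedelta(hours=24), timedelta(hours=12),
           timedelta(hours=1), NOW - timedelta(hours=2)),
    System("file-server", timedelta(hours=12), timedelta(hours=8),
           timedelta(hours=8), NOW - timedelta(hours=1)),
]


def rpo_violations(systems, now):
    """Names of systems whose most recent backup is older than their RPO.

    If a disaster struck at `now`, these systems would lose more data than
    the institution has declared acceptable.
    """
    return [s.name for s in systems if now - s.last_backup > s.rpo]


def restore_schedule(systems, disaster_time):
    """Earliest-deadline-first restore order for a single restore stream.

    Restoring the system with the shortest RTO first is the ordering that
    meets every deadline whenever any ordering can (assumption: one restore
    at a time, all restores can start at `disaster_time`).  Returns a list
    of (name, finish_offset, meets_rto) tuples, where finish_offset is the
    elapsed time from the disaster until that system is back.
    """
    order = sorted(systems, key=lambda s: s.rto)
    elapsed = timedelta(0)
    schedule = []
    for s in order:
        elapsed += s.restore_time
        schedule.append((s.name, elapsed, elapsed <= s.rto))
    return schedule


if __name__ == "__main__":
    print("Systems currently outside their RPO:", rpo_violations(SYSTEMS, NOW))
    for name, finish, ok in restore_schedule(SYSTEMS, NOW):
        status = "meets RTO" if ok else "MISSES RTO"
        print(f"{name:15s} restored after {finish}  {status}")
```

Run against the sample data, the report shows online-banking outside its RPO (backup six hours old against a four-hour objective) and file-server missing its twelve-hour RTO because the two higher-priority restores consume five hours before its eight-hour restore can begin. Both findings are the kind of gap the BIA is meant to reveal before the exercise and test phase, and either is corrected by more frequent backups, faster restore technology, or an adjusted objective.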

Why a Cloud DR Service Is Important

Institutions must have viable DR measures in place, and a comprehensive, cloud-based service is a cost-effective way to accomplish this. With DR in the cloud, institutions are always able to access their data—no matter what type of disaster happens. In addition, a cloud DR service offers a team of third-party experts who are available to advise on DR processes, ensure ongoing backups and regular testing are done in the correct timeframes, and serve as an extension of the staff when a disaster strikes.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. In addition, a cloud DR solution from an outside service provider can give institutions peace of mind from knowing their DR plan is being adequately tested and will work during a real disaster.

Our Solutions

Safe Systems offers a wide range of comprehensive services to help community banks and credit unions support their BCM and DR planning and other efforts. Whether it’s compliance services, such as BCP Blueprint, Vendor Management, or Information Security Program, or technology services, such as Managed Site Recovery, Managed Cloud Services, or CloudInsight, institutions can customize solutions to meet their specific needs and budget.

25 Oct 2022
Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

  • Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
  • Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others.

A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.

  • Updating software — Updates resolve general software issues and provide new security patches where criminals might get in and cause problems. You should update software often, obtain the patch from a known trusted source, and make the updates automatic if available.
  • Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme where criminals use fake emails, social media posts, or direct messages to trick unwitting victims into clicking a bad link or downloading a malicious attachment. The signs can be subtle, but once you suspect a phishing scam, you should report it immediately, and the sender’s address should be blocked.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

  • Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
  • Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
  • NetInsight®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
  • Security Awareness Training: Safe Systems has partnered with KnowBe4, a market leader who is in the business of training employees to make smarter security
  • Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.

20 Oct 2022
Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Our first Customer Success Summer Series offered live webinars with special guest speakers who shared their industry knowledge to help our customers and other financial institutions enhance internal processes and key areas of their banking operations.

The Evolution of Phone Systems

Today businesses are facing the acceleration of remote working—Voice over internet protocol (VoIP), Virtual Private Networks (VPN), virtual meetings, and dynamic routing of phone systems based on the user’s location—all have become must-have requirements. Legacy telephone services are becoming more obsolete as some telecoms decommission analog technologies in favor of fiber pots and other alternatives. The old telephone system is evolving into a more modern option: unified communications as a service (UCaaS), which merges communication channels into a single cloud-based system. UCaaS offers all the necessary infrastructure, applications, and resources businesses need in an easily scalable solution. Unified communications tools can include chat, VoIP, text messaging, and online video conferencing.

UCaaS gives institutions the benefit of advanced functionality which allows employees to work remotely more efficiently, including things like the ability to check other users’ availability, reach people whether they are in the office or out in the field, and access the platform from anywhere. Another evolving facet in telecommunications is call center as a service (CCaaS), which also streamlines omnichannel communication and allows remote employees to work together as a call center team.

Given its flexibility and efficiency, it is easy to see why UCaaS is moving to the forefront of communications. There is a wide range of unified communications features, equipment, and prices and it is important for your institution to clearly define its unique needs to find a solution that will satisfy its requirements. It is also important to continue to evaluate your equipment and services every few years as technology and pricing continue to change.

Watch the recording of this webinar to gain a better understanding of UCaaS and other options so you can make the right choice for your institution.

2 Guys and a Microphone

Matt and Tom have both spent most of their careers focused on risk and regulatory compliance for financial institutions. We recorded their recent conversation which spans many topics including increased scrutiny on vendor management, continued focus on ransomware, and more.

Recent audit and exam trends continue to have a strong focus on third parties and proper vendor management. Examiners are considering the preponderance of fintechs, how much the average financial institution is outsourcing, and the inherent risk that originates from third-party vendors. Interestingly, their increased scrutiny may extend to any significant sub-service vendors that institutions may have. In addition, we are seeing questions arise about vendor management in the context of insurance. Cyber liability insurance applications are requesting more details about the management of vendors and other third parties.

There have also been some interesting audit and exam findings. For instance, one institution was encouraged to complete a post-pandemic/walk-through test or “dry run” of their pandemic procedures. This is curious considering all institutions have been in a “live exercise” for the past few years with the pandemic. Regardless, there is a good chance that the pandemic verbiage in your disaster recovery plan needs to be updated based on what has or has not been done in response to the current pandemic. And it is important to consider that an annual pandemic test will be a part of examiner expectations going forward along with the traditional business continuity, natural disaster, and cyber incident tests.

On the regulatory front, the new Computer-Incident Notification Rule went into effect on April 1, 2022, which is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The rule has two components:

  • The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
  • The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

In March, we hosted an in-depth webinar on understanding the requirements, recognizing gray areas, and preparing for unknowns. To help institutions meet these requirements, we also created a detailed flowchart to understand when an event is severe enough to activate your Incident Response Team (IRT) and when regulators and customers should be notified.

Another regulatory trend to keep your eyes on: the increasing industry-wide focus on ransomware is prompting some state banking regulators to require institutions to use the Ransomware Self-Assessment Tool (R-SAT). The 16-question R-SAT is designed to help institutions evaluate their general cybersecurity preparedness and reduce ransomware risks. The R-SAT supplements the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC). It will be interesting to see if more states begin requiring this additional diagnostic tool.

Watch the recording to hear more insights about INTrex, SOC Reports, and SSAE 21.

08 Sep 2022
What to Budget for in 2023

Marty McFly (the lead character in “Back to the Future”) could not have predicted the world we live in today. Though the movie’s portrayal of flying cars, floating hoverboards, and shoes that lace themselves may have been a little far-fetched, we now have IoT, the Internet of Things. This powerful networking capability connects everything in our lives to a single electronic device that can be held in the palm of our hands. I can open my garage door, adjust the temperature of my house, set my alarm system, and even check the status of the clothes in my dryer—all from my mobile phone. Predictions are always a synthesis of art, science—and uncertainty. None of us truly knows what tomorrow will bring. We just know it will look a little different than it did today. With that in mind, it’s almost budgeting season, so here are my predictions for the top areas your bank or credit union should consider budgeting for in 2023:

1. Compliance Services

Compliance continues to be a strong focus for many community financial institutions. It’s important to be able to evaluate all your policies and programs to see where you may need assistance before your next exam. If you aren’t sure if your policies and programs are keeping up with regulations, you may want to hire a third party to provide an objective perspective. Companies like Safe Systems will often conduct a review as a courtesy or for a nominal fee.

You should also consider investing in these two popular compliance services that have gained traction in recent years:

  • Virtual ISO: There are several service models available, so make sure you find the one that matches your institution’s needs. (Check out our recent webinar that walks you through the pros and cons of three virtual ISO models.) For instance, Safe Systems’ ISOversight service includes a dedicated compliance specialist, along with a suite of online compliance applications to help you develop and manage your vendors, business continuity plan, Cybersecurity Assessment Tool, and information security program.
  • Vendor Management: Your assessment of a vendor should define what controls are needed to effectively mitigate risks posed by each vendor. Some critical or high-risk vendors may require reviewing documents like contracts, financials, or SOC 2 audit reports. Evaluating these documents can feel daunting because it can be time-consuming and understanding each type of document can require a different skill set. Many institutions are offloading the document review process to third-party companies to help them identify the key information in each document and better manage risk.

2. Supply Chain Issues

The supply chain issues that started during the middle of the pandemic have continued through 2022. Servers, switches, firewalls, and other hardware devices are still in limited supply. For 2023, continue to plan and order hardware well in advance of your needs. If you wait until you need it, you may encounter delays. Six months is the current lead time for certain devices. Also, when replacing a workstation in 2023, evaluate whether a laptop or desktop computer would be the best replacement. While laptops introduce some new risks due to their mobility, they also allow flexibility for users. If a laptop will enable an employee to work remotely during a disaster or pandemic, it may be more beneficial to switch to this laptop to optimize your hardware investment.

3. Cloud Security

Cloud security should continue to be top of mind. Although the Cloud offers plenty of advantages, it comes with numerous control settings, management tools, and security options that must be effectively configured and maintained to ensure the highest level of protection. This should be a key area of concern for not only institutions with infrastructure in the Cloud, but also those with M365 licenses—which include Exchange Online, SharePoint, OneDrive—or those using Microsoft Azure Active Directory as an authentication platform through a third-party provider. Too often institutions only think about hosting servers in the Cloud when it comes to cloud security. While moving infrastructure to the Cloud is a current trend, almost all institutions store some information there. Safe Systems has worked with several institutions with assets ranging from $100 million to multi-billion dollars and found that almost all of them had gaps in their cloud security when it comes to their cloud tenants. Some institutions had their email or user accounts compromised while others had the wrong M365 security settings in place, which left the door open to future compromises. Safe Systems’ CloudInsight suite of products includes M365 Security and Utility Basics solutions to detect common risks and help institutions better manage the increasing array of M365 security settings and controls. These reasonably priced options deliver a substantial amount of value, so contact us for a quote to determine if our CloudInsight solution will fit into your budget next year.

4. Cybersecurity

Cybersecurity must stay top of mind for both your institution and its employees. If you do not have a solution to train and test your staff on information security best practices, consider investing in one next year. These are typically not expensive solutions, and they provide exceptional value—as well as critical protection. It is estimated that cyberattacks are 300 times more likely to be targeted against financial services firms than other companies. If that isn’t enough to keep you up at night, then consider that Cybersecurity Ventures expects global cybercrime costs to reach $10.5 trillion annually by 2025—and will be more profitable than the global trade of all major illegal drugs combined. Remember, where the money is, the crooks will follow. Every year you must evaluate your current security layers and decide if they are still effective and if you have enough of them in place.

“If it were measured as a country, then cybercrime—which is thought to have inflicted damages totaling $6 trillion USD globally in 2021—would be the world’s third-largest economy after the U.S. and China.”

Preparing for next year requires you to first evaluate where you are this year. You could decide to simply “rinse and repeat” what you did this year, but that would be a missed opportunity to really understand what is working, what isn’t, and what can be improved. Also, consider your institution’s short- and long-term plans. Sometimes what makes sense today doesn’t make sense when compared to your future plans for growth, increased redundancy, and more. While you can’t predict the future, you can at least ensure your 2023 budget reflects your best guess for where your institution is headed.

05 Aug 2022
The Importance of Succession Planning

The Importance of Succession Planning to IT and Information Security Resiliency

Change can be challenging—especially when it involves the transition of IT management and other key personnel. That’s why it’s imperative for banks and credit unions to be proactive about succession planning.

While regulators expect institutions to have a formal succession plan for key leadership roles, having a strategy for filling critical positions is a matter of practicality. If an IT administrator or information security officer (ISO) is not in place, or not available to complete the tasks, reports, and other responsibilities of these roles, then it could lead to cyberattacks and other security issues. This, in turn, can have dire consequences on a financial institution’s operations, risk-profile compliance, and reputation.

Succession Planning Strategies

Institutions can ensure IT and information security resiliency by having an effective plan for managing the absence of key security-related personnel. Depending on their size, type, and goals, they can adopt any of these approaches to succession planning:

  • Proactively assess internal talent and then orient the most suitable individual to serve as an alternate or backup for various IT admin or ISO responsibilities. The ISO alternate, for instance, should train with the existing ISO, attend ISO oversight meetings, and present appropriate information to executive management and the board. If the ISO leaves, the backup individual should be equipped to assume the role temporarily or even for the long term if necessary. Training a staff member to perform IT or information security duties is not only pragmatic, but it complies with regulatory guidance.
  • Implement an internal committee or team approach to managing IT and information security during a temporary or permanent personnel change. The committee can facilitate the IT and information security program in several ways. It can maintain processes until an outside replacement is installed or support an internal successor who is transitioning into the position. The committee can also provide coaching to keep the replacement from becoming overwhelmed by the complexity and assortment of tasks required.
  • Partner with a trusted third party to obtain the additional expertise needed to meet IT and information security benchmarks. This approach provides an accountability partnership role and a regular framework that clearly defines key responsibilities and streamlines processes. This strategy can ensure institutions have suitable resources to ease the transition of key personnel to enhance IT and information security resiliency.

Leveraging a Virtual ISO

A virtual ISO can be an ideal solution for institutions seeking to enhance IT and information security resiliency. This third-party service can not only support succession planning, but it can also serve as an extension of the internal ISO providing an external layer of oversight and an objective point of view — which allows institutions to approach risk more strategically and proactively.

ISOversight from Safe Systems, for instance, is a complete solution that makes it easier for community banks and credit unions to master information security and compliance online. This virtual ISO solution—which is especially for financial institutions—offers valuable access to applications and resources, cyber risk reporting, and compliance experts. With ISOversight, banks and credit unions can be confident that all their ISO-related requirements are completed on time, documented properly, and reported to the appropriate parties. Learn more about how to enhance your institution’s security posture during tough times. Read our white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

27 Jul 2022
Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

  • BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
  • CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
  • Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
  • Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
  • Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
  • NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
  • Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
  • V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our expert’s core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, all COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

16 Jun 2022
Choosing a Virtual ISO (VISO)

The ISO’s role is becoming increasingly more complex and challenging due to growing cyber security threats, the ever-changing technology environment, and expanding regulatory expectations. It can be difficult for banks and credit unions to stay on top of information security issues. That’s why today even the smallest institutions often engage a trusted third party for help. A virtual information security officer (VISO) service can help institutions effectively manage information security so that nothing gets missed or falls through the cracks.

Common Types of VISO

The most common types of virtual ISO solutions available to institutions are the “do-it-yourself” (DIY), “hybrid,” and “offload” models. The DIY option is designed for institutions that have a solid grasp of the ISO’s job functions and just need some basic tools and limited consultation to enhance their efforts. This model is the least expensive but also requires more of a time commitment from your internal resources. The hybrid model typically includes an assortment of apps, templates, pre-configured reports, and other tools, along with a broader and deeper level of consultation. Resource requirements on the institution’s side are greatly reduced compared to DIY, but typically greater than offload. Accordingly, costs for a hybrid approach fall somewhere between the two other models. The hybrid model also tends to be the most flexible and is designed to evolve with the changing needs of the institution. Finally, the offload approach attempts to provide a “turn-key” solution wherein the virtual ISO partner effectively assumes most or all of the responsibilities of your internal ISO. This approach requires the least involvement from your institution (which could introduce other challenges; see the “Examiner Support” section below), but it is usually also the most expensive. As this model is the most inclusive, the knowledge and experience of the third-party provider are your most important consideration. The offload approach typically includes unlimited consultation, on-demand reporting, participation in committee meetings, etc.

Key Factors to Consider

When choosing a virtual ISO, there are some important aspects to consider to ensure your institution selects the best option. Keep in mind that each virtual ISO model comes with a certain level of flexibility and engagement for a specific price. The key is to carefully balance the service and costs against your specific internal resource gaps to determine the best solution for your situation. Ideally, whatever solution you choose should have the flexibility to dial up or down the level of service, depending on how your situation may change in the future.

Whatever virtual ISO solution you opt for, it should provide documentation and reporting in a form that the various stakeholders can understand. Each one of the many ISO responsibilities has one or more reports or documents that support the requirement to hold the ISO accountable for those responsibilities. The board of directors, the steering committee, the IT auditors, and examiners all have different perspectives and comprehension levels and may require different degrees of detail for the same information. For instance, boards and examiners might require higher-level data, whereas steering committees and IT auditors might require more detailed documentation for their purposes. You should have access to on-demand reporting with relevant, actionable, up-to-date information that matches the level of engagement of the various stakeholder groups.

The regulatory guidance on ISO responsibilities includes terms such as “engaging with” and “working with” management in the individual lines of business to understand the risks of various initiatives. Regulators also expect the ISO to “implement” the information security strategy as defined by the board, and to periodically “inform” the board and senior management on the status of the program. In the case of a virtual ISO, your hybrid or offload third-party partner needs to have an excellent understanding of enterprise-wide strategic objectives, and a good working relationship with management in all lines of business and departments within your organization.

Remember, as with all outsourced activities, even though you can delegate some (or even most) of the heavy lifting to a virtual ISO, you cannot outsource responsibility. Your institution still must maintain a strong oversight effort to ensure that all ISO duties are completed, documented, and reported appropriately. Higher levels of third-party reliance require correspondingly higher levels of oversight. According to the Federal Financial Institutions Examination Council’s Outsourcing Technology Services booklet, you are obligated to oversee all activities, whether you perform them or a third party performs them on your behalf.

Examiner Support

The examiner feedback we have seen to date strongly supports the idea of financial institutions implementing a virtual ISO solution “…as long as it’s done correctly.” That means focusing on all the responsibilities and accountabilities of the role and making sure sufficient documentation and appropriate oversight and reporting are built-in. Doing it correctly also means making sure the in-house ISO is not so detached from the processes and procedures that they cannot authoritatively explain them to a stakeholder, which can be the primary downside of the “offload” model. The decision-making process is the most important concern for regulators. Your solution should allow you to offload enough to make the ISO’s job easier and more organized, but not so much that they become disconnected and lose operational awareness of their current threat and control environment.

In conclusion, choosing the right type of virtual ISO service allows institutions to provide the appropriate level of insight and oversight for their in-house ISO. This can help them to be better equipped to manage information security activities, meet evolving industry standards, and adjust to tightening regulatory requirements, all in an increasing cyber threat environment.

At Safe Systems, we offer a virtual ISO service based on the above-described hybrid model. ISOversight™ is a VISO service that is flexible enough to accommodate the changing needs of community banks and credit unions. The ISOversight service includes a full suite of applications to manage everything from vendors to business continuity, along with all associated information security policies and risk assessments. This is a cost-effective, comprehensive, and flexible solution that makes information security management much more efficient. For more insight about the most common virtual ISO models and how to determine which one may be right for you, view our webinar on “Is a Virtual ISO Right for You?”

09 Jun 2022
Planning for Safety, Soundness, and Resiliency

With the rise in cybercrimes and increased regulatory scrutiny, having a board-approved IT Strategic Plan is often not enough to ensure cyber resiliency. It’s essential for financial institutions to develop a robust IT management and information security infrastructure. The following excerpts from our recent white paper on “Building IT and Information Security Resiliency in Chaotic Times,” show how institutions can strengthen and support these key management roles to make better technology and security decisions, improve visibility, and reduce vulnerability. In addition, institutions can use strategic partners and risk management solutions to bolster resources they already have in place and enhance their overall cyber resilience.

1. Separating ISO Duties

Examiners have a strong interest in the IT administrator and ISO roles, which are interconnected and integral to an institution’s safety and soundness. However, many community banks and credit unions still struggle with meeting the FFIEC requirements for segregating these positions. The importance of separating ISO duties relates to creating additional oversight to verify activities and maintain accountability to management and the board. Separating these functions also helps to build a clear audit trail to ensure risk is being accurately assessed and reported to senior management. While the ISO functions in an oversight capacity over the IT administrator, the ISO also relies heavily on the administrator to share data that can be used to recommend steps to improve the institution’s security posture. Therefore, the IT admin-ISO relationship must also be cooperative to ensure their daily activities support the organization’s policies and procedures.

2. Being Proactive about Succession Planning

Regulators expect financial institutions to have a formal succession plan for the ISO, IT administrator, and other key leadership roles, as indicated by the uptick in exam findings related to this issue. Depending on their size, type, and goals, institutions may employ different approaches for succession planning. They can identify and train someone to serve as an alternate or “backup” for various IT or ISO responsibilities, incorporate an internal committee or team approach for managing IT and information security, or use the support of a trusted third party to maintain IT and information security standards.

3. Partnering with a Trusted Third Party

An outside expert can provide an objective perspective that can help institutions think beyond the day-to-day issues and consider risk more proactively and strategically. Bringing in a technology partner on the front end—when things are going well—can also position institutions to be stronger and more successful in the future. For instance, a virtual information security officer (VISO) can expand an internal ISO’s capabilities and increase the likelihood that all ISO-related tasks are completed in a timely and efficient manner. A VISO can also provide an external layer of oversight to enable the required separation of duties.

ISOversight®, our virtual ISO service, makes it easier for financial institutions to master information security and manage compliance online. ISOversight is a comprehensive solution with a full suite of applications and resources, cyber risk reporting, and dedicated compliance specialists. It’s uniquely designed to help banking institutions enhance their strategies to improve IT management, information security, and compliance. With ISOversight, community banks and credit unions can ensure that no information security issues fall through the cracks—especially during challenging times.

For more information about how to enhance your institution’s security posture, read the full white paper on “Building IT and Information Security Resiliency in Chaotic Times.”

26 May 2022
Community Banks Use CloudInsight M365 Security Basics to Increase Security

To meet the challenges of escalating cyber threats and constantly evolving technology, organizations must have appropriate security measures in place to protect their network, data, and other assets. Financial institutions that use Microsoft Azure Active Directory and M365 can capitalize on CloudInsight™ M365 Security Basics to ensure they have the right security, identity, and compliance settings to keep their information safe in the Cloud. The product fills a critical need because Microsoft is always enabling and disabling features in Azure AD and M365, which can make it difficult for institutions to maintain the best security settings.

M365 Security Basics increases the visibility of potential security risks through three main services:

  • Reporting — The delivery of user-friendly Microsoft data
  • Alerting — Notifications of common indicators of compromise
  • Quarterly Reviews — Expert analysis and consultations

Here are two case study summaries to show how different institutions are using CloudInsight M365 Security Basics to gain better visibility into their cloud security and Microsoft settings:

Affinity Bank

Atlanta-based Affinity Bank wanted to get a better handle on potential security threats—particularly those relating to email. It implemented CloudInsight M365 Security Basics to prevent compromised user accounts, unknown users and forwarders, unapproved email access, and other risks. “Being able to receive alerts when attempted logins from outside of the country come through is a big reason why we were interested in the product,” said Senior Vice President and Chief Operations Robert Vickers. Just having the ability to put in preventative features blocking employees from sending or setting up a forward to an external email address was another plus for Affinity Bank. With almost $800 million in assets, three locations across Georgia, and a long-term relationship with Safe Systems, Affinity Bank anticipates significant improvement in its cloud security and overall security posture thanks to M365 Security Basics’ monitoring, alerting, and other tools. Aside from the tools that M365 Security Basics provides for Affinity Bank, the real advantage given to the bank is the relationship with Safe Systems. “The team at Safe Systems has been able to provide us with great expertise on exactly where we need to go, what we need to do, and best practices to get us there,” said Vickers. “Almost immediately after we signed on for CloudInsight, they gave us recommendations we could implement straight away.”

Franklin Bank & Trust Company

Since its inception in 1958, Franklin Bank & Trust Company has prioritized adapting to constant changes in technology to maintain its security. M365 Security Basics proved to be the ideal solution for the Franklin, Kentucky-based community bank, which has $700 million in assets and five branches across the state. Since implementing CloudInsight M365 Security Basics, the bank has achieved improved efficiencies in its cloud security and settings. After the initial meeting with the new service, reports came back with deficiencies that the bank didn’t even know it had and that could expose it to potential data breaches and threats. The bank was able to tighten up privacy settings, including those for Microsoft OneDrive, and impose conditional access policies to ensure data was protected. “Adding CloudInsight M365 Security Basics to our roster has really shone a light on our whole Microsoft cloud footprint. It has shown us which areas we need to shore up and, in turn, has made our bank more efficient and secure,” said IT Project Manager Aaron Miller.

Learn More

CloudInsight M365 Security Basics is a flexible, cost-effective solution that institutions can incorporate based on their specific priorities and requirements. While Affinity Bank used M365 Security Basics to primarily address email management, Franklin Bank & Trust Company wanted to gain better overall visibility into Microsoft security settings. In both cases, M365 Security Basics fit the bill. Depending on their license, financial institutions can use M365 Security Basics to customize a wide array of security settings in Azure AD, M365, and Exchange Online. This includes OneDrive and SharePoint Sharing; Teams and External Collaboration; and the Protection, Security, Compliance, and M365 Admin centers. Institutions can further enhance cloud security by adjusting the settings associated with Azure AD Premium P1, Intune, and Azure Information Protection. They can also apply conditional access policies, password protection, and a myriad of other security features.

For more information about how your institution can optimize Microsoft security settings to improve cloud security, download our white paper on “Azure and M365 Security Basics.”

19 May 2022
The Relationship Between the ISO and IT Administrator

IT administrators (IT admins) and information security officers (ISOs) have independent yet interdependent roles that are critical to their financial institution’s security, regulatory compliance, and overall success. Both individuals must maintain a separation of duties yet work closely together to achieve a common goal: ensuring their organization’s day-to-day activities appropriately support its policies and procedures.

ISO Responsibilities

ISOs oversee everything from network security (including cybersecurity) to vendor management, to strategic alignment of IT initiatives, to general information security regulatory compliance, all of which require having on-demand access to relevant, timely, and actionable information.

ISOs rely heavily on IT administrators to share data about the network, so they can translate that data into the information that will allow them to perform their duties effectively. Therefore, reports are an integral aspect of the IT admin-ISO relationship. ISOs depend on the data provided by IT admins to complete the enterprise-wide thinking and strategic planning that is needed to protect the bank’s information and other assets.

For example, an IT admin might extract data about the number of devices that have been updated with the latest patches and report this information to the ISO. The ISO would certainly be interested in the status of all devices but would most keenly be interested in the exceptions—the devices that have not been patched—as even a single unpatched device could represent a significant risk to the organization. In addition, the ISO must further evaluate the root cause behind the exceptions: do they represent a predictable lag between patch rollout and installation that will be resolved during the normal course of reboots, or do they represent a procedural deviation or deficiency? If the latter, the ISO could recommend revisiting patch management procedures and practices.
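The exception-first patch report described above, as an added illustration (this is example code, not Safe Systems' or any product's own code): it takes a constructed device inventory, separates the unpatched devices from the compliant ones, and then splits the exceptions into the two root causes the paragraph names, a predictable rollout lag versus a procedural deviation. The hostnames, dates, and the 14-day rollout window are assumptions made for the example.

```python
"""Patch-exception triage for an IT admin to ISO report.

Added example, not Safe Systems code.  The inventory records, the dates and
the ROLLOUT_WINDOW_DAYS policy value are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: a device may lag the rollout this many days while normal
# reboots pick the patch up; beyond that, or if the device is not even
# checking in, the exception is treated as a procedural deviation.
ROLLOUT_WINDOW_DAYS = 14


@dataclass(frozen=True)
class Device:
    name: str
    baseline: str        # patch level the rollout expects
    installed: str       # patch level the device actually reports
    last_checkin: date   # last time the device's agent reported in


def triage(devices, rollout_date, today, window_days=ROLLOUT_WINDOW_DAYS):
    """Split devices into compliant, expected lag, and procedural deviations.

    compliant  - installed level matches the baseline
    lagging    - behind, but the rollout is still inside the window and the
                 device has checked in since the rollout (it should catch up)
    deviation  - behind and either the window has expired or the device has
                 not checked in since the rollout (no evidence it will catch up)
    """
    report = {"compliant": [], "lagging": [], "deviation": []}
    rollout_age = (today - rollout_date).days
    for d in devices:
        if d.installed == d.baseline:
            report["compliant"].append(d.name)
        elif rollout_age <= window_days and d.last_checkin >= rollout_date:
            report["lagging"].append(d.name)
        else:
            report["deviation"].append(d.name)
    return report


def summarize(report, total):
    """Headline numbers for the admin's report; the ISO reads the exceptions."""
    patched = len(report["compliant"])
    return {
        "total": total,
        "patched_pct": round(100.0 * patched / total, 1) if total else 0.0,
        "exceptions": report["lagging"] + report["deviation"],
        # A single deviation is enough to justify revisiting the procedure.
        "needs_procedure_review": bool(report["deviation"]),
    }


# Constructed sample inventory (hostnames, levels and dates are made up).
TODAY = date(2022, 5, 19)
ROLLOUT = date(2022, 5, 10)   # nine days ago, still inside the window
SAMPLE = [
    Device("teller-01", "2022-05", "2022-05", date(2022, 5, 18)),
    Device("teller-02", "2022-05", "2022-04", date(2022, 5, 18)),   # will catch up on reboot
    Device("branch-kiosk", "2022-05", "2022-02", date(2022, 4, 2)),  # agent went silent before rollout
    Device("loan-ops-07", "2022-05", "2022-05", date(2022, 5, 19)),
]

if __name__ == "__main__":
    rep = triage(SAMPLE, ROLLOUT, TODAY)
    print(summarize(rep, len(SAMPLE)))
    for name in rep["deviation"]:
        print(f"ACTION: {name} missed the rollout and is not checking in")
```

Running it with the sample data reports two compliant devices, `teller-02` as an expected lag, and `branch-kiosk` as a deviation because it stopped checking in before the rollout began; passing `window_days=0` (or a later `today`) moves the lagging device into the deviation bucket, which is the distinction the ISO needs before deciding whether the procedure itself must change.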

IT Admin Responsibilities

IT administrators are responsible for a variety of tasks, including managing computer systems, IT personnel, information systems, data backups, and network security—and providing ISOs with essential information on all those activities. Since IT admins may have a small staff—or might be the only IT person in the department—and have privileged access to the network, institutions must closely oversee their position. According to the FFIEC Information Security Handbook, Section II.C.7(c) Segregation of Duties:

“System administrators, for instance, have the most powerful role in the user access process and have unlimited access to an institution’s information assets and technology. Given this extensive access, management should evaluate the process for determining which individuals should be granted system administrator privileges. Such access should be appropriately monitored for unauthorized or inappropriate activity.”

The ISO in combination with the IT Steering Committee provides an important checks-and-balances process to ensure all systems are being effectively managed and maintained, and that status reporting is reliable.

ISO and IT Admin Cooperation

It’s important to remember that although the ISO and IT admin roles must be independent, they are also complementary since both entities are responsible and accountable for making sense of the vast amount of data flowing through their institution.

Because ISOs must utilize the information supplied by IT admins to produce the reporting necessary to periodically update senior management and the Board, and to authoritatively interact with IT auditors and IT examiners, this relationship must be cooperative. By maintaining a close working relationship, ISOs and IT administrators can make sure their actions support the institution’s IT strategic plan. Done properly, a successful ISO- IT admin relationship should in no way be adversarial, it should be mutually beneficial to both parties, as well as to the institution as a whole.

Obtaining Third-Party Support

Regulators place a high priority on the continuity and consistency of leadership for effective information security. At times, financial institutions will have ISOs and IT administrators leave their position either temporarily or permanently. When this happens, it can be beneficial to employ an internal committee/team or a trusted third party to help manage IT and information security.

A third-party partner can provide additional support while the ISO position is vacant, help a new employee transition into the role, or simply provide another set of eyes and an external layer of oversight to supplement what they already have in place. Collaborating with an external information security expert cannot only help the institution think more objectively, strategically, and proactively about risk during a time of transition but also when things are running smoothly. This can prevent problems later and position the institution to be stronger and more successful in the future.

Financial institutions can take advantage of a wide range of external resources designed to support the ISO and IT administrator roles. For example, ISOversight™, our virtual ISO service, offers community banks and credit unions a complete solution to help them master information security and manage compliance online. With ISOversight, institutions can make sure nothing gets overlooked, so they stay on track—which is vital with the complexities and constant changes in the technology and security environments.

30 Mar 2022
Get Prepared for the New Computer-Security Incident Notification Rule

As of April 1st, financial institutions are expected to comply with new cyber incident notification requirements for banking organizations and their third-party service providers. The Computer-Incident Notification Rule, as it’s officially called, is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The final rule—approved last November by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC)—takes effect on April 1, 2022, with full compliance extended to May 1, 2022. (To date, the NCUA has not adopted the new rule, although it’s possible they may at some point. Credit Unions should check with their regulator for notification expectation specifics.)

Understanding the Regulations

To meet the upcoming deadline, financial institutions need to be well versed in the intricacies of the new rule. The rule has two components:

  1. The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
  2. The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Focusing on the financial institution expectations under the final rule, a couple of definitions must be understood.

  • A “computer-security incident” could include almost anything: a hardware or software failure, an innocent mistake by an employee, or a malicious act by a cybercriminal. However, the incident must result in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
  • A “notification incident” is defined as a significant computer-security incident that has materially disrupted or degraded a banking organization in at least one of these areas:
      • its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base in the ordinary course of business;
      • its business line(s), including associated operations, services, functions, and support that, upon failure, would result in a material loss of revenue, profit, or franchise value;
      • its operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

In the event an incident rises to the level of a “notification incident,” the banking organization’s primary federal regulator must receive this notification as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has happened.

Recognizing the Gray Areas

The words “material” and “materially” are key terms; so much so that they are used 97 times in the 79-page guidance about the ruling. But beyond an “enterprise-wide” impact, the regulation does not precisely define these concepts, so financial institutions will need to specify what this term means to their organization as a whole. And since a determination of materiality is a prerequisite to starting the 36-hour “clock” for notification, they should do so ahead of time. The undefined nature of “material” to each organization creates a gray area open for interpretation that not only allows institutions some flexibility in this area but also opens the door for differences in opinion between an institution and its regulator.

In another gray area, the rule does not impose any specific recordkeeping requirements, which is a reduced burden. However, we strongly recommend keeping at least basic documentation in case the examiners ever question why your institution did or did not decide to escalate an event from a computer-security incident to a notification incident, and why it started the “clock” when it did.

Preparing for the Unknowns

At this stage, there are some unknowns about the implications of the new cyber incident notification requirements. One of the unknowns discussed in our recent webinar was related to an official contact person and method for each primary federal regulator. This has since been addressed and we recommend incorporating the following verbiage into the regulator notification section of your Incident Response Plan:

FDIC institutions:

  • Notification can be made to the case manager (primary contact for all supervisory-related matters), to any member of an FDIC examination team if the event occurs during an examination, or if the primary contact is unavailable, the FDIC may be notified by email at: incident@fdic.gov.

OCC Institutions:

  • Notification may be done by emailing or calling the OCC supervisory office. Communication may also be made via the BankNet website, or by contacting the BankNet Help Desk via email (BankNet@occ.treas.gov) or phone (800) 641-5925.

Federal Reserve Institutions:

  • Notification may be made by communicating with any of the Federal Reserve supervisory contacts or the central point of contact at the Board either by email to incident@frb.gov or by telephone to (866) 364-0096.

Another unknown as of the date of this post: Will the State banking regulators also require notification if a federal regulator is notified? The unofficial initial indication we have received is ‘Yes,’ but it would be good practice for institutions to check with their state regulator. Chances are regulators will request this, but whether or not it will be a requirement is still unknown.

Steps to Take Now

There are additional steps financial institutions can take now to be better prepared to address the requirements of the Computer-Security Incident Notification Rule.

  • Our primary recommendation is for institutions to expand the notification section of their incident response plan to include the criteria for determination of a notification incident, and to add the regulator contact information above.
  • Institutions should also define “materially” for their organization and predetermine the meaning of “materially disrupted or degraded,” or what constitutes a “material portion” of their customer base.
  • Third-party contracts should contain verbiage obligating the third party to notify your institution under the circumstances required by the new rule. We also strongly advise designating an official contact person within your institution — whether it’s the CEO, CIO, or ISO — who should receive incident notifications from your third parties. It’s also prudent to specify a backup contact person—and make sure vendors know who the primary and alternate contacts are to ensure a smooth notification process.

For more information about this important topic, access our webinar on “New Cyber Incident Notification rules: How to Get Prepared”, or this recent blog post from Compliance Guru.

17 Feb 2022
Microsoft Azure and 365 Security Basics

Financial institutions that employ Microsoft 365 (also known as M365 and formerly branded as Office 365) are in the Cloud, and therefore face a growing number of cyber threats. Consider this: the FBI’s Internet Crime Complaint Center (IC3) has seen a 400-percent increase in cybersecurity complaints since the pandemic started.

The surge in cybercrimes means financial institutions that use M365 need to focus on protecting their assets in the Cloud. Our CloudInsight™ M365 Security Basics makes it easy and affordable for institutions to start the process. M365 Security Basics provides visibility into security settings for Microsoft Azure Active Directory (Azure AD) and M365. Banks and credit unions can leverage this multi-faceted solution to get ahead of cyber threats and enhance cloud security.

Importance of Customizing Your Azure AD and M365 Settings

Your financial institution likely has a Microsoft tenant with Azure AD, whether you realize it or not. This is partly because every Exchange Online and M365 implementation requires the creation of a Microsoft tenant and Azure AD, even if the services are managed through a third party. There are also many other scenarios requiring the creation of a Microsoft tenant, making it rare for an institution not to have one.

It is important to understand whether you have a Microsoft tenant with Azure AD because the tenant belongs to your institution, not the licensing reseller, and it is your obligation to know how to manage the security settings in these systems, including Azure AD, M365, and Exchange Online. This can be challenging because Microsoft’s default settings might conflict with your institution’s security and compliance requirements. Therefore, you must customize these settings to create more sophisticated and appropriate security, identity, and compliance policies for your institution. This should entail building policies around what users are allowed to do, what your institution’s risk assessment defines, what your institution’s compliance policies dictate, and what users will tolerate.

Once your institution has sufficient policies in place, it is essential to monitor for exceptions with reporting and alerting. And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

How M365 Security Basics Can Help

Microsoft is constantly adjusting its platforms and automatically enabling new features to adapt to an ever-evolving security environment, making it difficult for banks and credit unions to keep up. Partnering with a value-added technology expert like Safe Systems can help you better manage your M365 tenant. Our M365 Security Basics service identifies cloud security blind spots and common risks such as compromised user accounts, enabled insecure protocols, and targeted phishing or spam attacks.

M365 Security Basics key services:

  • Reporting – Collects Microsoft data that may not be readily available to institutions and assembles it in a user-friendly format
  • Alerting – Delivers notifications for the most common indicators of compromise in Microsoft M365 tenants
  • Quarterly reviews – Provide a vital, objective look at M365 Security Basics reports to help institutions determine the optimal security settings for their requirements

The Importance of MFA

An invaluable security control financial institutions should also consider implementing is multi-factor authentication (MFA). MFA applies a combination of factors to validate people’s identity before giving them access to sensitive data, account information, and other assets. MFA offers effective, low-cost protection against cyberattacks and other threats; and not implementing this security feature in Azure AD is risky. According to Microsoft, 99.9 percent of account compromises can be blocked with MFA, but the overall MFA adoption rate we have seen in the financial industry is only around 46 percent.

The bottom line: Microsoft is constantly enabling and disabling features in Azure AD and M365; therefore, financial institutions must be able to manage the complexities of optimizing their security, identity, and compliance settings. To learn more about how your institution can customize Azure AD and M365 settings to enhance cloud security, read our “Azure and M365 Security Basics” white paper.

02 Feb 2022
Compliance Review and Tactics

2021 Compliance Review and Tactics for Staying Ahead of Regulators in 2022

With 2021 in the rearview and 2022 well underway, it’s a good time to consider some compliance issues from last year, and current trends and tactics for keeping ahead of regulators this year. In 2021, we saw a number of compliance-related changes from the Federal Financial Institutions Examination Council (FFIEC) and the Federal Deposit Insurance Corporation (FDIC). One important development, especially for smaller community banks and credit unions, was the FDIC’s new Office for Supervisory Appeals. The office—launched in December to operate independently within the FDIC—considers and decides appeals of material supervisory determinations. It replaces the existing Supervision Appeals Review Committee.

The Office of Supervisory Appeals will “enhance the independence of the FDIC’s supervisory appeals process and further the FDIC’s goal of ensuring consistency and accountability in the examination process,” according to the FDIC. There’s a broad range of material supervisory determinations that institutions can appeal through the office, including CAMELS ratings under the Uniform Financial Institutions Rating System; IT ratings under the Uniform Rating System for Information Technology (URSIT); and Trust ratings under the Uniform Interagency Trust Rating System. This new appeal process isn’t a guarantee that supervisory findings will be changed but may prove useful as a last resort for FDIC institutions facing downgrades in scores where there is a material disagreement between the FI and the FDIC.

Another significant FFIEC development last year involved amendments to the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. The BSA amendments included certain provisions to the USA PATRIOT Act to detect, deter and disrupt terrorist financing networks. This would appear to be an area of focus going forward, as 3 of the 10 most substantive (i.e., non-appointment-related) FFIEC releases in 2021 were related to BSA/AML.

In June, the FFIEC issued a new Architecture, Infrastructure and Operations (AIO) booklet as part of its Information Technology Handbook. With this logical move, the FFIEC replaced its July 2004 Operations Handbook with a single booklet that merges three interconnected areas. In August the FFIEC also enhanced its guidance on authentication and access to services and systems—advocating for the widespread use of multi-factor authentication (MFA)—and released guidance on conducting due diligence on fintech companies.

One additional item of note in 2021: the FDIC’s tech lab, FDITECH, launched an initiative to challenge institutions to measure and test bank operational resiliency. Ultimately, a set of metrics may be applied to financial institutions—perhaps community banks in particular—to determine whether they are adequately resilient against operational disruptions. We’re keeping a close eye on this as it may lead to a universal formula for grading or ranking resilience. Anything that reduces subjectivity also reduces uncertainty, and that is a good thing when it comes to regulations.

Tips, Tricks, and Tactics

One of the main tactics to apply now to enhance compliance is to focus on the concept of resilience in all areas of the financial institution. Incorporate this concept into your business continuity management plan, vendor management program, third-party supply chain management, and information security. The key is to prepare in advance for a disruption—to put processes in place to reduce the possibility of disruption, and to minimize the impact of disruption should it occur.

Here’s another way to stay ahead of regulators: Financial institutions can connect the concept of risk appetite to the acceptable risk in their risk assessments. This goes beyond merely asserting that whatever residual risk you may have is deemed acceptable, which is highly subjective. Inherent risk less controls establish residual risk. However, residual risk levels must be compared to pre-determined risk appetite levels to determine acceptability. Only if the residual risk is less than or equal to their risk appetite can residual risk be considered acceptable. This process also reduces subjectivity and uncertainty—which should leave examiners and auditors much less room for interpretation, and result in a better audit/exam experience for you.

What to Consider in 2022 and Current Trends

Another area we’ll definitely be watching in 2022 involves the new incident notification rules that were issued late last year. All financial institutions will need to update their incident response plan and possibly their vendor management program and business continuity plans to accommodate these new regulations. These changes, while not necessarily difficult, can be pervasive in that they will cross over into multiple policies and procedures. In short, the rule requires institutions to notify their primary federal regulator as soon as possible—no later than 36 hours—after they determine that a notification incident has occurred. There are also new requirements for third parties to notify you if they experience a similar event, which could require changes to the vendor contract. The effective date of the new rule is April 1, 2022, with compliance expected to begin on May 1, 2022. There may be a grace period, but financial institutions should be prepared for examiners to ask questions about your adherence to these new rules at your next Safety and Soundness exam.

Regarding trends, we believe the focus on third-party risk management will continue in 2022 and into the future. Currently, there’s growing support for the idea of having the FDIC, Federal Reserve, National Credit Union Administration (NCUA) and other agencies coalesce around a single set of standards for third-party management. This would create more consistency with the rules concerning how regulators and others define third parties and vendors, and expectations for effective risk management. The outcome of the discussions around this topic may not manifest until Q3 or Q4 of this year, but institutions should work on formalizing their process for conducting due diligence when dealing with fintech companies and other critical vendors.

Safe Systems has been serving financial institutions for more than 25 years. To get more of our experts’ views on this topic, listen to our webinar on “Compliance Review and Tips, Tricks, and Trends for Staying Ahead of Regulators in 2022.”

19 Jan 2022
Balancing Strategy and Compliance

Balancing Strategy and Compliance: Addressing the Strategic Needs of Your Institution While Remaining Compliant

Banks and credit unions require a complex interconnected infrastructure to support their employees, serve customers, and maintain their operations. This entails an array of owned and outsourced elements: hardware, software, controls, processes, and evolving technologies such as cloud, artificial intelligence (AI), machine learning, and more. In addition, effective data governance and data management are fundamental to maintaining the confidentiality, integrity, and availability of information. The data management process is highly regulated and financial institutions are under increasing pressure when trying to balance the strategic needs of their organization with the increased demands for remote employees and online customers.

Evolving Remote Workforce and Customer Base

Over the past couple of decades, advancements in communication and technologies have allowed for a more mobile workforce and customer base, and the ongoing COVID-19 pandemic quickly intensified this trend. During the first year of the pandemic, Gartner conducted a survey that found 82% of businesses intended to allow remote work at least part of the time, with 47% of companies allowing it full time. Although 2020 represented a significant increase in remote work and digital engagement, the trend seems to be continuing for the foreseeable future. According to Upwork’s Future Workforce Report 2021, 40.7 million American professionals, nearly 28% of respondents, will be fully remote in the next five years, up from 22.9% in the last survey conducted in November 2020.

This trend requires adding more technology and devices to enable online access to financial services, and to enable secure access to the information and other resources needed for remote workers to perform their duties away from the office. Banking customers want convenient access to financial services, whether through a physical location, the internet, or a mobile app, and institutions need the tools and techniques to keep them secure. With more devices in the hands of employees and customers, there are many more vectors for cyberattacks and many more endpoints to secure. Even institutions that have been trying to avoid the risks that come with enabling remote engagement are forced to reevaluate the costs and benefits.

Increasing Regulatory Requirements

Privacy and data security have become key compliance issues for financial institutions as they adapt to accommodate employees and customers who prefer to work and bank remotely. From a regulatory standpoint, the Federal Financial Institutions Examination Council (FFIEC) has always expected financial institutions to have data management controls in place to protect data in physical and digital forms wherever the data is stored, processed, or transmitted. This includes any data relating to the organization, its employees, and its customers. “The data management process involves the development and execution of policies, standards, and procedures to acquire, validate, store, protect, and process data,” states the FFIEC IT Handbook’s Architecture, Infrastructure, and Operations booklet. “Effective data management ensures that the required data are accessible, reliable, and timely to meet user needs.”

The FFIEC requires institutions to follow a wide range of other guidelines and procedures, which are reflected in various FFIEC booklets and include:

  • Governance – Management should promote effective IT governance by establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution’s information and systems.
  • Know-your-customer – Financial institution management should choose the level of e-banking services provided to various customer segments based on customer needs and the institution’s risk assessment considerations.
  • Resilience – Financial institutions are responsible for business continuity management (BCM), which is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

Strategic Compliance Solutions

With so many compliance issues to address, it can be difficult to balance the needs of your financial institution, your remote workers, and your customers. Safe Systems has a team of compliance experts and a broad range of compliance solutions to help you manage government regulations, information security, and reporting efficiently. Our team of compliance experts is trained in banking regulations, holds numerous certifications, and is laser-focused on delivering the tools and knowledge to give you compliance peace of mind.

30 Dec 2021
Our Top Blog Posts of 2021

With a new year approaching, it’s a good time to review some of the key discussions from the past year. Read these highlights from our top blog posts of 2021, to help your financial institution refine key operational strategies for 2022 and beyond:

1. 2021 Hot Topics in Compliance: Mid-Year Update

Although the COVID-19 pandemic isn’t over, financial institutions have learned valuable lessons so far. Key impacts have been primarily operational, involving risks related to temporary measures taken to weather the crisis. In addition, there are important compliance trends and new regulatory guidance institutions should anticipate going forward. Ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely increase in the future. This will be reflected, in part, by the number of (and types of) assessments that regulators might expect institutions to perform annually. These assessments from various state and federal entities include the Cybersecurity Assessment Tool (CAT), the optional Ransomware Self-Assessment Tool (R-SAT), the Cybersecurity Evaluation Tool, and the modified Information Technology Risk Examination for Credit Unions (InTREx-CU). In addition, there have been major shifts with cyber insurance, and the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. Read more.

2. The 4 “R’s” of Disaster Recovery

Maintaining an effective approach to disaster recovery can help financial institutions satisfy regulatory requirements, better protect themselves from the effects of negative events, and improve their ability to continue operating after a disaster. There are four important “R’s” that institutions should concentrate on for disaster recovery: recovery time objective (RTO), recovery point objective (RPO), replication, and recurring testing.

RTO is the longest acceptable length of time a computer, system, network, or application can be down after a disaster happens. When establishing RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. The RPO is the amount of time between a disaster occurring and a financial institution’s most recent backup. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. DR replication entails having an exact copy of an institution’s data available and remotely accessible when an adverse event transpires. The best practice is to keep one backup copy onsite and another offsite in a different geographic location that’s not impacted by the disaster. Recurring testing allows institutions to identify key aspects of their DR strategy and adjust as needed to accomplish their objectives. Regular testing can expose potential problems in their DR plan so they can address these issues immediately. Read more.

3. Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s crucial for financial institutions to maintain distinct duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the health of their operations. There should be at least one designated ISO who is responsible for implementing and monitoring the information security program and who reports directly to the board or senior management—not to IT operations management. The significance of segregating the ISO’s duties comes down to oversight: Separating ISO and network administrator tasks helps to create a clear audit trail and ensures risk is being accurately assessed and reported to senior management. It also allows the ISO to provide another “set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders. The ISO’s independent role primarily serves to ensure the integrity of an institution’s information security program. Financial institutions can also use a virtual ISO to create an additional layer of oversight on top of what they have in place internally. Read more.

Discover these and other key topics about banking compliance, security, and technology on the Safe Systems blog.

Or, subscribe now to be the first to receive the latest updates on banking trends and regulatory guidance directly to your inbox.

08 Dec 2021
5 Compliance Lessons Learned in 2021 to Bring into the New Year

As the challenges presented by the COVID-19 pandemic persist, there are important compliance trends and new regulatory guidance that financial institutions should consider to ensure they are well prepared to begin the New Year.

Accounting for Operational Risk

During the pandemic, banks and credit unions have made necessary adjustments that have increased their operational risk. Two prime examples are switching to a remote workforce and accommodating a more remote customer base. Having employees work remotely extends an institution’s network out to that endpoint and, in effect, broadens security considerations to that point as well. Serving a remote customer base—including expanding e-banking and implementing electronic signatures—creates a similar risk. Security implications multiply as more employees and customers access services electronically.

Rapid changes in operational practices and increases in fraud and cyberthreats can cause a heightened operational risk environment if not properly managed. Examiners will want an account of how institutions determined what changes were necessary, how those modifications were implemented, whether those changes were temporary or permanent, and if controls (primary and compensating) have been adjusted for any resulting operational risk increases. They will review the steps management has taken to evaluate and adjust controls for new and modified operational processes. For instance, for permanent changes, did the institution factor in the operational risk of downtime relating to the new processes?

As a measure of governance effectiveness, examiners will also very likely:

  • Assess actions that management has taken to adapt fraud and cybersecurity controls to address the heightened risk associated with the altered operating environment.
  • Review management’s post-crisis efforts to assess the controls and service delivery performance capabilities of third parties.
  • Consider how imprudent cost-cutting, insufficient staffing, or delays in implementing necessary updates impacted the control environment.

Temporary vs. Permanent Changes

For the most part, because we are still dealing with the impact of the virus and its variants, institutions have chosen to maintain many of the temporary measures they implemented during the pandemic. So, because they may have rolled out the changes anticipating an eventual rollback, it may be necessary to “backfill” some documentation to address what is now permanent. Examiners will want to know if the changes were properly risk-assessed prior to implementation, including any new processes and interdependencies. Institutions should be able to provide a report to regulators if they ask—and ensure their board is appropriately updated. This could be a matter of going back and reviewing previous board reports to ensure that any gaps in their risk management reporting were addressed and properly reported to the board.

Ransomware Self-Assessment Tool (R-SAT)

With the pervasive occurrence of cyberattacks, regulators are increasingly concerned about cybersecurity, particularly reducing ransomware. Consequently, regulators in some states are more aggressive than others about having institutions fill out the Ransomware Self-Assessment Tool (R-SAT), which is based on the National Institute of Standards and Technology (NIST) cybersecurity framework. However, most state regulators we’ve spoken with are not going to make completing the R-SAT compulsory—although they may recommend it. If they do, the majority of what is asked by the 16-question tool should already be in place in the institution’s existing incident response and business continuity plans. Your decision to complete or not should be based on a self-assessment of your existing efforts in this area.

Regulatory Updates

New Architecture, Infrastructure, and Operations (AIO) Booklet

Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) revamped its Information Technology Examination Handbook series with a new Architecture, Infrastructure, and Operations booklet. The revised guidance provides examiners with fundamental examination expectations about architecture and infrastructure planning, governance and risk management, and operations of regulated entities. Credit unions, banks, and non-financial, third-party service providers are expected to comply with the new guidance, which replaces the original “Operations” booklet issued in July 2004.

The FFIEC indicates that the release of the updated booklet is warranted because of the close integration between institutions’ architecture, infrastructure, and operations. “Updates to the booklet reflect the changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems,” explains a June 2021 FFIEC press release.

An important component of the new booklet is the resilience and proactive measures that must be built into an institution’s AIO components. Importantly, the handbook also recognizes special treatment for smaller or less complex entities, which is reasonable because examiners are starting to indicate that smaller entities will often implement these concepts differently from large, multinational, multi-regional financial organizations, while still achieving the same objectives. The refreshed guidance also takes a different approach to data classification; it factors in value, along with criticality and sensitivity. However (and this is consistent with all FFIEC Handbooks released in the past 3 years), the new booklet states that it does not impose requirements on entities; instead, it describes principles and practices examiners will review to assess an entity’s AIO functions. (Of course, we have always found that anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement.) A much deeper dive into the booklet is here.

New Cyber Incident Notification Rules

Another big update that will impact 2022 and beyond is the new cyber incident notification rules. Officially called “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”, they were proposed and submitted for comment in early 2021, approved in November 2021, and become effective in April 2022. Visit our partner site, ComplianceGuru.com, to read the latest post and gain an understanding of how these rules will impact both you and your third-party providers going forward.

To learn more about these and other critical compliance topics, listen to our webinar on “2021 Hot Topics in Compliance: Mid-Year Update.”

05 Nov 2021
Minimize Examiner Scrutiny by Automating Compliance Processes

Financial institutions can expect to receive increased auditor and examiner scrutiny over their governance and oversight practices, and inconsistencies between procedures and practices will often result in findings. However, these challenges can be minimized or even eliminated by using automation to manage compliance processes.

Incorrect or Outdated References

One of the most widespread exam issues institutions encounter is due to policy inconsistencies, where incorrect or outdated references are used. Mentioning outdated guidance in policies is one of the most common offenses that institutions commit. For instance, referring to an older term like SAS 70 (Statement on Auditing Standards No. 70) or SSAE 16 (Statement on Standards for Attestation Engagements No. 16) instead of the newer SSAE 21 (Statement on Standards for Attestation Engagements No. 21) could be dismissed as a minor oversight, but it could also be considered a “red flag” causing examiners to question whether the institution has properly updated its policies, resulting in further scrutiny. A weakness in one area strongly suggests that there may be other weaknesses.

Another example of this type of issue is referencing “business continuity planning” (or BCP) versus “business continuity management planning” (or BCMP). Again, this would be a minor mistake because the term business continuity planning is not necessarily obsolete; still, it’s not consistent with the most recent guidance, and could lead to deeper dives in other areas. (In 2019, the Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management booklet. This guidance, part of the FFIEC Information Technology Examination Handbook, replaces the Business Continuity Planning booklet issued in February 2015.)

The problem with employing slightly outdated terminology also applies to phrases like “maximum allowable downtime” (MAD) and “maximum tolerable downtime” (MTD), which is the newer reference. Examiners and auditors will accept either phrase, so this is not a critical issue, but the use of dated terms can instill doubt in examiners and make them inclined to dig deeper into the institution’s policies.

Procedure and Practice Inconsistencies

Disconnects between policies and practices are another frequent exam challenge for institutions. Ideally, written procedures should not contain statements that contradict the institution’s actual practices. In other words, your actual practices should reflect, as closely as possible, what you say you’ll do in your written procedures. For instance, there would be a procedure/practice inconsistency if the password policy of the information security program required eight characters, and the acceptable use policy (AUP) that employees signed allowed passwords of a different length. This type of inconsistency will almost certainly lead to further issues with examiners and auditors.

Another key area of focus for examiners and auditors is board reporting. Disconnects can occur if the information presented to the Board is not properly documented in Board minutes. This challenge is compounded by the sheer volume of information modern Boards are required to digest. The only way to make sure board minutes contain all pertinent details is to periodically review them. This will help ensure that the content of board meetings is consistent with both examiner expectations, and your written procedures.

Integrating Automation

In addition to changes in guidance terminology or updates to guidance policies, an institution’s procedures can and do change periodically as well. So contradictory statements resulting from policy updates are inevitable. Still, financial institutions must be aware of guidance changes and must also ensure their current procedures align with their practices and are consistent across all documents to make sure they comply with industry guidance and regulations. While this is easier said than done, technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

For example, a simple way to assess your potential exposure to procedural disconnects is to search through the documents in your institution’s information security program for statements that include the words “will,” “must” or “shall.” Each of these statements contains an obligation of some sort: something you’ve committed to doing. For each occurrence, determine if A) it’s being completed exactly as indicated, B) by the group or individual assigned responsibility, and C) it’s being performed at the designated frequency or interval. Automation can help track these tasks and provide the necessary proof in the form of documentation. Additionally, most policies will make multiple references to the same task; business continuity may be referenced in information security, incident response in business continuity, vendor management in both information security and business continuity, etc. A change to a procedure or practice in one document should automatically trigger the associated changes elsewhere.
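As an added example (not Safe Systems code and not part of the original post), the following Python script applies the “will / must / shall” search described above to a set of constructed policy documents, and also covers the two earlier points in this post: it flags the outdated terms named there (SAS 70, SSAE 16, “business continuity planning”, “maximum allowable downtime”) and checks for the password-length disconnect between an information security program and an acceptable use policy. The document names, sentences and the owner/frequency heuristics are all assumptions made for the example.

```python
"""Policy linter (added example): extract obligation statements, flag dated
guidance terms, and detect a password-length disconnect between documents."""
import re
from dataclasses import dataclass
from typing import Optional

# Dated term -> current term, as named in the post. Patterns are case-insensitive.
OUTDATED_TERMS = {
    r"\bSAS\s*70\b": "SSAE 21",
    r"\bSSAE\s*16\b": "SSAE 21",
    r"\bbusiness continuity planning\b": "business continuity management",
    r"\bmaximum allowable downtime\b": "maximum tolerable downtime",
}

# Interval words, checked in order so "semi-annually" wins over "annually" and
# "annually" over "annual". This is a heuristic, not a grammar.
FREQUENCY_WORDS = ("daily", "weekly", "monthly", "quarterly", "semi-annually",
                   "annually", "annual", "every year", "each year")

# Everything before the first modal verb is treated as the responsible party.
OBLIGATION_RE = re.compile(r"^(?P<owner>.*?)\b(?P<modal>will|must|shall)\b",
                           re.IGNORECASE)


@dataclass
class Obligation:
    document: str
    sentence: str
    owner: Optional[str]      # B) who is assigned the task (text before the modal)
    frequency: Optional[str]  # C) interval word found in the sentence, if any


@dataclass
class OutdatedReference:
    document: str
    term: str
    replacement: str


def split_sentences(text: str) -> list[str]:
    """Naive sentence split on terminal punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]


def find_obligations(document: str, text: str) -> list[Obligation]:
    """Return every sentence that commits the institution to doing something."""
    found = []
    for sentence in split_sentences(text):
        m = OBLIGATION_RE.search(sentence)
        if not m:
            continue
        owner = m.group("owner").strip(" ,;:") or None
        lowered = sentence.lower()
        frequency = next((w for w in FREQUENCY_WORDS if w in lowered), None)
        found.append(Obligation(document, sentence, owner, frequency))
    return found


def find_outdated_references(document: str, text: str) -> list[OutdatedReference]:
    """Flag dated guidance terminology and the term current guidance uses."""
    hits = []
    for pattern, replacement in OUTDATED_TERMS.items():
        for m in re.finditer(pattern, text, re.IGNORECASE):
            hits.append(OutdatedReference(document, m.group(0), replacement))
    return hits


def password_length_conflicts(documents: dict[str, str]) -> dict[str, int]:
    """Return {document: stated length} when documents disagree, else {}."""
    lengths: dict[str, int] = {}
    for name, text in documents.items():
        for sentence in split_sentences(text):
            if "password" not in sentence.lower():
                continue
            m = re.search(r"\b(\d+)\s+characters?\b", sentence, re.IGNORECASE)
            if m:
                lengths[name] = int(m.group(1))
                break
    return lengths if len(set(lengths.values())) > 1 else {}


def lint(documents: dict[str, str]) -> dict:
    """Run all three checks over a {document name: text} mapping."""
    obligations, outdated = [], []
    for name, text in documents.items():
        obligations.extend(find_obligations(name, text))
        outdated.extend(find_outdated_references(name, text))
    return {"obligations": obligations, "outdated": outdated,
            "password_length_conflicts": password_length_conflicts(documents)}


# Constructed sample documents for the example; not real policy text.
SAMPLE_DOCUMENTS = {
    "Information Security Program": (
        "The Information Security Officer will review the information security "
        "program annually and report the results to the board. "
        "Passwords must be at least 8 characters long. "
        "Critical vendors shall provide an SSAE 16 report during annual due diligence. "
        "Employees are encouraged to report suspicious emails."
    ),
    "Acceptable Use Policy": (
        "Users must choose passwords of at least 12 characters. "
        "The business continuity planning coordinator will test backups quarterly."
    ),
}

if __name__ == "__main__":
    report = lint(SAMPLE_DOCUMENTS)
    for ob in report["obligations"]:
        print(f"[{ob.document}] owner={ob.owner!r} frequency={ob.frequency!r}: {ob.sentence}")
    for ref in report["outdated"]:
        print(f"[{ref.document}] dated term {ref.term!r}; current guidance uses {ref.replacement!r}")
    print("password length conflicts:", report["password_length_conflicts"])
```

Each obligation row gives you the A/B/C checklist input (the statement, who owns it, how often it should run); the remaining column, whether it is actually being done, is what your tracking and documentation must supply.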

Integrating automation into the equation can help institutions streamline their methods for managing a variety of compliance changes and issues and greatly reduce the most common causes of findings due to disconnects and inconsistencies. Automation can make it easier to maintain more consistent and complete integration in areas throughout the organization, including information security, risk management, network management, vendor management, and business continuity management. Ultimately, automated updating, tracking, reporting, and other tasks can facilitate better preparation for exams and audits, and greatly reduce stress levels!

To learn more about how automating routine procedures can help financial institutions avert auditor and examiner criticism, listen to our webinar on “Managing Your Compliance Processes in 2021: Is There a Better Way?”

If you’re not certain where to begin when it comes to automating your compliance processes, check out our new service, COMPaaS™ (Compliance as a Service). This set of connected applications and powerful monitoring and reporting tools can be customized to target and eliminate your institution’s specific compliance pain points. One of our experts will help you create a solution that is unique to your institution, so you only pay for the services you need. And you can feel confident in choosing from products and services that are backed by nearly 30 years of experience in the banking industry.

21 Oct 2021
The Importance of Cybersecurity, not Just in October—but All Year Long

Do Your Part. #BeCyberSmart.

With October being Cybersecurity Awareness Month, it’s the opportune time for everyone to focus on online safety and to become more cyber savvy. This month, the Cybersecurity & Infrastructure Security Agency (CISA) and National Cyber Security Alliance (NCSA) are encouraging all Americans to do their part and be cyber smart. This means organizations and individuals need to own their role in protecting cyberspace, which requires taking personal accountability and proactive steps to enhance cybersecurity.

The first step to increasing cybersecurity is to understand its importance. Cybersecurity, according to the CISA, is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring the confidentiality, integrity, and availability of information. And the importance of applying effective strategies to keep computer systems and electronic data secure is growing as cybercrime rises. But the key to enhancing cybersecurity is to recognize the hazards that can threaten online safety: malware erasing an entire computer system; a hacker breaking into a system and altering files; someone using another person’s computer to attack others; or an intruder stealing credit card information and making unauthorized purchases.

To minimize the risk of cyberattacks, organizations should consider implementing these best practices from the CISA:

  • Keep software up to date by installing software patches to prevent hackers from taking advantage of known problems or vulnerabilities.
  • Run up-to-date antivirus software to automatically detect, quarantine, and remove various types of malware.
  • Install a firewall to prevent cyberattacks by blocking malicious traffic before it can enter a computer system.
  • Employ multi-factor authentication (MFA) to validate users’ identity.
  • Change default usernames and passwords, which are readily available and can be used by malicious actors.
  • Select strong passwords that will be difficult for attackers to guess and use different passwords for different programs and devices.
  • Beware of suspicious emails that may be engineered to steal information and money or install malware on devices. 

While taking precautions cannot guarantee complete protection against hackers, improving cybersecurity practices can certainly help. It’s also important to become more knowledgeable about effective strategies for reducing cybersecurity risks, which is a major goal of Cybersecurity Awareness Month. In addition, Cybersecurity Awareness Month, formerly called National Cybersecurity Awareness Month, strives to ensure that individuals and organizations have the resources they need to be safer online. People can take advantage of the CISA’s cybersecurity tips, cyber essentials, and other information to become more cyber smart—not just this month, but throughout the year.

Safe Systems also offers a wide range of resources to help financial institutions enhance their cybersecurity and protect the confidentiality, integrity and availability of their information. Our multi-layered security suite, which is designed to protect vulnerability points inside and outside the network, includes DNS filtering, endpoint protection, next-generation firewall, security event log monitoring, and vulnerability monitoring. Community banks and credit unions can implement these security services to improve their cybersecurity posture, prevent cyberattacks and keep their operations running smoothly.

19 Oct 2021
What Makes a Successful Business Continuity Management Plan (BCMP)?

Minimizing the impact of disruptions of any kind, whether natural, man-made, or cyber, should be a priority when it comes to the overall security of your institution. But how do you know if you’ve checked off all the important boxes?

A compliant and successful business continuity plan has the following components: Risk management (Business Impact Analysis, Risk/Threat Assessment); continuity strategies (Interdependency Resilience, Continuity, and Recovery); training and testing (aka Exercises); maintenance and improvement; and board reporting. In addition, the expanded FFIEC BCM IT Examination Handbook calls for all “entities” to rethink their approach to business continuity and be prepared to make appropriate plan revisions to meet these expectations.

To comply with regulatory requirements, it is important for institutions to not only understand the BCM process but also focus on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity management for the entire organization, not just the information technology department. It seems like a lot, but the risks an institution could face by not having a compliant and effective plan in place can be even more costly.

Don’t know where to start? We’ve developed a blog that walks you through the key requirements of BCMP, provides insight into the new guidance and the specific changes you may need to make to meet these expectations, and helps you ultimately determine what to include in the plan. View the original blog post here.

13 Oct 2021
Stories from the Front Lines: How Real Financial Institutions Handled an O365/M365 Cloud Security Compromise

Microsoft 365 (formerly Office 365) comes with an array of settings that customers can modify to enhance their security controls. When these settings are not effectively adjusted though, serious cloud security compromises can ensue. Our M365 Security Basics solution helps financial institutions detect and respond to potential problems. From our recent webinar, here are real-life stories about financial institutions (whose names have been changed) that had their cloud security compromised. See how they handled each situation, so you can learn what to do and not do to secure your O365/M365 account.

Loan Officer – Email Forwarding

Luke, a loan officer, is constantly emailing people inside and outside his organization. He often sends sensitive information but uses encryption to protect his outbound emails and multi-factor authentication (MFA) to protect his identity. Somehow his email account was compromised—for eight whole months—before the problem was discovered. Our M365 Security Basics reporting indicated there was an issue with his email being forwarded to an external domain. We worked with the IT administration team to confirm that a suspicious Yahoo address was not an authorized send-to address for the emails Luke had been receiving. The intruders’ cunning scheme involved a modified mailbox setting that predated Luke’s MFA setup and the other precautions Luke had implemented. We were able to resolve the compromise by removing the forwarding property. Moving forward, Luke’s IT team needs to keep a close watch to ensure the organization’s email accounts are protected.

IT Administrator – Global Auditing

Han works at a smaller organization and wears multiple hats as an IT, compliance, and security administrator. While he’s not well versed in cloud security, Han thinks the cloud is the best option for his organization. He selects various Microsoft cloud resources and works with a vendor to establish a tenant in Azure Active Directory (Azure AD), which is a requirement for O365/M365. Han provisions his account administrative rights in Azure, synchronizes users and passwords, and gets help training end-users on Microsoft 365 services like OneDrive, SharePoint, and Teams. Then he notices an Azure AD account that he and his team have never seen, and its name is strangely almost identical to that of an existing end-user. Han called our support staff for assistance and learned that his global administrator account had been compromised. To make matters worse, Han had left his security settings at defaults and had not enabled global auditing, which meant there was no way to determine what the attacker had changed in the system. The best solution was to move the organization’s data, email, and identities to a brand new Microsoft tenant. This extensive migration project could likely have been avoided if Han had enabled MFA and the proper audit settings.

HR – External Document Sharing

Human resources vice president Leah employs a variety of technologies to facilitate working from home and the office. Leah relies on the cloud, together with desktop and mobile apps, to access documents on all her devices and enjoys using Teams to share files with others in her organization. Using these technology services inadvertently placed the company at risk of exposure and identity compromise, because her IT administration team had not implemented the appropriate security controls for all of the organization’s licensed technology services, creating a security gap. Luckily, the IT team received an M365 Security Basics alert for a file being shared externally in OneDrive, which is a common alert that we see. There was also enough data in the alert to indicate the multiple bad security, identity, and compliance practices that Leah had. The IT team resolved these issues by reducing the default sharing levels of SharePoint Online and OneDrive and retraining Leah on good and bad practices for security, identity, and compliance.

CEO – Multifactor Authentication

As the CEO of his organization, Chewy’s contact information is very public; his email address is prominently displayed on the company’s website, LinkedIn, and other social media platforms. Chewy uses multiple devices to get work done in the office and at home. He often signs into whatever computer is handy, whether it’s his or his wife’s laptop. Chewy’s account came under attack in Azure AD from a Russian IP address. M365 Security Basics Alerting was able to notify his IT team of this by way of the Large Number of Failed Sign Ins for a Single User alert. Unfortunately, the IT department did not require MFA registration for most of the organization’s users, including Chewy, even after being alerted to the attack. The Russian attackers eventually compromised Chewy’s account. Once they did, our alerting engine promptly notified the IT team of a successful sign-in from outside of the USA, which they promptly responded to, limiting the amount of time the account was compromised.
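The four stories above each hinge on one observable signal in the tenant’s audit trail: a forwarding target outside the tenant, a newly created account whose name mimics an existing user, a file shared with an external address, and a burst of failed sign-ins followed by a success from abroad. The following Python is an added example, not code from Safe Systems or from the M365 Security Basics product, showing how each of those signals can be expressed as a detection rule. The event records are constructed here and use a simplified shape loosely modelled on Microsoft 365 unified audit log fields (CreationTime, Operation, UserId, Parameters); the tenant domain, user names and the Country field (assumed to come from IP enrichment, which raw audit records do not carry) are all assumptions for the example.

```python
"""Detection rules for the M365 compromise patterns in the four stories above.

The event records are CONSTRUCTED for this example. Their shape is a
simplified version of Microsoft 365 unified audit log fields (CreationTime,
Operation, UserId, Parameters); the 'Country' field is assumed to come from
IP-to-country enrichment, which the raw audit records do not contain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TENANT_DOMAINS = {"examplebank.test"}       # constructed tenant domain
HOME_COUNTRIES = {"US"}                      # countries where sign-ins are expected
FAILED_LOGIN_THRESHOLD = 5                   # failures per user per window
FAILED_LOGIN_WINDOW = timedelta(minutes=15)


def is_external(address):
    """True when the mail address (optionally prefixed 'smtp:') is outside the tenant."""
    return address.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS


def detect_external_forwarding(events):
    """Luke's case: mailbox forwarding or inbox rules that send mail out of the tenant."""
    findings = []
    for e in events:
        params = e.get("Parameters", {})
        targets = []
        if e["Operation"] == "Set-Mailbox" and params.get("ForwardingSmtpAddress"):
            targets.append(params["ForwardingSmtpAddress"])
        elif e["Operation"] == "New-InboxRule":
            targets.extend(params.get("ForwardTo", []))
        findings += [("EXTERNAL_FORWARDING", e["UserId"], t) for t in targets if is_external(t)]
    return findings


def detect_external_sharing(events):
    """Leah's case: OneDrive/SharePoint shares granted to someone outside the tenant."""
    return [("EXTERNAL_SHARE", e["UserId"], e["TargetUser"])
            for e in events
            if e["Operation"] == "SharingSet" and is_external(e.get("TargetUser", ""))]


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike account names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect_lookalike_accounts(events, known_users):
    """Han's case: a newly created account whose name is within one edit of an existing user."""
    findings = []
    for e in events:
        if e["Operation"] != "Add user.":
            continue
        new_local = e["ObjectId"].split("@")[0].lower()
        for known in known_users:
            known_local = known.split("@")[0].lower()
            if new_local != known_local and _edit_distance(new_local, known_local) <= 1:
                findings.append(("LOOKALIKE_ACCOUNT", e["ObjectId"], known))
    return findings


def detect_failed_signin_burst(events):
    """Chewy's case: a burst of failed sign-ins for one user, then any success from abroad."""
    recent_failures = defaultdict(list)
    findings = []
    for e in sorted(events, key=lambda x: x["CreationTime"]):
        user, ts = e["UserId"], e["CreationTime"]
        if e["Operation"] == "UserLoginFailed":
            window = [t for t in recent_failures[user] if ts - t <= FAILED_LOGIN_WINDOW] + [ts]
            recent_failures[user] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:   # fire once per burst
                findings.append(("FAILED_SIGNIN_BURST", user, len(window)))
        elif e["Operation"] == "UserLoggedIn" and e.get("Country") not in HOME_COUNTRIES:
            findings.append(("FOREIGN_SIGNIN", user, e.get("Country")))
    return findings


T0 = datetime(2021, 10, 1, 9, 0)
KNOWN_USERS = ["jsmith@examplebank.test", "luke@examplebank.test"]
SAMPLE_EVENTS = [   # constructed records, one per story
    {"CreationTime": T0, "Operation": "Set-Mailbox", "UserId": "luke@examplebank.test",
     "Parameters": {"ForwardingSmtpAddress": "smtp:l.loans@mail-lookalike.test"}},
    {"CreationTime": T0, "Operation": "SharingSet", "UserId": "leah@examplebank.test",
     "TargetUser": "friend@freemail.test"},
    {"CreationTime": T0, "Operation": "Add user.", "UserId": "han@examplebank.test",
     "ObjectId": "jsmlth@examplebank.test"},
] + [
    {"CreationTime": T0 + timedelta(minutes=i), "Operation": "UserLoginFailed",
     "UserId": "chewy@examplebank.test", "Country": "RU"} for i in range(5)
] + [
    {"CreationTime": T0 + timedelta(minutes=6), "Operation": "UserLoggedIn",
     "UserId": "chewy@examplebank.test", "Country": "RU"},
]


def run_all(events=SAMPLE_EVENTS, known_users=KNOWN_USERS):
    """Run every rule and return the combined list of findings."""
    return (detect_external_forwarding(events) + detect_external_sharing(events)
            + detect_lookalike_accounts(events, known_users) + detect_failed_signin_burst(events))


if __name__ == "__main__":
    for finding in run_all():
        print(*finding)
```

Two design points follow from the stories. The forwarding rule checks both the mailbox-level `ForwardingSmtpAddress` and inbox rules, because Luke’s forwarding predated his MFA enrollment and survived it; MFA protects the sign-in, not a setting that was already in place. The failed-sign-in rule fires once per burst and then watches for a later successful sign-in from outside the home countries, which is exactly the two-alert sequence Chewy’s IT team saw.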

Listen to the full stories or watch the complete webinar.

11 Oct 2021
What Financial Institutions Should Budget for in 2022

Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.

1. Multifactor Authentication

Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.

2. Laptops

With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.

And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.

3. Moving to the Cloud

Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.

4. Cloud Security

While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.

5. Virtual ISO

Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.

6. Cybersecurity

You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

In Conclusion

The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:

  • Employee training to ensure adequate, effective, and safe practices
  • Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
  • Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy to ensure ransomware cannot wipe out your data

Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.

As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.

01 Sep 2021
FIs Must Plan Ahead for IT Projects to Get Hardware in Time

The coronavirus pandemic has fueled ongoing inventory and material shortages in a number of industries and IT is no exception. Many components, such as servers, routers, firewalls, network switches, phones, keyboards, microphones, webcams, and more are still in relatively short supply. We’re seeing lead times for hardware delivery lasting four to six months—and the situation could get worse with the Delta variant. So, it’s crucial for financial institutions to plan ahead when ordering IT equipment.

There’s a combination of factors driving these hardware shortages and delivery delays. With more people working from home, there’s an increased need for hardware, and the rise in demand for electronic devices has placed an extra load on the semiconductor industry. Semiconductors, commonly referred to as computer chips or chips, are a core element in almost everything electronic. The semiconductor market is also consolidated, with only three manufacturers able to produce the most advanced chips. These factors account for some of the reasons why chips are becoming scarce during a time of heightened demand. Currently, semiconductor lead times are stretching to more than 20 weeks—almost three times the pre-pandemic norm, according to Bloomberg.

Another key factor in hardware shortages is the just-in-time production (JIT) model that many companies, including those that manufacture chips, use to turn out small batches of products instead of creating huge inventories. While this lowers their production costs, it can cause supply chain problems when there’s a rapid surge in demand. Employee shortages worsened by the pandemic have only helped to strain hardware supply chain output even further.

If you’re planning to make upgrades or replace any end-of-life (EOL) equipment, you should order it now to help ensure your institution gets what it needs in time. Another issue is not about ordering the hardware; it’s about having time to properly execute the implementation. For instance, if you need new servers, routers, or phone systems, you need ample lead time to design the project, sufficient time for deployment, and additional time to ensure everything works properly post-implementation. Thinking ahead will make the hardware acquisition and implementation much easier to manage in the long run.

Potential Impact of Not Planning Ahead

Lack of effective planning for hardware purchases could result in serious complications. For instance, if you need a new phone system, you might not be able to secure phones, switches, and routers in time for your scheduled implementation. The delivery delay could be several months which not only impacts deployment but also results in a disruption to your current business functions.

In addition, a delay in installing new equipment could lead to security problems. Often, the new version of software will not install on old hardware, which could leave your institution using obsolete software that doesn’t get the appropriate patches and updates. So, actively researching any EOL issues that could lead to this problem is critical. (Incidentally, Microsoft Server 2012 is coming up on its EOL.)

Keeping hardware and software properly updated is also a matter of regulatory compliance for financial institutions. According to the FFIEC Examination Handbook’s Architecture, Infrastructure, and Operations booklet, management should implement policies, standards, and procedures to identify assets and their EOL time frames, track those EOLs, and replace or upgrade the assets. The guidance states, “Failure to maintain effective identification, tracking, and replacement processes could have operational or security implications (e.g., unavailable or unapplied security updates [patches] that make technology vulnerable to disruption).”

The bottom line is: If you need any IT equipment, it could be months before it’s available. So, plan your project accordingly and order the hardware as soon as possible to ensure the success of your implementation timeline. If you need assistance with researching lead times on hardware such as servers, routers, firewalls, network switches, and more or would like support with EOL products and planning for what is ahead, Safe Systems has experts on hand to help.

18 Aug 2021
How Banks and Credit Unions Are Responding to Emerging Cybersecurity Threats

Cybercriminals are always looking for new ways to bypass defense measures and exploit emerging weaknesses. Today, financial institutions are fending off security threats that are more ubiquitous, complex, and costly.

As more employees than ever before engage in remote work and online collaboration, this presents a host of potential security gaps. Unsecured home Wi-Fi networks, remote servers, mobile devices, a lack of encryption, and inadequate intrusion detection software are just a few of the factors that contribute to a spike in cyber attacks.

From an internal operations standpoint, it’s equally as important for financial institutions to secure data from basic human error, as 85 percent of data breaches involve a human element, according to the Verizon 2021 Data Breach Investigations Report. Employee awareness training can be the first (and best) defense against emerging cybersecurity threats like business email compromise which is designed to trick people into processing a payment or sharing valuable information.

Leveraging the Latest Technology

Next-generation firewalls (NGFWs) and cloud platforms can also support organizations’ efforts to combat cybersecurity threats. NGFWs offer advanced features that make risk easier to detect, manage and eliminate. SSL/TLS inspection can ensure that encrypted traffic is safe to transmit over the firewall. In addition, threat feeds can help firewalls effectively analyze traffic and route potentially dangerous traffic to a virtual “sandbox,” where it can be processed securely. Automated log analysis is then used to enhance the difficult job of managing voluminous logs and resolving security issues. To learn more about how these advanced features work, listen to our recorded webinar, “Firewall Chat: A Panel Discussion on the Technical Advances in Firewalls”.

Cloud computing is also providing benefits to financial institutions to enhance their security resources. While cloud technology is nothing new, innovations from major platforms like Microsoft, Amazon and Google offer enticing advantages to moving data and business processes into the cloud. But it’s important to keep in mind that employing cloud services requires institutions to use different security practices in order to minimize data breaches and other cyber threats.

Growing Need for Insurance and Expertise

As another developing trend, more companies are adding cyber insurance to their security toolbox. A cyber insurance policy can be an effective way to mitigate risk related to financial losses from cyber attacks. But with more cybercrime happening, organizations can expect to see higher premiums, decreased limits, and changes in exclusions for certain losses.

As cybersecurity threats become more frequent, sophisticated and expensive, financial institutions need to apply more vigilance and expertise to keep hackers at bay. Safe Systems can help ensure that community banks and credit unions have the technical resources they need to effectively address the latest security issues. Managed Perimeter Defense (MPD) offers a combination of professional IT solutions, including device monitoring and management, sandbox analysis, dynamic threat feed analysis, and SSL/TLS inspection.

09 Aug 2021
Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Implementing a technology-enhanced information security program doesn’t have to be a daunting task. Working with a third-party expert can make the process easier and smoother than managing all the requirements completely in house.

Effective information security (InfoSec) allows organizations to safeguard key IT assets, business processes and data from potential threats. It involves the broad measures that ensure the confidentiality, integrity and availability of the information being processed and stored by computer systems. Most financial institutions, especially those with limited IT resources, can benefit from having an outside vendor provide additional technical expertise and solutions to enhance their existing InfoSec program.

First State Bank Improves InfoSec with Safe Systems

First State Bank of Blakely, Ga. is a prime example of how a financial institution was able to tap external resources to expand its InfoSec program. The bank, which has about 100 employees and 10 branches, was handling most of its InfoSec requirements in house. But when First State Bank’s InfoSec consultant retired, the bank opted to expand its vendor management relationship with Safe Systems to include information security.

Safe Systems made the implementation quick and easy, recommending strategic tweaks that significantly streamlined the process. Consequently, First State Bank was able to avoid “reinventing the wheel” by importing some of its existing information. And since the program elements are web-based and accessible through any internet browser, it will be easy for the bank to make future edits.

First State Bank’s IT Manager, William Barnes, specifically references Safe Systems’ expertise, saying: “The knowledge and experience of the experts I worked with during implementation were very helpful. It is good to know they are there to consult with. I think overall, we are in a good place with the new information security program.”

In addition, the program provides an easy-to-follow guide for securing the First State Bank’s operations and processes. The program is reviewed at least annually, which serves as a reminder of important security requirements. “It helps us stay on top of the risks within the bank and has all the available forms that we need for most policies and procedures,” Barnes says.

Benefits of Technology-Enabled InfoSec

Having a technology-enabled InfoSec program offers a host of benefits for institutions like First State Bank. In general, an automated security program can help banks better support the hardware, software, policies, procedures, and information assets needed to accomplish their business objectives. More specifically, incorporating technology can simplify an InfoSec program; it can streamline the process of identifying and classifying the vast number of assets institutions often have scattered across multiple branches and geographic locations. And a built-in risk assessment tool can provide pre-determined default risks for different assets based on commonly known threats and vulnerabilities.

All of this can reduce the need to create huge spreadsheets to maintain the amount of data typically required for an InfoSec program. As a result, financial institutions can have more accurate security-related information, enhanced board reporting, and better decision making and governance.

Consulting with a trusted vendor like Safe Systems allows institutions to immediately expand their information security expertise and resources. Safe Systems includes three applications in their service including Risk Assessment, Policy Manager, and Enterprise Modeling, to help banks and credit unions centralize and automate their InfoSec program. These powerful applications can make it easier for institutions to enhance their processes for assessments, notifications, reporting, policy/procedure updates and regulatory compliance so they can optimize their security posture.

04 Aug 2021
Technical Advances in Firewalls and How FIs Can Make The Most of Them

Firewalls have been a critical first line of defense in network security for decades. Over the years, they have evolved beyond simply filtering traffic between internal and external networks to offering more advanced features. Today banks and credit unions can capitalize on the technical innovations of next-generation firewalls (NGFW) to significantly enhance their network security.

NGFW Features

NGFWs offer a combination of advanced elements that can help financial institutions better manage incoming and outgoing traffic. Encryption is one example and is a key defensive weapon—but it can be a two-edged sword. While encryption is designed to ensure that only the intended audience can see the data being sent, a network’s security system may not be able to properly view, examine, and identify the encrypted traffic.

When a firewall receives encrypted traffic, it has to unscramble it into readable, usable, plain text. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) inspection are required to allow this unscrambling. Without these next-gen inspection features, it is estimated that more than 80% of internet traffic will traverse the firewall uninspected. This means encrypted web traffic can deliver malware to the client without the firewall ever knowing it. Additionally, many advanced firewalls employ “sandboxing,” which ensures suspicious traffic is processed in a secure alternative environment without posing risks to the production network.

Many NGFWs also use what are known as “dynamic” and “static” threat feeds. These lists of potential and current threats enable the firewall to determine whether certain traffic will be passed through or denied. Suspicious traffic gets flagged and remains in the database to support future evaluations.

With threat feeds, a static list is generally used for a small number of IP addresses, in part because it requires more manual labor to maintain and update. A dynamic list is typically automated from the cloud, which makes it less user-intensive, easier to keep updated, and more effective than a static list. Geo IP filtering, for example, is one type of dynamic feed that institutions can use to block inbound or outbound traffic to or from certain countries.

Website whitelisting and cross-site hosting are additional considerations when managing and troubleshooting firewalls. Whitelisting (allow-listing) creates explicit exceptions for sites that the firewall's category or reputation filters would otherwise block. Cross-site hosting comes into play when a permitted site loads content from a different but related domain, such as a content delivery network; that related domain must be allowed as well or the page will not work, even though the user only requested the original site.

With advanced firewall devices, logs and log analysis are especially critical. Firewall logs record the connections and security events the device sees and are a primary source for identifying issues that affect performance, compliance, and security. Because a single 24-hour period can produce millions of log lines, reviewing them manually is not realistic. NGFW features such as automated log collection, forwarding, and analysis, together with retention long enough to support an investigation, let institutions gather and manage log data so they can detect and address potential security problems far more effectively.
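As an added illustration (this is example code written for this page, not code from the original post or from Safe Systems), the following Python script reproduces in miniature what the threat-feed and log-analysis paragraphs above describe. It parses a dynamic feed that mixes single addresses and CIDR prefixes, checks the external side of each connection in a handful of constructed firewall log lines against a static list, the dynamic feed, and a geo-IP table, and separates matches the firewall already denied from those it allowed, which are the ones that need follow-up. The log format, every address, the feed contents, and the country table are all constructed for the example and use documentation address space.

```python
"""Added example (not Safe Systems' code): the threat-feed and log-review logic
described above, run over constructed firewall log lines. Log format, addresses,
feed and country table are invented (RFC 5737/6598 space) for illustration."""
import ipaddress
import re
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # the bank's own space (constructed)

# Static list: short and hand-maintained, so small by nature.
STATIC_BLOCKLIST = ["203.0.113.7", "198.51.100.0/24"]

# Dynamic feed as delivered by a cloud service: '#' comments, blank lines,
# plain IPs and CIDR prefixes mixed together (constructed sample).
DYNAMIC_FEED_TEXT = """\
# vendor threat feed
192.0.2.0/24      # scanner block
203.0.113.99      # known C2 host

100.64.5.10
"""

# GeoIP database reduced to a toy prefix -> country table; AA is blocked.
GEOIP_TABLE = {"192.0.2.0/24": "AA", "203.0.113.0/24": "BB", "100.64.0.0/10": "AA"}
BLOCKED_COUNTRIES = {"AA"}

# Constructed log lines in the key=value style typical of firewall syslog.
SAMPLE_LOG = """\
2021-04-08T10:01:02Z action=allow src=10.1.4.22 dst=192.0.2.45 dport=443
2021-04-08T10:01:03Z action=allow src=10.1.4.22 dst=203.0.113.20 dport=443
2021-04-08T10:01:09Z action=allow src=10.1.7.9 dst=203.0.113.99 dport=8443
2021-04-08T10:02:11Z action=deny src=198.51.100.23 dst=10.0.0.5 dport=22
2021-04-08T10:02:12Z action=allow src=10.1.4.22 dst=100.64.5.10 dport=80
this line is not a log record
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def parse_feed(text):
    """Feed text (IPs and CIDRs, '#' comments, blank lines) -> list of networks."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_any(ip, nets):
    return any(ip in net for net in nets)


def country_of(ip, table):
    """Longest-prefix match against the toy GeoIP table; None if unknown."""
    ip, best = ipaddress.ip_address(str(ip)), None
    for prefix, cc in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else None


@dataclass
class Finding:
    line_no: int
    action: str        # what the firewall actually did with the connection
    external_ip: str
    reasons: list      # which lists the external address matched


def review_log(log_text, static_list, dynamic_feed, geo_table, blocked_cc):
    """Check the external side of every parsed connection against all lists."""
    static_nets, dynamic_nets = parse_feed("\n".join(static_list)), parse_feed(dynamic_feed)
    findings, skipped = [], 0
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            skipped += 1       # count unparseable lines rather than dropping them silently
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        external = dst if in_any(src, INTERNAL_NETS) else src
        reasons = []
        if in_any(external, static_nets):
            reasons.append("static-blocklist")
        if in_any(external, dynamic_nets):
            reasons.append("dynamic-feed")
        cc = country_of(external, geo_table)
        if cc in blocked_cc:
            reasons.append(f"geo:{cc}")
        if reasons:
            findings.append(Finding(line_no, m["action"], str(external), reasons))
    return findings, skipped


def allowed_hits(findings):
    """Findings worth a ticket: traffic the firewall let through despite a match."""
    return [f for f in findings if f.action == "allow"]
```

Running `review_log` over the sample yields four matches: three allowed connections that hit the dynamic feed (two of them also in a blocked country) and one inbound attempt from a static-list address that the firewall had already denied. The malformed line is counted rather than discarded, because a log pipeline that silently drops records hides exactly the gaps an examiner will ask about.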

So which NGFW features are the most important? All of them are important. They’re intended to complement each other and work together toward a common goal: enhancing network security.

There are a few additional, important aspects to consider when implementing a firewall, such as ingress vs. egress rules, cloud services, or content delivery networks, protecting a remote workforce, and ongoing employee training. To learn more about these and all the advanced firewall features, listen to our webinar, “Firewall Chat: A Panel Discussion on the Technical Advances in Firewalls.”

29 Jul 2021
2021 Hot Topics in Compliance

2021 Hot Topics in Compliance: Mid-Year Update

While the COVID-19 pandemic certainly isn’t over, financial institutions have learned valuable lessons so far. In retrospect, the pandemic’s impact on community banks and credit unions hasn’t been as catastrophic as examiners had initially feared—at least not financially. Key impacts have been mostly operational, involving risk related to temporary measures taken to weather the crisis. For instance, examiners will want to know what modifications institutions have made to their operational processes to accommodate an increasingly mobile customer and member base and remote employees, and whether they accounted for additional fraud, cyber threats, or other risks as a consequence. If institutions implemented new products or services, they would need to also account for the operational risk associated with these changes—especially if additional third-party providers were involved. That said, throughout the pandemic, the overall industry demonstrated a very high level of resilience.

In addition to the pandemic's lessons, there are other important compliance trends and new regulatory guidance that institutions should anticipate for the rest of the year:

Emphasis on Ransomware Cybersecurity

Ransomware has recently been a key area of focus for regulators, and given the high-profile cyber events affecting the industry, their scrutiny will likely increase going forward. This will be reflected, in part, in the number and types of assessments they expect financial institutions to perform annually, including the familiar Cybersecurity Assessment Tool (CAT) and the newer, non-compulsory Ransomware Self-Assessment Tool (R-SAT), developed in part by state regulatory bodies.

At the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) offers its Cyber Security Evaluation Tool (CSET), which is not specific to the financial industry but is designed to apply across sectors. And the National Credit Union Administration (NCUA) decided earlier this year to move away from its version of the CAT, the Automated Cybersecurity Evaluation Toolbox (ACET), in favor of a modified InTREx for Credit Unions (InTREx-CU), designed to help credit unions identify and remediate potential high-risk areas, including within the cybersecurity controls domain.

Changes with Cyber Insurance

Major shifts are also happening in cyber insurance. Because insurers have absorbed heavy losses, institutions should expect higher deductibles, more exclusions, and lower limits on cyber coverage. Cyber insurance, which regulators do not strictly require, is going to be more difficult and expensive to obtain. The lesson: as policies come due, do not renew automatically. Assess what has changed in coverages, exclusions, and limitations, and make sure you have documented your cost-benefit decision.

New Guidance on Architecture, Infrastructure, and Operations

In June, the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. The updated guidance, which replaces the “Operations” booklet issued in July 2004, acknowledges the inextricable link between an institution’s operations, architecture, and infrastructure. Or as a recent FFIEC press release states:

“The booklet discusses the interconnectedness among an entity’s assets, processes, and third-party service providers, along with the principles, processes, potential threats, and examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.”

The booklet provides a fresh take on several concepts: It recognizes different treatments for smaller or less complex institutions and adopts a different approach to data classification by factoring in value with criticality and sensitivity. All entities—not just credit unions and banks but also non-financial, third-party service providers—are expected to adhere to the guidance.

In addition, there are also pending new rules for incident notifications for banks, service providers, and core providers, which isn’t surprising with all the recent cybersecurity attacks. Finally, examiners are also expecting more detailed board reporting, such as showing how an institution’s business continuity management plan, business strategy, and risk appetite are all aligned.

For more information about the latest expectations, compliance trends, and regulatory guidance, listen to our “2021 Hot Topics in Compliance: Mid-Year Update” webinar.

22 Jul 2021
How Financial Institutions Can Enhance Board Reporting and Governance with Technology

As financial institutions face greater expectations for corporate accountability from regulators, effective board reporting and governance are becoming even more essential in the banking sector. While board members aren’t generally involved in the day-to-day operations, they are ultimately responsible for the success of their institution. Proper reporting can enable the board to make decisions without having to be involved in routine activities, and technology can help institutions enhance their board reporting and, in the process, help directors exercise the care, skill, and diligence required for good governance.

Five Essential Elements of Reporting

Board members need access to a range of financial and non-financial information relating to their organization’s products and services. In order to function effectively as a feedback tool for the board and senior management, the FFIEC Management Handbook states that information systems reporting should meet five essential elements:

  • Timeliness: To facilitate prompt decision-making, an institution’s information systems should be capable of providing and distributing current information to appropriate management or staff
  • Accuracy: A sound system of automated and manual internal controls should exist to ensure the validity of the information and should include appropriate editing, balancing, and internal control checks
  • Consistency: To be reliable, data should be processed and compiled uniformly. Variations in data collection and reporting methods can distort information and trend analysis
  • Completeness: Reports should contain the necessary information to inform decision-makers without voluminous detail
  • Relevance: Information systems should provide current, applicable, and actionable information

Reporting that contains the essential elements above can provide decision-makers with facts that support and enhance the overall decision-making process and can also “…improve job performance throughout an institution.” At the board and senior management level, information systems reporting provides the data and information to help the board and management make strategic decisions. At other levels, information systems reporting allows management to monitor the institution’s activities and distribute information to staff, customers, and members of management.

Applying Technology

Advances in technology have increased the volume of data and information available to management and directors for planning and decision-making. Converting that data into actionable knowledge is essential if the board is to provide a "credible challenge" to management: being actively engaged, asking thoughtful questions, and exercising independent judgment. By integrating technology into their InfoSec efforts, institutions can build a comprehensive system to generate, collect, and analyze data, supporting a more effective board reporting process and a more knowledgeable board.

Heather Helms, CFO and Information Security Officer of Mount Vernon Bank, knows firsthand the importance of having an application that supports board reporting. "Before we started our partnership with Safe Systems, we were not up to par with the industry standards of reporting. Since redoing our Information Security Program and moving away from a paper-based model to automated applications, we've seen noticeably better results in our board reporting and regulatory updates," said Helms. "When trying to wear numerous hats within a small community bank and stay on top of a topic so huge in a regulatory world, solutions like Safe Systems' Information Security Program make all of the difference."

There are several advantages to using technology to automate and optimize board reporting and governance. The primary one is on-demand reporting on every aspect of information security management, from managing projects, to risk assessments (including risk appetite), to managing critical vendors, to mitigating operational risk through business continuity planning. Reporting should give the board enough detail to fulfill its responsibilities without so much that directors struggle to take it in. Ideally, technology supports high-level reporting with the ability to "drill down" as necessary. The emphasis should be on quality, not quantity.

Another potential advantage of technology in reporting is the ability to aggregate business intelligence from multiple sources enterprise-wide. This not only gives the board a more complete picture of risk but can also stimulate internal collaboration and deeper insights, giving directors more meaningful information for analysis. The importance of timely, accurate, relevant, complete, and consistent information cannot be overstated, as the success or failure of management is often defined by the decisions they make. As the FDIC states, “The extreme importance of a bank director’s position is clearly emphasized by the fact that bank directors can, in certain instances, be held personally liable.” By having a comprehensive system in place for optimal decision-making, institutions can improve the quality of the information flowing from management to the board, and then from the board to other internal and external stakeholders—helping directors not only improve governance, but also enhance regulatory compliance and possibly even reduce lawsuits, monetary fines, and other negative consequences from inadequate board reporting.

Technology not only optimizes board reporting and decision-making but also makes it easier for directors to access the information they need to perform their due diligence and oversight obligations. It all boils down to implementing technology to exercise better accountability—ensuring sound policies are in place to promote strategic objectives and regulatory compliance.

Safe Systems offers a wide range of compliance-centric, innovative solutions that can help financial institutions take advantage of technology to improve their board reporting and governance.

01 Jul 2021
Benefits of Integrating Technology into Your InfoSec Program

Information security (InfoSec) is a critical aspect of keeping an organization’s computers, networks, sensitive information, and users safe from potential threats. Integrating technology into a financial institution’s InfoSec program can make it easier to manage risk and protect their information and infrastructure assets. Institutions can utilize automation to capitalize on a variety of other benefits, including:

Simplicity

Banking is a complex business. Banks and credit unions maintain a wide assortment of information technology devices, systems, and applications to support their operations. They also have multiple personnel, partners, and third-party providers spread across different geographic areas. The interconnectivity of their operations can make it even harder for institutions to protect the hundreds (and in some cases, thousands) of assets they must maintain. An automated system can make it easier for institutions to inventory and classify their assets without creating enormous, time-consuming spreadsheets. It provides a centralized solution for tracking the criticality, location, and risk exposure level of each asset. Identifying the source of risk is the essential first step to effective risk management, and technology, including Software as a Service (SaaS) applications, can greatly simplify the process of inventorying assets, assessing the risk, and selecting controls. Technology can also deliver automatic updates so that policies and procedures stay current with industry standards and regulatory requirements. Additionally, on-demand reporting can be generated to provide the requisite documentation to management committees, the board of directors, and regulatory authorities.

Completeness and Transparency

Integrating technology can help financial institutions get a clearer sense of their security posture, so they can develop a more complete InfoSec program. Automation makes it easier to identify and categorize each asset, along with its related risks, threats, and controls. This can enable institutions to make a more accurate assessment of where their security risks actually lie. With enhanced transparency, institutions can determine the most appropriate level of protection for each of their assets. As a result, they can more effectively use, manage, and secure these assets. Proactively identifying risks, threats and controls can also better position them to minimize the impact of security incidents in the future.

Better Intelligence and Insights

Some financial institutions rely on manual spreadsheets to manage the vast amount of information and other assets in their InfoSec program. But manual spreadsheets are not always the most effective tracking and reporting mechanism. People can inadvertently feed the wrong data into spreadsheets and produce unreliable results (“garbage in, garbage out”). Plus, since creating spreadsheets is such a repetitive and time-consuming process, information may be infrequently updated—which can make it less timely and thus less useful. However, integrating technology can help institutions enhance the accuracy of the intelligence that supports their InfoSec program. In turn, their board and management can have better insights into the important issues that impact the information security of their organization, which in turn empowers them to make better decisions.

Enhanced Reporting

To make the best decisions for their institution and perform their fiduciary oversight duties, boards and management committees need accurate, relevant, and timely information. By incorporating technology in their InfoSec program, institutions can put an efficient process in place to generate, collect, and analyze data to support board and committee reporting. This can enhance the overall quality of the information being reported to the board, shareholders, and auditors, and regulators. Optimized, on-demand reporting can improve governance, foster compliance, and potentially reduce negative consequences from inadequate board reporting.

Resource Collaboration and Augmentation

InfoSec resources are limited at many financial institutions, and most community banks and credit unions do not have a dedicated InfoSec specialist in-house. Information security officers (ISOs) tend to wear multiple hats and are often stretched thin by their broad range of responsibilities. A centralized, multi-user application lets the ISO draw on internal resources wherever and whenever possible. For example, a department head or process owner is a valuable internal resource for assessing the vendors that affect the department's functions, and the process owner (not necessarily the ISO) is the most logical choice to perform that process's Business Impact Analysis. In this way, InfoSec becomes an "all hands on deck" operation, with all personnel sharing ownership of the process. Outsourcing additional aspects of InfoSec through a virtual ISO service can add subject matter expertise and solutions to further support the designated ISO and the overall security of the institution's systems and information.

Read more about the benefits of integrating technology into your information security. Download our white paper on “How Financial Institutions Can Use Technology to Build an Automated, FFIEC-compliant Information Security Program.”

24 Jun 2021
Automating Your Information Security Program - How Technology Can Get Policies Off the Shelf

Working with paper-based information security policies can be limiting for financial institutions. Automation allows banks and credit unions to take their policies off the shelf and move them online to reap multiple benefits.

There are two major challenges with a static, paper-based information security program: the first is making sure policies accurately reflect the financial industry's current guidance and best practices, and the second is making sure they accurately reflect your institution's specific practices. Often new paragraphs and sections get added to cover additional policies while almost nothing gets removed, or a revision in one section of the program is not carried through to all related areas.

These twin challenges are the primary cause of disconnects between policies, procedures, and practices, and of compliance-related findings from IT auditors and examiners. Today examiners scrutinize documents far more closely, and they expect to see documentation proving that institutions are doing what their policies say they do. Policy disconnects and inadequate IT documentation also reflect poorly on management; it is not unusual for us to see weaknesses in the IT area pull down the Management component of an institution's CAMELS rating. In a study conducted by the OCC earlier this year, researchers found that:

“… both the CAMELS composite and Management component ratings have significant predictive power for features of the distribution of banks’ return on assets (ROA), non-performing loans (NPL), stock returns, stock return volatilities, and market-to-book ratios.”

Advantages of Automation

Leveraging technology for an information security (InfoSec) program offers significant benefits by addressing both challenges. A key advantage is that it places all InfoSec related documents in one place where personnel can easily access them. Having a digitally enhanced program makes it easier to minimize exam findings related to inconsistencies between policies (what you say you’re going to do) and procedures (how you say you’re going to do them). Automation streamlines the process of updating policies and documenting the corresponding procedures that are in place to support them.

Another advantage is that automation promotes personnel collaboration and engagement in the information security process. A web portal where staff can access the policies and procedures for their own area enables collaboration, encourages engagement, and helps generate buy-in. As a result, personnel become better informed and more engaged in the information security program.

Automation also supports change management by facilitating periodic, detailed reporting to update various stakeholders about the status of the information security program. Reports can focus on a specific area or be customized for different stakeholders who may need more specialized reporting. They may be high-level summaries, or highly detailed. Most importantly, as regulatory guidance and best practice evolve, automation can allow policy updates to happen with the click of a button.

Our Unique Approach

At Safe Systems, we took a unique and comprehensive approach when creating our new Information Security Program solution. It includes a comprehensive set of policies and a process-based risk assessment, and it is structured around the Information Security and Management booklets of the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook. It also features a detailed, easy-to-navigate table of contents that will look familiar to auditors and examiners. The idea is to make it as easy as possible for IT auditors and examiners to find what they're looking for, so they can move on to other areas!

Another way our approach is unique is that our methodology starts with enterprise modeling: We find out everything about the institution’s departments, processes, functions, and required interdependencies. That data then flows directly into the risk assessment and links to other areas that may be added later, such as business continuity management or vendor management. All of these areas will “talk” to the model to support automatic updating whenever global changes are made.

Positive Feedback

Our Information Security Program—which has been years in the making and incorporates everything we’ve learned about what does and doesn’t work—is effectively simplifying an inherently complex process for institutions of all types and sizes. So far, we’ve heard great feedback from auditors, examiners, and customers. (In fact, the risk assessment was developed in close collaboration with IT auditors.) Customers are finding our information security program much easier to manage than having multiple disjointed policies in Word documents and PDFs strewn across disparate folders. They can access policies without worrying if they have the most current version. And our broad and deep understanding of financial institution risk management allows us to start with a pre-filled set of policies, which are then customized to each institution. This greatly accelerates the onboarding process. Customers also like being able to work one-on-one with our team to build a process-based risk assessment model, being able to customize policy language as needed, and not worrying about what changes to make, or where to make them.

For more details, listen to our webinar on “Automating Your Information Security Program: How Technology Can Get Policies Off The Shelf.”

10 Jun 2021
Resource Center

Technology, Compliance, and Security Best Practices – All in One Place

A few years have passed since we launched the Safe Systems online Resource Center, which provides community banks and credit unions access to a centralized knowledge base of materials that help you learn more about technology, compliance, and security best practices.

With a wide variety of content, ranging from videos to white papers to case studies, the Resource Center allows you to stay current with the latest trends and insights in the industry. For example, visit the Resource Center to view our latest webinar, infographic, or a short and timely blog. Come back often, as we add new content every week!

Just in case you missed our Resource Center reveal, or you would like a few more details on what it has to offer, please view the original blog post here.

27 May 2021
Kids on Banking – 3 Years Later…

It’s been almost 3 years since our 25th anniversary, and thus, the introduction of our Kids on Banking project. Designed to give us a refreshing perspective on banking from the minds of children, Kids on Banking offers a little comedic relief in stressful times. Who knew banking concepts could be so fun?!

While we are so grateful to have spent the last 28 years serving more than 600 financial institutions and managing more than 20,000 network devices, we are even more excited to see what the next 28+ have in store.

In case you missed our original Kids on Banking reveal, view the blog (and adorable video!) here.

13 May 2021
Is Your Financial Institution BCM Compliant?

It’s been a few years since the FFIEC updated its BCM IT Examination Handbook and expanded its focus from “business continuity planning (BCP)” to “business continuity management (BCM).” While most financial institutions should already be aware of the updates to the handbook, it’s always beneficial for banks and credit unions to refresh their plan to remain up to date and compliant when it relates to business continuity.

In a recent post, Safe Systems' compliance expert, Tom Hinkel, discusses five key points to keep in mind when evaluating your Business Continuity Management plan:

  • Resilience
  • Entities vs. Institutions
  • MAD vs. MTD
  • Exercises and Tests
  • Guidance vs. Requirements

In case you missed the full blog, view it here.

22 Apr 2021
Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

As part of business continuity management (BCM), banks and credit unions must ensure they can maintain and recover their operations after a catastrophic event happens. Their BCM strategy should outline all the significant actions they intend to take after a natural disaster, technological failure, human error, terrorism, or cyber attack. The goal is to lessen the disaster’s impact on business operations, so the financial institution can continue running with minimal loss and downtime.

Disaster recovery (DR) is essentially the IT component of the business continuity plan. According to the Business Continuity Management booklet of the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook, it should address the recovery of data centers, networks, servers, storage, service monitoring, user support, and the related software needed to return operations to normal.

The Need for a Comprehensive DR Solution

Financial institutions must have effective DR measures in place to ensure they can deliver the resources their employees need to continue serving customers after a disaster. That’s why having a comprehensive DR service is so critical. The simplest and most cost-effective way to accomplish this is with a cloud-based solution.

With DR in the cloud, institutions are better prepared to respond to natural and man-made disasters as well as infrastructure and technology failures, because the recovery copy of their data lives outside the affected site. This matters when a severe storm damages an entire city, including multiple locations of a community financial institution; on-site recovery is not possible in that case, which makes the cloud the most viable option. The March 25, 2021 outbreak of tornadoes in central Alabama, which according to the National Weather Service tore through hundreds of miles of forest and neighborhoods and caused significant damage, is a good example of the potential need for cloud DR.

The cloud provides major benefits in any DR situation, including ease, expediency, and efficiency. If institutions have been taking ongoing backups, they can leverage the cloud to initiate DR right away. The process is quick; recovery can take minutes instead of the hours or days older DR solutions required. However, DR processes must be set up so that they are not subject to the same issues that affect the institution's production systems. Take, for instance, the rapidly growing problem of ransomware. Cloud DR services should be structured so that the backups cannot be encrypted or deleted by the same ransomware: keep at least one copy that is immutable or offline, use separate credentials for the backup platform rather than the same domain administrator accounts, and verify that a compromised production server cannot reach or modify the recovery copies.

Essential Aspects of a DR Service

One essential element of a cloud DR service is testing. Test results should be documented and available for management and the board of directors to scrutinize, so the institution can confirm the service is meeting its expectations. Institutions that are not using a comprehensive DR service are more likely to postpone the testing and validation steps that are critical to business continuity planning (BCP). It's basic human nature: IT admins tend to prioritize urgent day-to-day issues over routine testing.

So, either testing doesn’t get done regularly or it doesn’t happen at all. A third-party DR service with a team of experts available can make sure testing gets done at the proper time. Another important issue for institutions is having IT staff available with the appropriate knowledge when a disaster strikes. With an external service provider, someone with the right expertise will always be there to execute the disaster recovery. So, the success of the institution’s DR plan will not depend on the availability of just a few employees.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. It can give financial institutions the best bang for their buck. Not using cloud DR can be cost-prohibitive for many institutions, considering the hardware and software requirements, maintenance, ongoing testing, and documentation required. Ultimately, a cloud DR solution from an external service provider can give institutions the comfort of knowing their DR plan is being adequately tested and will work during a real disaster.