Compliance Archives - Page 3 of 4

10 Jan 2019

Banks, Compliance, Credit Unions Chuck Copland 0 comment

Overcoming Common Challenges when Communicating with the Board

The Board of Directors for any bank or credit union sets the tone and direction for the institution, including how the institution leverages information technology. While these Directors are generally not directly involved in the day-to-day operations, they are still responsible for ensuring that the institution operates in a safe and sound manner. The Board is expected to not only set strategy for the institution’s IT Risk Management program, but to also monitor how well the ITRM program is working and to provide a “credible challenge” to management.

Effective communication is crucial to this process but presenting complex information security and cybersecurity information to the Board can be challenging. Here are four common challenges you might encounter when reporting to your Board or Steering Committee, as well as some strategies to help overcome each:

Time Constrained

Board meeting agendas are jam-packed with important business, so you may not have much time to communicate your portion. Often, the Board cannot dedicate more than 15-20 minutes to ITRM, and this is precious little time to fully explain complex or nuanced topics.

Focus on high-level summary information. Whenever possible, consider featuring charts and graphs to help visualize data.
Highlight both the shortfalls and positives. Often a traffic-signal approach can be helpful here by highlighting positives in green and issues in red.
Show your work! Information presented in a brief manner may minimize the importance of the topic or work involved. Explain why your topic is important to the bigger picture, and brag on your team for their hard work.

Automating Your Compliance Processes with Technology Get a Copy

Over-Engaged

This type of Board is one that desires to know and understand every little detail. Deep engagement with IT is a wonderful problem to have, but it can quickly derail a presentation.

Save questions for the end. If your Board is open to this, it will help you make it through all your material in the time allotted.
Be open to follow-up discussions. When a discussion strays too far into the fine details, consider gently suggesting a follow-up meeting to discuss the topic in further detail.
Anticipate likely questions. Be prepared for questions such as:
- How did it get this way?
- What are we doing about it?
- Can we do this internally, or do we need to bring in a third party?
- Why do we have to do this?
- How do we compare to our peers?
- What does that mean?

Laser-Focused Perspective

Some Boards tend to steer any discussion toward a certain topic or key metric near and dear to their heart. Regardless of if this topic is related to cost, culture, legal, customer service, or any other concern, if it matters to your Board then it matters to you.

Frame your presentation in the Board’s terms. How can you fit your topic into the context of what resonates with the Board?
Don’t bury the lead. Start your presentation with the topic that matters to your Board in order to capture their attention and make them more receptive to the rest of your presentation. If, for example, your Board is sensitive to costs, then don’t keep the Board waiting on the price tag for a new initiative.
Seek Director assistance. If a Board member is a subject matter expert in an area, then ask for their (brief) input while planning your presentation. This approach helps streamline conversations during meeting, and may help your message resonate better with the rest of the Board.

Not Tech Savvy

Boards have a wide range of responsibilities and cannot be experts in every area. Your Board may not be well-versed in technology concepts, especially emerging technologies and cyber threats.

Education is key. The Board meeting is not the right time for in-depth training, but you can throw in small reminders as to why metrics like patch status or backup success matter to the bottom line. ISO’s should also make educational materials available for the Board to review at their convenience or arrange separate training sessions for the Board on critical topics. Another option is to reserve training time on the standard agenda for a monthly topic or Q&A (if you can get it).
Utilize subject matter experts. Experts may be better armed to explain a topic or field questions. Don’t be afraid to call on your coworkers or trusted third parties as reinforcements to help get the message across.
Relate topics to real world examples. You don’t have to look far to find news of the latest data breach or ransomware attack – these all make excellent cautionary tales to underscore the importance of preventative measures.

To efficiently and effectively support the Board at your institution, you need to know your audience. Board members are not always experts in information technology and cybersecurity, but a “rubber-stamp” approach to these topics is no longer adequate for regulators. Your Board needs the right information in the right context to make the right decisions and provide that all important “credible challenge”.

19 Dec 2018

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

Safe Systems Launches “Banking Bits and Bytes with Brendan” Educational Video Series

Safe Systems launched a new educational video series, “Banking Bits and Bytes with Brendan,” to help educate and inform customers and the financial services industry on trends and issues the industry is dealing with on a day-to-day basis. Banking Bits and Bytes with Brendan will showcase our Chief Technology Office, Brendan McGowan, who is an expert in all things related to banking technology.

Each video is a small bite of information (approximately 2-3 minutes in duration) that teaches viewers complex technology, compliance, and security topics. The videos will be sorted by topic and can be watched at the viewer’s own pace and convenience.

This video series is a way for us to help educate our customers by leveraging the expertise gained from 25 years serving community financial institutions. As the industry continues to change and evolve at a rapid pace, our knowledgeable staff serves as a valuable asset to guide our customers and help them ensure compliance, streamline processes and provide superior service in their communities. Brendan’s expertise, knowledge, and insights in banking technology will ensure each video is a valuable resource for the industry.

Here at Safe Systems, Brendan oversees the development of strategic technology solutions that support key banking initiatives for community banks and credit unions and enhance their ability to manage IT in an effective and compliant manner. In 2016, he was named to Georgia Southern University’s 2016 40 Under 40 List, which highlights professionals who represent the best young leaders under the age of 40.

The first Banking Bits and Bytes with Brendan video series focuses on Managed Cloud Services, a broad topic where Brendan addresses common questions, dispels myths, and offers advice on the best way to think about and implement a cloud strategy. Each video is hosted on YouTube as well as this website.

The first two video lessons in the Managed Cloud Services series are now live on our website. View the video below or visit the Banking Bits and Bytes with Brendan page to watch other videos.

12 Dec 2018

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Developing the Right IT Structure For Your Financial Institution in 2019

The quality and involvement of the Board and senior management is probably the single most important element in the successful operation of a financial institution. While senior management (and certainly the Board) may not typically be involved in day-to-day IT operations, they must be knowledgeable about what is happening in the department and what the institution needs to be successful and to meet regulatory expectations.

The Role of the Board

The Board of Directors plays a crucial role in setting the tone and direction for an institution’s use of IT. In fact, board engagement is now more important than ever as both the FFIEC Management Handbook and the Information Security Handbook focus specifically on the responsibility and accountability of the Board as it relates to information technology oversight. Boards that do not heed these new standards run the risk of penalties, lowered CAMELS Scores and audit rankings, and in extreme circumstances, individual director financial accountability. In a recent conversation with an examiner, we learned that 80% of the deficiencies they are now seeing are management-related. The Board of Directors and senior management cannot just simply “delegate-and-forget” their responsibility when it comes to IT, just as they can’t for lending, deposit operations, funds management, or any other banking activity. They (especially the Board) are expected to be a vocal participant in the process and provide a “credible challenge” to management. This means the Board must be “actively engaged, asking thoughtful questions, and exercising independent judgment”. And to do that requires accurate, timely, relevant, and ultimately actionable, information.

Developing a Strategic Vision

Managing Risk with Truly Secure Vendor Management Program Get a Copy

The success of any institution begins with a solid shared understanding of the institution’s mission, vision, business model, risk profile, risk appetite, positive influences (strengths, opportunities) and adverse influences (weaknesses, threats). Once the Board of Directors establishes the strategic vision, it is shared with senior management who develops the policies and procedures. All policies and procedures must align with the strategic plan and vision of the organization. These written policies and procedures are passed on to a steering committee, who implements them into the institution, monitoring and managing to assure that actual day-to-day practices adhere to the written plan.

Along the way, the management team and Board of Directors must stay abreast of any necessary regulatory changes that may require adjustments to policies, or policy deviations that may require modifications to practices. This process is often provided by a steering committee, and this committee may be managements only window into IT. To be effective, the committee requires accurate and timely reporting and an understanding of how any changes and/or deviations may negatively impact the institutions ability to achieve its shared objectives. If adjustments are required, management must not only know what it takes to get back on (and remain on) course, they must also understand the consequences of inaction. Once again, all of this requires accurate, timely, relevant, and actionable information.

Financial institution management is bombarded with data from all sides, and this trend will continue (and accelerate) in 2019. The challenge is to sift through that data to extract the information which, when combined with knowledge, are necessary to manage the institution to the satisfaction of shareholders, customers, and regulators. Reports alone are no longer sufficient; they must be combined with an understanding of what the reports actually say, what conclusions can be drawn, and what actions should be taken. And along the way, the board and senior management must be kept informed and involved.

05 Dec 2018

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

More Kids on Banking

This year marks our 25th Anniversary and to honor the occasion, we developed Kids on Banking, which is designed to let us reminisce about our own childhood memories of going to the bank with our parents. While the banking industry has changed quite a bit since we were kids, and most trips to the bank and ATM have been replaced with the use of online banking and the simple use of an app, we were left wondering what it was like to see the banking environment through the eyes of kids today.

So, we asked a few, ranging in age from 5-11 years old for their unscripted opinions on banking and what exactly they think happens in a bank. They were very creative and had some insightful opinions that provided us with enough content to develop not one — but two — videos!

One of the questions we asked was, “How much money is inside the safe at a bank?” Apparently, banks today house a “thousand trillion billion dollars,” or “$399,” or maybe just “$100 or $50.” When it comes to saving money, we learned that “mostly money is saved for college or toys, but mostly toys!”

According to the kids, ATMs are for giving out money. All you have to do is put in a card, type a long random number and then “about a trillion dollars will start coming out.” If only this were true.

According to these kids, the president of the bank is responsible for signing papers and writing a lot of words, controlling the money and taxes, keeping the money safe, telling everyone when to “shut the door in case of a robber” and “people even come to the president to deliver grilled cheese.”

The pneumatic air tube is a favorite piece of banking equipment. It is “the thing that goes Fwsshhh straight up to the man upstairs!” It also is the thing that delivers lollypops and bills.

The kids really got us laughing and reminiscing about how we thought about banking when we were younger.

Check out our second video, More Kids on Banking, for a good laugh and help us celebrate a quarter century of serving community banks and credit unions.

For the last 25 years Safe Systems has worked with more than 600 financial institutions and managed more than 20,000 network devices. Safe Systems has found great success in helping community financial institutions significantly decrease costs, increase IT performance, enhance cybersecurity processes and improve their compliance postures.

28 Nov 2018

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

What Community Banks and Credit Unions Should Budget for in 2019

As 2018 winds down, banks and credit unions are thinking ahead to 2019. They are determining the new solutions, products, and enhancements needed to meet their strategic plans in 2019 and beyond. In addition, they are evaluating what needs to be updated or upgraded and the processes that can be improved upon.

There are three key areas banks and credit unions should focus on during budgeting season – technology, security and compliance. While lines that separate technology, security, and compliance are blurry at best, 2019 budgeting items for operations fall largely into these three buckets.

Compliance

While the focus of many examiners has shifted back to financial aspects of institutions, the top three findings our customers report relate to:

Vendor Management – Typically the current vendor management solution (if it exists at all) is deemed inadequate or insufficient. Often the solution doesn’t cover all vendors or provide a way to adequately assess these vendors.
Business Continuity Planning (BCP) – In the mid to late 2000’s many banks and credit unions updated their Business Continuity Plan. However, for many institutions, these plans have remained relatively unchanged for a decade now. Technology and business processes on the other hand, have changed rapidly over the last decade. The Federal Financial Institutions Examination Council (FFIEC) has also updated their guidance to address the current challenges of BCP. If the institution’s plan has not been thoroughly updated in a while, the institution may be at risk of a finding on a future exam.
With both of these findings there may be an additional finding of inadequate management or board oversight. Often these findings happen on the same exam and are followed with a concern with oversight. Many of the calls Safe Systems gets after an exam relate to these issues.

Avoid finding yourself under a Memorandum of Understanding or a Matters Require Attention by budgeting to ensure your compliance processes are up to date.

Vendor Management solutions can run from $2,500 to more than $6,000 per year. Business Continuity Plans can range more significantly from a couple of thousand to more than seven thousand dollars per year. Do some research and find some solutions that would meet your institution’s needs and identify their year one cost and annual cost thereafter.

Security

With attacks on the rise and businesses continually falling victim to cybercrime, security needs to be an institution’s priority. There are innovative solutions coming to market every day to help address security risks. These solutions can help mitigate the risks that your institution faces, but they can also cause confusion on where you should focus your attention. For the next several years, it is in the institution’s best interest to continually focus on the impending security landscape and verify that your budget reflects your strategy.

One place to start is to review your current solutions. Verify that your current investments are still applicable for your ever-changing environment. Upon investigation, you might find features that are available as an add-on to your current solution to help mitigate risk. You may also find holes in your current strategy that may need to be rectified.

Moving Beyond Traditional Firewall Protection to Develop an Integrated Security Ecosystem Get a Copy

As of October 2018, 90% of web traffic accessed through Chrome, the most popular web browser, was encrypted. These numbers have been increasing rapidly over the last few years. Many firewalls can only inspect unencrypted web traffic. This was a small risk when encrypted websites were less common. With the sudden rise of encrypted web traffic, many firewalls are NOT equipped to scan this data. It is possible to scan encrypted web traffic, but for many institutions this will require changes and additional investment. The risk of not scanning this encrypted web traffic significantly increases the chances of your institution becoming a victim of a malware outbreak or a data breach. Examiners in some regions have started to pick up on this security hole, and they are encouraging institutions to address this issue.

Another area of concern for institutions is new and emerging threats. Attackers are continually innovating and improving their attack methods, and basic security solutions may not be enough to detect and prevent these advanced attacks. Newer solutions specifically designed to analyze the growing attack techniques have been developed. The use of sandbox technology and machine learning are being tasked to make it more difficult for attackers to be successful. In many instances, these solutions can be imbedded within your perimeter firewall solution. These types of defenses can vastly increase the effectiveness of your security landscape.

Even though your firewall is viewed as a technical security device, it is also the device that grants users access to the internet. The internet has quickly become a business-critical service. When strategizing about upcoming budget aspects, the institution should consider the business risks involved when an internet device causes downtime. There are ways to mitigate internet downtime using high availability solutions. High availability involves having two firewall devices configured in a cluster. If one device fails, the second device seamlessly takes over responsibility so that downtime is avoided.

Additional devices and licensing will also affect the budget. These changes can be small or very large depending on the scope and goals of your strategy. Going forward, have a plan and strategy to deal with the ever-changing security landscape.

Technology

The biggest move in technology over the last half decade has been the move to the cloud. This will continue to be the case in 2019. The cloud offers benefits such as low maintenance, high availability and rapid disaster recovery that can’t be easily or affordably addressed with in-house solutions. The future likely means more servers and business functions moving to the cloud. This likely is where technology spend will move over the next 5 years. Another term for this is Infrastructure as a Service (IaaS). There are three likely situations that will lead to this move and determine how your institution makes the transition.

Your institution desperately needs high availability and/or disaster recovery and is willing to incur the cost of moving from a hardware-based solution to a cloud-based solution.
Your institution’s hardware infrastructure is reaching the end of its life and it is time to purchase all new hardware or move in a new direction. This can be a good time to evaluate your current setup and what is best for the future.
Your institution has some regular hardware turnover scheduled for next year and wants to evaluate slowly moving to the cloud. Instead of buying a new server, it may be time to evaluate what the future of your infrastructure will look like and if the cloud is a long-term solution.

Everything You Need to Know About the Cloud Get a Copy

Some vendors pitch the move to IaaS as a cost savings move. There are cost savings involved. No more hardware to buy and maintain; no more electricity to run the devices; no more cooling to keep hardware cool; and the ability to achieve high availability is easier and more efficient. However, the move to IaaS is typically not a cost savings, but a feature advantage. Most institutions will be lucky if they break even with moving to an IaaS model, but they will gain great redundancy, uptime, reliability, and disaster recovery capabilities.

Generic cost estimates are impossible due to the fact that everyone has different infrastructure, needs, wants, etc. But if flexibility and added freedom is something your institution wants or needs, start investigating what IaaS might cost for your institution. This technology has matured greatly over the last few years and continues to evolve, making it viable now and likely the wave of the future.

In moving into 2019, focus on two things. Are my current processes and products adequate? Not have they passed exams this year, but are they mitigating the current risks to the institution? Too often measuring by exams leaves the institution open to a false sense of security and potential exam issues in the future. For compliance, ensure the institution’s processes are thorough, up to date, and adequate to meet the needs of the institution. For technology, consider what the long-term goals of the institution are and start working on a plan to implement these changes. Security is going to need new investments each year for the foreseeable future. The historical solutions for security problems have been successful which has forced criminals to find ways around them. It’s time to realize that the threats have changed, and it is time to address the new threat landscape.

26 Nov 2018

Identifying Top Priorities for 2019 - IT Outlook Survey

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

Identifying Top Priorities for 2019: Participate In Safe Systems’ Annual IT Outlook Survey for Banks and Credit Unions

Identifying Top Priorities for 2019 - IT Outlook Survey We want to hear from you for our annual industry report examining how community banks and credit unions plan to meet their IT, compliance and security needs in 2019.

To better understand banks’ and credit unions’ current IT situation, we have been surveying community banks and credit unions for the last 3 years. Our previous reports highlighted top IT priorities, IT challenges, security concerns and compliance issues, as well as what technologies and investments banks and credit unions plan to leverage in the coming year. We share the information gathered by publishing a white paper; last year’s was “2018 IT Outlook for Community Banks and Credit Unions.” The report is designed to provide community banks and credit unions with valuable peer data that can provide guidance for key IT, compliance and security decisions.

Looking back on 2018, some of the trends we saw included:

Cybersecurity and Information Security Continue to Challenge Banks and Credit Unions

Cybersecurity was the greatest security challenge banks and credit unions foresaw for the year ahead and information security was also a top challenge.

Compliance Continues to be a Challenge

Managing strict, ever-changing government regulations and guidelines is the greatest IT compliance challenge, which has led to the increasing trend of outsourcing compliance needs.

Outsourcing Remains Beneficial and Important for Smaller Institutions

Technology Investment Continues

Community financial institutions continue to recognize the need for investing in new technologies and services.

Both Community Banks and Credit Unions Have the Same Pain Points

The results indicated that both credit unions and community banks experience many of the same issues related to compliance, IT challenges and staffing constraints.

Other areas the survey focuses on include IT management issues, audit and exam preparation, additional technology challenges, vendor management, business continuity planning, reasons for change and implementation of new services and cloud usage.

We hope you will participate in the 2019 IT Outlook by taking our survey. By completing the survey, you will gain access to this comprehensive year-end report. Your anonymous responses will be aggregated to provide detailed graphs, charts and plenty of insight amongst your peers in the community financial industry.

Participate in the 2019 IT Outlook Report

31 Oct 2018

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

Preparing for the Future: The Value of Safe Systems’ NetConnect Customer User Conference

NetConnect 2018

Safe Systems hosted its 2018 NetConnect Customer User Conference October 2-4 in St. Simons Island, Georgia. The three-day conference was designed to bring customers, employees, and vendor partners together to exchange ideas and learn about key technology, compliance, and security best practices and solutions. Banks and credit unions from around the country attended to listen to inspiring keynote speakers and attend sessions designed to educate, motivate, and drive success. The event also included a tradeshow made up of a dozen vendor partners offering additional products and services to Safe Systems’ customers. One of the most critical meetings held during the event is the customer advisory meeting, where the Safe Systems management and product development teams gather feedback from a subset of customers on existing and future products and services.

A key goal of this year’s conference was to provide our banking and credit union customers with the necessary tools and guidance to develop comprehensive cybersecurity programs; meet stringent regulatory demands; and build successful institutions. The event began with an entire day of pre-conference training focused on information security threats, including cyber threats. As these threats continue to evolve, the need for effective IT management and efficient risk management increases. This professional development opportunity helped cultivate the skills needed to effectively create and maintain a comprehensive information security program; communicate effectively with the board; and improve vendor management processes.

NetConnect 2018

This year’s keynote speaker was Bill Treasurer, CEO of Giant Leap Consulting, and author of numerous books about courageous leadership. His speech, “Leading with Courage”, focused on practical strategies for building courageous workers that seek out leadership opportunities, how to step up to challenges, offer innovative ideas, passionately embrace change, and become more productive.

In addition, one of the guest speakers, Erich Kron, a security awareness advocate, led a session on “Hacking the Users: Developing the Human Sensor and Firewall,” which focused on how banks and credit unions can turn people into effective attack sensors and human firewalls. He discussed the real goal of security awareness training, the politics of phishing your users, and how to deal with repeat offenders.

NetConnect provided an atmosphere where customers could exchange ideas and learn more about the latest technologies and trends in the financial services industry. Safe Systems’ product managers led educational sessions, focused on the company’s solutions and services customers use every day, to provide expert training and share tips and tricks to help streamline processes. Safe Systems’ compliance and security teams also led informative sessions and interactive workshops on relevant compliance topics and trends, including how to manage or push back on examiners; steps to take after completing the cybersecurity assessment tool (CAT); and how to respond to and recover from a cyberattack.

NetConnect 2018

During the conference, Safe System’s employees and customers celebrated the company’s 25th anniversary. For more than two decades, Safe Systems has worked with more than 600 financial institutions and managed more than 20,000 network devices. Safe Systems has found great success in helping community financial institutions significantly decrease costs, increase IT performance, enhance cybersecurity processes and improve their compliance postures. With our expertise and experience in the industry, we have a solid understanding of what is coming down the pipeline, how to anticipate trends and have gained a unique perspective into what our customers need. Our talented employees work hard to build strong relationships with our clients and pride themselves on the quality customer service they provide.

Safe Systems strives for the NetConnect event to be an engaging and educational experience where bankers and credit union professionals can gain valuable knowledge on technology, compliance, and security. The company values the customer partnership and the opportunity to seek their direct feedback on current and future services which will ensure success for both parties. Safe Systems continues to provide products and services to help community banks and credit unions strengthen their institutions and build success. Our solutions, combined with our customer service and advisory, arm our customers with the resources they need to succeed in today’s financial environment and beyond.

25 Jul 2018

Banks, Compliance, Credit Unions Chuck Copland 0 comment

Trust, but Verify: What to Look for in Your Third-party Vendors’ SOC Report

What to Look for in Your Vendors SOC

More and more community financial institutions are turning to third-party vendors for expertise, services and IT support. These relationships help community banks and credit unions streamline processes and offer more services to their customers and members. However, working with third-party providers can also open the institution to security risks. To ensure outsourced activities are completed in a safe and compliant manner, community financial institutions must perform comprehensive due diligence prior to entering into an agreement with an outsourced provider.

The due diligence process includes reviewing and assessing the vendor’s financial health; assessing the vendor’s knowledge and familiarity with the financial services industry and banking regulations; and verifying that information security controls are in place as well as the vendor’s ability to recover from breaches or disasters.

One of the strongest tools to help financial institutions perform due diligence is the System and Organization Controls (SOC) 2 report, designed to report on controls that are relevant to the security, availability and processing integrity of the systems used by service organizations. This is essentially a knowledgeable, qualified, and unbiased third-party auditor performing a deep review of the vendor’s policies, procedures, and practices, and then issuing a formal opinion that the vendor’s controls are adequate. In other words, a financial institution isn’t just taking the vendor’s word at face value because it has someone else confirming the vendor’s assertions. The strength of the SOC report comes from the fact that the vendor does not have the ultimate authority on the content and opinions of the report.

Since an audit report is such a strong control, it is often one of the first things a bank will seek from any potential vendor. As part of the vendor management process, financial institutions must actively review the reports, understand them and document that they adequately address all concerns.

Understanding the SOC 2 Report

There are seven critical elements financial institutions should look for in every SOC 2 report.

Products and Services – Does the report address the products and services you’ve contracted for?
Criteria – Which of the 5 Trust Services Criteria (privacy, security, confidentiality, availability and data integrity) are included in the report?
End-user Considerations/Controls – Does the report contain specific actions that must be taken by the end-user?
Sub-service Providers – Does the report cover (inclusive) or exclude (carve-out) the subcontractors (subservice providers) of the vendor?
Type I or Type II – Does the report address the suitability and effectiveness of the controls (Type II), or only the suitability of controls (Type I)? A Type II report is more comprehensive and considered much stronger than a Type I.
Auditor Exceptions – Is the report “clean?” Does it contain any material exceptions?
Report Date – The date of the report should be within 12-18 months of the current date.

While there is nothing in regulatory guidance stating financial institutions must obtain a SOC 2 report from a vendor before entering into an agreement, it is a good step to take to ensure a solid vendor management program. With the increased use of vendors, paired with a recent uptick in cybersecurity incidents, financial institutions must conduct due diligence on all vendors to ensure they are addressing security gaps. Reviewing the provider’s SOC 2 report can provide that extra level of assurance and protection.
For more information, download our white paper, Managing Risk with Truly Secure Vendor Management Program.

18 Jul 2018

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Community Neighbor Bank Eliminates Stress of Vendor Management and Enhances Compliance Posture

It is more important than ever for financial institutions to manage vendors efficiently, but many struggle with the best way to successfully accomplish this. Most community financial institutions do not have a formal department dedicated to vendor management, and some still perform this process manually (on a spreadsheet for example), potentially leaving the institution vulnerable.

Camden, Alabama-based Community Neighbor Bank recognized the shortcomings of using a spreadsheet to track and manage its nearly 40 vendors. This method also made preparing reports for auditors cumbersome and time consuming. In response, Lisa Dailey, Assistant Vice President and IT Manager at Community Neighbor Bank, sought a solution to automate and streamline the vendor management process and help the bank to more efficiently manage contracts, renewals and other critical activities such as risk assessments.

“As our vendor list grew and cybersecurity risks increased, we realized that we needed a better way of calculating risk, identifying critical vendors, and tracking contracts and reports,” said Dailey. “We wanted to ensure our institution was efficiently managing all our outsourced relationships.”

After careful consideration, the bank determined that Safe Systems’ vendor management solution represented the most cost-efficient, proven method to control and manage its third-party risk.

Improved Risk Assessment and Due Diligence

Prior to implementing Safe Systems’ vendor management solution, compiling a complete list of all vendors and accurately performing the risk assessment on all vendors was a complicated task for bank staff.

“Performing the risk assessment on each vendor and understanding our inherit risk had been a challenging process,” said Dailey. “Safe Systems helped us understand how to manage the various risk levels of our vendors and the level of due diligence needed for each level.”

In addition to a more efficient risk assessment and due diligence process, the bank also benefits from the ability to proactively manage vendor renewals; a centralized location for all documents so staff and management and can easily access them; and detailed information for audit purposes and executive summaries for board review.

Enhanced Compliance Posture

The industry has seen regulators more closely scrutinizing the vendor management process within financial institutions, and it was often difficult for the bank to provide the level of vendor reporting that regulators required based solely off of a spreadsheet. Safe Systems’ vendor management solution has enabled the bank to more easily provide the proper documentation to examiners in a timely manner — enhancing the bank’s ability to meet regulatory requirements and increasing its compliance posture.

“We have received positive feedback from regulators since we made the switch from a manual to an automated process,” said Dailey. “Working with Safe Systems has improved our ability to meet the evolving regulatory requirements, and we’ve significantly reduced the amount of time spent monitoring and managing our vendors.”

“We are fully confident going into all exams because we can easily provide any reports requested, and we have a comprehensive view of all our vendors,” continued Dailey. “Safe Systems is truly a valued extension of our team.”

For more information, download our complimentary white paper, “Managing Risk with Truly Secure Vendor Management Program.”

09 Jul 2018

Kids on Banking Blog Featured Image Behind the Scenes

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

Behind the Scenes: Kids on Banking

Kids on Banking, The Ocean

Stream Now

There were many activities leading up to March 17, 2018, including pre-production meetings, casting calls and location scouts. The whole idea started a full year earlier, when the Safe Systems’ marketing team attentively listened to two very famous speakers, Morgan Spurlock (documentary filmmaker) and Seth Godin (author) encourage the audience to create content that was not about their own products or even their own company. As it so happened, Safe Systems was approaching the milestone achievement of 25 years in business, so this was the catalyst to build a business case and move forward with the experts’ advice.

The production crew came from as far as Akron, Ohio and assembled at the Greenville Center for Creative Arts in Greenville, SC at 6:30 am. The day was carefully orchestrated with mothers, fathers and kids arriving every hour. While in the waiting room the kids were drawing pictures about banking topics to get them in the right mindset. After going through hair and makeup they were finally brought in for their on-camera interviews. Of course, the whole project was a gamble as it was totally unscripted. We really did not know if the kids would say anything funny at all. As it turned out, we were laughing the entire day and are so excited about the finished product. The now infamous Kids on Banking video has been viewed and shared more than 26,994 times so far across various platforms.

Here’s a peek behind the scenes!

Behinds the Scenes, Kids on Banking

How would they spend $50?

You may recall we asked the kids on camera if they had $50 how they would spend it. At the end of each interview, each child was surprised with a Safe Systems wallet and $50 bill. So, we thought it would be fun to find out how the kids actually spent the money. (Did they really buy a water park and put it in their backyard?) Well, no, but there were several nice stories sent in to us that we want to share.

Most kids saved a portion of their earnings and then made some strategic purchases with the “disposable income.” Max and Zoe are siblings…and as they stated in the video, purchased Lego® sets. Cohen bought new Pokémon© cards and Sarah Spratlin (her ambition was to buy a private jet and fill it full of puppies) bought a book about the history of The Avengers for her 11 year old brother as a birthday gift.

Chloe loves unicorns! Her shopping trip resulted in the acquisition of 2 new stuffed unicorns, 1 unicorn pen, and a toy for her hamster.

Chloe, Kids on Banking

Hudson and Caleb are brothers. As you may recall they both wanted to purchase animals (maybe even all the animals in the world). Well…they did buy a new snake (and a car racing kit) but also divided up their earnings to save for the future and give to others in need.

Caleb and Hudson, Kids on Banking

We have enough footage from that day to create another video. Watch our website, social media pages, and your inbox for the upcoming release of Kids on Banking 2 coming to YouTube this fall. In the meantime, we highly recommend you watch (and share often) the first video so you won’t be lost in the upcoming sequel.

#kidsonbanking #safesystems25

Browse Our Services

16 May 2018

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Common Roadblocks Financial Institutions Face When Developing a Business Continuity Plan

A bank’s Business Continuity Plan (BCP) is the crucial blueprint for guiding it through the recovery from a business outage and is instrumental in ensuring that people, process, and technology elements are all properly coordinated and restored. These plans have evolved from early plans that were one-or two-page outlines for banks to follow in times of disaster to a large, step-by-step detailed instruction manual for everyone in the financial institution to follow should a disaster strike. For the past several years, examiners have been closely looking at these plans not only to verify that banks have a compliant plan in place, but to also ensure that they are able to successfully execute it.

While most institutions have some sort of BCP in place, many community banks and credit unions find it challenging to produce a current and comprehensive BCP that meets examiner expectations. Some of the challenges institutions face when producing a current and compliant BCP include:

Understanding Plan Deficiencies

Today, most financial institutions have some sort of BCP in place and are not drafting a plan from scratch. Yet many struggle with understanding the difference between where their plan is now and where they need to be to have a compliant and comprehensive plan. Understanding the plan’s deficiencies can be challenging if it hasn’t been routinely updated and if the financial institution does not truly understand the FFIEC guidance on BCP. The BCP should be a living, functional document that keeps pace with any changes in infrastructure, strategy, technology and human resources. Financial institutions that do not regularly update their plans or keep up with FFIEC regulations might not pass exams in the future.

Determining What to Include in the BCP

Each organization has a unique operating model based on its specific services, organization, processes, and technologies. The first step to creating a comprehensive BCP is to have a thorough understanding of all the functions and processes that make up those operations, which involves breaking the institution into departments and determining the team members responsible for each of these areas. Having representatives from each department contribute to the BCP ensures the technologies and responsibilities for each area are accurately represented. It is difficult for a single individual to have all of the knowledge required to put together the BCP.

Properly Testing the BCP

The BCP process is not complete until the plan is thoroughly tested. Testing verifies the effectiveness of the plan, helps train the team on what to do in a real-life scenario, and identifies areas where the plan needs to be strengthened. Testing exercises help identify errant assumptions and gaps in the plan to make sure what is on paper matches the most likely threat scenarios. While regulators require proof of testing annually, more frequent testing may be necessary if a previous test uncovered significant gaps in the plan or if there are significant internal changes to processes or infrastructure.

Revising the BCP Based on Test Results

Simulated testing scenarios are helpful in determining what adjustments and changes need to be made to the plan to enhance recoverability of the bank’s processes and functions. However, many financial institutions do not take the time to make necessary revisions. It is important to review and update the full plan on a regular basis, especially when new services and technologies are implemented and as regulatory guidance and best practices change.

Overcoming Challenges

To streamline this process, community banks should integrate business continuity into all business decisions, assign responsibility for periodic reviews of the plan, and perform regular testing. The importance of the BCP should be communicated to the entire organization and everyone should understand his or her unique role and responsibility. The board, senior management and other stakeholders should also be kept up-to-date on the status of the BCP, review test results, and approve plan updates.

In today’s regulatory environment, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply have some variant of a BCP plan in place. All financial institutions must have a solid understanding of the FFIEC guidance to ensure their plan is comprehensive and that it adequately addresses all areas. It must be updated, accurate and tested routinely. A comprehensive BCP limits the impact that a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what type of disaster may strike.

At Safe Systems, we have been working with community financial institutions to manage their business continuity planning process for more than 25 years. With our knowledge of banking applications, technology, and compliance we can help you ensure your plan will meet your objectives while also satisfying all regulatory requirements. Our hope is that it isn’t needed, but should a disaster strike, we want our customers to be prepared and recover quickly.

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

09 May 2018

Touchmark National Bank Streamlines Cybersecurity Processes and Improves Exam Ratings

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Banks Are Streamlining Cybersecurity Processes and Improving Exam Ratings

Banks Streamlines Cybersecurity Processes and Improves Exam Ratings

As cyber-attacks become increasingly more sophisticated, community banks struggle to ensure their institutions are adequately protected and in compliance with regulatory requirements and expectations. Regulators are heavily scrutinizing bank processes to verify that these institutions can effectively safeguard sensitive financial information. The Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT), which was released in June 2015 and is designed to ensure banks are prepared in the event of a cybersecurity attack, is not a requirement to complete but it is what regulators are using to examine institutions and determine their level of cybersecurity preparedness.

This has led many banks to complete the CAT and examine their cybersecurity preparedness. Although the assessment is beneficial, it can also be a time-consuming task to understand and successfully manage. As a result, bankers are seeking a more efficient way to complete the assessment, understand their level of risk and make improvements to their IT environments.

One senior vice president of a national bank, found himself in this exact situation. He was manually completing the CAT and pulling reports but quickly found this process to be quite challenging and cumbersome. He determined the bank needed a solution that could give them a better understanding of where they were in terms of cybersecurity preparedness and examiner expectations.

The CAT Application

The bank began looking for a more user friendly and repeatable solution that captured the process of filling out the CAT in an application and provided compliance guidance about how to improve its cybersecurity processes. As a long-time customer of Safe Systems, the bank ultimately decided to implement its cybersecurity service, Cybersecurity RADAR, that combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment.

“When I learned that Safe Systems offered a service that included an application along with compliance consulting to help us improve our cybersecurity posture, I knew it would be the right solution for our bank,” said the senior vice president. “Safe Systems’ team of experts guided us through the installation process and provided us with the knowledge and support to ensure a more streamlined assessment.”

Improved Exam Ratings

For this particular bank, Cybersecurity RADAR streamlined the process of filling out the CAT, generated detailed reports, and successfully prepared the bank for exams. With the ECAT application, the bank significantly reduced the amount of time spent completing the CAT from weeks to less than 2 hours.

“The reports generated in the Safe Systems ECAT application have been extremely beneficial to us,” said the senior vice president. “In one of our last exams, an examiner even commented on how user-friendly, complete and easy to understand the reports were. In the past, gathering all the reports and manually tracking the data took us weeks to complete, but now we are able to prepare for exams in a matter of hours.”

The Cybersecurity RADAR solution Safe Systems offers can be a great value to any bank wanting to improve operational efficiencies, strengthen cybersecurity and increase their confidence with compliance and security.

Understanding the FFIEC’s CAT

How Your Institution Can Improve Its Cybersecurity Posture

02 May 2018

Banks, Compliance, Credit Unions Jamie Davis 0 comment

What’s Next After Completing the FFIEC’s CAT? Take Action on the Results

What's next after completing the CAT

In response to the increased occurrence of cybersecurity breaches and attacks, the Federal Financial Institution Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness. Since its introduction, the CAT has become the baseline that many examiners are now using to evaluate cybersecurity, so completing it positions financial institutions to better address risks and meet examiner expectations with greater confidence.
While financial institutions recognize that completing the CAT is an important part of maintaining compliance, in truth this represents just the first step that financial institutions should take.

Phases of the CAT Enforcement

Phase one of the CAT roll out was largely focused on examiners verifying that financial institutions were aware of the CAT and encouraging them to complete it. While this varied by institution, state, and governing body, the first year offered the most leeway for financial institutions.

Most examiners are operating in phase two of the CAT enforcement process today. In this phase, many financial institutions’ primary question during their exam was, “have you completed the CAT?” With cyber risks becoming a more common and pervasive problem, this cannot be the long-term expectation for examiners in regards to financial institutions. So while most institutions can answer “yes” during phase two, the examination process will eventually have to evolve to require financial institutions to do more.

Phase three of the CAT requires regulators to ensure that financial institutions are actively taking steps to respond to the CAT findings. Financial institutions that are not remedying cybersecurity lapses or vulnerabilities discovered in the CAT will likely be cited and potentially receive poor compliance ratings. There is pressure on regulators to take this step as they can be called before Congress when the next banking cyberattack happens to explain why enforcement has not been working. So moving forward, financial institutions will need to not only complete the CAT, but clearly demonstrate the steps they have taken in response to their CAT findings.

Next Steps After Completing the CAT

The good news is that the majority of financial institutions have successfully completed the CAT, so the key is in making those results actionable and taking steps to remedy any issues that arise.

The challenge is that completing the CAT and then fixing all uncovered vulnerabilities and gaps is a daunting process. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in their cybersecurity processes and ensure that all gaps and vulnerabilities are properly addressed, leading to a better cybersecurity posture and enhanced compliance ratings. Safe Systems helps financial institutions manage their cybersecurity program in a more time-efficient manner and ensure they meet their compliance requirements.

Safe Systems developed its Cybersecurity RADAR solution which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. This is paired with a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

Understanding the FFIEC’s CAT

How Your Institution Can Improve Its Cybersecurity Posture

25 Apr 2018

Banks, Compliance, Credit Unions Jamie Davis 0 comment

6 Common Misunderstandings of the FFIEC Cybersecurity Assessment Tool

Since its introduction three years ago, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) has been the focus of much attention within the financial services industry. The CAT can help financial institutions identify their risks such as gaps in IT security and determine their cybersecurity preparedness to determine areas for improvement.

While many financial institutions have completed the CAT, there are still some widespread misunderstandings about the assessment. Six of the top misconceptions we have seen include:

Filling out the CAT improves an institution’s position against a cyber-threat

While completing the CAT helps identify areas of risk and levels of cybersecurity maturity, after completing the assessment, the institution’s risks must then be compared to its maturity level. Thus, financial institutions must identify areas where risks are not mitigated appropriately. If your institution filled out the assessment but has not done a gap analysis between your risks and your maturity, you are not done.

Additionally, if you have filled out the assessment and have not yet changed your security posture based on the results, you are not done.

Filling out the Cybersecurity Assessment Tool is all that is required

Many institutions have stopped working on the CAT after they’ve had their exam because examiners have only required them to complete the assessment. Simply filling out the CAT does not come close to addressing the FFIEC guidance or the full intent of the CAT. If your institution has stopped here, there is much more to do to enhance your cybersecurity procedures. If you do not review your institution’s security gaps and improve compliance processes, you will continue to lag behind.

The CAT doesn’t have to be completed anytime soon

At this point, many examiners are simply asking most financial institutions if they have filled out the CAT. If your institution has not yet done so, you should consider completing it soon to ensure you institution meets examiner expectations. When you are finished, it is important to establish a timeline and action plan outlining how you will incorporate your responses and assessment findings into your cybersecurity plan.

The CAT can be completed by just one person

Completing the CAT is not a one person job because it requires input from a variety of departments within the institution. The 59-page assessment spans several job roles making this a cumbersome task for one individual to complete and can result in inaccurate responses. It is recommended that key personnel in all departments fill out the assessment together to ensure an accurate view of the institution.

I completed the CAT and passed my exam so I don’t need to do anything in regards to the CAT for my next exam

Time after time, examiners write up institutions in areas that they have previously done well on in past examinations. The bad news is that once regulators write up a bank for one infraction, they typically examine other areas more closely leading to additional findings. Don’t just assume because your examiner was content with your assessment in the past that there aren’t other areas where you can improve. Fill out the assessment; review your inherent risk profile and cybersecurity maturity level; and look for ways you can enhance your compliance processes to increase your institution’s cybersecurity preparedness.

The CAT is not a requirement

When the CAT was initially released, it was promoted as a free and optional tool available to financial institutions to help assess their cybersecurity preparedness. While it is true you do not have to use the CAT, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. If your assessment is different than what the examiner expects, it could lead to more questions or more scrutiny. While a better way to assess cybersecurity might exist, going down your own beaten path with assessing your risks is a little like taking a small row boat out into uncharted water.

The CAT is now the baseline many auditors or examiners are using, so completing it enables financial institutions to address cybersecurity risks and meet examiner expectations with confidence. However, while it is important to complete the CAT, the key is in making those results actionable and remedying any issues that arise.

Safe Systems developed the Cybersecurity RADAR solution, which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. Safe Systems also provides a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

Understanding the FFIEC’s CAT

How Your Institution Can Improve Its Cybersecurity Posture

07 Feb 2018

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

5 Highlights from 2018 Community Bank and Credit Union Information Technology Outlook Survey

2018 IT Outlook

In our second annual IT outlook report, we surveyed community banks and credit unions to better understand their current IT situations, top IT priorities and challenges, security and compliance issues and to get an idea of key technologies and investments they plan to make in the year ahead. The data collected in our 2018 report analyzes survey feedback on 54 questions from approximately 110 respondents representing a range of community banks and credit unions across the country with asset sizes from $100 million to more than $1 billion.

One big difference to note is this year marks the first time that the survey includes responses from credit unions. The survey shows that both credit unions and community banks are experiencing many of the same issues related to compliance, IT challenges and staffing constraints.  

Five highlights from the 2018 Community Bank and Credit Union Information Technology Outlook reveal the following:

Cybersecurity and Information Security Continue to Challenge Financial Institutions

Cybersecurity remains the greatest security challenge banks and credit unions foresee for the year ahead according to 80% of survey respondents. Information Security continues to be a top challenge for community financial institutions, according to 81% of survey respondents, which has led to 74% of survey respondents claiming they have increased their IT-related security spending in the past 18 months.

Compliance Continues to be “Top of Mind” 

Managing strict, ever-changing government regulations and guidelines is the greatest IT compliance challenge today for 32% of survey respondents. This has led approximately 40% of respondents to outsource their compliance needs. In addition, preparing for an exam has become a time consuming task as agencies are requesting more and more documents and reports before the exam even begins. According to survey results, approximately 60% of respondents have been asked to prepare more than 40 items for each exam or audit.

IT Staffing Struggles Continue

For the second consecutive year, personnel resource restraints and in-house expertise are cited as significant pain points for many financial institutions. According to the survey, approximately 31% of respondents have only one employee in their IT department and 26% have just two IT employees, emphasizing that many community banks and credit union’s IT departments continue to be understaffed.

Outsourcing Continues to be Beneficial

With limited internal resources and expertise, community financial institutions continue to augment their IT departments with outsourced service providers who are able to help them navigate the IT changes and meet examiner expectations. According to survey results, 76% of respondents outsource the management of their IT network to a technology service provider. 86% of bank and credit union respondents outsource their security monitoring, given the increase in security breaches the industry has seen this past year.

Technology Investment Continues

Community financial institutions continue to recognize the need for investing in new technologies and services. Nearly 81% of survey respondents claim their technology spending has increased in the past 18 months.

Other areas the survey focused on include IT management issues, audit and exam preparation, additional technology challenges, vendor management, business continuity planning, reasons for change and implementation of new services and cloud usage. The complete report provides executives with peer-to-peer information to better understand the current IT environment within community banks and credit unions nationwide, while also helping improve decision making within their own institution in 2018 and beyond.

To gain more insights into the key challenges, goals and opportunities facing community financial institutions today, please download the full report here.

2018 Community Bank IT Outlook

Primary Research and Analysis of Your IT Priorities in 2018

24 Jan 2018

Banks, Compliance, Credit Unions Safe Systems 0 comment

Safe Systems Helps Southern Bank & Trust Recover from Hurricane Irma with Continuum Disaster Recovery Service

Safe Systems Helps Southern Bank & Trust Recover from Hurricane Irma

The potential damage that storms can cause underscores the importance of disaster recovery solutions, especially for local community banks and credit unions. When Hurricane Irma hit Georgia in September 2017, many were left without power for an extended period, including Southern Bank & Trust’s main branch in Clarkesville, Ga. This presented a significant challenge for the bank because its main server is run from that branch. The bank’s other full-service branch in Blairsville, Ga. (along with its loan production office in Dahlonega, Ga.) still had power but were unable to run while the server was down. The bank needed a way to access its server from Blairsville and Dahlonega to continue to serve its customers.

Managing Disaster Recovery

When the staff at Southern Bank & Trust learned the severity of the power outage in their town, they made the difficult decision to declare a disaster, and as a customer of Safe Systems, leveraged the company’s Continuum Disaster Recovery Service to respond to the situation. Continuum is a fully managed and secure data replication and failover solution designed to help community banks and credit unions adhere to regulations and ensure business critical data and applications are available in the event of an unplanned business interruption.

Using Continuum, Safe Systems established a site-to-site Virtual Private Network (VPN) between the branch in Blairsville and the Continuum site hosting the recovered servers to get operations back up and running quickly. Displaced employees could remotely access the network, and the bank was able to leverage Continuum for two full days until power was restored at all branches and the production servers were powered back on.

A Trusted Partner

Working with Safe Systems’ Continuum service, Southern Bank & Trust was able to avoid a complete shutdown of all of its branches. The bank’s staff knew the importance of serving their customers and providing them with access to their money, even during a disaster, and Continuum allowed them to achieve that.

“Safe Systems’ experience and guidance helped us keep things in perspective,” said Brenda Speed, Senior Vice President at Southern Bank & Trust. “When something like this happens, it affects every line of our business, and Safe Systems provided us with the resources we needed at every step of the way. They are familiar with our network, our products and our business values, truly making them an important part of our team.”

To learn more about how Safe Systems helped Southern Bank & Trust, download our case study.

Southern Bank & Trust Case Study

10 Jan 2018

Banks, Compliance, Credit Unions Chuck Copland 0 comment

Internal Audits are a Necessity — Better Done In-House or Outsourced?

Internal Audits are a Necessity

In the world of financial services, where institutions are governed by regulations and information security is of utmost importance, internal audits play a significant role in assuring an institution’s practices are aligned with business objectives, security protocols are in place and all regulations and government mandates are met.

The Institute of Internal Audits defines the process as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps improve risk management, security and controls by evaluating the procedures and processes of the organization.

The internal audit system at a community financial institution should be specifically designed to provide:

Independence and objectivity
Qualified personnel to conduct audits
Adequate monitoring of internal controls
The testing and review of information systems
Documentation of tests, findings and corrective actions, and
Verification that management and the board of directors reviewed the findings and addressed necessary changes.

The regular reviews are not just beneficial for institutions, they are also mandatory. Federal Financial Institution Examination Council (FFIEC) guidance dictates that financial institutions perform regular self-assessments or internal audits to “validate the adequacy and effectiveness of the control environment.” However, for many community financial institutions, the concept of performing the internal audit internally can be daunting due to the lack of personnel or in-house expertise, pushing many to identify the most effective third-party service provider to perform internal audit procedures.

In-House Internal Audits

Community financial institutions can choose to conduct internal audits themselves if they have an in-house auditor who is qualified, competent, independent from bank management and has a sense of objectivity. Ideally, a community financial institution has someone on staff with an accounting or business degree, professional industry experience, and the appropriate training to conduct a comprehensive, independent internal audit. One of the benefits of an in-house employee conducting the audit is the internal knowledge that person(s) has about the institution’s network and daily operations.

An in-house internal auditor must complete training conducted by industry organizations, such as the ICBA’s Community Banker University ®, to prove they understand the trends, issues, procedures and practices related to the financial services industry. Additionally, this demonstrates that the internal auditor function is taken seriously by the financial institution, which in turn, is important to government agencies and regulators.

Outsourcing

Smaller institutions that don’t have the budget or the staff to dedicate personnel to the internal auditor role must outsource this responsibility. While outsourcing this function can prove to be the most effective and efficient solution for any institution, selecting the right outsourced auditor can provide the additional benefit of helping maintain the overall health of an organization and better prepare a bank or credit union for its next regulatory examination.

Some of the advantages of outsourcing internal audits include:

Access to a team with a high level of expertise that is not cost-effective to maintain in house
Management has more time to work on strategic projects and focus on other revenue-generating activities
Issues associated with staffing and competitive compensation for in-house employees are eliminated, and
The issue of loss of objectivity is eliminated.

Whether done in-house or outsourced to a service provider, conducting internal audits is essential to ensure effective monitoring of security controls and to verify an institution’s ability to quickly correct significant IT and compliance vulnerabilities. At Safe Systems, our strategic advisors work with each client to perform quarterly self-assessments or internal audits to gauge IT performance and evaluate emerging risks to the institution. We also leverage this opportunity for the strategic advisor to educate bank personnel on new or changing government regulations to help the institution maintain compliance and be adequately prepared for IT audits and examinations.

Understanding the FFIEC’s CAT

How Your Institution Can Improve Its Cybersecurity Posture

14 Dec 2017

Banks, Compliance, Credit Unions Holly Hooks 0 comment

Importance of A Cybersecurity Risk Appetite Statement

As cybersecurity threats continue to increase in the financial services industry, banks and credit unions must work harder to meet regulatory expectations. Regulators are taking a deeper look at financial institution’s policies and procedures to ensure that these institutions can effectively safeguard confidential and non-public information. This includes ensuring financial institutions have a Board approved Cyber Risk Appetite Statement.

Regulators are not only looking to ensure financial institutions have a cyber risk appetite statement in place, but that it is being used to monitor and manage the institution’s cyber risk. In fact, risk appetite is mentioned more than 6 times in the FFIEC’s Cybersecurity Assessment Tool (CAT). The Overview for CEOs and Board of Directors released with the CAT by the FFIEC, states it is the Board or an appropriate Board committee’s responsibility to “engage management in establishing the institution’s vision, risk appetite, and overall strategic direction.”

What is Cyber Risk Appetite? Safe Systems’ Compliance Guru gives us a good working definition of risk appetite: “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” In other words, risk appetite is a decision by the Board and Senior Management that the residual risk level is acceptable. Residual risk is the risk remaining after controls have been applied. Before the Board can define a cyber risk appetite statement they must have clear understanding of the institution’s risk profile. This will allow them to clearly define their risk tolerance. This is then used to inform management’s decision making. For example before an institution begins offering a new service, management should validate that the amount of risk after controls have been applied (residual risk) are within the defined risk appetite. If not, management should determine if additional controls can be applied to bring the risk within acceptable limits or reevaluate the service.

Failure to have a cyber risk appetite statement not only puts a financial institution in risk of violating regulatory requirements but can also lead the institution to improperly manage its cyber risk. Defining your cyber risk appetite allows an institution’s Board of Directors to set the tone for risk management throughout the financial institution.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

Understanding the FFIEC’s CAT

How Your Institution Can Improve Its Cybersecurity Posture

06 Dec 2017

Banks, Compliance, Credit Unions Jamie Davis 0 comment

What Community Banks and Credit Unions Should Budget for in 2018

2017 Dec What Community Banks and Credit Unions Should Budget for in 2018

Many financial institutions are entering (or are already within) their 2018 budget season. While creating a budget is essential in helping you execute your strategy and plan for the future, any shortcomings, such as the ability to respond to changes in regulation or things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, security and compliance budget items that are often overlooked. Since we work with more than 600 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints and offer some points for consideration in your budgeting for 2018.

2017 started with several ransomware incidents and culminated mid-year with one of the largest breaches ever – directly impacting more than half of the adults in the United States– with the Equifax breach. Expect “Cybersecurity” and “Information Security” to be buzz words going forward for the next few years. No business wants to have a breach and no regulatory agency wants to sign off on a business’ processes only to have them be breached. Look for the regulatory agencies to start looking out for number one by putting pressure on you, the financial institution, to step up your cybersecurity efforts.

Per some studies, up to 90% of cybersecurity spending is directed towards securing the network, yet 72% of all breaches happen from the application level. This disconnect indicates that, while the money spent may prove effective on stopping perimeter exposure, it has likely left an unexpected weakness in overall protection.

Expect cybersecurity and added layers to be a focus over the next few years. The layers are often moving from the perimeter to the device level. Considering most breaches go unnoticed for 100-200 days, expect an emphasis on forensics and monitoring in the coming year(s) as well.

As you are setting budgets for 2018, here are some key line items for consideration:

Malware/Ransomware Layers: $1,500 – $5,000

Remember that 2016 and early 2017 were very heavy in malware, especially ransomware. While this seemed to cool off toward the end of 2017, experts expect this to be a major issue for the foreseeable future. The price will depend on the layers you select and how many you choose to add. You should really consider taking a more aggressive step in your fight against malware this year. If 2016 and 2017 taught us anything, it is that malware, and specifically ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past.

Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers, but is now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their cybersecurity posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

Cybersecurity preparedness does not start or end with the Cybersecurity Assessment Tool (CAT), but it does play a role. Examiners will be looking at this for at least acknowledgement that you understand cybersecurity is a real issue and you are working on addressing it. We still speak with institutions who have done little to nothing with the CAT. With the current risk environment constantly escalating, regulators are unlikely to continue to let this slide.

Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program

Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.

Honey Pots: $2,500+

A security professional at a major security conference earlier this year referenced baiting and monitoring for criminal activity as one of the most effective measures to know if you have been compromised. Often referred to as “honey pots,” this refers to decoys set up to look interesting to anyone “snooping” around. With a solid solution in place, your institution could know of an intruder within minutes instead of the estimated 100-200 days noted above. If Target or Equifax had used similar solutions, they would likely have not been compromised or damaged to the extent that they were.

Robust Vendor Management Solution: $2,500 – $5,000

With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost effective way to address this. This also ties into the cybersecurity preparedness. As data has moved outside the institution, it’s more important than ever to make sure your vendors are keeping your data safe.

New and Replacement Technology: $500 – $10,000

Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

Expired in 2017 and should be replaced or upgraded

Windows Vista
Symantec Endpoint 10.x
Microsoft Office and Exchange 2007
Backup Exec 2015
Adobe Acrobat XI

Expires in 2018 and should be replaced or upgraded

ESXi/vCenter 5.5 expires 9/19/2018

Training: $500 – $1,500

Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. This is an area where many institutions could make a lot of improvement for the fewest dollars. Employees, via intent or mistake, are often the starting points for the breaches many institutions face. A single employee has been blamed for much of what happened in the Equifax breach. Make sure your employees and customers have access to the appropriate training commiserate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.

Vendor and User Conferences: $1,000 – $1,800

It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.

29 Nov 2017

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Combatting Cybercrime: Change Your Cybersecurity Mindset to Enhance Your Institution’s Strategy

Targeting Employees - How to Prevent Phishing

Cyber-attacks are becoming more sophisticated as cyber criminals find alternative ways to target financial institutions and their data. Most recently, there has been an increase in phishing scams that specifically target bank employees, attempting to obtain sensitive information such as usernames and passwords. The ultimate goal is to trick bank employees into clicking on links or opening attachments that redirect them to fake websites where they are encouraged to share login credentials and other personal information.

With access to your employees email accounts, cyber criminals have the ability to read your bank’s critical information, send emails on your employees’ behalf, hack into the employee’s bank and social media accounts, and gain access to internal documents and customer financial information. This can result in both financial and reputational risks for the institution and its employees.

To help protect your institution’s data, here are two key ways to prevent phishing scams and increase security for your community bank or credit union:

Employee Training is the Number One Priority

Without proper training, it is very easy for employees to fall victim to a variety of email phishing scams. Financial institutions must have a policy of on-going testing and training to ensure employees understand security procedures and are equipped to identify phishing emails and other security threats. It is also important to establish a security culture within your organization to ensure that all employees recognize that they have a personal responsibility to safeguard against breaches.

Community banks and credit unions can also leverage an outside security company to conduct security training and checks to verify how employees interact with suspicious emails. This allows network administrators to look at different levels of risk based on whether an employee ignored the email, opened the email, or clicked the link and provided information. After conducting this test, the administrator can then use that opportunity to educate employees on what happened during the test, explain how the system was compromised, and provide applicable advice on how to recognize these types of attacks in the future.

Stop Email Phishing Attacks with Multifactor Authentication

A proven way to protect your bank’s network is to implement multifactor authentication, which requires more than one method of authentication to verify a user’s identity for a login or other transaction. This security option is designed to make it more difficult for cybercriminals to access bank accounts and other sensitive information.

While there are different ways to implement multifactor authentication, the three basic elements that can be used in this process include:

Something the user knows, like a password or PIN;
Something the user possesses, like a smart card, token or mobile phone; and
Something the user is (i.e., biometrics), such as a fingerprint or retina scan.

Many of our customers rely on Safe Systems SafeSysMail O365 hosted email solution, which provides them the option to turn on dual-factor authentication to increase the layers of security. When an employee tries to login to their email account, they would first type in their username and password. Then, as a second factor, they would use a mobile authentication app, which will generate a code or PIN to enter on the screen and would then be given access to the account. Implementing multifactor authentication is a powerful step toward preventing hackers from gaining access to accounts even if a password or security answer is stolen.

To combat today’s cyber threats, financial institutions must stay up to date on the latest phishing strategies and verify that the security policies and solutions in place can reduce potential threats. It is also vitally important that employees understand the types of attacks they may face, the risks, and how to address them. Implementing a combination of employee training and multifactor authentication strengthens your institution’s security strategy and can make the difference when (not if) cybercriminals attempt to hack into your employee accounts.

08 Nov 2017

Banks, Compliance, Credit Unions, Security, Technology Christine Ray 0 comment

Your 2018 Plan: Identifying Top IT Priorities for Community Banks & Credit Unions

To help small financial institutions get a better understanding of what their peers are spending and planning for technology, compliance and security, we survey community banks and credit unions across the country annually. Last year, our 2017 Community Bank Information Technology Outlook Survey provided valuable data including top IT priorities, IT challenges, security concerns and compliance issues.

Looking Back at 2017

Looking back at last year’s survey, bankers and credit union executives were acutely focused on:

Cybersecurity was one of the greatest security challenges for 2017 according to 94% of respondents.
Nearly 77% of respondents claimed they were spending more on technology than they had in the past.
Banks found it challenging to keep pace with the rapid rate of technological change that is influencing and impacting the banking industry.
71% of respondents reported outsourcing their network management and 63% outsourced their IT support.
Compliance issues were top-of-mind as many community banks indicated that regulators were more aggressive as examiner expectations and demands continued to increase. This resulted in approximately 59% of participants spending more on their IT and compliance needs headed into 2017.

What Has Changed

What are community banks and credit unions evaluating most headed into 2018? In this year’s survey, we will focus on compliance and security concerns, IT management issues, vendor management, audit and exam preparation and implementation of new services, among others. Each year, the data we gather provides valuable peer data from financial institutions across the country t0 use as guidance for their own key IT, compliance and security decisions in 2018 and beyond.

We hope you will participate in the 2018 survey by visiting http://info.safesystems.com/2018-community-bank-credit-union-it-outlook-survey. By completing the survey you will receive access to this comprehensive year-end report. Your anonymous responses will be aggregated to provide detailed graphs, charts and plenty of insight amongst your peers in the community financial industry.

01 Nov 2017

Are Regulations Killing Community Banks and Credit Unions?

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Are Regulations Killing the Community Bank and Credit Union?

Are Regulations Killing Community Banks and Credit Unions?

Community banking has been an essential part of the financial backbone of the United States for over a century. Community bankers have funded the ideas and dreams that helped launch countless businesses across the country – businesses that sometimes grew to employ thousands of local residents and generate millions for local economies.

For many banks and credit unions today, the commitment to serve the local community is still very real. The mega banks are often looking for a “mega” deal and not the small business loan that a local company needs to get started. As a result, community banks and credit unions are vitally important to small and medium sized businesses that are often ignored by larger institutions.

Herein lies the problem, because over the last decade, the number of community banks has decreased by 27% while credit unions have decreased by 40%. Some of this, of course, is attributable to the Great Recession, but of the nearly 2,000 banks that have disappeared, only about 500 were shut down during the down turn, meaning the majority of the decline is not entirely based on this specific event. So, if the economic calamity of the last decade is not entirely to blame, what is?

While there are several factors that have led to the decrease in smaller institutions, one has had perhaps the most significant impact: the increase in regulatory requirements. Regardless of location and size, small community banks are subject to largely the same regulations as larger institutions. Regulatory agencies are continuously changing and increasing guidance around a variety of issues, including cybersecurity, vendor management, and disaster recovery, among others. The increase in regulatory requirements does two things:

It Creates a Challenging Environment to Run a Community Financial Institution

For many community banks and credit unions, meeting new regulatory requirements takes a considerable amount of time, effort and knowledge to execute successfully. Small community institutions that manage this function internally often struggle to keep up with the ever-changing regulatory landscape and provide the proper documentation to examiners. Without the right compliance expertise, it can be very difficult to ensure the institution’s processes and procedures are in line with federal regulations.

It Increases Operational Costs

Each new regulatory guidance, update, change, and interpretation requires additional expertise and more employee resources. It’s a never ending cycle. The last decade has brought about an increase in compliance changes including: the Patriot Act, the Bank Secrecy Act (BSA), new information security regulations and more requirements for lending and liquidity. All of these changes have increased compliance spending and forced institutions to redirect valuable employee time away from customer service and more revenue generating activities.

In the past, the core vendor has been the one to fill in the gaps between what banks can manage internally and areas where they required outsourced help. Historically, the core vendors helped community banks and credit unions with tasks to support everything from teller functions, to lending, to direct mail, as well as provide services such as remote deposit capture and mobile banking. Today however, many core vendors are very large and not agile enough to stay on top of the consistent changes in regulatory guidance.

This pressure in the market is forcing institutions to either hire additional in-house talent to keep up with all the new regulatory expectations or look beyond their core providers for outsourcing regulatory and compliance needs. Many that have tried to fill the gap with additional in-house expertise find that recruiting and training qualified staff to manage regulatory requirements demands considerable time and energy from a bank’s management team, which redirects valuable resources needed to support customers and banking operations.

So what’s the answer? The future of community banking depends on community financial institutions surviving in this new regulatory environment. The reality in today’s market is that the task of meeting all requirements laid out by regulatory agencies is becoming too much of a challenge for banks and credit unions – and even their trusted core providers — to manage alone. Working with a trusted IT and compliance partner that specializes in regulatory compliance can provide your institution with the regulatory expertise and knowledge to successfully meet compliance goals and provide the best banking experience to your community.

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

04 Oct 2017

Banks, Compliance, Credit Unions Darren Bridges 0 comment

What Is RegTech and Why Is It Important for My Organization?

What is RegTech and Why is it Important for My Organization

The financial services industry is continually evolving, especially when it comes to regulatory and compliance changes. The number of regulatory changes a bank has to manage on a daily basis has increased from 10 in 2004, to 185 in 2017. To stay abreast of these changes more than a third of financial firms continue to spend at least a full work day each week tracking and analyzing regulatory changes, according to recent research by Thomson Reuters. Regulatory compliance efforts have become a resource consuming, expensive inefficiency within financial institutions, which has led to the development of a new technology product category: regulatory technology, or RegTech.

What is RegTech?

A relatively new term, RegTech, refers to a set of companies and solutions that address regulatory challenges through innovative technology. RegTech is a subset of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than traditional compliance processes.

RegTech helps financial services organizations automate compliance tasks and reduce operational risks associated with meeting regulatory requirements and reporting obligations. In addition, the technology empowers organizations to make informed choices based on the actual data provided through the system. This data highlights the actual compliance risks the organization faces and how it mitigates and manages those risks.

Why is RegTech Important?

The relationship between compliance and technology is nothing new; however, it is becoming more important as the sheer number of regulatory changes rises along with an increased focus on data and reporting. U.S. financial institutions now spend more than $70 billion annually on compliance, and the market for regulatory and compliance software is expected to reach $118 billion by 2020.

Key Benefits of RegTech to Financial Institutions:

Reduced cost of compliance efforts by simplifying and standardizing compliance processes and reducing the need for manual intervention
Increased flexibility and growth opportunities due to the efficiency gains RegTech solutions provide;
Data analytics enables regulatory information to be analyzed, helping organizations proactively identify risks and issues and remedy them in an efficient manner;
RegTech enables risk and control frameworks that can be seamlessly linked.

Attributes of RegTech Solutions

Due to the complexity and momentum of regulatory changes, RegTech solutions must be customizable and easy to integrate into a variety of environments. No two institutions are alike but properly designed RegTech solutions should help to guide institutions to a better overall compliance posture.

RegTech solutions are usually cloud-based, providing the ability to maintain, manage and back-up data remotely, while ensuring all data is secure in a cost-efficient manner. The level of agility that cloud-based solutions offer ensures a high level of security and control over an institution’s compliance data. Overall, the technology is designed to reduce implementation time, enabling financial institutions to spend more time focusing on revenue-generating activities.

What do regulators think of RegTech?

Regulators around the world have been encouraging the adoption of RegTech. Many RegTech solutions enable financial institutions to not only streamline their reporting, but also have better oversight of their data. This makes it easier for regulators in the event they need to review time-sensitive information.

The need to ensure compliance and regulatory requirements are met has spawned new activity in the financial services arena. The use of technology to help streamline and automate the time-consuming processes of monitoring compliance and regulatory changes, risk monitoring and regulatory reporting will continue to gain momentum as regulations evolve and regulators expectations grow. RegTech solutions are quickly becoming standard operating tools for all financial organizations.

Safe Systems has combined compliance and technology to create RegTech solutions for financial institutions for over 25 years.

23 Aug 2017

Banks, Compliance, Credit Unions Chuck Copland 0 comment

Disaster Recovery Planning: How to Prepare Your Bank for Fall Storm Season

Disaster Recovery Planning - How to Prepare Your Bank for Fall Storm Season

The potential damage that storms can inflict underscores the importance of Business Continuity Planning and disaster preparation, especially for local community banks and credit unions. A single disaster event, be it a hurricane, tornado, earthquake, severe thunderstorm, etc., has the potential to devastate communities by disrupting thousands of businesses and organizations and impacting millions of lives. While disasters do not take any seasons off, historically some of the worst storms actually hit during the fall months. A lack of proper planning and preparation could be particularly devastating for a financial institution impacted by a fall storm, as their customers will expect prompt access to their money in the aftermath of such an event. Moreover, regulators have expectations of their own, and financial institutions could face poor examination scores, fines, or increases in FDIC insurance costs. But who has the time to undertake such a big project? BCP/DR planning is especially challenging for smaller community financial institutions who often lack the staff and resources of larger institutions.

It is imperative that financial institutions have a solid Business Continuity Plan (BCP) and Disaster Recovery (DR) procedures in place and are able to implement them, as required by Federal Financial Institutions Examination Council (FFIEC) guidelines. These plans are instrumental to make sure that people, process, and technology elements are all properly coordinated to efficiently recover from disasters or business interruptions. In a disaster situation there is a stark difference in the reaction from financial organizations who have a disaster plan in place and those that do not. A solid and actionable BCP can literally be the difference between a temporary outage, and an institution closing its doors forever.

Preparing for Fall Storms

Aside from having a BCP and associated DR plan in place and the skills necessary to execute those plans, there are several additional steps your financial institution can take to adequately prepare for storms, natural disasters, and any other business outages, including:

Evaluating all backups and ensuring any redundant equipment critical to recovery is up-to-date and working;
Utilizing Uninterruptable Power Supplies (UPS) for short-term outages in power or preemptively shutting down servers and all IT equipment in anticipation of an extended outage;
Ensuring that the server room is locked with separate key access and that all equipment and sensitive documentation is otherwise secure if facilities must be vacated for an extended period;
Validating the procedures outlined in BCP/DR plans through functional testing; and
Ensuring that employees, vendors, and customers are aware of the proper communication protocols and contacts through educational efforts.

Common Issues and Solutions

Banks and credit unions that try to manage their own technology solutions, including backups, email, and server management, often get mired in day-to-day operational concerns. This leaves precious little time for the institution to make plans for potential disasters. The result is often a plan that does not truly consider all the processes and functions that go into running the business. This can leave significant gaps in recovery capabilities that might remain hidden to internal stakeholders without proper testing.

These issues can be avoided by working with an IT service provider who understands the unique needs each financial institution has when preparing for and recovering from a natural disaster. To ensure your institution is prepared for storm season and doesn’t run into the common issues mentioned above, partner with an IT service provider that offers the following:

Recovery plan testing on an annual basis;
Remote and secure back-ups;
Compliant data recovery practices; 
Readily available staff and engineers; and 
Proactive communication.

Fall storms and natural disasters cannot be prevented, but proactively knowing where to go, who to contact, and what critical functions to restore first can provide confidence when responding to a disaster. Developing, implementing, and regularly testing disaster recovery procedures as part of your business continuity plan is crucial in today’s banking environment. At Safe Systems we have been working with banks and credit unions for more than 20 years. Our proven experience enables us to provide the services and assistance necessary to help our customers weather the storm with minimal business interruption.

Understanding the FFIEC’s CAT

Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture

15 Aug 2017

Banks, Compliance, Credit Unions Jamie Davis 0 comment

Bank Compliance: How to Efficiently Respond to IT Exam Findings

Bank Compliance How to Efficiently Respond to IT Exam Findings

Community banks and credit unions have grown accustomed to the strenuous review processes of regulatory agencies on their practices and procedures. These reviews are designed to help ensure the stability of the organization and the adherence to laws and regulations and are thorough in scope. As a result, preparing for an exam can be an extremely time consuming and stressful process to complete and, for many institutions, providing accurate responses to the review findings in a timely manner can be quite a challenge.

Upon the completion of the on-site visit, the reviewing agent will provide the financial institution with his or her findings in a review report or a notice. This report requires a response from the bank or credit union outlining the institution’s plan for correcting or improving specific findings from the review. Some proven tips for writing a response include:

Make your responses clear and concise
Respond directly to the finding and recognize any recommendations the reviewer suggests
Outline specific actions that the financial institution commits to take to correct the finding
Assign who is directly responsible for the implementation and oversight
Exclude information that is not pertinent to the finding or its corrective action plan
Provide a specific — and realistic — timetable for implementation.

Typically, a regulatory agency will not revisit the findings again until the next review. It is up to the financial institution to address each point and provide the proper documentation to show these items have been corrected before the next meeting. For example, if the bank’s antivirus was listed as out of date on the findings report, the institution would have to update each machine, run a report, and include this information in the findings package to be reviewed by the regulatory agency during the next visit. To complete the process efficiently, banks must keep up with who is in charge of each specific action item, when the item is due for completion, and which reports should be included in the findings package.

Organize Your Efforts to Complete Review Findings

Safe Systems’ Audit Trail application helps financial institutions efficiently respond to the reviewing agent’s feedback and ensure each finding is completed in a timely manner. The application allows the user to input review findings into the system, customize reporting fields, assign each finding to specific team members and include due dates to ensure all updates are completed. This allows banks to automate the review finding process as opposed to a manual process such as a spreadsheet, providing a more effective, centralized way to address this complex project.

The Audit Trail application also allows the user to attach relevant documents and reports to each finding, making it easier to verify that each item has been corrected. In addition to this, all documents are housed in one centralized location to avoid reliance on one person for documents and reports usually stored on an individual computer. The document library helps to reduce the risk of data loss due to computer failure and ensures that all important information is readily available to complete the findings package.

Responding to review findings can be challenging, time consuming and stressful! However, working with Safe Systems can provide your financial institution with the right tools to keep this process organized and meet regulatory expectations. Streamlining this process helps community banks and credit unions improve on IT and compliance procedures in a timely manner and effectively demonstrate how the institution has addressed the reviewing agent’s feedback.

08 Aug 2017

Banks, Compliance, Credit Unions Jamie Davis 0 comment

How to Beat IT Exam Stress and Boost Efficiency for Your Bank

External audits and exams have become a fact of life for financial institutions of all sizes. Community banks and credit unions undergo strenuous reviews of their procedures and practices anywhere between six and 18 times a year. While these reviews are designed to help ensure the stability of the organization and the adherence to laws and regulations, preparing for these events can be an extremely time consuming and stressful process to complete.

Most reviews consist of two phases – preparation and findings. At the beginning of the process the reviewing agent typically sends financial institutions a list of items that they want to review, certain areas they plan to examine and items they plan to discuss with the organization. This list normally includes a number of reports and documentation the financial organization must prepare ahead of the review and provide to the reviewing agents before the on-site visit. Some only require a handful of reports to prepare up-front, but others can request more than 60 different reports. Some of the reports and information that may be requested include:

Organizational Charts
Financial Reports
Business Continuity Plans
Disaster Recover Plans and Test Results
Vendor Management Policies
Security Policies

Often there is one person in charge of the review and they must work with each department to gather information by the designated due date. All files must then be stored in a central location, follow the template the reviewing agents have requested and be in a format that can be transmitted securely to the requesting party. Gathering all this information and ensuring all documents are complete and accurate can be a challenging task for smaller community banks and credit unions with limited in-house resources and staff.

Streamline the Pre-Exam Preparation Process

The Safe Systems’ Audit Trail™ application is designed to help financial institutions efficiently manage the preparation process. The application allows the user to import a variety of file types and formats, utilize the field matching wizard, and easily standardize items across the system despite the varied nature of the templates provided by the different agencies. To eliminate the mundane task of collecting the same documentation over and over, the application allows you to pull system reports directly from a variety of other Safe Systems’ services housed in theSafe, and store them in a central library so they are easily accessible the next time you need them.

All preparation reports are housed in the Audit Trail solution, meaning there is no duplication of documents; reports do not need to be saved in various folders; and the financial institution has peace of mind in knowing the most accurate and up-to-date information is sent to the reviewing agent. In addition, once all the preparation documents have been completed, a preparation item package is created in the form of a zip file, which makes it easier to input all the documents designated for the review into the reviewing agent’s delivery system. A report or manifest of documents attached to each audit is created, giving the financial institution a record of each review.

Preparing for an audit or exam can certainly be a headache! However, working with Safe Systems can provide your financial institution with peace of mind by ensuring you are well prepared and can feel confident for any upcoming review. Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to a seamless and time efficient preparation process.

02 Aug 2017

Banks, Compliance, Credit Unions, Security, Technology Safe Systems 0 comment

How to Stay Vigilant with Technology and Compliance Issues During the Summer Vacation Months

For many community banks and credit unions, keeping up with the ever-changing regulatory requirements and expectations can be a challenge, especially during the summer months when employees are taking time off to enjoy the warm weather and travel for summer vacations. The Federal Deposit Insurance Corporation (FDIC) actually encourages mandatory vacation time for bank employees of all levels. However, this can be a challenging time for many community institutions that have a small staff and rely on key individuals to make sure all activities related to technology, compliance and regulatory requirements are completed. So, what happens when the person(s) responsible for these crucial aspects of the institution goes on vacation?

Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal technology and compliance resources. The right third-party solution provider can serve as a true partner and work alongside current staff to manage the technology, compliance and regulatory aspects of the institution. When the technology or compliance staff is out or unavailable, outsourcing select business processes helps fill the personnel gap and provide added stability for the institution and peace of mind to all. 

A service provider can help automate and manage many of the administrative functions that normally fall to the technology or compliance department, making it less daunting for employees to take time away from the office. These service providers can automate technology functions that are required to stay vigilant with compliance and security procedures, such as patch management and reporting, vulnerability remediation, proactive network monitoring and issue resolution, vendor management, business continuity planning, cybersecurity, and compliance-focused documentation and reporting.

The right service provider should offer your financial institution full support for the demands of today’s technology, compliance and regulatory requirements. At Safe Systems we understand the complexity of community bank and credit union operations and the associated regulatory expectations. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We want to provide you with assurance that your institution is functioning securely and is in compliance with industry regulations at all times; but, especially when your institution’s key technology or compliance personnel are out of the office.

Understanding the FFIEC’s CAT

Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture

26 Jul 2017

Banks, Compliance, Credit Unions Holly Hooks 0 comment

Top 4 Missing Declarative Statements in the FFIEC’s Cybersecurity Assessment Tool

Top 4 Missing Declarative Statements in the FFIECs Cybersecurity Assessment Tool

With the heightened risk of cybersecurity attacks for financial institutions, many community banks and credit unions are completing the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) to assess their cybersecurity preparedness, determine their next steps to strengthen their maturity and better meet examiner expectations. The assessment consists of two parts, Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile assesses the risk posed by Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Then, Management evaluates the Cybersecurity Maturity level for five domains.

According the FFIEC’s Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors, “Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness.” Declarative statements within each domain are assessed on maturity levels ranging from baseline to innovative. Financial institutions determine “which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.”

Since the introduction of the CAT in 2015, we have been assisting community banks and credit unions with completing this process. Based on our experience, which consists of more than 100 reviews of the CAT to date, we have identified four declarative statements that community financial institutions are struggling to complete:

Domain 4 – External Dependency Management – Connections

Data flow diagrams are in place and document information flow to external parties.”

According the FFIEC’s Information Security Handbook, “these diagrams should identify hardware, software, and network components, internal and external connections, and types of information passed between systems.” Regulators are looking for financial institutions to demonstrate solid understanding of where data is going and what type of data is being transmitted to third-parties.

Domain 1 – Cyber Risk Management and Oversight – Training and Culture

“Customer awareness materials are readily available” (e.g., DHS’ Cybersecurity Awareness Month materials)

Customer awareness materials, according to the FFIEC Information Security Handbook, are used to “increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.” These materials should “consider both retail and commercial account holders.” It is important for community banks and credit unions to communicate effective risk management strategies to their customers. The declarative statement references the US Department of Homeland Security’s website. The Stop.Think.Connect Toolkit has resources Financial Institutions can utilize to provide awareness material to customers.

Domain 3 – Cybersecurity Controls – Preventative Controls

“Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise.”

DNSSEC is a technology developed to digitally ‘sign’ data to ensure it is valid and from a trusted source. By enabling this, an institution would be less susceptible to DNS spoofing attacks. However based on the experience of Safe Systems engineers, DNSSEC may cause issues throughout an organization’s systems. There are other technical tools financial institutions can implement that will enable them to meet the spirit of the statement without deploying troublesome tactics.

Domain 1 – Cyber Risk Management and Oversight – Oversight

“The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.”

Regulators are looking to ensure financial institutions have a cyber risk appetite statement in place that has been approved by the Board. In fact, risk appetite is mentioned more than 17 times in the CAT. Cyber risk appetite is an assessment of how much cybersecurity risk management is willing to accept to meet the goals and objectives of the institution’s strategic plan. To read more on how to develop a cyber risk appetite, visit the Compliance Guru Blog.

Financial institutions should review their current CAT responses, specifically the declarative statements in the Baseline maturity level that have been answered “No” or that they are struggling to complete to determine if there is a way to implement a compensating control. Adding in compensating controls may allow them to answer the question in the affirmative and ensure the institution is in compliance with regulatory requirements.

For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

Understanding the FFIEC’s CAT

Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture

20 Jul 2017

Banks, Compliance, Credit Unions Christine Ray 0 comment

Lumbee Guaranty Bank Streamlines Cybersecurity Processes with Safe Systems’ Cybersecurity RADAR Application

The number of cyber-attacks directed at financial institutions of all sizes is continuing to grow and cybersecurity experts expect the trend toward increasingly sophisticated cyber-attacks to continue. Community banks and credit unions are prime targets for cyber criminals due to the sensitive data they house. As consumers and businesses continue to use electronic devices such as computers, tablets, and smartphones to perform financial transactions online, vulnerabilities continue to increase. A cyber breach can be devastating due to the costly ramifications, not to mention compromised customer confidence and reputational damage.

As a result of this heightened risk of cybersecurity attacks, regulators are heavily scrutinizing bank processes to verify that these institutions can effectively safeguard sensitive financial information. While not yet a requirement, the FFIEC’s Cybersecurity Assessment Tool (CAT) serves as the key guidance used to determine whether an institution is adequately prepared for a cybersecurity incident and in full compliance with federal regulations. In response, many banks and credit unions are now completing the assessment to assess their cybersecurity posture, determine their next steps to strengthen cybersecurity processes and better meet examiner expectations.

While completion of the assessment has proven itself beneficial, many financial institutions find the 100+ page assessment to be too cumbersome of a task to successfully manage and fully understand. As a result, they decide they need to find a more efficient way to complete the assessment, understand their level of risk and make improvements to their IT environment.

This was the case for Pembroke, N.C.-based Lumbee Guaranty Bank. To ensure his institution maintained compliance, Austin Maynor, Information Security Officer at Lumbee Guaranty Bank, manually filled out the CAT with the help of a spreadsheet, but quickly found this process to be an extremely time-consuming project to complete. He determined the bank needed a solution that could give them a better understanding of where they were in terms of cybersecurity preparedness and where they needed to be in order to maintain compliance.

Streamlined CAT Completion Solution

As a long-time customer of Safe Systems, the bank decided to implement the Cybersecurity RADAR™ solution, a cybersecurity product that combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application. The solution allows staff to quickly generate reports, document notes and save examination results to review each year.

For Lumbee Guaranty Bank, Cybersecurity RADAR streamlined the process of filling out the CAT and helped the bank improve its cybersecurity processes. With the automated application, Lumbee Guaranty Bank significantly reduced the amount of time spent completing the CAT from days to less than 4 hours. In addition, Safe Systems’ evaluation of the bank’s responses helped clearly illustrate to the bank where they were in regards to compliance and baseline expectations.

“The Cybersecurity RADAR solution has been a great addition to our bank, helping us gain meaningful operational efficiencies while continuing to grow and strengthen our cybersecurity program. We are grateful to have a true partner like Safe Systems helping us navigate the latest compliance guidelines and effectively streamline our most important processes.”

For more information, download our cybersecurity case study, “Lumbee Guaranty Bank Streamlines Cybersecurity Processes.”

Lumbee Guaranty Bank Streamlines Cybersecurity Processes

Learn how they increased cybersecurity preparedness and streamlined the CAT

12 Jul 2017

Banks, Compliance Jamie Davis 0 comment

How to Better Understand Your Bank’s Results from the CAT

The Federal Financial Institutions Examination Council (FFIEC) published the Cybersecurity Assessment Tool (CAT) in June 2015 to help financial institutions better identify and evaluate their cybersecurity risk awareness and readiness. The tool consists of a comprehensive set of questions to evaluate the cybersecurity risk of a financial Institution and is designed to encourage consistent analysis, evaluation, and examination of cybersecurity risks for financial institutions.

The CAT essentially consists of two parts, 1) Inherent Risk Profile and 2) Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before security measures have been implemented. It is a stage approach in which, once the Inherent Risk Profile has been determined, financial institutions then focus their attention on the Cybersecurity Maturity section.

Successful completion of the CAT for Inherent Risk and Cybersecurity Maturity provides financial institutions with practical insight in two specific areas:

Risk Grade

Completion of the Inherent Risk Profile gives financial institutions a risk grade in each potentially vulnerable security area, such as payments, teller processes and online banking operations. This gives the financial institution insight into how examiners are likely to see their relative risk exposure.

Gap Analysis

Completing the Cybersecurity Maturity section helps financial institutions form a gap analysis to better identify missing controls and process. To increase the level of cybersecurity maturity, financial institutions should continually implement changes and monitor their progress, and the gap analysis is the first step in this process.

The CAT also enables financial institutions to review their Inherent Risk Profile in relation to their Cybersecurity Maturity results, which will indicate if they are aligned. As one might expect, as inherent risk rises, an institution’s maturity level should also increase. However, an institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change, making it necessary for institutions to complete the CAT periodically or when making adjustments to their organizations.

It is important to note that while there are online tools available to complete the CAT, the key is in making those results actionable, which may require third-party expertise. That is why Safe Systems developed the Cybersecurity RADAR solution which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. Safe Systems also provides a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

The CAT is now the baseline many auditors are using, so completing it (and more importantly, understanding the results) enables financial institutions to address cybersecurity risks and meet examiner expectations with confidence. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in its CAT assessment reviews and reporting, leading to a better understanding of regulatory expectations to help enhance their cybersecurity posture. Safe Systems can help financial institutions manage their cybersecurity program in a more time-efficient manner to ensure they meet their compliance needs.

For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

Understanding the FFIEC’s CAT

Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture

28 Jun 2017

Banks, Compliance, Credit Unions Darren Bridges 0 comment

The CAT Isn’t Mandatory, So Why Should We Complete It?

The CAT Isn’t Mandatory, So Why Should We Complete It

Due to the increasing volume and sophistication of cyber threats financial institutions are facing, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness with a repeatable and measurable process. The CAT helps financial institutions weigh specific risks such as gaps in IT security, versus controls or solutions aimed to prevent, detect and respond to these threats and determine areas for improvement. Each institution is then responsible for identifying its own risk appetite and establishing its desired level of maturity. Using the CAT, financial institutions can understand where their security practices fall short and how to effectively address those gaps.

When the CAT was initially released in 2015, it was promoted as a free and optional tool available to financial institutions to help assess their cybersecurity preparedness. However, regulatory agencies including the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) have announced plans to incorporate the assessment into their examination procedures. Today, many examiners are using the tool to assess an institution’s cybersecurity readiness and have already begun to issue citations to financial institutions that have lapses or are not meeting expectations.

Even though the CAT is voluntary, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. Completing the CAT is a good way to prepare for audits since the guidelines provide community banks and credit unions with detailed information on the federal government’s expectations for cybersecurity preparedness. The CAT enables financial institutions to identify vulnerabilities, fill in security gaps, and demonstrate a stronger security posture before the examination begins.

In addition to meeting examiner expectations, completing the CAT benefits financial institutions by helping them:

Determine whether controls are properly addressing their identified risks
Identify cyber risk factors and assessing cybersecurity preparedness
Make more informed risk management decisions
Demonstrate the institution’s commitment to cybersecurity and
Prepare the organization for an upcoming audit.

When using the CAT correctly, it can provide a cost-effective methodology to help improve security, instill client trust, and avoid losses from a breach. For it to provide the greatest positive impact it should be completed periodically on an enterprise-wide basis, as well as when significant operational and technical changes occur. Completing the CAT helps community banks and credit unions understand the key risks they face and what controls they need in place to protect the institution’s data, leading to increased knowledge of regulatory expectations and a stronger, more compliant cybersecurity program.

For more information, please download our complimentary white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

Understanding the FFIEC’s CAT

Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture

17 May 2017

Compliance, Credit Unions Darren Bridges 0 comment

Evaluating and Selecting Third-Party Vendor Relationships – What your Credit Union Needs to Know

Choosing a Credit Union Vendor

The majority of credit unions rely on third-party service providers for specialized IT services and technology that improve the overall quality and efficiency of the organization and for mission-critical software and hardware to actually run their business. As such, third-party providers have become an essential component of day-to-day operations, but it is important that credit unions understand the operational and reputational risks they assume if they do not select and manage these relationships and providers appropriately.

Some of the potential risks of using a third-party service provider include:

Compliance risks including violations of laws, rules or regulations or non-compliance with policies and procedures;
Reputational risks including dissatisfied members or regulation violations that lead to public enforcement actions;
Operational risks including losses from failed processes or systems, or losses of data that result in privacy issues;
Transaction risks including problems with service or delivery; and
Credit risks if a third-party is unable to meet its contractual obligations.

To help eliminate some of the risk that comes when working with third-party providers, there are several steps a credit union should take and processes that should be put into place before entering into an agreement with an outsourced provider. Before entering into a third-party relationship, credit unions should:

Determine whether the relationship complements their credit union’s overall mission and philosophy;
Document how the relationship will relate to the credit union’s strategic plan;
Design action plans to achieve short-term and long-term objectives;
Perform proper due diligence on all vendors;
Assign authority and responsibility for new third-party arrangements; and
Weigh the risks and benefits of outsourcing business functions with the risks and benefits of maintaining those functions in-house, if possible.

Once a vendor is selected, credit unions should:

Adopt risk management processes to coincide with the level of risk and complexity of its third-party relationship;
Implement an effective risk management process throughout the life cycle of the relationship including: plans that outline the credit union’s strategy, identification of the inherent risks of the activity, and detailing of how the credit union selects, assesses, and oversees the third-party;
Have written contracts that outline the rights and responsibilities of all parties;
Implement a process for ongoing monitoring of the third-party’s activities and performance;
Have a contingency plan for terminating the relationship in an effective manner; and
Have clear documentation and reporting to meet NCUA regulations and requirements.

Following all of these steps and ensuring third-party relationships are managed correctly can be a time-consuming, often cumbersome responsibility for credit union staff. In response, credit unions are looking for ways to more efficiently perform due diligence and manage their outsourced vendors, protect themselves from risk, and maintain NCUA compliance and requirements. Credit unions often determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. When implemented correctly, automated vendor management solutions can save a tremendous amount of time and money, reduce risks and eliminate potential compliance issues.

For more information please download our white paper, Why Automation is the Answer to Credit Unions’ Vendor Management Challenge

Why Automation is the Answer for Credit Unions’ Vendor Management Challenge

How confident are you in the management of your vendors?

10 May 2017

Compliance, Credit Unions Chuck Copland 0 comment

Six Ways to Strengthen your Credit Union’s Vendor Management Program

Credit unions rely on third-party providers to offer specialized services and technology assistance to keep their operations running smoothly and help improve the overall quality and efficiency of their organizations. Vendor management has always been an important issue for credit unions, but with increased scrutiny from the NCUA, they now run greater risk of getting fined for not adequately managing their third-party vendors. In response, many credit unions are looking for ways to more effectively manage their roster of outsourced vendors while protecting themselves from the associated compliance risk.

Here are six steps to more efficiently monitor and manage third-party providers, ultimately strengthening a vendor management program:

Perform Thorough Due Diligence

The due diligence process ensures that a credit union has a consistent and reasonable approach to vetting its vendor relationships — especially if the vendor is providing a core business function or has access to personal confidential information. It’s not enough to perform due diligence during the initial vetting stage. Conducting diligence throughout the relationship, especially with mission-critical vendors, is essential to avoid being blindsided. Properly vetting and managing vendors will reduce risk for the credit union, while also ensuring all FFIEC and NCUA regulations and requirements are met.

Develop Consistent Risk Assessment

To properly assess risk exposure for vendors/services, establish consistent criteria to appropriately weigh the risk each poses to the credit union. This will help you grade or designate a level of criticality and risk for each service and each vendor. For example, will a vendor have access to private member data? Will it operate with our core system? The criticality will have a significant impact on the review process, as a more critical service or vendor will ultimately require more due diligence to be performed.

Incorporate Vendor Management into the Business Continuity Plan

If a credit union does not thoroughly analyze its vendors as part of the business continuity planning (BCP) process, it opens itself up to the risk of extended downtime. It is crucial for credit unions to know exactly how they are going to recover if their vendor goes down. Business Continuity/Disaster Recovery capabilities should be reviewed to determine if they align with the credit union’s Recovery Time Objectives. Regulators expect and mandate that credit unions have alternative procedures and processes in place in the event of disruption of service from a mission-critical provider.

Board of Director Involvement

The responsibility for properly overseeing outsourced relationships and the risks associated with that activity ultimately lies with the credit union’s Board of Directors and its senior management. It is typically the Information Security Officer (ISO), or sometimes the CIO or CTO, who is responsible for communicating with the Board and helping manage the process. In order to effectively communicate the need for comprehensive vendor management to the board, the ISO must first thoroughly understand exactly what examiners are looking for. NCUA’s Supervisory Letter 07-01 is designed to help credit unions better understand and manage the risks associated with outsourcing. This should not be a one-way line of communication. Board members are expected to understand the process and risks clearly enough to provide a credible challenge to the ISO when appropriate.

Monitor and Control the Vendor Relationship

Proper Vendor Management is cyclical. Staying abreast of important key dates, contract changes and upcoming vendor reviews and contract renewals is a key step in a vendor management program. Not doing so can end up costing you significantly, not to mention the added burden of inefficiencies if the process is not handled well.

Implement an Automated Vendor Management Solution

Many credit unions are looking for ways to more effectively manage their outsourced vendors, protect themselves from the risk, and maintain FFIEC compliance. Oftentimes, credit unions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. Moreover, an automated solution helps hold vendor managers accountable to a process that often gets “put on the backburner.” A complete vendor management system also ensures your Board of Directors and management are notified of all of the critical activities and actions required to effectively monitor a third-party relationship, ensuring all risk assessments, controls reviews and documentation are up-to-date.

Leveraging the skills and experience of third-party service providers can help credit unions better meet their members’ needs while accomplishing their strategic goals. Those that implement a solid vendor management program — and actively manage those relationships — will have the greatest level of success.

04 May 2017

Banks, Compliance Tom Hinkel 0 comment

Why Enterprise Risk Management is a Key Part of Establishing a Strong Compliance Culture

Assessing and managing enterprise risk is crucial for the success of today’s financial institutions, and whenever new ventures are considered, this involves weighing the benefits of the new ventures, such as new programs, vendors, and initiatives, against the strategic, reputational, operational and regulatory risks that might be involved in taking on that venture.

As an example, many community banks and credit unions may have already implemented (or are looking to implement) mobile banking and mobile capture to remain competitive with larger financial institutions. Before moving forward with the initiative however, the bank must go through several stages to ensure it truly understands the enterprise risks involved. At the conceptual stage, the bank wrestles with the question of whether or not to move forward with the initiative. If the bank chooses not to do it, it may lose business to a competitor who offers this service. If it elects to move forward with the initiative, what then are the assumed risks and what are the next steps in mitigating these?

Four Enterprise Risks

Before implementing a new initiative at the bank, financial institutions should evaluate four main categories of enterprise risk:

Reputation risk – The risk that negative publicity regarding an institution’s business practices can adversely affect the financial institution’s ability to establish new relationships or services, as well as affect its ability to continue servicing its existing relationships.
Strategic risk – The importance that this process holds in the context of the overall enterprise. In other words, how important is the execution of the process to achieving the goals and objectives of the institution’s overall strategic plan.
Regulatory/Legal risk – The risk arising from potential violations of, or nonconformance with, laws, rules, regulations, prescribed practices, or internal policies and procedures.
Operational risk- Simply put, operational risk is the risk that the processes supporting the initiative fail. Practically speaking, this includes the extra overhead, or additional burden, that alternative procedures, practices and personnel required for manual or alternate methods (the work-arounds) of performing the processes add to the normal day-to-day operations. Operational risk should also consider the potential relocation of personnel from their primary job duties which could, in turn, result in reputational risk.

Of note is that adequate management of enterprise risk continues for as long as the initiative is in place at the institution.

What Can Banks Do To Improve Enterprise Risk Management?

Financial institutions can ensure that enterprise risks are addressed by building a culture that routinely evaluates and discusses enterprise risk and has incorporated it into day-to-day operations. Banks can do this by ensuring their employees understand the key risks to evaluate and how each one should be addressed.

This starts with the board and senior management understanding and supporting information security and providing appropriate resources for developing, implementing, and maintaining the information security program. The result is a program in which management and employees are all committed to integrating risk management best practices into the institution’s lines of business, support functions, and third-party management programs. In addition, management and employees should be held accountable for complying with the institution’s information security program.

The FFIEC Information Technology Examination Handbook explains that introducing new business initiatives, including new service offerings or applications, is the true test of the maturity of and degree to which information security and enterprise risk management are part of the institution’s culture. An institution with a strong security culture generally integrates information security into new initiatives from the onset and throughout the lifecycle of its services and applications.

Ensuring that strong security and compliance practices are deeply embedded in the institution’s culture contributes to the overall effectiveness of the information security program. When high compliance standards are established within a financial institution, all employees recognize that they have a personal responsibility to truly understand the risks their institution faces as well as ways to safeguard against them.

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

29 Mar 2017

Banks, Compliance Tom Hinkel 0 comment

Roadmap to Recovery: Cyber Resilience is More Than Just a Business Continuity Plan

Cyber Resilience

With the increasing frequency of cyber-attacks in the financial industry, community banks need an effective strategy to measure and control these risks, and a program of cyber resilience may just fit the bill. The concept of cyber resilience provides a different way of thinking about an institution’s information security processes. Rather than simply focusing only on preventive controls, cyber resilience also focuses on corrective controls, such as having solutions in place to continue business operations should an attack occur. Cyber resiliency ultimately refers to the preparations that an organization makes in regard to preventing threats and vulnerabilities (the defenses that have been developed and deployed), the responsive controls available for mitigating a security failure once it occurs, and its post-attack recovery capabilities (or corrective controls).

More than a BCP

While the Business Continuity Plan (BCP) has become a de facto framework for guiding an institution through the process of recovery from any unplanned event, including a cyber-attack (the word “cyber” is mentioned 49 times in the FFIEC BCP Handbook), cyber resiliency is far more than just developing and executing your bank’s BCP. Business recovery plans are often ill prepared to address non-traditional disasters. For example, continuity plans often rely on the geographic separation of production and backup facilities in the event of a natural disaster. Cyber attacks, however, are not geographically specific and can (and will) affect facilities and operations located anywhere in the world. Attacks can target both the financial institution directly as well as its backup facility, located elsewhere; or a financial institution along with its third-party service providers (TSP) simultaneously. All of these situations require special consideration and preparations that go well beyond traditional BCP planning.

Common Cyber Risks

The cyber risk and threat landscape is broad and continually changing. Some of the most common cyber risks financial institutions should be prepared for include:

Malware
Insider Threats
Data or Systems Destruction and Corruption
Communication Infrastructure Disruption, and
Simultaneous Attack on Financial Institution and Third-Party Service Provider

Recommended Controls

Being truly cyber resilient is essential for community banks and their vendors. According to Appendix J of the FFIEC’s BCP Handbook, financial institutions should implement the following controls to successfully achieve cyber resiliency:

Data backup architectures and technology that minimize the potential for data
destruction and corruption
Data integrity controls
Independent, redundant alternative communications providers
Layered anti-malware strategy
Enhanced disaster recovery planning to include the possibility of simultaneous attacks
Increased awareness of potential insider threats
Enhanced incident response plans reflecting the current threat landscape, and
Prearranged third-party forensic and incident management services

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

The Keys to Cyber Resilience

Prevention and recovery are the keys to being truly cyber resilient! Cyber threats will continue to challenge financial institutions, but having the proper preventive and corrective controls in place can greatly minimize the impact. Cyber resilience requires banks to bring together all the areas of information security, business continuity, vendor management and incident response in a coordinated effort.

01 Mar 2017

Banks, Compliance Tom Hinkel 0 comment

What is Cyber Resilience Anyway?

Cyber Resilience

As the role technology plays in today’s financial services environment has grown, this has also introduced a range of new risks and vulnerabilities that must be recognized and acknowledged, placing cybersecurity high on the agenda for financial services executives and IT staff. The new 2016 FFIEC Information Security Handbook states:

“…because of the frequency and severity of cyber attacks, the institution should place an increasing focus on cybersecurity controls, a key component of information security.”

With financial institutions becoming more reliant on third-party service providers to help support important bank functions such as: loan servicing, collections, item processing, payments, and IT network management, to name just a few, regulators have expressed increased concern that these third-parties could present a weak link that cyber attackers can exploit. And the more third-parties the institution uses, the greater the risk. All institutions, but especially Community banks, ultimately bear this responsibility, and must be aware of – and successfully manage — their service providers’ cyber risks.

Cybersecurity vs. Cyber Resilience

Regulations define cybersecurity as:

“…the process of protecting consumer and bank information by preventing, detecting, and responding to attacks.”

Cyber resilience then, is:

“The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.”

While cybersecurity (or protecting from an attack) is vitally important, it is not the only thing that matters. In order to minimize the risks and vulnerabilities in the evolving digital landscape, cyber resilience (or bouncing back from an attack) must be taken into consideration as well. Cyber resilience is an evolving perspective that essentially brings the areas of information security, business continuity and organizational resilience together. Ultimately it refers to the preparations that an organization makes in regard to threats and vulnerabilities, the defenses that have been developed and deployed, the resources available for mitigating a security failure once it occurs, and their post-attack recovery capabilities.

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

One of the primary differences between the two is that although both cybersecurity and cyber resilience require effective third-party management, resilience requires an even greater focus on outsourced technology providers. This is particularly challenging because you must be prepared to recover from an event you couldn’t foresee, could not prevent, and cannot control. The initial stages of a cyber incident require a rapid assessment of the impact of the incident as soon as possible after detection. When the incident occurs at a third-party, you are relying on the vendor to notify you, which means your reaction time (and recovery capability) is entirely dependent on when (or if) you are notified. A recent report by the FDIC Office of the Inspector General found that most institutions have not fully considered and assessed the potential impact that third-parties may have on the bank’s ability to manage its own business continuity planning and incident response.

Compliance Expectations

Regulators expect financial institutions to be not just cyber-secure, but cyber resilient, and that requires close cooperation with all their critical third-parties. Assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions regardless of where they may occur, requires financial institutions to have proven plans in place to meet regulatory expectations. The FFIEC has issued specific guidance on how it expects organizations to manage this process. The FFIEC IT Examination Handbook’s “Outsourcing Technology Services Booklet“, as well as the Information Security and the Business Continuity Booklets address expectations for managing due diligence, incident response, business continuity and the ongoing monitoring of outsourced third-party relationships.

Community banks should remain vigilant in the monitoring of emerging cyber threats or scenarios and consider their potential impact to operational resilience. The good news is that financial institutions can and should simulate and test their response to a cyber event just as they do for natural disasters. They should also make a point to include any significant third-parties in their testing. The financial industry is investing significant amounts of time and resources to defend against cyber-attacks and strengthen resiliency, and there are many resources available today that can help streamline and automate the entire process of cybersecurity and resilience planning, testing and execution.

22 Feb 2017

Jumping through hoops for vendor management

Banks, Compliance Christine Ray 0 comment

Northside Bank Enhances Compliance Posture with Safe Systems’ Vendor Management Solution

Vendor management has always been an important issue for bankers but with increased regulatory demands, examiners are now citing financial institutions for not adequately managing their third-party vendors. In response, many financial institutions are looking for ways to more effectively manage their roster of outsourced vendors while protecting themselves from the associated compliance risk.

Georgia-based Northside Bank is just such an example, as it wanted to streamline its vendor management program to more efficiently monitor and manage its third-party providers. The bank began researching vendor management solutions to find a partner that could adequately meet its compliance needs, and after careful evaluation, selected Safe Systems’ industry-specific, automated vendor management solution. As a result, the bank is now able to cost-effectively execute its vendor management initiatives despite its lean IT staff.

“We needed help simplifying our vendor management processes to better meet regulatory requirements,” said Kim Grimes, VP, Director of Information Systems at Northside Bank. “With only one internal IT resource at the bank, Safe Systems helped us more efficiently manage our third-party vendors and successfully achieve our IT, security and compliance goals.”

Improved Compliance and Streamlined Processes

The products and services Safe Systems provides have enhanced the bank’s ability to meet regulatory needs and provide the necessary technology to both its staff and customers. The bank reports that Safe Systems’ application and support services have also produced meaningful time savings, allowing bank staff to focus more time and energy on additional revenue-generating activities.

“Working with Safe Systems has really simplified our vendor management process,” said Grimes. “Not only are the manual, time-consuming responsibilities now fully automated, but our exam process has been much smoother and regulators have been impressed with our program. In fact, our auditors and examiners have even commented that the Safe Systems solution is such a comprehensive product.”

A Trusted Partner

While the bank originally selected Safe Systems for NetComply, through the years it has added additional Safe Systems solutions including, Continuum and C-Vault disaster recovery services, SafeSys Mail hosted email along with the Vendor Management Solution.

“We consider Safe Systems to be a true partner to our bank and we greatly value their knowledge and support,” said Grimes. “Working with the Safe Systems team enables our bank to thrive in today’s challenging environment. They truly understand our business and what examiners require from us, and have the staff and products to support, meet and exceed those expectations.”

08 Feb 2017

Banks, Compliance, Security, Technology Christine Ray 0 comment

3 Top Challenges Community Banks Will Face in 2017

To get a better understanding of financial institutions’ current IT situation, we surveyed approximately 100 bankers to identify their top IT priorities, IT challenges, security concerns and compliance issues, as well as what technologies and investments they plan to leverage in the coming year. We recently published the findings in our white paper, “2017 Community Bank Information Technology Outlook,” to provide community banks with valuable peer data that can provide guidance for key IT, compliance and security decisions in 2017 and beyond. Here are some highlighted trends from the results:

2018 Community Bank Information Technology Outlook

Primary Research and Analysis of Your IT Priorities
in 2018

Increasing Technology

Mountain Top In today’s banking environment, community banks recognize and embrace the use of technology and remain committed to investing in new technologies and services moving forward. In fact, nearly 77% of respondents claim they are spending more on technology today than they have in the past. However, the challenge often lies in trying to keep pace with the rapid rate of change that is influencing their business. Community banks are continuing to explore ways to enhance and augment their IT departments, as many institutions struggle to maintain adequate personnel needed to manage the complex activities required of the IT department. To counter this, 71% of respondents have turned to outsourcing their network management and 63% have outsourced their IT support.

Cybersecurity is the Greatest Security Challenge for 2017

According to the survey, 94% of respondents foresee cybersecurity as their greatest security challenge in the coming year. No doubt this is in response to a seemingly constant stream of news about security breaches and the possible enforcement of the Cybersecurity Assessment Tool (CAT). Community banks must have procedures in place to secure customer and confidential data and recover critical business processes regardless of the source or nature of the threat. Having a thorough understanding of the CAT and how to properly complete it will help banks to improve their cybersecurity processes and better meet examiner expectations.

Compliance Concerns

Compliance issues are top-of-mind as many community banks are challenged to keep up with constantly changing regulatory requirements. This is reflected in the approximately 40% of respondents that have chosen to outsource their compliance needs. This number is on the rise and is likely to continue to increase as respondents indicate that regulators have been more aggressive as of late and examiners’ expectations and demands continue to increase. Approximately 59% of participants say they now spend more on their IT compliance needs as a result.

Other areas including vendor management, business continuity planning, information security, cloud, and email continue to provide financial institutions with room for improvement. To achieve this, community banks are increasingly turning to their peer groups when seeking recommendations to help guide their decisions regarding new technology and services. The majority, approximately 90% of the survey respondents, consistently leverage their peer network when researching a new solution or vendor.

To gain more insights into the key challenges, goals and opportunities facing community banks today, please download the full report here.

25 Jan 2017

Banks, Compliance Tom Hinkel 0 comment

Is Your Business Continuity Plan Really Recoverable?

Is Your BCP Recoverable?

For many community banks, developing a business continuity plan can be a time-consuming process that requires careful evaluation of the institution’s critical processes, functions, and the interdependencies that support them. Even after you determine the strategic direction of your recovery plan, establish Recovery Time Objectives, define recovery priority, detail key recovery procedures, and Board approve the document, your BCP process is not complete until you thoroughly test your plan. Testing verifies the effectiveness of your plan, helps train your team on what to do in a real-life scenario, and identifies areas where the plan needs to be strengthened. Examiners are reviewing business continuity plans more closely to verify that banks not only have a well-crafted, compliant plan in place, but are also able to successfully execute it. Without proper testing, how will you know if your team can successfully follow these strategies for recovery?

Test Your Business Continuity Plan

Every test should start with a realistic scenario designed to simulate your institution’s top threats. From there, the FFIEC suggests 4 different test methods of increasing intensity from a Tabletop Exercise/Structured Walk-Through Test through a Full-Interruption/Full-Scale Test. While initial testing of a plan can be relatively small-scale and straightforward, the institution should strive to extend the scope/severity of the exercise with each subsequent test. Running the very same test every year will not satisfy examiners.

2018 Community Bank Information Technology Outlook

Primary Research and Analysis of Your IT Priorities in 2018

Business Continuity is much bigger than simply the IT department. The FFIEC guidance states that:

“The business continuity planning process involves the recovery, resumption, and maintenance of the entire business, not just the technology component. While the restoration of IT systems and electronic data is important, recovery of these systems and data will not always be enough to restore business operations.”

It is important to make sure that all functional areas of the institution are involved in testing. This means that in addition to the Senior Management and Information Security roles defined in your plan, the team should also consist of key department heads with detailed operating knowledge of the processes and functions impacted by your scenario. These individuals must be aware of how to quickly recover and adequately support customer needs, regardless of whether normal operating procedures are available. Therefore, tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. Although technology is important, the disaster response must not hinge on waiting for technology glitches to be resolved. Your departmental specialists know how to do their job under normal circumstances, but including them in testing allows them to gain familiarity with their alternate procedures in a specific emergency scenario.

One of the primary objectives of testing is to validate that the recovery time objectives for each process are achievable. Testing exercises help identify errant assumptions and gaps in the plan to make sure what you have on paper matches your most likely threat scenarios. According to the 2017 Community Bank Information Technology Outlook Study, a survey conducted by Safe Systems in Q4 2016, 78% of respondents reported formally testing their BCP plan every 12 months. While regulators require proof of testing annually, more frequent testing may be indicated if a previous test uncovered significant gaps in your plan or if there are significate internal changes to your processes or infrastructure.

Finally, don’t forget to include significant third-parties in your testing. The guidance states:

“Third parties provide important services to many financial institutions and as such should be included within the financial institution’s enterprise-wide business continuity testing program.”

Stay Current: Review and Update the Plan

While simulated testing scenarios are helpful in adjusting your plan to enhance recoverability of your bank’s processes and functions, it is also important to review and update the full plan on a regular basis. The BCP must be regularly updated as new services and technologies are implemented internally and as regulatory guidance and best practices change. According to the Safe Systems study, 75% of survey respondents indicated they are already in the habit of reviewing and updating their Business Continuity Plan every 12 months, but only 12% are taking the extra step to update their Business Continuity Plan whenever a new vendor, application or process is added.

To streamline this process, community banks should integrate business continuity into all business decisions, assign responsibility for periodic reviews of the plan, and perform regular testing and third-party reviews. The importance of the BCP should be communicated to the entire organization. The board, senior management and other stakeholders should also be kept up-to-date on the status of the BCP, review test results, and approve plan updates.

Meet Examiner Expectations and Ensure Recoverability

In the current regulatory climate, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply test restoring the same key systems annually; instead, you must test that the entire BCP plan is actionable and realistic. A comprehensive Business Continuity Plan limits the impact a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what disaster may strike.

Your BCP should provide specific instructions for employees to follow, and testing makes sure those instructions can actually be followed. At Safe Systems, we have been working with community banks to manage their business continuity planning process for more than 20 years. With our knowledge of banking applications, technology, and compliance we can help you ensure your plan will meet your objectives while also satisfying all regulatory requirements.

23 Jan 2017

Banks, Compliance Chuck Copland 0 comment

Vendor Management – The Importance of Management and the Board of Directors

Vendor Management Board

Financial institutions rely heavily on third-party service providers to offer specialized expertise and services to ensure the institution is successful – something reflected by the results of Safe Systems’ recent 2017 Community Bank Information Technology Outlook Study. In fact, when you add up the number of third-party providers associated with a single institution, the total can be staggering. Results of the study indicate that 32% of respondents currently manage 1-25 vendors; 31% manage 26-50; and 28% manage between 51-100 vendors.

The responsibility for properly overseeing outsourced relationships and the risks associated with that activity ultimately lies with the institution’s board of directors and senior management. It is the Information Security Officer (ISO), or sometimes the CIO or CTO, who is responsible for communicating with the board and helping it manage the process. Unfortunately, sometimes senior management and/or the board may not fully understand the need for comprehensive vendor management, or the pitfalls of neglecting due diligence of service providers.

In order to effectively communicate with the board, the ISO must first thoroughly understand exactly what examiners are looking for. Federal regulators have issued guidelines recently to help institutions better understand and manage the risks associated with outsourcing a bank activity (including functions that support a bank activity) to a service provider. The FFIEC IT Examination Handbook was revised to help guide banks, their boards of directors and management on how to properly establish and maintain effective vendor and third-party management programs.

Understand Examiner Expectations for the Board and Senior Management

Lack of board and management involvement has direct consequences. Inability to prove board oversight can lead to a poor CAMELS score (and subsequent FDIC insurance premium increase), enforcement actions such as an MOU (Memorandum of Understanding), or financial penalties. Examiners expect the board and senior management to develop and implement enterprise-wide policies to govern the outsourcing process consistently. These policies should address outsourced relationships from an end-to-end perspective, including establishing the need to outsource a function, selecting a provider, negotiating the contract, monitoring the vendor regularly, and discontinuing the business relationship. Examiners also expect to see evidence that an institution’s higher-risk vendor relationships receive additional scrutiny above and beyond providers that present less risk to the institution.

2018 Community Bank Information Technology Outlook

Primary Research and Analysis of Your IT Priorities
in 2018

Streamline Vendor Management Oversight

While it is more important than ever for the board of directors and management to oversee and manage the risk associated with vendors, many continue to struggle with the best way to efficiently and successfully accomplish this. According to the survey, 48% of respondents are still using a basic spreadsheet to manage their vendors. While this may have worked in the past, regulators now expect all vendors to be assessed, easily overwhelming the manual process. In addition, spreadsheets provide no proactive alerting mechanism for expiring contracts and upcoming vendor reviews. They also do not provide the ability to collaborate across the organization and make producing management reports and documentation more challenging than it should be.

Many financial institutions are looking for ways to more effectively manage their outsourced vendors, protect themselves from the risk, and maintain government compliance and regulatory requirements. Oftentimes, financial institutions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions built around the specific needs of all of the key players within the financial institution saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. A complete vendor management system ensures your board of directors and management are notified of all of the critical activities and actions required to effectively monitor a third-party relationship, ensuring all risk assessments, controls reviews and documentation are up-to-date.

Communicating with the board of directors and upper management can be a daunting task, but it is extremely important for financial institutions to ensure the appropriate people are involved in their vendor management program. Doing so not only saves the financial institution time in the long run by helping to focus resources, but also helps protect financial institutions from future poor exams, penalties, fines and additional regulatory scrutiny. Ultimately, it is the Board of Director’s responsibility to protect itself and its sensitive data. Having buy-in and participation from the Board and Senior Management helps ensure that this important Information Security process gets the attention it requires.

For more information please download our complimentary white paper, 2017 Community Bank Information Technology Outlook Study.

18 Jan 2017

Banks, Compliance Chuck Copland 0 comment

What is a Business Impact Analysis?

What is a BIA?

What is a Business Impact Analysis (BIA)?

A bank’s business continuity plan has evolved to become the crucial blueprint for guiding a financial institution through the process of recovering from a business interruption. Examiners are reviewing these plans more closely looking for proof that banks not only have a well-crafted plan in place, but are also able to successfully execute it. Banks must thoroughly understand and evaluate their critical processes, functions, and the interdependencies that support them in order to develop a solid plan the institution can implement effectively in the event that a disruption occurs.

One of the first steps in the BCP process is completing a Business Impact Analysis (BIA). The BIA is designed to help banks determine and evaluate the potential effects of any interruption to critical business operations as a result of a disaster, accident, or emergency. However, there has been some confusion among financial institutions regarding exactly what a BIA is and why it is important to the overall plan. Some financial institutions may confuse conducting a BIA with completing a Risk Assessment (RA). While the two go hand-in-hand and are both important steps in the continuity planning process, it is important to note that they are two completely different exercises.

The Difference Between Risk Assessment and Business Impact Analysis

Simply put, conducting a risk assessment will outline different threat scenarios the bank could face that would negatively impact normal operations. This includes both natural and man-made disasters listed in Appendix C of the FFIEC’s Business Continuity Planning booklet – think flooding, fire, pandemic illness, looting, vandalism, loss of communications, hardware failure, etc. As part of the RA, risks are assessed on their probability and impact to the institution. The Risk Assessment should result in a list of top threats to the institution, its customers, and the financial market it serves. This list can then be used to inform testing priorities.

On the other hand, a BIA focuses on the different processes within the bank rather than the threats to them. How badly will the inability to complete a process harm your institution, regardless of why that process was interrupted? Completing a BIA includes performing a workflow analysis of all business functions and processes that must be recovered. The BIA will help rank the criticality of your different processes, determine how quickly you need to recover the different areas of your bank, and ultimately result in a ranked list of recovery priorities. This analysis should be a dynamic process that identifies the interdependencies between critical operations, departments, personnel, and services.

BIA Defense

How to Complete a Business Impact Analysis for Your Bank

To conduct the BIA, financial institutions should review each individual business process and function that goes into completing that process. Participants evaluate the risks associated with the loss of each process due to a non-specific outage event.

There are four main categories of enterprise risk that should be evaluated for each process to determine an accurate assessment of the total business impact:

Regulatory/legal risk
Reputation risk
Strategic risk
Operational risk

Evaluating these categories allows the BCP team to prioritize and sequence time-sensitive or critical business processes, functions, and the interdependencies that support them. These interdependencies include technology components, personnel, and outsourced relationships. The BIA helps the bank make sense of all these moving parts, and which are more crucial than others. The end result of the BIA is a consensus list of processes, the Maximum Allowable Downtime (MAD) and Recovery Time Objectives (RTO) for each, the amount of data that must be restored (Recovery Point Objective, or RPO), and an order in which those functions should be recovered (recovery priority). This information provides the strategic direction of the recovery plan, and should be referenced when defining recovery procedures.

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

Why the Business Impact Analysis is a Crucial Part of Your Bank’s BCP

Completing the BIA enables the financial institution to really define and understand what it is they do and how important those processes are to their operation. While the findings are different for each bank, there are some similarities. For example, most retail banks have a teller system that must be operational, as well as an ATM system and core processing network. However, the MADs and RTOs assigned to each function are often different for each financial institution. It is not uncommon today for regulators to demand that all RTOs be based on a methodical analysis of the tolerance for downtime for each process, and NOT simply a subjective value. Financial institutions need to be able to show how and why they have assigned rankings to each function. It is crucial to have representatives from all areas of the financial institution involved in the BIA process. Not doing so, or not completing the BIA at all, could lead to a misallocation of resources at minimum, or possibly violation of regulatory requirements (and a lower exam score), and potential reputational damage in worst case scenarios.

At Safe Systems, we understand that conducting a BIA has become a very time consuming yet necessary part of operating a compliant, resilient, and recoverable financial institution. Therefore, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the process by automating processes that have previously been done manually, eliminating the need for cumbersome spreadsheets, and time consuming data gathering and reporting activities. The careful evaluation of individual business process and support functions enables the bank to better understand objectives regarding continuity of operations.

For more information download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks.

11 Jan 2017

Banks, Compliance Jamie Davis 0 comment

5 Consequences of Doing Nothing: Why a Proactive Approach to Vendor Management Should Be a Top Priority for Your Bank

Why a Proactive Approach to Vendor Management Should Be a Top Priority for Your Bank

In today’s fast-paced banking environment, most financial institutions use a number of third-party vendors to keep bank operations running smoothly. In a recent banking survey, 47 percent of banks cited the use of spreadsheets to help keep track of their third-party providers. While many banks have systematized vendor management and implemented new vendor management software, there are still a large number of banks that do not actively manage their vendors at all. Further still, there are some institutions who view “vendor management” as simply knowing who their vendors are based on a review of the bank’s accounts payable report.

While an accounts payable report allows the bank to keep track of each vendor partner and the services they provide, this is not what regulators are looking for when evaluating an institution’s vendor management program. According to the FFIEC IT Examination Handbook, having a comprehensive list of vendors means nothing if it is not being used to identify risks and manage compensating controls of those risks for each third party service provider. Without a proactive approach to vendor management, banks are opening themselves up to increased levels of risk that can have a negative impact on the institution’s financial standing, compliance posture and overall ability to serve its customers.

Why a Proactive Approach to Vendor Management Should Be a Top Priority for Your Bank

Here are the top 5 consequences your bank could face by not having a solid vendor management program in place:

Missing Yearly Opt-out Dates

Today, too many banks are taking a reactive approach to vendor management which can lead to some major problems for these institutions down the line. For example, a bank may be unhappy with its current vendor and want to look for other alternatives, but in this reactive approach, the bank is really only managing its vendors when there is an immediate issue. When it comes to vendor management, proactively monitoring third-party providers and fully understanding the parameters of the vendor contract can help alleviate this by preventing an institution from being locked into a contract with a vendor that is not performing up to standards.

Unnecessary Costs

Contract management represents a major component of effective vendor management and overall budgeting and profitability. We’ve found that once banks begin an efficient vendor management program, they have a better picture of how their money is being spent, as many discover that they’ve been spending money on services that their bank is no longer using. A common, simple example is a bank that had been spending $45 monthly on a phone line for a fax machine that was no longer in the branch. While by itself, this is a relatively small expense, when bundled with other incremental savings, it can lead to meaningful savings.

Loss of Critical Bank Services

What would happen if your bank’s item processing provider went out of business without warning? For many community banks, this could lead to weeks of researching new vendors, evaluating each choice, and negotiating new contracts. For many banks, being without a critical service is not an option, so it is imperative that banks closely monitor their vendor’s financial statements and have alternative options in place.

Vendor Cybersecurity Events

Without a solid vendor management program, financial institutions may actually be opening themselves up to increased cybersecurity risk. Community banks should understand that their cybersecurity posture is only as good as the cybersecurity of their vendors. Often, a third-party service provider can unknowingly provide a back entrance to hackers who are looking to steal sensitive customer data. Having a procedure in place to identify the risks associated with each vendor will help banks to effectively research third-party providers and help mitigate potential risks to the institution

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

Non-compliance With Government Regulations

Today, bank vendor management processes must align with examiner expectations or the institution runs the risk of being written up and receiving a low CAMELS score. If you are not properly tracking, reviewing, and heavily monitoring your vendors, your bank could be sitting on a time bomb. Some financial institutions haven’t received a written warning from examiners yet only because they haven’t had to update their processes for some time, or because the regulator was focused on another process at the time of the last review. In our experience however, a bank is rarely written up for just one offense. If an examiner sees that the bank isn’t following through on vendor management, they may begin to look more closely into its business continuity plan or cybersecurity procedures as well.

Why a Proactive Approach to Vendor Management Should Be a Top Priority for Your Bank

Since regulators have placed higher importance on how community banks manage their vendors, it can be extremely difficult (or impossible) to gain the required level of insight from a list or a spreadsheet. Simply knowing who your vendors are is not what regulators are looking for. Examiners expect banks to take appropriate steps to mitigate risk and keep the institution safe. Therefore, it is important to have a good understanding of which vendors have access to your institution’s data and how that impacts the banks’ ability to function on a daily basis.

Financial institutions can take a more proactive approach by including non-disclosure agreements, tracking vendor contracts, having a third-party audit their vendors, and analyzing the existing – and emerging — risks. Banks should also confirm that their vendors have the right controls in place to serve the institution properly and have a backup plan in place should that vendor fail to perform. Proactively managing vendors allows banks to better meet regulatory demands, prepare for the unexpected and maintain their good reputation.

19 Dec 2016

Banks, Compliance Safe Systems 0 comment

Safe Systems Helps First Federal Bank Weather Hurricane Matthew with Ease

First Federal Bank ($170, 413,000 in assets) is one of the oldest locally-owned financial institutions in North Carolina, employing a staff of 60 and serving the communities of Angier, NC; Benson, NC; Clayton, NC; Dunn, NC; Erwin NC; and Fuquay-Varina, NC. The bank has a proven history with Safe Systems, originally selecting the company as a vendor partner in 2003 to help it navigate the fast paced change of its business and regulatory environment.

As the industry has continued to evolve and technology has become more advanced, First Federal Bank built on this relationship by adding many of Safe Systems’ solutions and services, including NetComply, Vendor Management, CVault, Safe SysMail, and ultimately, Safe Systems’ disaster recovery (DR) solution, Continuum.

Disaster Strikes the US Eastern Seaboard

In October 2016 Hurricane Matthew wreaked havoc on the Eastern Seaboard of the US, disrupting thousands of businesses and organizations, and impacting millions of people’s lives, including those who worked for First Federal Bank. As the news of the upcoming hurricane became more threatening, the bank and its BCP team began preparing for a possible disaster. While First Federal Bank’s location was forecasted to miss the brunt of the storm, the bank still reviewed its BCP and DR plans and ensured all designated personnel in each branch were fully prepared.

On Wednesday, October 5, Safe Systems was proactive in contacting First Federal Bank to help them manage their BCP process and support the bank’s preparedness for potential disruption. After reviewing all backups to ensure everything was working properly, the bank’s designated strategic advisor at Safe Systems guided bank staff through the entire process, outlining what they needed to do prior to the storm, helped with shutting down servers, ensured the server room was secure, and reinforced the proper communication protocols and contacts were correct and understood.

“Safe Systems served as a true partner for us through the storm and was there to guide us through the entire process, giving peace of mind to all,” said Leigh Barbour, vice president/IT Manager for First Federal Bank.

On Saturday, October 8, the storm hit North Carolina with a lot more force than the forecast predicted, and torrential rain and wind resulted in fallen trees and power lines. While the impact of the storm was more severe than expected, there was no physical damage at any of the bank locations, aside from the fact that the majority of the locations were without power.

On Monday morning, which was a bank holiday, the bank had a conference call with Safe Systems to update them on the situation and discuss the next steps in recovering from the storm. Later that day, the power was restored in most of the bank’s branches except for the Dunn branch and the Corporate Center. The power company said it would be five or seven days before the power would be restored. This news required the disaster recovery team to contact Safe Systems and begin implementing the BCP plan and procedures. Once contacted, the Safe Systems Continuum team worked with the bank to seamlessly switch to the disaster recovery environment. This enabled the bank’s technical environment to be restored remotely, giving them the ability to remotely access its network. Safe Systems colocation then became the actual environment for First Federal Bank, enabling it to securely run all of its solutions from a remote location.

Working together, the disaster recovery teams for First Federal Bank and Safe Systems had the bank ready to operate normally on Tuesday, October 11. Fortunately however, the power was restored Monday evening, so the full Continuum process was not executed.

While the bank and Safe Systems did work hard to ensure the Continuum environment was ready to operate, First Federal Bank reported that the stress of working to recover its network was greatly reduced due to the proactive BCP and DR testing it routinely conducts.

“The last test was completed on August 1, so we felt confident going into the storm that the plan would work and we would be able to resume business as normal in an efficient and timely manner,” said Barbour. “During our test we did cut the connection to our core processor and operated solely from the Continuum environment, which gave us the peace of mind knowing that it was operational and ready to go.”

“Even though we did not execute the full Continuum process, working with Safe Systems through the preparation was very helpful and reassuring,” continued Barbour. “Safe Systems was with us every step of the way to guide us and assure that our systems and processes were working and tested correctly. It is good to know that in the event of a disaster we have a reliable alternative until our environment is restored and a valued partner to support us.”

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

07 Dec 2016

Banks, Compliance Darren Bridges 0 comment

Small Town Bank Maintains Compliance Posture with Safe Systems’ Cybersecurity RADAR Application

Cybersecurity Defense

Compliance and regulatory issues, especially as they relate to cybersecurity, are top of mind concerns for financial institutions. For many community banks keeping up with the ever changing regulatory requirements and expectations can be a challenge. One area of concern for many banks is the Federal Financial Institutions Examination Council’s (FFIEC) CAT, which was released in June 2015 and is designed to ensure banks are prepared in the event of a cybersecurity attack. Although regulators said they would not require banks to complete the CAT, they began using this set of criteria to examine institutions and determine their level of cybersecurity preparedness.

This was the case for Small Town Bank, a $215 million institution headquartered in Wedowee, Ala., that serves East Central Alabama and its surrounding communities. To comply with the FFIEC’s cybersecurity requirements, Small Town Bank began implementation of the new CAT requirements. However, the bank’s IT department found the 123-page assessment to be a time consuming and cumbersome task for the bank to manage and understand. The bank was unclear on what they needed to do to improve their cybersecurity processes and understood they needed to find a more efficient way to complete the assessment, understand their level of risk and make improvements to their IT environment.

The Solution – Safe Systems’ Cybersecurity RADAR Application

Small Town Bank began looking for a solution that could simplify this process and provide guidance on exactly what the staff needed to do to improve its compliance posture. When the bank heard about Safe Systems’ new automated cybersecurity tool, the staff was excited to learn more about its key features and functionality and how this product could help them achieve their long-term goals for cybersecurity. The Cybersecurity RADAR solution combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. After reviewing the information about the Cybersecurity RADAR product, Small Town Bank knew it would have a knowledgeable team to provide expert knowledge and support to ensure a more streamline assessment process.

The Results – Improved IT Examination Results

Working with Safe Systems, Small Town Bank was able to realize significant operational efficiencies in its CAT assessment reviews and reporting and reduced the time its staff spent on completing the CAT from days to hours.

For more information on how Safe Systems helped Small Town Bank, please download our complementary case study, Small Town Bank Improves IT Examination Results.

Small Town Bank Improves Their IT Examination Results

Learn how Jennifer Dendinger, Information Technology Officer at
Small Town Bank, reduced the time needed to complete the CAT

14 Nov 2016

Banks, Compliance, Security, Technology Jamie Davis 0 comment

What Community Banks Should Budget for in 2017

Many financial institutions are entering their 2017 budget season. Creating a budget is essential in helping you execute your strategy and plan for the future, however, any shortcomings, such as the ability to respond to changes in regulation or things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, Security and Compliance budget items that are often overlooked. Since we work with more than 300 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints, and offer some points for consideration in your budgeting for 2017.

In 2016, regulatory agencies have seemed to be more aggressive. We are consistently hearing from institutions that traditionally pass exams with ease that they have now been cited for new issues or have been asked to go above and beyond their normal remediation steps. We are now seeing that it is not uncommon for institutions to be cited for their handling of Cybersecurity Assessments, Business Continuity Planning and/or Vendor Management. 2016 was also the year of malware, and examiners are now focusing more attention on it as a pervasive problem in the industry. In addition, multiple institutions have been encouraged, if not “required,” to have a forensic analysis performed if the institution did not do a thorough job of performing their incident response procedures during a malware outbreak.

Often, once regulators cite an institution for one item, they dig deeper into other processes as well. Rarely have we seen an institution written up for one issue. The shift to a more proactive approach, including better preparation for and addressing of concerns or potential regulatory issues prior to an exam, is a much more efficient course of action and one that more financial institutions are adopting.

Community Bank Budgeting Money

With these ideas in mind, here are some areas financial institutions should consider when budgeting for 2017:

Malware/Ransomware Layers: $1,500 – $5,000

While the price will depend on the layers you choose and how many you choose to add, you should really consider taking a more aggressive step in your fight against malware. If 2016 taught us anything, it is that malware, and specifically Ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past. Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers. It’s now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.
Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

Cybersecurity has come under increased regulatory focus, and with the latest Cybersecurity Assessment Tool being released this year, it promises to be a hot topic for the foreseeable future. You need to make sure you keep your security, business continuity and vendor management policies and procedures up to date.
Business Continuity Planning and Testing: $3,000 – $8,000

You must ensure that your business continuity policies, procedures and practices are in compliance with constantly changing regulations. A business continuity plan (BCP) should be a living, functional document that keeps pace with any changes in your infrastructure, strategy, technology and human resources. Be sure to budget for the following:
- BCP updated to meet current regulations
- Annual plan testing to validate
- Training for gaps found during test or updates to the plan
Robust Vendor Management Solution: $2,500 – $5,000

With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost effective way to address this.
New and Replacement Technology: $500 – $10,000

Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:
- Windows® Server 2003
- VMWare ESX nodes 5.1 or lower (end of support August 24, 2016)
- SQL 2005 or earlier instances (end of support April 12, 2016)
- Domain replication from FRS to DFSR
- Extending warranties on hardware more than 3 years old
- VEEAM Backup & Recovery version to 8 or higher
Training: $500 – $1,500

Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. Make sure your employees and customers have access to the appropriate training commiserate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.
Vendor and User Conferences: $1,000 – $1,800

It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.

Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.

09 Nov 2016

Banks, Compliance Darren Bridges 0 comment

How an Automated Solution Can Enhance Your Cybersecurity Posture

Our industry has seen the frequency and severity of cybersecurity attacks continue to increase, with recent attacks involving extortion, destructive malware and compromised credentials. In fact according to the FDIC, Information Security Incidents were up 48% in 2014, and we expect similar increases this year. In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) in 2015. The assessment provides institutions with a repeatable and measureable process to inform management of their institution’s cybersecurity risks and preparedness.

What Do Examiners Expect You to Demonstrate?

While use of the CAT by financial institutions is voluntary, examiners expect all financial institutions to use some sort of framework or risk assessment process to demonstrate cybersecurity preparedness. This is important not only for the health of the institution, but also for the financial industry as a whole. Moreover, careful consideration of cybersecurity risk is absolutely critical when complying with regulatory requirements, as the new cyber elements will be added to future IT examinations. For many bankers, responding to an IT examination has become so time-consuming that it is essentially full time job. Having a user-friendly automated tool would certainly help streamline the assessment process, but to date, the FFIEC has not indicated that it intends to release an automated version of the CAT.

So, increasingly bankers are investigating their options when it comes to automating the assessment and reporting process. A well-designed automated solution should help financial institutions take a more informed, proactive approach to managing periodic FFIEC cybersecurity assessments. It should help bankers easily identify and resolve any cybersecurity gaps in an efficient manner, while also meeting examiner expectations. Such a solution enables the financial institution to collect, summarize, and report on its cybersecurity posture coherently (and consistently) and be better prepared for the actual IT exam.

Your cybersecurity compliance solution should enable your institution to:

Simplify the initial assessment by providing plain-English clarification for confusing questions;
Provide a way to actually track responses from one assessment to the next, which helps with reporting back to regulators in terms of consistency and in better articulating progress over time;
Develop thorough reports for the Board and other stakeholders, as well as a clearly articulated action plan;
Be more proactive vs. reactive in managing cybersecurity risks, by including items such as incident response testing and Board reporting;
Reduce the possibility of misinterpretation of information or questions, which can impact the accuracy of the entire assessment; and
Better understand or predict what to expect from regulators in the future.

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial
institution’s compliance posture

An Automated Solution for Community Banks

At Safe Systems, we understand that managing cybersecurity has become very time consuming and stressful for financial institutions. To help streamline this process, we have developed Cybersecurity RADAR. This comprehensive compliance solution couples compliance expertise with access to our Enhanced Cybersecurity Assessment Tool (ECAT) application. We’ve transformed the FFIEC’s 123-page Cybersecurity Assessment Tool into a much more user-friendly digital interface. The web-based ECAT application is designed to capture and document periodic changes to an institution’s risk and maturity, empowering you to measure the state of your cybersecurity risks and controls within the FFIEC’s framework, and easily generate reports in preparation for Board meetings or exams.

In alignment with the ECAT, our compliance consultants will help you complete the assessment, identiy and resolve cybersecurity gaps, complete cyber Incident Response testing, and report to the Board, and train employees. This combination helps community banks and credit unions clearly demonstrate Cybersecurity preparedness and ensure a smoother IT exam process.

26 Oct 2016

Banks, Compliance Tom Hinkel 0 comment

The Importance of Integrating Vendor Management and Business Continuity Planning for Community Banks

In today’s banking environment, most financial institutions rely on third party service providers (or vendors) to conduct business on a day to day basis. In fact, without the help of third party service providers, a bank’s ability to provide products and services to customers would be severely impacted. When banks choose to outsource key bank functions to a service provider, however, it creates a reliance on that third-party and exposes the institution to the risk of not being able to resume operations in a desired timeframe in the event of a disruption.

When creating a business continuity plan, financial institutions have to be able to account for all interdependencies within the institution and evaluate the risks. Interdependencies can be classified into assets, or things you own, and vendors, or things you outsource. The FFIEC recently issued new BCP Guidance in the form of an addendum to the IT Handbook on Business Continuity Planning. It is titled “Appendix J: Strengthening the Resilience of Outsourced Technology Services”, and it has significant implications for both financial institutions and service providers. The guidance requires institutions to have certain controls in place to mitigate these risks and discusses a few key points regarding the management of third party providers:

“Third-party management addresses a financial institution management’s responsibility to control the business continuity risks associated with its TSPs and their subcontractors.”
“Third-party capacity addresses the potential impact of a significant disruption on a third-party servicer’s ability to restore services to multiple clients.”
“Testing with third-party TSPs addresses the importance of validating business continuity plans with TSPs and considerations for a robust third-party testing program.”

Why Does VM Come into Play When Talking About BCP?

As banks evaluate vendors, they are assessing several key elements, but mainly, the criticality of the product or service the vendor provides. In doing so, bankers should be asking: How important is this vendor to what we do? If they fail, how many of our services fail? Criticality is expressed in terms of Recovery Time Objectives (RTOs). Each bank must determine their own unique RTOs for their institution, and must also assign the same RTO to the third-party vendor. Banks then assign the criticality rating to the vendor based on the criticality of the service that the provider supports. This helps ensure the vendor is equipped to adequately perform their agreed upon task so the bank can conduct business as usual. If the provider is not up and running, then the bank can’t be up and operating either, at least not without work-arounds in place.

When doing BCP planning, the financial institution must look at all areas of the bank and the services and products provided – teller services, lending services, ATMs, accounting, etc. and identify all of the interdependencies or third parties necessary to make these services happen. BCP also looks at RTOs for the entire process. So, if the bank assigns an RTO of one day to the teller process on the BCP side then everything that process requires, including a third party provider, also now inherits that same RTO on the vendor side. There must be a tight cohesion between the vendor management process and the BCP.

Successfully integrating vendor management and business continuity planning is critical for financial institutions, especially when adhering to the FFIEC regulations and guidance. While this can be a tough assignment for bankers, it is a necessary process that has a direct impact on the health of the institution.

Taking Business Continuity Planning to the Next Level:
A Better Way for Banks

Learn how examiners are increasing their focus on BCP, the risks involved in relying on a single individual, and better ways to develop your plan.

14 Oct 2016

Banks, Compliance Safe Systems 0 comment

When Disaster Strikes – BCP and Disaster Recovery Lessons in The Wake of Hurricane Matthew

Hurricane Matthew

Last week, we all watched as Hurricane Matthew unleashed its fury on the Eastern Seaboard of the US, disrupting thousands of businesses and organizations, and impacting millions of people’s lives. The damage that the storm inflicted underscores the importance of disaster planning and preparation – time and again, we see a stark difference in the reaction from businesses who have a disaster plan in place and those that don’t. The same applies to financial institutions, especially community banks and credit unions. The lack of proper planning and preparation could be particularly devastating for a bank in terms of disaster recovery, and is even more challenging for smaller community financial institutions who often lack the staff and resources of larger institutions.

When disasters like Hurricane Matthew strike, it is imperative that financial institutions implement their Business Continuity Plans and Disaster Recovery plans, as required by FFIEC guidelines. These plans are instrumental in outlining the specific steps and processes the institution must take to be prepared and efficiently recover from disasters or business interruptions.

Preparing for Natural Disasters and Similar Events

First and foremost, community banks and credit unions should have an existing plan in place and execute that plan when conditions dictate it. Beyond this, there are several additional steps we at Safe Systems recommend each financial institution take to adequately prepare for natural disasters and similar events, including:

Double check all backups and ensure offsite copies are up to date and working. If using an on premise backup solution, make sure all hardware and backups are moved offsite to a safe location.
Uninterruptable Power Supplies (UPS) are designed for short term outages in power. If expecting longer power loss, preemptively shut down servers and all IT equipment. If equipment is not properly shut down, it can result in failures and malfunctions.
Ensure the security of the server room. Make sure the server room is locked with separate key access and all equipment is secure.
Ensure everyone is following the procedures in the BCP and DR plans and is aware of the proper communication protocols and contacts.

Common Issues

Many banks today try to manage their own technology solutions, including backups, email systems and server management. Some outsource these responsibilities to local providers who may not be experts in the financial services industry. Some issues financial institutions may run into when working with a local provider include:

Email Outages

Working with a local provider who hosts the email server locally means the server might be down due to possible power outages. This is also true if the bank hosts email internally.
Backups

If backups are stored with a local provider, that provider is likely also affected by the storm, meaning they might also be suffering from damage and loss that they need to recover before being able to help their customers. Furthermore, if using an on premise backup solution, it brings into question whether backup media will be accessible and/or if it is damaged in the storm.
Evacuation

As we saw last week, some communities may be forced to fully evacuate, which includes bank IT staff, and the staff of the local service provider. The true damage and loss won’t be known until they are allowed to return and start attempting to power back up.

Options for Outsourcing

These issues can be avoided when working with an IT service provider. Safe Systems is the leader in providing compliance-centric IT and security solutions exclusively to community banks and credit unions, and as such, we understand the unique needs each financial institution has when preparing for — and recovering from — a natural disaster. Financial institutions working with Safe Systems benefit from:

Remote and Secure Back-ups and Data Recovery Practices

Our backups are in two redundant remote facilities making sure your data is always protected. In addition, our NetComply One solution provides proactive alerting when a backup has failed or has issues, allowing time to rectify the situation and ensure all information is stored appropriately. Also, we annually test our customers’ disaster recovery plans and the integrity of backups to ensure customers can recover files and networks as documented in their BCP.
Available Staff and Engineers

No evacuated IT personnel! All IT personnel are able to handle situations remotely and our team is available to help 24 hours a day/7 days a week. In addition, during Hurricane Matthew, for any customers that may have been impacted, Safe Systems ensured additional engineers were available to help immediately.
Guidance

With our unique CRM software, we were able to target our customers who might be affected by the storm. We contacted them to guide them through the preparation process and are on standby to help when and if issues arise. Also, this included verifying our customers had current backups by performing a thorough review of all protected systems.
Offsite Hosted Email

SafeSysMail, powered by Microsoft Office 365™ email, eliminates the burden of running Microsoft Exchange™ internally; meaning email is not disrupted in the case of a natural disaster. As a vital part of your institution, your email solution needs to function smoothly and consistently in order to support your business functions, even during a disaster. Working with Safe Systems gives you access to an email solution that, while powered by Microsoft’s cloud email solution, is designed exclusively for financial institutions and includes extra layers of protection.
Continuum

With our disaster recovery solution, Continuum, we can restore a bank’s technical environment remotely, giving them the ability to remotely access their network. Our colocation becomes the actual environment for clients, enabling them to run all their solutions from a remote location, our colocation facility.

Taking Business Continuity Planning to the Next Level:
A Better Way for Banks

Learn how examiners are increasing their focus on BCP, the risks involved in relying on a single individual, and better ways to develop your plan.

You simply cannot prevent or anticipate every disaster, but proactively knowing where to go, who to contact and what critical functions need to be backed up and restored can provide confidence to you and your employees when responding to a disaster. Developing, implementing, and regularly testing disaster recovery and business continuity plans is crucial in today’s banking environment. At Safe Systems we have been working with banks and credit unions to manage their disaster recovery process for more than 20 years. Our hope is that it isn’t needed, but should it be, our proven experience enables us to provide the services and assistance necessary to ensure our customers are prepared for a disaster and able to quickly recover from one.

12 Oct 2016

Banks, Compliance Chuck Copland 0 comment

Simplify Business Continuity Planning for Your Bank with a Structured and Repeatable Approach

A bank’s Business Continuity Plan (BCP) has evolved to become the crucial blueprint for guiding an institution through the process of recovering from a business outage. Examiners are looking at these plans closely to verify that banks not only have the right plan in place, but are also able to successfully execute it. Many banks choose to keep continuity planning in-house and manually develop their plans. With increased levels of regulatory scrutiny, innovative bankers are embracing technology to make BCP a more efficient and streamlined process.

Many institutions take a qualitative approach to continuity planning, and this requires coordinating meetings between various stakeholders to come to consensus decisions. To create a more efficient BCP process, bankers should be looking to implement an application that will help their financial institution follow the FFIEC-prescribed process and facilitate the collaborative elements of BCP. The end result should include a complete and comprehensive plan that meets regulators’ expectations and equips the financial institution to handle and recover from possible disasters in a timely and efficient manner.   

Enterprise Modeling – The First Step to a Successful Business Continuity Plan

Each bank has a unique operating model based on its specific services, organization, processes, and technologies. Before an institution can figure out how to sustain or recover operations, it must first have a thorough understanding of all the functions and processes that make up those operations. At Safe Systems, we refer to this information gathering step as Enterprise Modeling. This involves breaking the institution into departments (aka Functional Units) and determining the team members responsible for each of these areas. Each department is responsible for one or more business processes, and each of those processes is comprised of multiple functions.

Enterprise modeling can streamline the BCP process and give bankers the ability to assign those most knowledgeable with their department’s operations the task of developing the recovery plan. It is difficult (if not impossible) for a single individual to have all of the knowledge required to recover operations for every department and process. Involving additional people, if not managed properly, can create an even more complex process. By starting with an Enterprise Modeling step, the institution will directly map required functions to those individuals responsible for accomplishing those functions. Organizing the process in this manner will simplify the gathering of business recovery information from each department head, ensure that all processes are addressed, and help institutions develop a more accurate assessment of their risks.

Automating Your Bank’s Manual BCP Processes

Business Continuity Planning is cyclical and assessments should be revisited regularly. Automating repetitive portions of BCP process eliminates the need to update cumbersome spreadsheets, and can carry over information from time-consuming data gathering and reporting activities completed in previous assessments. An automated BCP solution will help guide financial institutions through the entire process of BCP — from assigning department heads, documenting key activities, services, and applications, assessing critical recovery times, testing procedures, and staying on top of key updates related to the plan.  
 
It is crucial to ensure the BCP will meet regulatory scrutiny while providing an efficient and simplified process for the institution. Community banks, in particular, should have a business continuity plan that is easy to understand, easy to use, and developed specifically for their institution. An automated application should provide the necessary structure to keep banks on track, but should also allow for customization as each institution sees fit.

Taking Business Continuity Planning to the Next Level:
A Better Way for Banks

Learn how examiners are increasing their focus on BCP, the risks involved in relying on a single individual, and better ways to develop your plan.

At Safe Systems, we understand that BCP can be a very time consuming and stressful process for banks. To help streamline this process, we have developed a Business Continuity Plan application, BCP Blueprint, to help facilitate and automate the BCP process. This application helps financial institutions move from a pieced together set of recovery procedures to a cohesive enterprise-wide approach for continuity planning. The end result will include a complete and comprehensive plan that meets regulators’ expectations and equips financial institutions to better respond when disaster strikes. For more information please download our complimentary white paper, Taking Business Continuity Planning to the Next Level: A Better Way for Banks, by clicking the image above.

05 Oct 2016

Banks, Compliance, Security, Technology Christine Ray 0 comment

Building Success in the Banking World – Safe Systems’ 2016 NetConnect Conference Recap

Safe Systems hosted its 2016 NetConnect Customer Success Summit on September 13th in Athens, Georgia. The theme of the three-day conference was focused on customer success. Safe Systems brought together 73 financial institutions from around the country to hear inspiring key note speakers, attend informative educational sessions, and obtain key banking industry insights designed to help them build the best financial institutions for their communities.

A key goal of this year’s conference was to provide our banking clients with the necessary tools and guidance to build successful institutions and meet stringent regulatory demands. Safe Systems presented a short tongue-in-cheek skit that began with an FDIC examiner knocking on the front door of a bank, ready to do a full analysis. The bank felt confident that it would meet the examiner’s expectations, but ended up with less than satisfactory results. The examiner emphasized the need for the senior management and board’s involvement in all areas of exam preparation to ensure success, including cybersecurity, vendor management, business continuity planning and more. This example became an important topic of conversation and a key point that Safe Systems highlighted throughout the day.

Sticking with the theme of success, Safe Systems’ President, Darren Bridges, provided opening remarks encouraging banks to not only know what they do and how they do it, but to also have a strong understanding of why. This is an important part of creating a successful institution because the “why” is what makes a bank stand out from competitors and connect with the critical needs of its customers. During the keynote session, Dr. Randy Ross gave an energetic and memorable speech on designing a remarkable culture within financial institutions. He emphasized that culture is the single most important differentiator for community banks and sets the tone for how customers interact with the institution.

Safe Systems’ vice president of Compliance, Tom Hinkel, rounded out the day’s activities with an engaging presentation, where he highlighted some of the compliance challenges banks are facing today and provided helpful advice on how they can successfully manage this complex function.

Customer feedback sessions during the conference provided insights into current IT, security and compliance issues and trends bankers are most interested in and helped to identify areas where they will need the most support. Community bankers today wear many hats, and it can be daunting to keep up with all of the changes occurring in the world of IT. One big concern for bankers at the conference was being able to manage networks effectively and ensure that all activities are running smoothly for their institutions. Other major topics included understanding cybersecurity, managing new regulations, providing proper IT training for employees, and communicating effectively on IT issues with the board and senior management at the bank.

Taking Business Continuity Planning to the Next Level:
A Better Way for Banks

Learn how examiners are increasing their focus on BCP, the risks involved in relying on a single individual, and better ways to develop your plan.

Safe Systems also worked to create an atmosphere where customers could exchange ideas and learn more about the latest technologies and services in the financial services industry. The conference featured many trusted partners and vendors, who either sponsored the summit, exhibited during the trade show, or both. These companies included:

Thigpen, Jones, and Seaton
Banc Intranets, LLC
Consolidated Banking Services, Inc.
Rebycsecurity
iTransit Solutions
Porter Keadle Moore, LLC
Bitdefender
Jack Henry & Associates
CashTrans
ATM Response
Kaseya
Intronis

Overall, last month’s NetConnect Conference was an engaging and educational experience where bankers received invaluable knowledge and advice regarding technology, compliance, and security. Safe Systems continues to enhance its products and services to help community banks strengthen their businesses and build success! We look forward to the next event to grow and create new opportunities for our clients.

← Previous 1 234 Next →