Category: Credit Unions

01 Dec 2020
Why Documentation is an Essential Priority During the COVID-19 Pandemic

Why Documentation is an Essential Priority During the COVID-19 Pandemic

Why Documentation is an Essential Priority During the COVID-19 Pandemic

While financial institutions have spent the last nine months focused on pandemic response and ensuring critical services remain available to their customers and members, there are other key areas of consideration to ensure their institutions remain compliant and can thrive in the future, including documentation. Unfortunately, few financial institutions are adequately documenting their efforts and new strategies as they are being implemented. Below are three key reasons why they really should.

1. Regulatory Expectations

Examiners will expect to see how financial institutions have handled the pandemic and that all of the lessons learned are reflected in their business continuity management plans (BCMP).

Some key questions regulators may ask regarding pandemic response include:

  • What have you learned from this event?
  • What have you done to enhance your pandemic plan based on those lessons learned?
  • Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time?
  • Have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access?
  • If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

2. Key Lessons Learned

All banks and credit unions must take a different approach to pandemic planning that fits well with their institution’s unique needs. They need to consider all of the challenges they’ve faced throughout the pandemic and apply key lessons learned to enhance their operations, including the importance of cross-training staff, enhancing security measures, succession planning, or improving technology for an employee to work at home. Until the pandemic passes, financial institutions should continue to reference their business continuity plans and document the entire process to create a blueprint for reference if a similar situation arises again in the future.

3. Strategic Planning

According to the FFIEC, an entity’s strategic planning should be developed to address all foreseeable risks, and these risks should cover the potential impact on personnel, processes, technology, facilities, and data. Throughout the pandemic, financial institutions should track what they are doing, how they are doing it, and whether any new procedure should be included in their existing crisis management or response plan.

The key is for institutions’ steering or strategic planning committee to stop periodically and document—or backfill information after the fact (at least a month or a quarter later.) Failing to document this process will result in institutions returning to business as usual after the crisis subsides and potentially making serious mistakes if a pandemic situation occurs in the future.

To learn more about pandemic response and key priorities for financial institutions, download our latest white paper, “Navigating the Coronavirus pandemic: Best Practices for Pandemic Planning and Key Lessons Learned for Community Banks and Credit Union.”

19 Nov 2020

3 Key Concepts to Incorporate into Your Business Continuity Management Plans

3 Key Concepts to Incorporate into Your Business Continuity Management Plans

The 2019 FFIEC Business Continuity Management Handbook represented a significant change in how bank and credit union examiners will assess your business continuity planning efforts going forward. Here are 3 concepts to make sure you’ve incorporated into your Business Continuity Management Plan (BCMP):

1. Likelihood and Impact

According to the Federal Financial Institution Examination Council’s (FFIEC) Business Continuity Management Handbook, “management should evaluate the likelihood and impact of disruptive events. Risks may range from those with a high likelihood of occurrence and low impact such as brief power interruptions to those with a low probability of occurrence and high impact such as pandemics. The most difficult risks to address are those that may have a high impact on the entity but a low probability of occurrence.”

Performing a risk assessment helps financial institutions identify all potential risks and classify them based on probability and impact. They should also quantify the impacts and define loss criteria as either quantitative (financial) or qualitative (e.g., impact to customers, reputational impact). However, to efficiently assess these risks, banks and credit unions need to be able to visualize them and plan accordingly. One way to do this is to use a four-quadrant matrix to scatter graph and plot the likelihood and impact of every threat.

Likelihood and Impact Graph

There are many other ways to do this, but whichever method you choose, examiners expect financial institutions to be able to document both probability and impact, and not only for the high probability and high impact threats, but also for the low probability high impact threats.

Although the Handbook lists Pandemic as an example of a low probability, high impact event, you may want to adjust the probability (and possibly the impact) rating upward based on the COVID 19 event. At this point, it is a certainty that everyone has been impacted somehow.

2. Resilience

Resilience is the ability to prepare for—and adapt to—changing conditions, and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. The first step to resiliency is to identify your proactive measures for mitigating the risk of a disruptive event such as:

  • Off-site repository of software (Data vaulting)
  • Appropriate backups of data
    • Cloud-based disaster recovery services may be considered as part of resilience programs
  • Off-site/redundant infrastructure (Hardware, data circuits, etc.)
  • Third parties (Alternate vendors/suppliers)
  • Key personnel (Succession planning)
  • Cybersecurity assessment tool
    • Annual process of considering changes in inherent risk and how your evolving in maturity

These are things you probably are already doing. If so, you can use your calculations to show that you already have proactive resilience measures in place.

Make sure to incorporate any adjustments made and lessons-learned from the recent Pandemic into your inventory of resilience measure against the next pandemic.

3. Inherent vs. Residual Impact

Although the residual risk rating is often used as the measure of the effectiveness of your risk management program, best practices mandate that management should use inherent risk ratings to guide their recommendations for (and use of) mitigating controls. However, when calculating residual threat impact, you can factor in any existing impact mitigation measures you already have in place. For example, if you use forewarning, duration, and speed of onset to calculate impact, any measures taken to reduce those 3 factors can also reduce your impact rating:

  • Example 1: Smoke detector & Fire detection equipment decreases the impact of fire by increasing the forewarning factor
  • Example 2: Auxiliary power decreases the impact power outage by decreasing the duration factor
  • Example 3: Good project management practices decrease impact of strategic risk by slowing the speed of onset factor

This is how you can take advantage of the existing measures you already have in place to decrease the residual impact of an event. You don’t have to do anything new, just take into account all of things you’ve already done to build resilience into your business continuity plan. Then simply add on where residual risks are still above your risk appetite!

For more information, watch our webinar recording, “The New Business Continuity Guidance Requires a Whole New Approach.”

12 Nov 2020
The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

In response to the Coronavirus pandemic, many financial institutions have implemented new technologies and made modifications to their IT infrastructure to better serve customers, members, and employees during this time. These changes may have increased the institution’s inherent risk profile, however, making it necessary to review the Federal Financial Institution Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) or National Credit Union Association’s Automated Cybersecurity Examination Tool (ACET). When adjustments are made to the organization, community banks, and credit unions must evaluate their risks and perform a gap analysis to ensure the institution is protected from cyber threats.

What is a Cybersecurity Gap Analysis?

A cybersecurity gap analysis starts evaluating the results of the CAT or ACET, (which is simply a snapshot in time of where you are with your risks (inherent risk profile) and controls (cybersecurity maturity) and then comparing “where your institution is” to “where you need to be.” In almost every case, there is some degree of misalignment between the two. Some common questions financial institutions ask are “Could we be doing more to oversee our cloud providers?” or “Should we be doing more to manage our internal administrators or third parties?” The idea of the gap analysis is to take your risk areas and determine what set of controls are most effective against those specific risk areas.

Completing the Cybersecurity Maturity section, for example, helps financial institutions better identify missing controls and processes. So, in order to increase the level of cybersecurity maturity, institutions should continually implement changes even if their inherent risk profile doesn’t change. Conducting a gap analysis is the first step in this process.

Continuous Improvement

Why should institutions strive to continuously improve their security posture even if their risk profile doesn’t increase? Simply put, because the threat environment is constantly evolving. New threats (and new twists on old threats) require constant vigilance and continuous improvements to existing controls. Standing still means you’re probably falling behind. On the other hand, making steady, incremental progress on your control maturity demonstrates a proactive, forward-thinking approach to cybersecurity.

Key Areas of Focus

First, financial institutions must determine if their controls and risks align – no small task as there are roughly 30 risk elements and nearly 500 control maturity elements in the assessment. Attempting to improve all of these areas in the CAT can be challenging and expensive for any institution, but especially smaller community banks and credit unions. While all control maturity domains are important, if your financial institution has limited resources, there are two key domains that you should focus your attention on when developing the gap analysis.

  • Domain 4: External Dependency Management
  • This domain involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships that provide access to the institution’s technology and information. Most financial institutions have a host of outsourced relationships that they rely on to keep operations running. Evaluating the interdependencies and associated security gaps from third-party vendors should be a key part of your analysis process.

  • Domain 5: Cyber Incident Management and Resilience
  • This domain focuses on establishing, identifying, and analyzing cyber events, as well as the ability to prioritize, contain, and mitigate during cyber events. The institution should also have the ability to properly inform the appropriate stakeholders in response to a cyber event. Cyber resilience includes both planning and testing to maintain and recover ongoing operations during — and following — a cyber incident. In the current security environment, it’s not if a cyber event will occur but when. Financial institutions should have an effective cyber incident response plan to control, contain, and recover from a potential cyber incident.

For more information, watch our Banking Bits and Bytes episode, “What is a Cybersecurity Gap Analysis?”

05 Nov 2020
How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

Banks and credit unions of all sizes experience some level of turnover or unexpected absence that can affect internal positions. When the IT administrator role is impacted, it can cause the most disruption, especially for smaller community institutions, as many have limited resources and may rely on only one employee in the role. When an IT administrator leaves, he or she takes with them the institutional knowledge and expertise gained through working with the FI’s unique IT infrastructure and network management processes. To lessen the impact, it’s up to the institution to effectively build continuity into its IT strategy and pay attention to the strategic decisions being made by the IT team.

In a recent Safe Systems webinar, we discussed the importance of continuity in IT and ensuring effective management of the network through transition periods. In this blog post, we highlight three key areas of focus to achieve continuity and keep the institution operating efficiently.

1. Strategic Decisions

We have seen financial institutions fall victim to the “power of one”, where the IT admin has all the knowledge and authority to make IT strategic decisions alone. Then when they leave, the rest of the institution doesn’t have a clear view of what’s been done to the network and how to properly maintain it.

Some IT admins prefer to try new technologies and add more automation to the institution’s processes. While others might stick to their comfort zone and not push for new IT tools. While it’s important to provide an appropriate level of autonomy to the IT admin, it is critical to also have a system of checks and balances in place and to examine the benefits and consequences of these decisions closely to ensure the institution has the right tools to succeed .

2. Strategic Management

For IT personnel to be successful, it is important to outline what your institution wants the IT admin to accomplish and let them know what success will look like when they achieve these goals. Some key questions to consider include: What are the desired outcomes you’re expecting from IT? Is the goal to spend their time and budget on efficiency projects, redundancy projects, or security projects? In other words, what is your tolerance for downtime, security risks, or ineffective and slower processes? How will these goals be measured?

Once these expectations are established, the IT admin should be given the freedom to do what they need to do to achieve the institution’s goals but there should also be a clear chain of command to provide oversight and to evaluate their work.

You do not want to let an employee’s expertise (or lack thereof) impact your technology or for the institution’s security to be affected negatively. Define clear objectives for your IT personnel, whether that’s uptime, recovery time objectives (RTOs), redundancy, budgeting, or specific controls you’d like to have in place to ensure the institution is operating securely.

3. Strategic Plan

Make sure the expectations and objectives you set for IT personnel align with your strategic plan. According to the Federal Financial Institution Examination Council (FFIEC), “strategic IT planning should address long-term goals and the allocation of IT resources to achieve them. Strategic IT planning focuses on a three- to five-year horizon and helps ensure that the institution’s technology plans are consistent and aligned with the institution’s business plan. Effective strategic IT planning can ensure the delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace. The IT strategic plan should address the budget, periodic board reporting, and the status of risk management controls.”

When discussing the strategic plan with management, it’s important to identify the key areas of improvement and provide information on price, level of risk, and what exactly the institution is trying to accomplish. Sometimes having an outside perspective can help push key initiatives along and get them into the budget for the year ahead.

To learn more, download the recording of our webinar, “Understanding The Lifecycle of the IT Administrator: Ensure Effective Management of Your Network.”

02 Nov 2020
The Impact of Digital Banking During the Coronavirus Pandemic

The Impact of Digital Banking During the Coronavirus Pandemic

The Impact of Digital Banking During the Coronavirus Pandemic

The coronavirus (COVID-19) pandemic has drastically reshaped the way banks and credit unions operate today. While financial institutions value face-to-face interactions with their customers and members, social distancing requirements and other safety precautions have caused retail banking to go almost entirely digital. This change impacts not only how financial institutions conduct their business and interact with customers and members, but also how they keep their institutions secure.

In this blog post, we outline 3 key ways the pandemic has impacted the industry and consumers, and how financial institutions are managing these changes in real-time while ensuring they continue to operate effectively for their employees, customers, members, and other stakeholders.

1. Know Your Customer

For banks and credit unions, know-your-customer (or member) procedures are a key function to establish a customer or member’s identity, understand their financial activities, and evaluate the level of risk to the institution. Traditionally, before opening an account, completing a transaction, and/or sharing private information, many financial institutions have relied on at least some face-to-face interactions. For community financial institutions, know-your-customer has gone well beyond best practice to become a competitive advantage. Many (if not most) community institutions pride themselves in knowing their customers by name!

However, due to the COVID-19 pandemic, financial institutions need to find ways to verify their customers’ identities and retain that personal touch using digital channels. Consumers want a frictionless banking experience where they feel trusted and can quickly receive the products and services they need, but they also want to avoid feeling like just another number. Institutions must balance managing remote transactions that could increase their security posture, against technology and policies that positively identify customers without alienating them. As a result, some financial institutions are leaning towards increased security by starting to adopt a “zero-trust” stance where every individual and transaction is considered suspicious unless proven otherwise.

2. Technology Updates

To protect customers and members during the pandemic, banks and credit unions have moved from in-branch, face-to-face interactions to using remote channels such as online, telephone, ATM banking as well as the drive-through to serve their customers. Our experience has been that many institutions that may have technology upgrades on their roadmap two or three years down the road have had to accelerate those projects. Others have added new initiatives to increase their remote capabilities and enhance their electronic services. However, all this likely requires tighter security protocols for customer verification. This can be challenging for smaller financial institutions that rely on more traditional in-branch visits to provide services to their customers or members, particularly if branches are closed or observing limited hours and services. It is up to these institutions to find the right balance of physical and digital solutions to ensure customers and members receive the same level of service they were accustomed to prior to the pandemic.

3. Digital Adoption

The COVID-19 pandemic has driven consumers to rely more heavily on digital channels for their banking needs. This has accelerated digital transformation for financial institutions in the U.S. as their customers demand solutions that allow them to quickly and easily complete transactions remotely. To meet this demand, financial institutions have reevaluated their traditional strategies, implemented and even accelerated digital initiatives, and are more inclined to not just enable but encourage digital capability for their customers. As they encourage consumers to adopt new solutions and remote tools, it will be critical to assess the risk of these solutions and develop controls to keep the network safe and protect sensitive, financial information.

Banks and credit unions must be able to provide the products and services their customers and members need all while keeping information secure, even in the midst of a pandemic. Having a solid plan to guide how you manage operations can make all the difference. One final thought, when the dust settles and things go back to “normal”, the steps you’ve taken to enable digital engagement with employees and customers will be considered resilience measures to mitigate the impact of a future event of this nature. Resilience will be a focus for regulators in future examinations.

To learn more about pandemic planning and best practices, download our latest white paper, “Navigating the Coronavirus Pandemic: Best Practices for Pandemic Planning and Key Lessons Learned.”

22 Oct 2020
Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Why Safe Systems Made the Switch from Java to Amazon Corretto for Network Management

Java is a programming language and computing platform first released by Sun Microsystems in 1995. On April 16, 2019, Oracle (who owns Java and its development) changed its client-based Java model from free to fee-based. This created a huge issue in the marketplace because so many businesses, consumers, applications used Java and based their code off of Java. So now, to get Oracle’s version of Java requires a fee per device. Many companies are facing an update and licensing management issue as they are forced to track who in their organization has Java; who needs it; and whether there are enough licenses. At this point, they must update only the computers who have purchased licenses.

It seemed like overnight, supporting and updating Java went from “not a big deal” to a headache for a lot of IT people. Luckily several companies saw the issue and began creating their own Java client based on the open source code that was released for Java. Several major players like IBM, Amazon, and even Oracle started creating their own versions of Java. Safe Systems researched which of these versions would be supported by the core providers and software vendors in the financial industry, and Amazon Corretto emerged as a top choice because it is free to use and is backed by a reputable company.

What’s Next?

At the end of December 2020, Safe Systems has decided to no longer support the fee-based version Oracle offers of Java as we now have no way to confirm if a license has been purchased or not. Instead, we have worked with financial institutions and have adopted Amazon Corretto as a supportable alternative to the Oracle fee-based version. Safe Systems will support, update, and report on Amazon Corretto as part of our third-party patching program with NetComply™.

Safe Systems did not make this decision lightly. We worked with multiple institutions using various banking applications to ensure that this could be a widely accepted switch in the industry. We spent hundreds of man hours testing and implementing the appropriate changes to ensure this is a smooth transition. We are happy to say that we can successfully support Amazon Corretto as a key application that in turn supports your critical banking applications.

NetComply is built around monitoring, alerting, automation, and supporting your machines, but it is also about keeping key applications fully patched so that your network is as secure as possible. We encourage each of you to confirm all of your applications work with Amazon Corretto before switching. If they do, there is nothing left to do but sit back and let NetComply take it from there.

15 Oct 2020
Top 4 Security Solutions for a Layered Approach to Cyber Incident Response

Top 4 Security Solutions for a Layered Approach to Cyber Incident Response

Top 4 Security Solutions for a Layered Approach to Cyber Incident Response

When an incident occurs, it is critical for financial institutions to have proper logging tools in place to contain and control the incident and provide evidence to key external stakeholders such as law enforcement, third-party forensics teams, cyber insurance companies, etc. However, not all financial institutions have an advanced centralized logging system to perform perfect, historical investigations to understand malicious activity on their networks.

Ideally, community banks and credit unions embrace the fundamentals of a layered approach to security and understand the capabilities and tools that they already have at their disposal that can prove useful and actionable.

In this blog post, we’ll discuss some of the most common questions our customers have when investigating threats and the key tools we reach for that provide the evidence and conclusive answers to those questions.

Firewall - Top 4 Security Solutions for a Layered Approach to Cyber Incident Response

1. Network Firewall

We often reach for this tool when a financial institution is working to determine if one of their employees may have received a phishing email or clicked a malicious link. They want to know: who got the email; which user was an entry point for a piece of malware; or when did they connect to it? Relying on the memory of the user often doesn’t provide the detailed information needed to take action and find the true source of the problem. Logs, however, offer deeper insights. If we know the specific workstation or outside IP address, we can then look it up and decipher the entire transaction.

Firewalls, by their nature of design, generate a significant number of logs. The downside is that the sheer volume of logged content is very high and it’s difficult for any human to monitor and manage this amount of data effectively on their own without automated tools. Many community financial institutions are outsourcing firewall management to third-party providers that have created logging infrastructure just for the firewall to store the logs and make the data searchable and readable.

Antimalware - Top 4 Security Solutions for a Layered Approach to Cyber Incident Response

2. Endpoint: Antimalware

Antimalware and antivirus agent tools help financial institutions track down the precise point from which malware and viruses originated. Some of these have better logging capabilities than others, but many of them feature impressive investigative tools. We often reference this tool when a customer says: “I think someone might have opened an attachment they weren’t supposed to,” or “I think we might have some sort of infection that might be spreading, can you check it out for us?” With our antimalware tools, we’re able to track down exactly where it originated; who clicked what; and identify the actual origin point. The tool also enables us to break up the data and show a graphical representation of events.

Server Security Logs - Top 4 Security Solutions for a Layered Approach to Cyber Incident Response

3. Server Security Event Logs

Security event logs record user logins and network access. We reach for these tools when we get questions from customers wanting to know which user logged into a certain application or who may have access to information that they shouldn’t. One of the most important areas to monitor are administrative logging events. If a bad actor gets into your network and gains access to your active directory, they then have the proverbial “keys to the kingdom” with the ability to create accounts, or even worse, admin accounts. However, the one thing they can’t hide is all of the activity they’ve done on the network as long as you’re monitoring these logs.

IT personnel are required to have some mastery of security event logs on the servers and especially on domain controllers to meet examiner expectations, but it requires expertise and research to understand which events are important. For example, with each new version of Windows comes a new set of alerts and often, alerts that were important in a previous version get replaced by something new. This is very challenging to manage along with other important IT activities. Working with a third-party provider can help you stay on top of the latest Windows updates and emerging threats with alerts and reports to proactively monitor the network and effectively thwart attacks.

Cloud - Top 4 Security Solutions for a Layered Approach to Cyber Incident Response

4. Cloud – O365

Most financial institutions use Microsoft O365, but they may not be taking full advantage of all the capabilities it has to offer as there is a host of fantastic logging and audit capabilities that are not turned on by default. So, if you’re an O365 subscriber, you need to review all security settings and make sure you have them turned on.

At Safe Systems, we do this when we onboard customers to our managed O365 offering to protect against e-mail-borne threats. A few key items we make sure our customers are monitoring include:

  1. Email Forwarding – IT admins should make sure that user mailboxes don’t have forwarders set up that point to any other mailbox, especially not an external email address. Without multi-factor authentication turned on, bad actors can access your mailbox; set up forwarding; and monitor correspondence between you and a customer undetected.
  2. Delegated Permissions – IT admins should also check delegated permissions to look for unauthorized access to employee mailboxes. Bad actors often use this tactic to spy on email communications between financial institution staff and customers.

We encourage all financial institutions to implement these four tools for cyber incident response and make sure you understand how to collect important logging information to have conclusive evidence right when you need it.

For more information, watch our recorded webinar, “Not If, But When: Best Practices for Cyber Incident Response.”

08 Oct 2020
Best Practices for Developing a Compliant Cyber Incident Response Program

Best Practices for Developing a Compliant Cyber Incident Response Program

Best Practices for Developing a Compliant Cyber Incident Response Program

If you think a cyber incident won’t impact your financial institution, you are seriously underestimating the lengths cybercriminals will go to steal your customers’ or members’ non-public information. According to a new report from NuData Security, a Mastercard company, financial institutions receive the highest percentage of sophisticated attacks (96%) amongst all industries.

As cybercriminals continue to exploit organizations and increase the quality of their attacks, financial institutions need to have a compliant incident response plan in place to control, contain, and recover from a potential cyber incident quickly and efficiently.

Safe Systems held a webinar discussing what a compliant cyber incident response plan should look like and shared key best practices community banks and credit unions should use to effectively document a cyber incident. In this blog, we’ll cover a few of the key points from the webinar.

Elements of a Compliant Incident Response Program

The requirements for incident response have changed significantly since 2005. The guidance was broad enough to encompass many of the events that are occurring today including cybersecurity and pandemic-related events. According to the Federal Deposit Insurance Corporation (FDIC), there are five key elements of a compliant incident response program:

  • Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused
  • Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information
  • If required, filling a timely suspicious activity report (SAR), and in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing, promptly notifying appropriate law enforcement authorities
  • Taking appropriate steps to contain and control the incident to prevent further unauthorized access or use of customer information
  • Notifying customers when warranted in a manner designed to ensure that a customer can reasonably expect to receive it

Although these requirements have essentially stayed the same, there is one key change that has occurred in the FFIEC’s 2019 update to the Business Continuity Handbook. The guidance now requires financial institutions to reference or include the incident response plan (IRP) in the business continuity management plan (BCMP). While still acceptable to have a separate incident response plan, somewhere within your BCMP you must now reference the IRP.

How to Document and Maintain Evidence of an Incident

Documentation is a key component of incident response to provide auditors, examiners, and other stakeholders with key information about the abnormal event or incident. Initial steps include the recording of basic facts about the suspicious event before it becomes an official incident.

Key questions include:

  • What specific abnormalities were noticed?
  • Where were they discovered?
  • When were they discovered?
  • Who first noticed the abnormality or event and who did they notify/involve?
  • If the event escalates to an incident, how did it happen, and what were the contributing factors that allowed it to happen?

If the event is categorized as an “incident,” you need to know how to document and maintain the evidence; what decisions were made; and the resulting actions taken. When enacting your containment strategies, part of that should involve collection and preservation of the evidence, including all the key records created by all the various technologies your institution uses. The guidance references that all financial institutions should have some type of logging intelligence. But which logs are most important for incident response?

When creating a logging strategy, there are five key challenges to consider:

  • Sources – Logs are generated from various sources such as users, databases or file shares, endpoints, networks, applications, and cloud services. With so many logs coming from different sources, it’s important to be aware of all the systems and applications generating logs and know how to access them to monitor efficiently
  • Log Volume – The volume can be different depending on the source. Some sources are quiet and easier to manage while other sources like network switches and firewalls are a constant torrent of volume and may be difficult to log. It’s important to determine what is realistic for your institution to store and manage
  • Log Protocols – All of the various sources speak different languages or protocols. Some of them are sending emails using a language called simple mail transfer protocol (SMTP), while other sources like network switches are sending information using a constant stream of Syslog data. It is nearly impossible to create a centralized system that can speak all of these languages perfectly so you must determine how your institution will extract intelligence from the logs
  • Log destinations – Once you’ve collected information, where are you going to send it? You’ll need to determine storage destinations for the different types of logs
  • Log interaction – After you’ve built the logging platform, do you want it to be searchable? You’ll need to decide how you want to interact with the data and how long you will keep it. Adding data retention can become significantly more expensive depending on the time frame for storage

Different types of data likely require different lengths of time for retention. Your retention policy should outline the expected retention time frame for each data log. Institutions should carefully consider all these key challenges when building a logging strategy that fits their unique needs.

If you’d like to learn more about cyber incident response, download our recorded webinar, “Not If, But When: Best Practices for Cyber Incident Response.”

01 Oct 2020
After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

After a Year Unlike Any Other, What Community Banks and Credit Unions Should Budget for in 2021

In 2020 we’ve learned a lot about ourselves, and whether the general population realizes it or not, they have learned a lot about something often relegated just to banking: Risk Tolerance. And with that in mind, here are seven key items that your institution should consider while budgeting for 2021:

1. Laptops

Supply is down, demand is up, so from a pricing standpoint, you are unlikely to find great deals on laptops, but their portability has been a key component to companies and employees being successful during the pandemic. Remote work is a great option for employees who do not need face-to-face interactions with customers or members, but not every department can work successfully outside of the main office or branch.

When planning for next year, each position in the institution needs to be evaluated, if it hasn’t already, to determine the ability and effectiveness of remote working. When possible, consider having remote employees use a company laptop going forward. In a recent Safe Systems survey of community financial institutions, 1/3 of respondents have already decided that they will be purchasing more laptops this year.

2. Hardware Management Software

How many of the controls you use to secure your institution’s devices require the device to physically be in the office? As the work environment changes and more people make the shift to working from home offices, your current controls need to be evaluated to ensure they work just as effectively outside of the branch. For years, the push for “agentless” controls has been popular, but many of these controls assumed the office was a well-defined building where all devices used the financial institution’s network. As the home office becomes the new standard for many banks and credit unions, the need for agent-based controls is greater than ever. Controls/security measures are no longer effective if they require the device to be on premise.

3. Business Continuity Plan (BCP) Update

Having an updated pandemic plan as part of your BCP is still likely a need for many institutions. Because it has been more than a century since a full-scale pandemic hit the U.S., many of the assumptions and concepts that pandemic plans were based on have proven to be incorrect. For instance, many plans outlined operational changes based on only 50% staff for just a week or two. Much of the concern before 2020 was making sure staff members were properly cross trained in the event key individuals were unavailable for days or perhaps a few weeks. While this is still very important, it represents only a tiny portion of truly being ready for a pandemic.

Pandemic plans often did not address managing operations for a long duration or important measures like social distancing, security measures, consumer access, etc. Financial institutions must take a hard look at key lessons learned so far during the COVID-19 pandemic and update their plans accordingly.

4. Moving to the Cloud

Recognizing that having employees working outside of the office is a real possibility moving forward, investing in new servers and putting them in offices is becoming an antiquated idea. The cloud provides a level of redundancy, scalability, and accessibility that cannot be matched by buying a single server. It also means no one has to be in the office to manage the infrastructure. As servers need to be replaced, banks and credit unions should seriously consider the process of moving to the cloud.

5. Client Experience

One question every institution should be asking itself is: “how can we better enhance the customer experience?” While IT is usually seen as a cost center, the events of the past year may have opened a door for IT to step up and offer solutions that directly affect the customer experience. The pandemic has forced many people, some maybe for the first time, to adopt digital banking solutions. If IT can offer specific tools and/or insight into how to improve the customer experience, this may be the opening that IT has hoped for to secure a “seat at the table” among their institution’s leadership.

6. Cybersecurity

Garmin, the GPS and active wear company, reportedly paid $10 million in 2020 to counter a ransomware attack. Their customers were without the services for over a week while Garmin’s data was held hostage. All of the information about their case is not available yet, but the sad reality is that they likely could have prevented the entire situation with just a few technology solutions and security settings being implemented correctly. The threat to your data is as real today as it ever has been. Be sure to have a conversation with a security company you trust to ensure that even if you are the target of a ransomware attack, it won’t be able to hurt your business long-term. Invest in cybersecurity now, so that your institution won’t end up paying much more later.

Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report, and cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights.

Unfortunately spend and layers of protection most likely need to increase annually to address this issue.

  • Employee training – to ensure adequate and effective
  • Perimeter protection – to ensure the appropriate layers are enabled and all traffic is being handled correctly including encrypted traffic
  • Advance threat protection and logging – to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy – to ensure ransomware can’t wipe out your data

Per Computer Services, Inc (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

7. ISO

With the increase in responsibilities of the Information Security Officer and the focus on separation/segregation of duties, there has been an uptick in the number of institutions looking for virtual ISO (VISO)-type solutions. These solutions can help by taking some level of burden off of internal resources, provide staff with templates or toolsets when needed, and oversight to ensure nothing is falling through the cracks.

For 2021, there are a lot of things to consider. One focus should be to look at the changes your institution had to make because of the pandemic and what changes you should consider making in the future to improve cybersecurity, information security, and as always, your customers’ and members’ experience.

21 Sep 2020
Three Often Overlooked Elements of an Effective and Compliant Incident Response Plan (IRP)

Three Often Overlooked Elements of an Effective and Compliant Incident Response Plan (IRP)

Three Often Overlooked Elements of an Effective and Compliant Incident Response Plan (IRP)

In today’s security environment, it’s not if a cybersecurity incident will impact your institution, but when and how big? That’s why having an effective and compliant incident response plan (IRP) is so important to ensure your institution is prepared for the unexpected and equipped to recover.

When a financial institution experiences a cyber incident, the information security officer (ISO), along with the incident response team, must assess the situation and determine if this incident has resulted (or might reasonably result) in exposure of non-public personal information (NPI). If the answer is “yes,” then the team must activate the IRP to contain and control the situation and ensure quick and efficient response and recovery. When activating an IRP, there are three key elements that we sometimes see financial institutions overlook:

1. Incident Response Team Participation

When building your incident response team, it is important to include representatives from each functional unit of the institution. Too often the incident response team consists of IT personnel only. While an incident might seem to be isolated to a certain department (like IT), there could be residual effects impacting other parts of the organization.

For example, let’s say you have an incident that seems to be limited to a group of customers who received a phishing email appearing to be from the institution asking them to click a link to change their ebanking password.

In this situation, you may be inclined to simply involve IT and deposit operation teams. However, because there could be a ripple effect that goes beyond that one incident, you’ll want to include other departments such as lending, human resources, and accounting. For instance, the customer could have a lending relationship or home equity line with the institution that might be impacted as well. Or, the customer could also be a vendor. Furthermore, with the increased possibility of pretexting during a social engineering attack, the Human Resources department may want to use the incident as an opportunity to conduct refresher training to ensure employees know how to verify customer information. As such, it’s important to have all your bases covered and include all functional units on the incident response team.

2. Designated Spokesperson and Social Media Monitoring

Once you’ve activated your plan, it’s important to understand that you cannot simply hope to contain the incident within your organization. A cyber incident may involve key external stakeholders including the Board and senior management, regulatory agencies, law enforcement, third-party service providers, insurance, legal, customers, and may even attract the attention of the media.

When an incident occurs, it is important to have designated spokespeople pre-selected to communicate with each external stakeholder that needs to be informed. For example, you’d want to have your IT admin in contact with the point person at your outsourced IT company because they most likely have a direct relationship with this vendor. However, you probably wouldn’t want that same person reaching out to regulators or customers. A member of senior management would be the best choice for that. In addition, you should designate one or more individuals to be your media contact. Don’t forget to have someone monitoring social media channels to ensure news about the incident isn’t spreading online potentially exposing you to reputational harm.

When developing an incident response plan, designating spokespeople to communicate with external stakeholders and monitoring online social media channels often gets overlooked because the main focus is usually on how the incident happened and how to fix it quickly. The moment the incident response plan is activated it is critical for the incident response team to assign these roles and keep these individuals updated with any interactions they may have with stakeholders.

3. Detailed Incident Documentation and Log Retention

It is imperative that the incident response team creates detailed documentation outlining everything that occurred from the time the event was first identified, even before it became classified as an incident. Again, this is often overlooked as the team engages in containment and control activities. However, regulators, insurance companies, third-party forensics companies, the Board, law enforcement, etc., will need full details when and if they are drawn into the incident. The documentation should detail who responded, what actions were taken, when each action was taken, (the timeline), and why and how (if known) the incident occurred.

Equally important is the retention of any data logs that might assist with the response and recovery phase. Often insurance carriers will need this information if they are involved, and forensic firms will definitely need it if they are drawn into the investigation phase.

We’ll dive deeper into security event logging and best practices for responding to a cyber incident in a future blog post.

For more information, register for our upcoming webinar, “Not If, but When: Best Practices for Cyber Incident Response.”