
Technology has become the lifeblood of the modern financial institution. It has also dramatically changed the makeup and priorities of financial security systems. Today's threat landscape spans a range of electronic devices, driven by the growth in internet access and the use of digital banking applications. These modern-day conveniences make data more exposed and offer more avenues for criminal intrusion.
Importance of Being Secure
Falling victim to security breaches and associated attacks is very costly for Pennsylvania banks and credit unions, both from a financial and reputational standpoint. According to Cybersecurity Ventures, the global cost of cybercrime damages will hit $6 trillion annually by 2021. This includes damage and destruction of data, theft of personal and financial data, and disruption to the normal business operations, among others.
In addition, as the number of security threats continues to increase in the financial services industry, regulators, including FFIEC and NCUA, are taking a closer look at Pennsylvania banks and credit unions’ policies and procedures to ensure that they can effectively safeguard confidential and non-public information.
Ensuring a strong security posture
With the increasing frequency of cyberattacks in the financial industry, Pennsylvania banks and credit unions need an effective strategy to ensure they have a strong security posture and are able to continue business operations should an attack occur. Keeping up-to-date antivirus software and adequate firewall protections on every device on the network is necessary but not sufficient; there are a number of additional policies, preventive procedures, controls and processes that banks and credit unions should also implement. They include:
- Data Backup Architectures
Having technology in place that minimizes the potential for data destruction and corruption and ensuring all backups are working and accurate is vital to a secure institution.
- Layered Security Strategy
To be better protected in the digital world, Pennsylvania banks and credit unions must initiate layers of security that protect all vulnerability points. Multiple controls and security layers ensure that gaps or weaknesses in one control, or layer of controls, are compensated for by others. Attackers are leveraging a number of channels to penetrate a bank or credit union, including web applications, operating systems, mobile platforms, email servers, and even hardware.
- Business Continuity Plan (BCP)
The BCP is the crucial blueprint for guiding a Pennsylvania bank or credit union through recovery from a business outage and is instrumental in ensuring that people, process, and technology elements are all properly coordinated and restored. These plans have evolved from one or two-page outlines for banks to follow in times of disaster to a large, step-by-step detailed instruction manual for everyone in the financial institution to follow should a disaster strike.
- Disaster Recovery Plan
The disaster recovery plan is designed to outline the specific steps that need to be done immediately after a disaster to begin to recover from the event. It serves as a plan for accessing required technology and infrastructure after a disaster and steps to take to enable the bank or credit union to operate normally.
- Patch Management Program
The lack of an effective patch management program has contributed significantly to the increase in the number of security incidents in banks and credit unions. All software applications require updates from vendors, not just operating systems. The most popular software products are probed by attackers for weaknesses, and vendors have to constantly release security updates to keep these applications safe and secure. An effective patch management program should include policies and procedures to identify, prioritize, test, and apply patches in a timely manner. The longer a system remains unpatched, the more vulnerable the institution becomes.
- Vendor Management Program
Pennsylvania banks and credit unions rely heavily on third-party service providers to offer specialized expertise and services to ensure the institution is successful. To perform these services, vendors often must access, transmit, store or process sensitive information, including customers’ personal information. Banks and credit unions are responsible for understanding and managing the risks associated with outsourcing an activity to a service provider. It is important for all banks and credit unions to strengthen their vendor management programs to safeguard the confidentiality and availability of the data and also minimize the impact if a data breach occurs.
- Advanced End Point Security
Controlling the access rights of endpoints, such as the computers, laptops, mobile devices and tablets that connect to a corporate network, limits the potential for harm by external sources. Endpoint security is a valuable layer of defense against cybercrime, especially against data loss via portable storage devices.
Security is one of the greatest challenges and concerns for Pennsylvania banks and credit unions today, and they cannot be complacent when it comes to protecting themselves and the sensitive information they hold.
At Safe Systems we understand the challenges that come with managing security programs and ensuring the network is safe and secure. By making the decision to partner with Safe Systems, your organization will benefit from time-saving automation, an in-depth view of your IT network environment, and additional support in co-managing your IT security operations. We want to provide you with assurance that the institution’s IT network is functioning efficiently, optimally, securely, and is in compliance with industry regulations at all times.
For more Pennsylvania-specific resources please visit the Pennsylvania Bankers Association, https://www.pabanker.com, Pennsylvania Department of Banking and Securities, https://www.dobs.pa.gov, and Pennsylvania Credit Union Association, www.pcua.org. These organizations serve as resources helping banks and credit unions stay well-informed about the marketplace, regulations and compliance issues affecting Pennsylvania institutions.
Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program
Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.

In addition to adequately training employees, financial institutions should have security awareness materials and information available to customers and members that enable them to spot security issues and adequately protect themselves as well.

In today’s regulatory environment, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply have some variant of a BCP plan in place. All financial institutions must have a solid understanding of the FFIEC guidance to ensure their plan is comprehensive and that it adequately addresses all areas. It must be updated, accurate and tested routinely. A comprehensive BCP limits the impact that a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what type of disaster may strike.

“When I learned that Safe Systems offered a service that included an application along with compliance consulting to help us improve our cybersecurity posture, I knew it would be the right solution for our bank,” said the senior vice president. “Safe Systems’ team of experts guided us through the installation process and provided us with the knowledge and support to ensure a more streamlined assessment.”

The challenge is that completing the CAT and then fixing all uncovered vulnerabilities and gaps is a daunting process. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in their cybersecurity processes and ensure that all gaps and vulnerabilities are properly addressed, leading to a better cybersecurity posture and enhanced compliance ratings. Safe Systems helps financial institutions manage their cybersecurity program in a more time-efficient manner and ensure they meet their compliance requirements.

Many institutions have stopped working on the CAT after they’ve had their exam because examiners have only required them to complete the assessment. Simply filling out the CAT does not come close to addressing the FFIEC guidance or the full intent of the CAT. If your institution has stopped here, there is much more to do to enhance your cybersecurity procedures. If you do not review your institution’s security gaps and improve compliance processes, you will continue to lag behind.

RegTech has made a big impact on the industry, but this is just the beginning. These solutions are more important than ever as the number of regulatory changes rises along with an increased use of technology and 

Community financial institutions depend on their 

To execute an attack, the hacker group installs the SamSam ransomware on the endpoints of compromised networks, often entered via unsecured connections. The attackers first look for unsecured remote desktop (RD) servers, compromise the server, and then use various tools to escalate access inside the organization's network. Once they have gained access to as many endpoints as possible, the group installs the ransomware and starts the extortion process, hoping the victims do not have offline backups.

The complete report provides credit union executives with valuable peer-to-peer information to better understand the current IT environment within community banks and credit unions nationwide, while also helping improve decision making within their own institution in 2018 and beyond.

One effective strategy to

To execute a DDoS attack, an attacker distributes malicious software to vulnerable devices, often through infected emails, attachments, websites and even social media, building an entire network of infected machines and devices called a botnet. The attacker can then control the botnet remotely and direct an influx of traffic at the target network, flooding it with huge amounts of random data or connection requests. The infected devices show no obvious signs of compromise and continue to function normally, apart from occasional sluggish responses caused by the loss of available bandwidth.

Security experts agree that a missing piece in many institutions' security strategy is identifying unusual activity and having solid protection against reconnaissance in place. One of the few ways to do this is to deploy what is known as decoy data and services onto the network. This technology serves as a trap for someone who is looking to gain illegal access to the network. Remediation processes can begin immediately once an attacker accesses the "bait" or "decoy." Any activity on these decoys will trigger an alarm, since there are no legitimate reasons to access them.
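The alarm logic described above, as an added example that is not part of the original post or Safe Systems' tooling: it reads constructed audit events in an assumed "timestamp user host action target" format, flags any touch of a planted decoy file or decoy service, exempts accounts that legitimately read everything (backup agents), and aggregates hits per source host for triage. All decoy names, hosts and account names are placeholders.

```python
"""Decoy-access detection over constructed audit log lines (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Placeholder decoy assets an institution might plant (assumed names, not from the page).
DECOY_FILES = {
    r"\\fileserver\finance\wire_transfer_approvals_2018.xlsx",
    r"\\fileserver\hr\executive_payroll.xlsx",
}
DECOY_SERVICES = {("10.10.20.50", 3389), ("10.10.20.51", 445)}  # decoy RDP / SMB listeners
# Accounts that legitimately touch every file (backup jobs, AV scans); assumed names.
EXEMPT_ACCOUNTS = {"svc_backup"}


@dataclass
class Alert:
    host: str
    first_seen: str
    count: int = 0
    users: set[str] = field(default_factory=set)
    decoys: set[str] = field(default_factory=set)


def decoy_hit(action: str, target: str) -> bool:
    """True when the event touches a planted decoy file or decoy service."""
    if action == "CONNECT":                      # target is "ip:port"
        ip, _, port = target.rpartition(":")
        return port.isdigit() and (ip, int(port)) in DECOY_SERVICES
    return action in {"OPEN", "READ", "COPY"} and target in DECOY_FILES


def detect_decoy_access(lines: list[str]) -> dict[str, Alert]:
    """Aggregate decoy touches per source host so triage sees one alert per host."""
    alerts: dict[str, Alert] = {}
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue                             # malformed line: skip, do not crash
        ts, user, host, action, target = parts
        if user in EXEMPT_ACCOUNTS or not decoy_hit(action, target):
            continue
        alert = alerts.setdefault(host, Alert(host=host, first_seen=ts))
        alert.count += 1
        alert.users.add(user)
        alert.decoys.add(target)
    return alerts


# Constructed sample events: one normal open, three decoy touches from WS-0412,
# one exempt backup read, one connection to a non-decoy service, one bad line.
SAMPLE_LOG = [
    r"2018-03-02T09:12:44Z jdoe WS-0412 OPEN \\fileserver\finance\q1_budget.xlsx",
    r"2018-03-02T09:14:05Z jdoe WS-0412 OPEN \\fileserver\finance\wire_transfer_approvals_2018.xlsx",
    r"2018-03-02T09:14:09Z jdoe WS-0412 COPY \\fileserver\finance\wire_transfer_approvals_2018.xlsx",
    r"2018-03-02T09:20:31Z svc_backup BK-01 READ \\fileserver\hr\executive_payroll.xlsx",
    r"2018-03-02T09:31:12Z - WS-0412 CONNECT 10.10.20.50:3389",
    r"2018-03-02T09:31:15Z - WS-0777 CONNECT 10.10.20.99:443",
    "not a valid event",
]

if __name__ == "__main__":
    for a in detect_decoy_access(SAMPLE_LOG).values():
        print(f"ALERT host={a.host} first_seen={a.first_seen} hits={a.count} "
              f"users={sorted(a.users)} decoys={sorted(a.decoys)}")
```

The exemption list is the practical caveat to "no legitimate reasons": backup and scanning accounts do read decoy files, so they must be excluded or the decoys will page on every nightly job.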

Using Continuum, Safe Systems established a site-to-site Virtual Private Network (VPN) between the branch in Blairsville and the Continuum site hosting the recovered servers to get operations back up and running quickly. Displaced employees could remotely access the network, and the bank was able to leverage Continuum for two full days until power was restored at all branches and the production servers were powered back on. 

To establish a secure IT network and be better protected in the current environment, financial institutions should employ a strategy that places many uniquely tailored layers throughout their networks, from the end-user to the internet, as well as a network security solution that scans the entire network, including all devices and workstations. It is important to implement a solution that identifies unknown vulnerabilities and reduces the risk of cyber-attacks. By scanning more than just servers, financial institutions have the ability to prioritize and address the vulnerabilities identified.

These regular reviews are not just beneficial for institutions, they are also mandatory. Federal Financial Institutions Examination Council (FFIEC) guidance dictates that financial institutions perform regular self-assessments or internal audits to "validate the adequacy and effectiveness of the control environment." However, for many community financial institutions, performing the internal audit with in-house staff can be daunting due to the lack of personnel or expertise, pushing many to identify the most effective third-party service provider to perform internal audit procedures.

Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

Each new regulatory guidance, update, change, and interpretation requires additional expertise and more employee resources. It’s a never ending cycle. The last decade has brought about an increase in compliance changes including: the

A relatively new term, RegTech, refers to a set of companies and solutions that address regulatory challenges through innovative technology. RegTech is a subset of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than traditional compliance processes.
Due to the complexity and pace of regulatory changes, RegTech solutions must be customizable and easy to integrate into a variety of environments. No two institutions are alike, but properly designed RegTech solutions should help guide institutions to a better overall compliance posture.

While it is true that outsourcing can be expensive, the benefits have proven to consistently
It is simply no longer necessary for IT partners to be onsite to
Regardless of location and size, small community banks and credit unions are under most of the same regulations as larger institutions, forcing a small IT staff to be well-versed in all regulatory guidance from cybersecurity to disaster recovery to meet examiner expectations. Auditors and examiners expect thorough documentation to prove that the institution’s daily practices match its defined policies and procedures. Financial institutions should not wait for a negative review finding to take a proactive approach to network management. Working with service providers that have dedicated staff and experts who understand the financial industry’s regulatory requirements and best practices ensures the required planning and reporting is completed in a timely manner.
There are hundreds of tasks that a small IT staff must complete on a regular basis to keep the bank’s operations running efficiently. Many community financial institutions have limited in-house resources dedicated to IT network functions. If a critical staff member goes on a
Without a doubt, the core banking platform is central to all financial institutions. However, you may be taking unnecessary risk by relying on them for all your needs. An IT services provider can help alleviate the stress by evaluating the infrastructure of the bank without bias, and eliminating the unnecessary hardware, processes and tasks, helping with overall management and ongoing cost. Whether it be network management, security, or compliance, it is unlikely your core will match the expertise a specialized partner can offer. Network management providers offer unbiased advice, while also diversifying your risk.
Many financial institutions struggle with choosing the right solutions partner. Smaller institutions in particular can benefit from outsourcing or partnering with a provider who offers network management solutions exclusively tailored for community banks and credit unions. Having a system in place that offers key features such as patch management, third party patching, antivirus, hardware and software inventory management, vulnerability remediation, and compliance-focused reporting to verify that your financial institution’s network is adhering to your policies and procedures is critical in today’s environment.

Aside from having a BCP and associated

Typically, a regulatory agency will not revisit the findings again until the next review. It is up to the financial institution to address each point and provide the proper documentation to show these items have been corrected before the next meeting. For example, if the bank’s antivirus was listed as out of date on the findings report, the institution would have to update each machine, run a report, and include this information in the findings package to be reviewed by the regulatory agency during the next visit. To complete the process efficiently, banks must keep up with who is in charge of each specific action item, when the item is due for completion, and which reports should be included in the findings package.

Often there is one person in charge of the review and they must work with each department to gather information by the designated due date. All files must then be stored in a central location, follow the template the reviewing agents have requested and be in a format that can be transmitted securely to the requesting party. Gathering all this information and ensuring all documents are complete and accurate can be a challenging task for smaller community banks and credit unions with limited in-house resources and staff.

Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal technology and compliance resources. The right third-party solution provider can serve as a true partner and work alongside current staff to manage the technology, compliance and regulatory aspects of the institution. When the technology or compliance staff is out or unavailable, outsourcing select business processes helps fill the personnel gap and provide added stability for the institution and peace of mind to all.

This was the case for Pembroke, N.C.-based Lumbee Guaranty Bank. To ensure his institution maintained compliance, Austin Maynor, Information Security Officer at Lumbee Guaranty Bank, manually filled out the CAT with the help of a spreadsheet, but quickly found this process to be an extremely time-consuming project to complete. He determined the bank needed a solution that could give them a better understanding of where they were in terms of cybersecurity preparedness and where they needed to be in order to maintain compliance.

Even though the CAT is voluntary, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. Completing the CAT is a good way to prepare for audits since the guidelines provide community banks and credit unions with detailed information on the federal government’s expectations for cybersecurity preparedness. The CAT enables financial institutions to identify vulnerabilities, fill in security gaps, and demonstrate a stronger security posture before the examination begins.