The advancement of technology, online banking services, compliance and regulatory expectations plus the growing demand from customers to have 24/7 access to their financial lives have changed the business of banking. With more than 500 banks and credit unions in the state of Illinois today, it’s easy to see how these changes have shifted the objectives of running a bank or credit union away from simply needing to manage money and provide loans to also managing data, IT networks, compliance requirements and security. Since technology has quickly become the lifeblood of today’s bank and credit union, it is important for these institutions to establish a mature technology program to ensure operations run smoothly.
The three main components making up a mature technology management program include the technology itself, security and compliance.
- Technology
Illinois banks and credit unions depend on their IT network infrastructure and technology solutions for nearly all functions including managing data, network monitoring, online banking services, ATM services, teller functions, email, regulatory and compliance issues and security monitoring. Managing all of these moving parts can be challenging, but it’s crucial that all solutions work together efficiently, especially for smaller banks and credit unions in rural parts of Illinois that may need additional support. For this to happen, banks and credit unions must continue to update their hardware and software and invest in new resources or services to enhance the institution and better serve their customers or members.
To ensure all these critical systems are constantly functioning, it is important to continuously monitor hardware and software for failures, virus detection, and alerts for required maintenance. Having a centralized solution in place that automatically monitors, alerts, tickets, and provides support and reporting for servers, workstations, network routers, switches, software and other devices is an integral and critical function in today’s Illinois bank and credit union.
Patch management is also a critical component of any IT management plan. It starts with identifying the right patches, implementing a patch schedule, deploying patches, and ensuring all patches are effective and working correctly. Ensuring patches are up to date, as well as having a documented report of the patches that have been put in place, is crucial for security and compliance.
- Security
Establishing a strong security posture is important for Illinois banks and credit unions, especially with the increasing frequency of cyberattacks in the financial industry. To be adequately protected in today’s environment, banks and credit unions must ensure every device on the network has up-to-date antivirus software and adequate firewall protections, as well as layers of security that protect all vulnerability points. Multiple controls and security layers ensure that gaps or weaknesses in one control, or layer of controls, are compensated for by others.
In addition, Illinois banks and credit unions should utilize threat-specific preventive controls and procedures to monitor for suspicious activity or unauthorized access on a network. Combatting ransomware is also a top issue. Thwarting events before they occur or inflict damage to a bank or credit union is important to eliminate costly damages and reputational issues.
Community banks and credit unions must also stay on top of the wide variety of threats in the industry. Reading articles and blogs, attending association meetings, and participating in organizations like the Financial Services Information Sharing and Analysis Center (FS-ISAC) are great tools to help banking professionals keep up with the evolving security landscape. Attending conferences, like Cybersecurity Chicago, can also offer a wide-range of insight on security trends and strategies to help Illinois banks and credit unions better protect their organizations. - Compliance
Compliance is one of the greatest challenges and concerns for financial institutions today. The Illinois Department of Financial & Professional Regulation (IDFPR)’s Division of Banking oversees regulations for the state and is committed to the protection of Illinois residents and their financial security. While Illinois banks and credit unions are growing accustomed to the strenuous regulatory reviews they must go through each year, they continue to struggle with managing an evolving set of state and government regulations. It’s also no secret that governing agencies have become more stringent in their exams in the last several years and have been liberal in issuing citations to banks and credit unions that have lapses or are not meeting regulations.
There are several aspects or pieces of a solid compliance program that all Illinois banks and credit unions must have. Regulators are looking to ensure all institutions have the following:
- Business Continuity Plan (BCP) — The BCP is the crucial blueprint for guiding a bank or credit union through recovery from a business outage and is instrumental in ensuring that people, process, and technology elements are all properly coordinated and restored.
- Disaster Recovery (DR) Plan — DR plans are designed to outline the specific steps that need to be done immediately after a disaster to begin to recover from the event. It serves as a plan for accessing required technology and infrastructure after a business outage and steps to take to enable the bank or credit union to operate normally.
- Cybersecurity — The increased occurrence of cybersecurity attacks has led regulators to require cybersecurity protection in all existing policies. Procedures must be in place to secure customer or member confidential data and recover business processes regardless of the threat.
- Vendor Management Program — Illinois banks and credit unions rely heavily on third-party service providers to offer specialized expertise and services to ensure the institution is successful. Banks and credit unions are responsible for understanding and managing the risks associated with outsourcing an activity to a service provider. It is important for all Illinois banks and credit unions to strengthen their vendor management programs to safeguard the confidentiality and availability of the data and also minimize the impact if a data breach occurs.
- Documentation — The FFIEC require documentation before, during and even after an exam. Gathering all these documents can be an extremely time consuming and stressful process. To manage this process efficiently, community banks and credit unions must understand what examiners are looking for and be able to streamline processes to ensure the proper documentation is prepared for the exam.
With today’s mounting pressures, many Illinois banks and credit unions are increasingly turning to technology service providers to help manage their IT infrastructure and overall technology and security programs. Such partners bring knowledge, additional resources and expertise to help banks and credit unions control and manage their complex IT environments and operate in today’s financial services arena with a greater degree of confidence.
At Safe Systems, we understand the challenges that come with managing IT networks, security programs and compliance issues while also ensuring the network is safe and secure. By making the decision to partner with Safe Systems, your organization will benefit from time-saving automation, an in-depth view of your IT network environment, and additional support in co-managing your IT security and compliance operations. We want to provide you with assurance that the institution’s IT network is functioning efficiently, optimally, securely, and is in compliance with industry regulations at all times.
For more Illinois-specific resources please visit The Illinois Department of Financial and Professional Regulation, Community Bankers Association of Illinois, Illinois Bankers Association, and Illinois Credit Union League. These organizations serve as resources helping banks and credit unions stay well-informed about the marketplace, regulations and compliance issues affecting Illinois institutions.
Strengthen Your Strategy: Why a Layered Defense is the Best Choice for Your Bank’s IT Security Program
Learn why a single layer of security, such as antivirus, is no longer enough in the current risk environment.
In addition to adequately training employees, financial institutions should have security awareness materials and information available to customers and members that enable them to spot security issues and adequately protect themselves as well.
In today’s regulatory environment, it is critical to ensure you are adhering to the examiner’s expectations. It is no longer enough to simply have some variant of a BCP plan in place. All financial institutions must have a solid understanding of the FFIEC guidance to ensure their plan is comprehensive and that it adequately addresses all areas. It must be updated, accurate and tested routinely. A comprehensive BCP limits the impact that a disaster will have on your financial institution and ensures that you can continue to provide services to your customers, no matter what type of disaster may strike.
“When I learned that Safe Systems offered a service that included an application along with compliance consulting to help us improve our cybersecurity posture, I knew it would be the right solution for our bank,” said the senior vice president. “Safe Systems’ team of experts guided us through the installation process and provided us with the knowledge and support to ensure a more streamlined assessment.”
The challenge is that completing the CAT and then fixing all uncovered vulnerabilities and gaps is a daunting process. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in their cybersecurity processes and ensure that all gaps and vulnerabilities are properly addressed, leading to a better cybersecurity posture and enhanced compliance ratings. Safe Systems helps financial institutions manage their cybersecurity program in a more time-efficient manner and ensure they meet their compliance requirements.
Many institutions have stopped working on the CAT after they’ve had their exam because examiners have only required them to complete the assessment. Simply filling out the CAT does not come close to addressing the FFIEC guidance or the full intent of the CAT. If your institution has stopped here, there is much more to do to enhance your cybersecurity procedures. If you do not review your institution’s security gaps and improve compliance processes, you will continue to lag behind. 
RegTech has made a big impact on the industry, but this is just the beginning. These solutions are more important than ever as the number of regulatory changes rises along with an increased use of technology and 
Community financial institutions depend on their 
To execute an attack, the hacker group installs the SamSam ransomware on the endpoints of networks compromised, often via unsecured connections. The hackers first look for unsecured remote desktop (RD) servers, launch attacks that compromise the server, and then use various tools to escalate access inside the organization’s network. Once they have gained access to as many endpoints as possible, the group installs the ransomware and starts the extortion process, and hope the victims do not have offline backups.
The complete report provides credit union executives with valuable peer-to-peer information to better understand the current IT environment within community banks and credit unions nationwide, while also helping improve decision making within their own institution in 2018 and beyond.
One effective strategy to 
To execute a DDoS attack, an attacker sends malicious software to vulnerable devices, often through infected emails, attachments, websites and even social media, creating an entire network of infected machines and devices called botnets. The attacker can then control the botnets remotely and send an influx of traffic to flood the network or target by sending huge amounts of random data or connection requests. The infected devices will show no signs of attack and will continue to function normally, but will have the occasional sluggish response due to the lack of available bandwidth.
Security experts agree that a missing piece in many institutions’ security strategy is identifying unusual activity and having solid reconnaissance protection in place. One of the few ways to do this is to deploy what is known as decoy data and services onto the network. This technology serves as a trap for someone who is looking to gain illegal access to the network. Remediation processes can begin immediately once an attacker accesses the “bait” or “decoy.” Any unusual activity on these areas will trigger an alarm, since no there are no legitimate reasons to access the decoys.
Using Continuum, Safe Systems established a site-to-site Virtual Private Network (VPN) between the branch in Blairsville and the Continuum site hosting the recovered servers to get operations back up and running quickly. Displaced employees could remotely access the network, and the bank was able to leverage Continuum for two full days until power was restored at all branches and the production servers were powered back on. 
To establish a secure IT network and be better protected in the current environment, financial institutions should employ a strategy that places many uniquely tailored layers throughout their networks, from the end-user to the internet, as well as a network security solution that scans the entire network, including all devices and workstations. It is important to implement a solution that identifies unknown vulnerabilities and reduces the risk of cyber-attacks. By scanning more than just servers, financial institutions have the ability to prioritize and address the vulnerabilities identified. 
The regular reviews are not just beneficial for institutions, they are also mandatory. Federal Financial Institution Examination Council (FFIEC) guidance dictates that financial institutions perform regular self-assessments or internal audits to “validate the adequacy and effectiveness of the control environment.” However, for many community financial institutions, the concept of performing the internal audit internally can be daunting due to the lack of personnel or in-house expertise, pushing many to identify the most effective third-party service provider to perform internal audit procedures.
Be sure that all products your vendors are “sun setting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:
Each new regulatory guidance, update, change, and interpretation requires additional expertise and more employee resources. It’s a never ending cycle. The last decade has brought about an increase in compliance changes including: the 
A relatively new term, RegTech, refers to a set of companies and solutions that address regulatory challenges through innovative technology. RegTech is a subset of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than traditional compliance processes. 
Due to the complexity and momentum of regulatory changes, RegTech solutions must be customizable and easy to integrate into a variety of environments. No two institutions are alike but properly designed RegTech solutions should help to guide institutions to a better overall compliance posture. 
While it is true that outsourcing can be expensive, the benefits have proven to consistently 
It is simply no longer necessary for IT partners to be onsite to 
Regardless of location and size, small community banks and credit unions are under most of the same regulations as larger institutions, forcing a small IT staff to be well-versed in all regulatory guidance from cybersecurity to disaster recovery to meet examiner expectations. Auditors and examiners expect thorough documentation to prove that the institution’s daily practices match its defined policies and procedures. Financial institutions should not wait for a negative review finding to take a proactive approach to network management. Working with service providers that have dedicated staff and experts who understand the financial industry’s regulatory requirements and best practices ensures the required planning and reporting is completed in a timely manner. 
There are hundreds of tasks that a small IT staff must complete on a regular basis to keep the bank’s operations running efficiently. Many community financial institutions have limited in-house resources dedicated to IT network functions. If a critical staff member goes on a 
Without a doubt, the core banking platform is central to all financial institutions. However, you may be taking unnecessary risk by relying on them for all your needs. An IT services provider can help alleviate the stress by evaluating the infrastructure of the bank without bias, and eliminating the unnecessary hardware, processes and tasks, helping with overall management and ongoing cost. Whether it be network management, security, or compliance, it is unlikely your core will match the expertise a specialized partner can offer. Network management providers offer unbiased advice, while also diversifying your risk.
Many financial institutions struggle with choosing the right solutions partner. Smaller institutions in particular can benefit from outsourcing or partnering with a provider who offers network management solutions exclusively tailored for community banks and credit unions. Having a system in place that offers key features such as patch management, third party patching, antivirus, hardware and software inventory management, vulnerability remediation, and compliance-focused reporting to verify that your financial institution’s network is adhering to your policies and procedures is critical in today’s environment.
Aside from having a BCP and associated 
Typically, a regulatory agency will not revisit the findings again until the next review. It is up to the financial institution to address each point and provide the proper documentation to show these items have been corrected before the next meeting. For example, if the bank’s antivirus was listed as out of date on the findings report, the institution would have to update each machine, run a report, and include this information in the findings package to be reviewed by the regulatory agency during the next visit. To complete the process efficiently, banks must keep up with who is in charge of each specific action item, when the item is due for completion, and which reports should be included in the findings package.
Often there is one person in charge of the review and they must work with each department to gather information by the designated due date. All files must then be stored in a central location, follow the template the reviewing agents have requested and be in a format that can be transmitted securely to the requesting party. Gathering all this information and ensuring all documents are complete and accurate can be a challenging task for smaller community banks and credit unions with limited in-house resources and staff.
Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal technology and compliance resources. The right third-party solution provider can serve as a true partner and work alongside current staff to manage the technology, compliance and regulatory aspects of the institution. When the technology or compliance staff is out or unavailable, outsourcing select business processes helps fill the personnel gap and provide added stability for the institution and peace of mind to all.
