Category: Credit Unions

10 Jan 2018
Internal Audits are a Necessity

Internal Audits are a Necessity — Better Done In-House or Outsourced?

In the world of financial services, where institutions are governed by regulations and information security is of utmost importance, internal audits play a significant role in assuring an institution’s practices are aligned with business objectives, security protocols are in place and all regulations and government mandates are met.

The Institute of Internal Auditors defines the process as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps improve risk management, security and controls by evaluating the procedures and processes of the organization.

The internal audit system at a community financial institution should be specifically designed to provide:

  • Independence and objectivity
  • Qualified personnel to conduct audits
  • Adequate monitoring of internal controls
  • The testing and review of information systems
  • Documentation of tests, findings and corrective actions, and
  • Verification that management and the board of directors reviewed the findings and addressed necessary changes.

These regular reviews are not just beneficial for institutions; they are also mandatory. Federal Financial Institutions Examination Council (FFIEC) guidance dictates that financial institutions perform regular self-assessments or internal audits to “validate the adequacy and effectiveness of the control environment.” However, for many community financial institutions, the concept of performing the internal audit internally can be daunting due to the lack of personnel or in-house expertise, pushing many to identify the most effective third-party service provider to perform internal audit procedures.

In-House Internal Audits

Community financial institutions can choose to conduct internal audits themselves if they have an in-house auditor who is qualified, competent, independent from bank management and has a sense of objectivity. Ideally, a community financial institution has someone on staff with an accounting or business degree, professional industry experience, and the appropriate training to conduct a comprehensive, independent internal audit. One of the benefits of an in-house employee conducting the audit is the internal knowledge that person(s) has about the institution’s network and daily operations.

An in-house internal auditor must complete training conducted by industry organizations, such as the ICBA’s Community Banker University ®, to prove they understand the trends, issues, procedures and practices related to the financial services industry. Additionally, this demonstrates that the internal auditor function is taken seriously by the financial institution, which in turn, is important to government agencies and regulators.

Outsourcing

Smaller institutions that don’t have the budget or the staff to dedicate personnel to the internal auditor role must outsource this responsibility. While outsourcing this function can prove to be the most effective and efficient solution for any institution, selecting the right outsourced auditor can provide the additional benefit of helping maintain the overall health of an organization and better prepare a bank or credit union for its next regulatory examination.

Some of the advantages of outsourcing internal audits include:

  • Access to a team with a high level of expertise that is not cost-effective to maintain in house
  • Management has more time to work on strategic projects and focus on other revenue-generating activities
  • Issues associated with staffing and competitive compensation for in-house employees are eliminated, and
  • The issue of loss of objectivity is eliminated.

Whether done in-house or outsourced to a service provider, conducting internal audits is essential to ensure effective monitoring of security controls and to verify an institution’s ability to quickly correct significant IT and compliance vulnerabilities. At Safe Systems, our strategic advisors work with each client to perform quarterly self-assessments or internal audits to gauge IT performance and evaluate emerging risks to the institution. We also leverage this opportunity for the strategic advisor to educate bank personnel on new or changing government regulations to help the institution maintain compliance and be adequately prepared for IT audits and examinations.

20 Dec 2017
5 Questions to Ask Before Moving to the Cloud

The allure of having applications and systems hosted on a cloud network is appealing to community banks and credit unions as it allows them to eliminate servers, internal infrastructure, and applications that would typically have to be hosted inside the institution, as well as the associated support each one requires. As a result, many organizations are considering, or currently in the process of, moving to cloud-based systems.

While the cloud can certainly help streamline processes and increase bandwidth for bank staff, there are a number of details that community banks and credit unions should consider before making this transition, beginning with the cloud destinations or management types:

The Infrastructure Management Types

  • All hardware is located on-site at the financial institution.
  • All hardware is housed at a third-party data center. This solves the issue of location.
  • A cloud provider hosts the infrastructure components traditionally housed in an on-premises data center, including servers, storage and networking hardware. This solves the issues of location + hardware.
  • A cloud computing model where a third-party provider delivers hardware and software tools to users over the internet. This model solves the issues of location + hardware + platform.
  • A software distribution model in which a third-party provider hosts applications and makes them available to customers over the Internet. Some examples include Gmail, Facebook and Office365. This model solves the issues of location + hardware + platform + software.

Cloud services offer many benefits for financial institutions, including system standardization, centralization of information, the simplification of IT management and the built-in ability to stay current with technology updates and vendor software releases. For cloud services to be implemented successfully, financial institutions must understand the different types of cloud environments that are available and which one best meets the strategic objectives of their institution. Each bank has a unique corporate strategy that will guide how it moves to the cloud, what type of cloud solution is best for its environment and what specific technology assets should be moved to the cloud.

Here are five questions you should ask before making the decision to move to the cloud:

  1. Which applications can we move to the cloud?

    Evaluating which applications can be moved to the cloud and which vendors offer cloud-based solutions is really the first step. This will help organizations understand issues and elements that will be solved or created by the move to the cloud. For example, even with cloud-based solutions, financial institutions will still need to manage user workstations, security issues, connections to applications, and switches and routers, to name a few.

  2. Does moving to the cloud fit with our corporate strategy?

    Some organizations consider moving to the cloud simply because they think it is the right thing to do; however, there is no set path that all financial institutions must follow. Each bank has a unique strategy that is driven by its market situation, such as the desire to expand service offerings, open new branches, merge with another institution or even be acquired. Your corporate strategy informs your institution’s IT strategy and will guide you in choosing the management type that best fits your overall goal.

  3. Is the connectivity at my bank strong enough to support cloud-based solutions?

    Delays in loading cloud-based applications can be frustrating as well as costly. The increased use of cloud-based computing will place added demands on Internet speed and connectivity, making a strong connection critical for the success and health of the financial institution. This is a very important consideration when determining whether to move to cloud-based services. Confirming your institution has the proper connectivity will certainly help streamline this transition.

  4. Are there additional security, risk and compliance issues to consider when moving to the cloud?

    Moving to a cloud-based application will mean giving up some controls to the cloud vendor. When selecting a cloud vendor, evaluate their practices and strategies for user identity and access management, data protection, incident response and SOC 2 Type II documentation. You should have a solid vendor management program in place to verify that your vendors are compliant and are following the service agreement.

  5. Will moving to the cloud save my institution money and cut down on IT costs?

    Many financial institutions find that the transition does not translate to a lower price tag, and in fact can result in the bank actually spending more. However, with this expense comes the simplification of IT management and the built-in ability to stay up to date with software releases. Migrating to the cloud commonly requires an organization to move from a capital expenditure (CAPEX) to an operating expenditure (OPEX) financial model, in which large capital outlays for the purchase of servers, computers and networking hardware are replaced by monthly, quarterly, or annual fees that an institution pays to operate the application.

    An application hosted in the cloud does not require any major capital investments for the institution. While the monthly fee in the OPEX model may be higher than the hardware and software costs, it eliminates the responsibility and indirect expense of bank personnel having to maintain the IT infrastructure. Think of these pricing models in the same way as owning a car versus taking Uber. When you own a car, you are responsible for its general upkeep, paying for gas, cleaning the car, etc. When you take Uber you simply pay for the ride and the driver is responsible for the vehicle’s upkeep. While you may pay a little more for that Uber ride, you gain more free time to focus on activities you enjoy.

Working with a financial industry IT service provider, like Safe Systems, can help you with the decision-making process involved with moving to the cloud while ensuring the solution and applications are compliant and meet regulatory expectations. We work with each institution to create a plan, based on their goals and strategies, to determine what can and should be moved to the cloud. Ultimately, moving IT assets to the cloud enables your bank and IT executives to focus on the key capabilities that support your bank’s unique strategy.


14 Dec 2017
Importance of A Cybersecurity Risk Appetite Statement

As cybersecurity threats continue to increase in the financial services industry, banks and credit unions must work harder to meet regulatory expectations. Regulators are taking a deeper look at financial institutions’ policies and procedures to ensure that these institutions can effectively safeguard confidential and non-public information. This includes ensuring financial institutions have a Board-approved Cyber Risk Appetite Statement.

Regulators are not only looking to ensure financial institutions have a cyber risk appetite statement in place, but also that it is being used to monitor and manage the institution’s cyber risk. In fact, risk appetite is mentioned more than 6 times in the FFIEC’s Cybersecurity Assessment Tool (CAT). The Overview for CEOs and Board of Directors, released with the CAT by the FFIEC, states it is the Board or an appropriate Board committee’s responsibility to “engage management in establishing the institution’s vision, risk appetite, and overall strategic direction.”


What is Cyber Risk Appetite?

Safe Systems’ Compliance Guru gives us a good working definition of risk appetite: “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” In other words, risk appetite is a decision by the Board and Senior Management that the residual risk level is acceptable. Residual risk is the risk remaining after controls have been applied.

Before the Board can define a cyber risk appetite statement, they must have a clear understanding of the institution’s risk profile. This will allow them to clearly define their risk tolerance, which is then used to inform management’s decision making. For example, before an institution begins offering a new service, management should validate that the amount of risk after controls have been applied (residual risk) is within the defined risk appetite. If not, management should determine if additional controls can be applied to bring the risk within acceptable limits or reevaluate the service.

Failure to have a cyber risk appetite statement not only puts a financial institution at risk of violating regulatory requirements but can also lead the institution to improperly manage its cyber risk. Defining your cyber risk appetite allows an institution’s Board of Directors to set the tone for risk management throughout the financial institution.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

06 Dec 2017
What Community Banks and Credit Unions Should Budget for in 2018

Many financial institutions are entering (or are already within) their 2018 budget season. While creating a budget is essential in helping you execute your strategy and plan for the future, any shortcomings, such as an inability to respond to changes in regulation or things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, security and compliance budget items that are often overlooked. Since we work with more than 600 financial institutions just like yours, we are constantly researching what’s coming next, from both technology and compliance viewpoints, and offer some points for consideration in your budgeting for 2018.

2017 started with several ransomware incidents and culminated mid-year with one of the largest breaches ever, the Equifax breach, which directly impacted more than half of the adults in the United States. Expect “Cybersecurity” and “Information Security” to be buzzwords going forward for the next few years. No business wants to have a breach and no regulatory agency wants to sign off on a business’ processes only to have them be breached. Look for the regulatory agencies to start looking out for number one by putting pressure on you, the financial institution, to step up your cybersecurity efforts.

Per some studies, up to 90% of cybersecurity spending is directed towards securing the network, yet 72% of all breaches happen from the application level. This disconnect indicates that, while the money spent may prove effective on stopping perimeter exposure, it has likely left an unexpected weakness in overall protection.

Expect cybersecurity and added layers to be a focus over the next few years. The layers are often moving from the perimeter to the device level. Considering most breaches go unnoticed for 100-200 days, expect an emphasis on forensics and monitoring in the coming year(s) as well.

As you are setting budgets for 2018, here are some key line items for consideration:

  1. Malware/Ransomware Layers: $1,500 – $5,000

    Remember that 2016 and early 2017 were very heavy in malware, especially ransomware. While this seemed to cool off toward the end of 2017, experts expect this to be a major issue for the foreseeable future. The price will depend on the layers you select and how many you choose to add. You should really consider taking a more aggressive step in your fight against malware this year. If 2016 and 2017 taught us anything, it is that malware, and specifically ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past.

    Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers, but is now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

    Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their cybersecurity posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

  2. Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

    Cybersecurity preparedness does not start or end with the Cybersecurity Assessment Tool (CAT), but it does play a role. Examiners will be looking at this for at least acknowledgement that you understand cybersecurity is a real issue and you are working on addressing it. We still speak with institutions who have done little to nothing with the CAT. With the current risk environment constantly escalating, regulators are unlikely to continue to let this slide.

  3. Honey Pots: $2,500+

    A security professional at a major security conference earlier this year referenced baiting and monitoring for criminal activity as one of the most effective measures to know if you have been compromised. Often referred to as “honey pots,” these are decoys set up to look interesting to anyone “snooping” around. With a solid solution in place, your institution could know of an intruder within minutes instead of the estimated 100-200 days noted above. If Target or Equifax had used similar solutions, they would likely not have been compromised or damaged to the extent that they were.

  4. Robust Vendor Management Solution: $2,500 – $5,000

    With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost-effective way to address this. This also ties into cybersecurity preparedness. As data has moved outside the institution, it’s more important than ever to make sure your vendors are keeping your data safe.

  5. New and Replacement Technology: $500 – $10,000

    Be sure that all products your vendors are “sunsetting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

    • Expired in 2017 and should be replaced or upgraded
      • Windows Vista
      • Symantec Endpoint 10.x
      • Microsoft Office and Exchange 2007
      • Backup Exec 2015
      • Adobe Acrobat XI
    • Expires in 2018 and should be replaced or upgraded
      • ESXi/vCenter 5.5 expires 9/19/2018

  6. Training: $500 – $1,500

    Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. This is an area where many institutions could make a lot of improvement for the fewest dollars. Employees, via intent or mistake, are often the starting points for the breaches many institutions face. A single employee has been blamed for much of what happened in the Equifax breach. Make sure your employees and customers have access to the appropriate training commensurate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.

  7. Vendor and User Conferences: $1,000 – $1,800

    It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.

29 Nov 2017
Combatting Cybercrime

Combatting Cybercrime: Change Your Cybersecurity Mindset to Enhance Your Institution’s Strategy

Targeting Employees - How to Prevent Phishing

Cyber-attacks are becoming more sophisticated as cyber criminals find alternative ways to target financial institutions and their data. Most recently, there has been an increase in phishing scams that specifically target bank employees, attempting to obtain sensitive information such as usernames and passwords. The ultimate goal is to trick bank employees into clicking on links or opening attachments that redirect them to fake websites where they are encouraged to share login credentials and other personal information.

With access to your employees’ email accounts, cyber criminals have the ability to read your bank’s critical information, send emails on your employees’ behalf, hack into the employee’s bank and social media accounts, and gain access to internal documents and customer financial information. This can result in both financial and reputational risks for the institution and its employees.

To help protect your institution’s data, here are two key ways to prevent phishing scams and increase security for your community bank or credit union:

  1. Employee Training is the Number One Priority

    Without proper training, it is very easy for employees to fall victim to a variety of email phishing scams. Financial institutions must have a policy of on-going testing and training to ensure employees understand security procedures and are equipped to identify phishing emails and other security threats. It is also important to establish a security culture within your organization to ensure that all employees recognize that they have a personal responsibility to safeguard against breaches.

    Community banks and credit unions can also leverage an outside security company to conduct security training and checks to verify how employees interact with suspicious emails. This allows network administrators to look at different levels of risk based on whether an employee ignored the email, opened the email, or clicked the link and provided information. After conducting this test, the administrator can then use that opportunity to educate employees on what happened during the test, explain how the system was compromised, and provide applicable advice on how to recognize these types of attacks in the future.

  2. Stop Email Phishing Attacks with Multifactor Authentication

    A proven way to protect your bank’s network is to implement multifactor authentication, which requires more than one method of authentication to verify a user’s identity for a login or other transaction. This security option is designed to make it more difficult for cybercriminals to access bank accounts and other sensitive information.

    While there are different ways to implement multifactor authentication, the three basic elements that can be used in this process include:

    • Something the user knows, like a password or PIN;
    • Something the user possesses, like a smart card, token or mobile phone; and
    • Something the user is (i.e., biometrics), such as a fingerprint or retina scan.

Many of our customers rely on Safe Systems’ SafeSysMail O365 hosted email solution, which provides them the option to turn on dual-factor authentication to increase the layers of security. When an employee tries to log in to their email account, they first type in their username and password. Then, as a second factor, they use a mobile authentication app, which generates a code or PIN to enter on the screen, and only then are they given access to the account. Implementing multifactor authentication is a powerful step toward preventing hackers from gaining access to accounts even if a password or security answer is stolen.

To combat today’s cyber threats, financial institutions must stay up to date on the latest phishing strategies and verify that the security policies and solutions in place can reduce potential threats. It is also vitally important that employees understand the types of attacks they may face, the risks, and how to address them. Implementing a combination of employee training and multifactor authentication strengthens your institution’s security strategy and can make the difference when (not if) cybercriminals attempt to hack into your employee accounts.

08 Nov 2017
2018 IT Outlook Survey

Your 2018 Plan: Identifying Top IT Priorities for Community Banks & Credit Unions

To help small financial institutions get a better understanding of what their peers are spending and planning for technology, compliance and security, we survey community banks and credit unions across the country annually. Last year, our 2017 Community Bank Information Technology Outlook Survey provided valuable data including top IT priorities, IT challenges, security concerns and compliance issues.

Looking Back at 2017

Looking back at last year’s survey, bankers and credit union executives were acutely focused on:

  1. Cybersecurity was one of the greatest security challenges for 2017 according to 94% of respondents.
  2. Nearly 77% of respondents claimed they were spending more on technology than they had in the past.
  3. Banks found it challenging to keep pace with the rapid rate of technological change that is influencing and impacting the banking industry.
  4. 71% of respondents reported outsourcing their network management and 63% outsourced their IT support.
  5. Compliance issues were top-of-mind as many community banks indicated that regulators were more aggressive as examiner expectations and demands continued to increase. This resulted in approximately 59% of participants spending more on their IT and compliance needs headed into 2017.

What Has Changed

What are community banks and credit unions evaluating most headed into 2018? In this year’s survey, we will focus on compliance and security concerns, IT management issues, vendor management, audit and exam preparation and implementation of new services, among others. Each year, the data we gather provides valuable peer data from financial institutions across the country to use as guidance for their own key IT, compliance and security decisions in 2018 and beyond.

We hope you will participate in the 2018 survey by visiting http://info.safesystems.com/2018-community-bank-credit-union-it-outlook-survey. By completing the survey you will receive access to this comprehensive year-end report. Your anonymous responses will be aggregated to provide detailed graphs, charts and plenty of insight amongst your peers in the community financial industry.

01 Nov 2017
Are Regulations Killing Community Banks and Credit Unions?

Are Regulations Killing the Community Bank and Credit Union?

Community banking has been an essential part of the financial backbone of the United States for over a century. Community bankers have funded the ideas and dreams that helped launch countless businesses across the country – businesses that sometimes grew to employ thousands of local residents and generate millions for local economies.

For many banks and credit unions today, the commitment to serve the local community is still very real. The mega banks are often looking for a “mega” deal and not the small business loan that a local company needs to get started. As a result, community banks and credit unions are vitally important to small and medium sized businesses that are often ignored by larger institutions.

Herein lies the problem: over the last decade, the number of community banks has decreased by 27% while credit unions have decreased by 40%. Some of this, of course, is attributable to the Great Recession, but of the nearly 2,000 banks that have disappeared, only about 500 were shut down during the downturn, meaning the majority of the decline is not entirely based on this specific event. So, if the economic calamity of the last decade is not entirely to blame, what is?

While there are several factors that have led to the decrease in smaller institutions, one has had perhaps the most significant impact: the increase in regulatory requirements. Regardless of location and size, small community banks are subject to largely the same regulations as larger institutions. Regulatory agencies are continuously changing and increasing guidance around a variety of issues, including cybersecurity, vendor management, and disaster recovery, among others. The increase in regulatory requirements does two things:

It Creates a Challenging Environment to Run a Community Financial Institution

For many community banks and credit unions, meeting new regulatory requirements takes a considerable amount of time, effort and knowledge to execute successfully. Small community institutions that manage this function internally often struggle to keep up with the ever-changing regulatory landscape and provide the proper documentation to examiners. Without the right compliance expertise, it can be very difficult to ensure the institution’s processes and procedures are in line with federal regulations.

It Increases Operational Costs

Each new regulatory guidance, update, change, and interpretation requires additional expertise and more employee resources. It’s a never-ending cycle. The last decade has brought about an increase in compliance changes including the Patriot Act, the Bank Secrecy Act (BSA), new information security regulations and more requirements for lending and liquidity. All of these changes have increased compliance spending and forced institutions to redirect valuable employee time away from customer service and more revenue-generating activities.

In the past, the core vendor has been the one to fill in the gaps between what banks can manage internally and areas where they required outsourced help. Historically, the core vendors helped community banks and credit unions with tasks to support everything from teller functions, to lending, to direct mail, as well as provide services such as remote deposit capture and mobile banking. Today, however, many core vendors are very large and not agile enough to stay on top of the consistent changes in regulatory guidance.

This pressure in the market is forcing institutions to either hire additional in-house talent to keep up with all the new regulatory expectations or look beyond their core providers for outsourcing regulatory and compliance needs. Many that have tried to fill the gap with additional in-house expertise find that recruiting and training qualified staff to manage regulatory requirements demands considerable time and energy from a bank’s management team, which redirects valuable resources needed to support customers and banking operations.

So what’s the answer? The future of community banking depends on community financial institutions surviving in this new regulatory environment. The reality in today’s market is that the task of meeting all requirements laid out by regulatory agencies is becoming too much of a challenge for banks and credit unions – and even their trusted core providers — to manage alone. Working with a trusted IT and compliance partner that specializes in regulatory compliance can provide your institution with the regulatory expertise and knowledge to successfully meet compliance goals and provide the best banking experience to your community.




25 Oct 2017

Top 4 Security Threats Your Financial Institution Faces Today & How To Protect Yourself

The financial services industry continues to be heavily targeted by cyber-attacks because of the sensitive financial data that institutions hold. Hackers, in turn, recognize one of the greatest potential avenues for financial gain is in targeting financial institutions, enabling them to either commit fraud themselves or sell the information to a third-party. What is most troubling is that cyber criminals have displayed new and advanced levels of sophistication, knowledge and ambition in 2017 – a year characterized by a series of extraordinary attacks, including malware threats, credit and debit card breaches, phishing attempts and data breaches.

Some of the most common security threats financial institutions are facing today include:

  1. Ransomware

    Ransomware has established itself as one of the leading cyber threats with instances increasing by 44 percent last year. In fact, according to the 2017 State of Malware Report by Malwarebytes, ransomware was the favored method of attack used against businesses in 2016. Recent FBI statistics also indicate that hackers successfully extorted more than $209 million in ransomware payments from businesses and financial institutions in Q1 2016, and the business of ransomware is now on track to become a $1 billion per year crime.

  2. Lack of Third-Party Vendor Security

    While a financial institution might have the right security systems and policies in place to protect itself and its customers from a cyber-attack, its third-party providers and vendors may not have the same level of security and diligence. This creates a major vulnerability for the financial institution and risks Federal Financial Institutions Examination Council (FFIEC) compliance issues.

  3. Insider Threats

    Often, all it takes is a disgruntled employee or ex-employee to release valuable security information and compromise system and data security. Additionally, cyber criminals are increasingly realizing success through bribery as a means to entice bank employees to give up their login credentials or other security information, allowing direct access to internal systems.

  4. Lack of Employee Training and Security Expertise

    Cyber-attacks are often able to outpace cyber-defense due to a shortage of qualified cybersecurity personnel and the limited IT staff bandwidth to stay abreast of a continually evolving security landscape. Employee testing and training is critical for banks and credit unions to decrease vulnerabilities and ensure staff — at all levels — understand their roles and responsibilities in protecting against security threats. Until this learning gap is resolved, financial institutions will continue to struggle to efficiently manage cybersecurity threats.

Combating Security Threats & Protecting Customer Data


At a minimum, to adequately protect against cyber threats, financial institutions should ensure that every device on the network has up-to-date antivirus software, adequate firewall protections and current patches.

In addition, financial institutions should also employ a strategy that places many uniquely tailored layers throughout their networks, from the end-user to the Internet to establish a secure IT environment. Adding preventive, detective and responsive layers to IT security strategy will help strengthen an institution’s approach and build an effective security foundation. Proactively protecting customer data will always be more cost effective than falling victim to malicious activity.

For more information, download our white paper, “Ransomware and the Evolving Security Landscape of Today’s Financial Institution.”

04 Oct 2017
What is RegTech and Why is it Important for My Organization


The financial services industry is continually evolving, especially when it comes to regulatory and compliance changes. The number of regulatory changes a bank has to manage on a daily basis has increased from 10 in 2004, to 185 in 2017. To stay abreast of these changes, more than a third of financial firms continue to spend at least a full work day each week tracking and analyzing regulatory changes, according to recent research by Thomson Reuters. Regulatory compliance efforts have become a resource-consuming, expensive inefficiency within financial institutions, which has led to the development of a new technology product category: regulatory technology, or RegTech.

What is RegTech?

A relatively new term, RegTech refers to a set of companies and solutions that address regulatory challenges through innovative technology. RegTech is a subset of FinTech that focuses on technologies that facilitate the delivery of regulatory requirements more efficiently and effectively than traditional compliance processes.

RegTech helps financial services organizations automate compliance tasks and reduce operational risks associated with meeting regulatory requirements and reporting obligations. In addition, the technology empowers organizations to make informed choices based on the actual data provided through the system. This data highlights the actual compliance risks the organization faces and how it mitigates and manages those risks.

Why is RegTech Important?

The relationship between compliance and technology is nothing new; however, it is becoming more important as the sheer number of regulatory changes rises along with an increased focus on data and reporting. U.S. financial institutions now spend more than $70 billion annually on compliance, and the market for regulatory and compliance software is expected to reach $118 billion by 2020.

Key Benefits of RegTech to Financial Institutions:

  1. Reduced cost of compliance efforts by simplifying and standardizing compliance processes and reducing the need for manual intervention;
  2. Increased flexibility and growth opportunities due to the efficiency gains RegTech solutions provide;
  3. Data analytics enables regulatory information to be analyzed, helping organizations proactively identify risks and issues and remedy them in an efficient manner; and
  4. RegTech enables risk and control frameworks that can be seamlessly linked.

Attributes of RegTech Solutions

Due to the complexity and momentum of regulatory changes, RegTech solutions must be customizable and easy to integrate into a variety of environments. No two institutions are alike but properly designed RegTech solutions should help to guide institutions to a better overall compliance posture.

RegTech solutions are usually cloud-based, providing the ability to maintain, manage and back-up data remotely, while ensuring all data is secure in a cost-efficient manner. The level of agility that cloud-based solutions offer ensures a high level of security and control over an institution’s compliance data. Overall, the technology is designed to reduce implementation time, enabling financial institutions to spend more time focusing on revenue-generating activities.

What do regulators think of RegTech?

Regulators around the world have been encouraging the adoption of RegTech. Many RegTech solutions enable financial institutions to not only streamline their reporting, but also have better oversight of their data. This makes it easier for regulators in the event they need to review time-sensitive information.

The need to ensure compliance and regulatory requirements are met has spawned new activity in the financial services arena. The use of technology to help streamline and automate the time-consuming processes of monitoring compliance and regulatory changes, risk monitoring and regulatory reporting will continue to gain momentum as regulations evolve and regulators’ expectations grow. RegTech solutions are quickly becoming standard operating tools for all financial organizations.

Safe Systems has combined compliance and technology to create RegTech solutions for financial institutions for over 25 years.

27 Sep 2017
Debunking the Top 5 Myths about Outsourced IT Network Management Systems


To manage complex IT networks, bank and credit union IT administrators need the proper tools to monitor the network, maintain patches, apply anti-malware, and troubleshoot network issues effectively. With constant technological change and increasingly strict regulatory guidelines, many community financial institutions struggle to efficiently administer these tasks and meet examiner expectations.

To counter these mounting pressures, community financial institutions are, or should be, looking for ways to more efficiently manage their networks. Often, outsourcing this function and the underlying IT operations proves to be the most effective and efficient solution, but some financial institutions are hesitant to outsource or have misconceptions when it comes to outsourcing their IT needs.

Some of the top myths about outsourcing IT network management include:

  1. Outsourcing is too expensive

    While it is true that outsourcing can be expensive, the benefits have proven to consistently outweigh the cost. Outsourcing IT network management removes routine, repetitive tasks for your staff so your team can work on higher value projects, and distributes the work to ensure you maintain business continuity. Additionally, an outsourced provider typically has certified engineers who will monitor devices, maintain patch updates, and help you resolve complex issues, even when your employees are away from the office.

  2. A local provider is better because they can come to our location to fix a problem

    It is simply no longer necessary for IT partners to be onsite to manage a network. In fact, it may be difficult to find a local vendor with the banking technology and regulatory expertise required to meet examiner expectations.

    An experienced outsourced IT services provider can help your institution recover quickly from unexpected business outages in your community. If a disaster does occur, local providers actually add a level of risk as they could also be out of service, increasing your recovery time and putting your organization at risk. The right IT partner understands the nuances of the financial services industry and can provide uninterrupted service, no matter the distance or circumstance.

  3. Without a bad exam, everything must be okay

    Regardless of location and size, small community banks and credit unions are under most of the same regulations as larger institutions, forcing a small IT staff to be well-versed in all regulatory guidance from cybersecurity to disaster recovery to meet examiner expectations. Auditors and examiners expect thorough documentation to prove that the institution’s daily practices match its defined policies and procedures. Financial institutions should not wait for a negative review finding to take a proactive approach to network management. Working with service providers that have dedicated staff and experts who understand the financial industry’s regulatory requirements and best practices ensures the required planning and reporting is completed in a timely manner.

  4. Outsourcing replaces the institution’s IT personnel

    There are hundreds of tasks that a small IT staff must complete on a regular basis to keep the bank’s operations running efficiently. Many community financial institutions have limited in-house resources dedicated to IT network functions. If a critical staff member goes on a vacation, is out sick, or leaves the bank, it can be difficult for the institution to manage the network effectively and maintain compliance.

    Outsourcing helps to augment the bank’s current staff to act as an extension of the IT team. An IT partner can provide bank IT employees with more time to work on strategic projects, support front-line employees and focus on other revenue-generating activities. With an outsourced IT service provider, financial institutions gain an entire team of IT professionals equipped with advanced technology experience to support their IT needs. The staff is empowered, not replaced.

  5. It’s better to do everything with the core provider

    Without a doubt, the core banking platform is central to all financial institutions. However, you may be taking unnecessary risk by relying on them for all your needs. An IT services provider can help alleviate the stress by evaluating the infrastructure of the bank without bias, and eliminating the unnecessary hardware, processes and tasks, helping with overall management and ongoing cost. Whether it be network management, security, or compliance, it is unlikely your core will match the expertise a specialized partner can offer. Network management providers offer unbiased advice, while also diversifying your risk.

 
Many financial institutions struggle with choosing the right solutions partner. Smaller institutions in particular can benefit from outsourcing or partnering with a provider who offers network management solutions exclusively tailored for community banks and credit unions. Having a system in place that offers key features such as patch management, third party patching, antivirus, hardware and software inventory management, vulnerability remediation, and compliance-focused reporting to verify that your financial institution’s network is adhering to your policies and procedures is critical in today’s environment. 



Safe Systems’ NetComply® One IT Network Management service is designed to help ensure community financial institutions operate even more efficiently, securely and compliantly, while also decreasing costs, increasing performance, and improving an organization’s overall compliance posture. NetComply One streamlines your IT strategy and sets you up for success. Safe Systems’ IT network management solution was built using experience from managing IT networks for more than 300 financial institutions. Safe Systems’ combined years of banking knowledge and regulatory expertise allows us to truly understand banking IT operations, the unique platform configurations of financial institutions as well as the enhanced regulatory requirements. 



For more information, read our white paper, “Dispelling 5 IT Outsourcing Myths within Financial Institutions.”







13 Sep 2017
The Importance of Network Management Systems in Community Banks and Credit Unions


The advancement of mobile phones, Wi-Fi, remote deposit capture, virtual infrastructures, shared storage and the growing demand from customers to have 24/7 access to their financial lives has changed the business of banking. These changes have shifted the objectives of running a community financial institution away from simply needing to manage money and provide loans to include managing data and the IT networks that carry this information. From the teller line and the loan origination system, to the phone and alarm systems, most modern institutions are highly interconnected and must have a strong IT network infrastructure to offer a variety of services to their customers and keep operations running smoothly.

To ensure all systems are continuously functioning, it is important to monitor hardware and software for failures, viruses and malware, and stay up to date on required maintenance functions. Many IT professionals utilize network management systems to help streamline this process and more efficiently perform their day-to-day functions. A network management system is a set of hardware or software tools that allow an IT professional to supervise and manage the individual components of a network within a larger network management framework. These systems help to provide a deeper understanding of the network and all important applications to help improve performance and ensure security. Having a centralized solution in place that automatically reviews the network, sends alerts, issues tickets, and provides support and reporting for servers, workstations, network routers, switches, software and other devices is an integral and critical function in financial institutions today.

Key Components of a Network Management System for Financial Institutions

To help ensure community financial institutions operate more efficiently, securely and compliantly, IT professionals should implement a network management system designed specifically for financial institutions to further decrease costs, increase performance, and improve their compliance posture.

Some key components of a network management system include:

  • Network Device Discovery — the ability to identify what devices are present on a network;
  • Network Device Monitoring — the ability to monitor at the device level to determine the health of network components and the extent to which their performance matches capacity plans and intra-enterprise service-level agreements (SLAs);
  • Network Performance Analysis — the ability to track performance indicators such as bandwidth utilization, packet loss, latency, availability and uptime of routers, switches and other Simple Network Management Protocol (SNMP) enabled devices;
  • Intelligent Notifications – the ability to configure alerts that will respond to specific network scenarios by paging, emailing, calling or texting a network administrator;
  • Mobile and Cloud Support – the ability to offer mobile and cloud support is important for the financial industry because users require 24/7 access to their financial data no matter where they are;
  • Integration – the ability to easily integrate with a variety of technologies in place at the institution and work seamlessly together;
  • Automated Intelligence – the ability to eliminate the need for IT staff to directly administer challenging and time-consuming tasks such as patch management, anti-malware updates, and reporting. Automating these functions saves time while ensuring all patches are up to date. It also reduces device exposure through server hardening;
  • Centralized Monitoring Console – should include remote control access and monitoring capabilities;
  • Dual Factor Authentication — enabling secure log-in to the system;
  • Enhanced Reporting Functions — featuring reporting based on FFIEC requirements for IT audits; and
  • Security services — to protect the institution servers. 

All of these features provide IT professionals with greater visibility into the network, increased security of the bank’s servers, and time-saving automation to streamline processes and focus on more valuable tasks. Community banks and credit unions are able to keep up with updates and changes to the system through alerts that notify IT personnel when there is a change or threat to the network. In addition, many network management systems are designed with compliance in mind to account for updates to banking regulations and changes as they occur. This allows financial institutions to stay ahead of the curve and ensure adherence to all regulatory requirements.

Benefits of Outsourcing the Oversight of Network Management Systems


While the evolution of network management systems has made many processes and procedures more streamlined and efficient, the management of network management systems has also become a full-time, demanding responsibility. A financial institution’s IT staff must understand the ever-growing complexity of IT operations and applications, continuously changing regulatory requirements and FFIEC compliance guidelines. IT network administrators must be familiar with the challenges presented by overseeing networks that extend through multiple environments and must also understand concepts such as application delivery optimization and data analytics.

Even though the list of duties and level of complexity has grown substantially in recent years, many community financial institutions still rely on one or two-person staffs to manage all of the institution’s IT operations. Finding, training, and retaining qualified staff to manage an IT network can also demand considerable time and energy from a bank’s management team, which redirects valuable resources needed to support customers and banking operations.

With these mounting pressures, community financial institutions are, or at least should be, looking for ways to more efficiently manage their networks. Often they determine outsourcing this function and the underlying IT operations is the most effective and efficient solution. Community banks and credit unions can benefit in many ways from outsourcing with a provider who offers IT network management solutions exclusively tailored for community financial institutions and is also able to act as an extension of their organization and help augment internal IT resources. Such partners bring knowledge, additional resources and compliance expertise to help community banks and credit unions control and manage their complex IT environments and operate in today’s financial services arena with a greater degree of confidence.

An IT network management provider who is specialized in the financial services industry truly understands the evolving complexity of community banks’ IT operations and will have the knowledge to do an in-depth review of an institution’s network environment. The provider can offer additional support in co-managing IT operations, providing financial executives with the assurance that their institution’s IT network is functioning efficiently, optimally, securely, and is in compliance with industry regulations.

A technology service provider can also help consolidate, automate and manage many of the administrative functions that are so time-consuming for in-house staff. Automating patch management and reporting saves bank IT administrators a great deal of time. In addition, providing financial executives the ability to receive live information for diagnostic or reporting purposes, as well as remote access to the network, not only saves time and improves efficiencies but also helps financial IT managers meet their responsibilities for documenting the environment for regulators.

Compliance Considerations for a Network Management System

Regardless of location and size, banks and credit unions are all subject to largely the same regulations, which are continually changing. Meeting expectations and adequately preparing for an exam are top concerns for many financial institutions. The entire exam process, from preparation to providing accurate responses to reviewing and remediating findings, can be an extremely time-consuming and stressful process to complete. A network management system can help ensure community financial institutions increase efficiencies by automating the myriad of tasks associated with exams and regulatory requirements, and produce custom reports based on FFIEC requirements. Network management systems designed with compliance in mind are able to account for updates to banking regulations and changes as they occur, which allows financial institutions to stay ahead of the curve and ensure adherence to all regulatory requirements.

In addition, due to the volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) designed the Cybersecurity Assessment Tool (CAT), which plays a major part in helping financial institutions identify risk and understand their cybersecurity preparedness. The CAT provides a clear set of standards to ensure an institution’s network systems are managed efficiently and compliantly. Network management systems help organizations comply with the CAT by offering protections such as risk identification, network border protection, inventory of assets, auditing of the network, dual-factor authentication, and remote access. Failure to comply with FFIEC guidelines puts a financial institution at risk of doing poorly on exams, being written up for not following protocols, and spending large amounts of time correcting violations, which can all lead to reputational damage and loss of revenue.


Service Provider Considerations

Selecting an IT services provider is challenging and many financial executives struggle with choosing the optimal solution to work with — and truly benefit — their organization. When looking for a technology service provider, some areas to consider include:

  • Does the provider offer flexibility in their support services that align with your organization’s IT needs?
  • Does the technology service provider have knowledge and expertise of all the regulatory requirements of financial institutions?
  • Are their support center staff and system engineers well-versed in network and security technologies, and do they understand the unique technical requirements of your core banking platform and ancillary applications?

Financial institutions rely heavily on technology to deliver financial services to their customers and members. Delivering the right solutions in a timely and cost-effective manner can be a challenge for some. Resources are limited, the top talent is hard to find, and at the same time, network management systems continue to evolve and change, and security risks and examiner expectations continue to grow. Partnering with companies that can provide the tools and resources necessary for financial institutions to help manage technology and reduce burdens provides greater visibility of the network management system as well as the documentation needed to verify the institution is adhering to regulations.

Ultimately, network management systems that are designed exclusively for community financial institutions can assist in taking the pressure off of increased examiner expectations and the increase in technology complexity. These systems enable community banks and credit unions to thrive in the complex world of banking by continuing to provide the hands-on attention to customers and members that set community financial institutions apart from the competition.

23 Aug 2017
Disaster Recovery Planning - How to Prepare Your Bank for Fall Storm Season


The potential damage that storms can inflict underscores the importance of Business Continuity Planning and disaster preparation, especially for local community banks and credit unions. A single disaster event, be it a hurricane, tornado, earthquake, severe thunderstorm, etc., has the potential to devastate communities by disrupting thousands of businesses and organizations and impacting millions of lives. While disasters do not take any seasons off, historically some of the worst storms actually hit during the fall months. A lack of proper planning and preparation could be particularly devastating for a financial institution impacted by a fall storm, as their customers will expect prompt access to their money in the aftermath of such an event. Moreover, regulators have expectations of their own, and financial institutions could face poor examination scores, fines, or increases in FDIC insurance costs. But who has the time to undertake such a big project? BCP/DR planning is especially challenging for smaller community financial institutions who often lack the staff and resources of larger institutions.

It is imperative that financial institutions have a solid Business Continuity Plan (BCP) and Disaster Recovery (DR) procedures in place and are able to implement them, as required by Federal Financial Institutions Examination Council (FFIEC) guidelines. These plans are instrumental to make sure that people, process, and technology elements are all properly coordinated to efficiently recover from disasters or business interruptions. In a disaster situation there is a stark difference in the reaction from financial organizations who have a disaster plan in place and those that do not. A solid and actionable BCP can literally be the difference between a temporary outage, and an institution closing its doors forever.

Preparing for Fall Storms

Aside from having a BCP and associated DR plan in place and the skills necessary to execute those plans, there are several additional steps your financial institution can take to adequately prepare for storms, natural disasters, and any other business outages, including:

  • Evaluating all backups and ensuring any redundant equipment critical to recovery is up-to-date and working;
  • Utilizing Uninterruptible Power Supplies (UPS) for short-term outages in power or preemptively shutting down servers and all IT equipment in anticipation of an extended outage;
  • Ensuring that the server room is locked with separate key access and that all equipment and sensitive documentation is otherwise secure if facilities must be vacated for an extended period;
  • Validating the procedures outlined in BCP/DR plans through functional testing; and
  • Ensuring that employees, vendors, and customers are aware of the proper communication protocols and contacts through educational efforts.

Common Issues and Solutions

Banks and credit unions that try to manage their own technology solutions, including backups, email, and server management, often get mired in day-to-day operational concerns. This leaves precious little time for the institution to make plans for potential disasters. The result is often a plan that does not truly consider all the processes and functions that go into running the business. This can leave significant gaps in recovery capabilities that might remain hidden to internal stakeholders without proper testing.

These issues can be avoided by working with an IT service provider who understands the unique needs each financial institution has when preparing for and recovering from a natural disaster. To ensure your institution is prepared for storm season and doesn’t run into the common issues mentioned above, partner with an IT service provider that offers the following:

  • Recovery plan testing on an annual basis;
  • Remote and secure backups;
  • Compliant data recovery practices;
  • Readily available staff and engineers; and
  • Proactive communication.

Fall storms and natural disasters cannot be prevented, but proactively knowing where to go, who to contact, and what critical functions to restore first can provide confidence when responding to a disaster. Developing, implementing, and regularly testing disaster recovery procedures as part of your business continuity plan is crucial in today’s banking environment. At Safe Systems we have been working with banks and credit unions for more than 20 years. Our proven experience enables us to provide the services and assistance necessary to help our customers weather the storm with minimal business interruption.

15 Aug 2017
Bank Compliance: How to Efficiently Respond to IT Exam Findings

Community banks and credit unions have grown accustomed to the strenuous review processes of regulatory agencies on their practices and procedures. These reviews are designed to help ensure the stability of the organization and the adherence to laws and regulations and are thorough in scope. As a result, preparing for an exam can be an extremely time consuming and stressful process to complete and, for many institutions, providing accurate responses to the review findings in a timely manner can be quite a challenge.

Upon the completion of the on-site visit, the reviewing agent will provide the financial institution with his or her findings in a review report or a notice. This report requires a response from the bank or credit union outlining the institution’s plan for correcting or improving specific findings from the review. Some proven tips for writing a response include:

  • Make your responses clear and concise
  • Respond directly to the finding and recognize any recommendations the reviewer suggests
  • Outline specific actions that the financial institution commits to take to correct the finding
  • Assign who is directly responsible for the implementation and oversight
  • Exclude information that is not pertinent to the finding or its corrective action plan
  • Provide a specific — and realistic — timetable for implementation.

Typically, a regulatory agency will not revisit the findings again until the next review. It is up to the financial institution to address each point and provide the proper documentation to show these items have been corrected before the next meeting. For example, if the bank’s antivirus was listed as out of date on the findings report, the institution would have to update each machine, run a report, and include this information in the findings package to be reviewed by the regulatory agency during the next visit. To complete the process efficiently, banks must keep up with who is in charge of each specific action item, when the item is due for completion, and which reports should be included in the findings package.

Organize Your Efforts to Complete Review Findings

Safe Systems’ Audit Trail application helps financial institutions efficiently respond to the reviewing agent’s feedback and ensure each finding is completed in a timely manner. The application allows the user to input review findings into the system, customize reporting fields, assign each finding to specific team members and include due dates to ensure all updates are completed. This allows banks to automate the review finding process as opposed to a manual process such as a spreadsheet, providing a more effective, centralized way to address this complex project.

The Audit Trail application also allows the user to attach relevant documents and reports to each finding, making it easier to verify that each item has been corrected. In addition to this, all documents are housed in one centralized location to avoid reliance on one person for documents and reports usually stored on an individual computer. The document library helps to reduce the risk of data loss due to computer failure and ensures that all important information is readily available to complete the findings package.

Responding to review findings can be challenging, time consuming and stressful! However, working with Safe Systems can provide your financial institution with the right tools to keep this process organized and meet regulatory expectations. Streamlining this process helps community banks and credit unions improve on IT and compliance procedures in a timely manner and effectively demonstrate how the institution has addressed the reviewing agent’s feedback.

08 Aug 2017
How to Beat IT Exam Stress and Boost Efficiency for Your Bank

External audits and exams have become a fact of life for financial institutions of all sizes. Community banks and credit unions undergo strenuous reviews of their procedures and practices anywhere between six and 18 times a year. While these reviews are designed to help ensure the stability of the organization and the adherence to laws and regulations, preparing for these events can be an extremely time consuming and stressful process to complete.

Most reviews consist of two phases – preparation and findings. At the beginning of the process the reviewing agent typically sends financial institutions a list of items that they want to review, certain areas they plan to examine and items they plan to discuss with the organization. This list normally includes a number of reports and documentation the financial organization must prepare ahead of the review and provide to the reviewing agents before the on-site visit. Some only require a handful of reports to prepare up-front, but others can request more than 60 different reports. Some of the reports and information that may be requested include:

  • Organizational Charts
  • Financial Reports
  • Business Continuity Plans
  • Disaster Recovery Plans and Test Results
  • Vendor Management Policies
  • Security Policies

Often there is one person in charge of the review and they must work with each department to gather information by the designated due date. All files must then be stored in a central location, follow the template the reviewing agents have requested and be in a format that can be transmitted securely to the requesting party. Gathering all this information and ensuring all documents are complete and accurate can be a challenging task for smaller community banks and credit unions with limited in-house resources and staff.

Streamline the Pre-Exam Preparation Process

The Safe Systems’ Audit Trail™ application is designed to help financial institutions efficiently manage the preparation process. The application allows the user to import a variety of file types and formats, utilize the field matching wizard, and easily standardize items across the system despite the varied nature of the templates provided by the different agencies. To eliminate the mundane task of collecting the same documentation over and over, the application allows you to pull system reports directly from a variety of other Safe Systems’ services housed in theSafe, and store them in a central library so they are easily accessible the next time you need them.

All preparation reports are housed in the Audit Trail solution, meaning there is no duplication of documents; reports do not need to be saved in various folders; and the financial institution has peace of mind in knowing the most accurate and up-to-date information is sent to the reviewing agent. In addition, once all the preparation documents have been completed, a preparation item package is created in the form of a zip file, which makes it easier to input all the documents designated for the review into the reviewing agent’s delivery system. A report or manifest of documents attached to each audit is created, giving the financial institution a record of each review.

Preparing for an audit or exam can certainly be a headache! However, working with Safe Systems can provide your financial institution with peace of mind by ensuring you are well prepared and can feel confident for any upcoming review. Safe Systems provides financial institutions with a trusted resource and technology advisor, leading to a seamless and time efficient preparation process.

02 Aug 2017
How to Stay Vigilant with Technology and Compliance Issues During the Summer Vacation Months

For many community banks and credit unions, keeping up with the ever-changing regulatory requirements and expectations can be a challenge, especially during the summer months when employees are taking time off to enjoy the warm weather and travel for summer vacations. The Federal Deposit Insurance Corporation (FDIC) actually encourages mandatory vacation time for bank employees of all levels. However, this can be a challenging time for many community institutions that have a small staff and rely on key individuals to make sure all activities related to technology, compliance and regulatory requirements are completed. So, what happens when the person(s) responsible for these crucial aspects of the institution goes on vacation?

Many financial institutions are turning to IT and security service providers to act as an extension of their organization and help augment internal technology and compliance resources. The right third-party solution provider can serve as a true partner and work alongside current staff to manage the technology, compliance and regulatory aspects of the institution. When the technology or compliance staff is out or unavailable, outsourcing select business processes helps fill the personnel gap and provide added stability for the institution and peace of mind to all.


A service provider can help automate and manage many of the administrative functions that normally fall to the technology or compliance department, making it less daunting for employees to take time away from the office. These service providers can automate technology functions that are required to stay vigilant with compliance and security procedures, such as patch management and reporting, vulnerability remediation, proactive network monitoring and issue resolution, vendor management, business continuity planning, cybersecurity, and compliance-focused documentation and reporting.


The right service provider should offer your financial institution full support for the demands of today’s technology, compliance and regulatory requirements. At Safe Systems we understand the complexity of community bank and credit union operations and the associated regulatory expectations. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We want to provide you with assurance that your institution is functioning securely and is in compliance with industry regulations at all times, but especially when your institution’s key technology or compliance personnel are out of the office.

26 Jul 2017
Top 4 Missing Declarative Statements in the FFIEC’s Cybersecurity Assessment Tool

With the heightened risk of cybersecurity attacks for financial institutions, many community banks and credit unions are completing the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) to assess their cybersecurity preparedness, determine their next steps to strengthen their maturity and better meet examiner expectations. The assessment consists of two parts, Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile assesses the risk posed by Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Then, Management evaluates the Cybersecurity Maturity level for five domains.

According to the FFIEC’s Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors, “Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness.” Declarative statements within each domain are assessed on maturity levels ranging from baseline to innovative. Financial institutions determine “which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.”

Since the introduction of the CAT in 2015, we have been assisting community banks and credit unions with completing this process. Based on our experience, which consists of more than 100 reviews of the CAT to date, we have identified four declarative statements that community financial institutions are struggling to complete:

  1. Domain 4 – External Dependency Management – Connections
     “Data flow diagrams are in place and document information flow to external parties.”

     According to the FFIEC’s Information Security Handbook, “these diagrams should identify hardware, software, and network components, internal and external connections, and types of information passed between systems.” Regulators are looking for financial institutions to demonstrate a solid understanding of where data is going and what type of data is being transmitted to third parties.

  2. Domain 1 – Cyber Risk Management and Oversight – Training and Culture
     “Customer awareness materials are readily available” (e.g., DHS’ Cybersecurity Awareness Month materials)

     Customer awareness materials, according to the FFIEC Information Security Handbook, are used to “increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.” These materials should “consider both retail and commercial account holders.” It is important for community banks and credit unions to communicate effective risk management strategies to their customers. The declarative statement references the US Department of Homeland Security’s website. The Stop.Think.Connect Toolkit has resources financial institutions can utilize to provide awareness material to customers.

  3. Domain 3 – Cybersecurity Controls – Preventative Controls
     “Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise.”

     DNSSEC is a technology developed to digitally ‘sign’ DNS data so that it can be verified as valid and from a trusted source. By enabling this, an institution would be less susceptible to DNS spoofing attacks. However, based on the experience of Safe Systems engineers, DNSSEC may cause issues throughout an organization’s systems. There are other technical tools financial institutions can implement that will enable them to meet the spirit of the statement without deploying troublesome tactics.

  4. Domain 1 – Cyber Risk Management and Oversight – Oversight
     “The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.”

     Regulators are looking to ensure financial institutions have a cyber risk appetite statement in place that has been approved by the Board. In fact, risk appetite is mentioned more than 17 times in the CAT. Cyber risk appetite is an assessment of how much cybersecurity risk the institution’s management is willing to accept to meet the goals and objectives of the institution’s strategic plan. To read more on how to develop a cyber risk appetite, visit the Compliance Guru Blog.

Financial institutions should review their current CAT responses, specifically the declarative statements in the Baseline maturity level that have been answered “No” or that they are struggling to complete to determine if there is a way to implement a compensating control. Adding in compensating controls may allow them to answer the question in the affirmative and ensure the institution is in compliance with regulatory requirements.
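The scoring rule quoted above (every declarative statement in a level, and in all previous levels, must be attained) and the review of "No" answers can be worked through in a short script. This is an added example, not part of the CAT or of any Safe Systems product; the answer codes, the domain keys, the level assigned to each sample statement, and counting a compensating control as attained are all assumptions of the example.

```python
"""Added example: score CAT declarative-statement answers per domain."""
from collections import defaultdict

# The CAT's maturity levels, lowest first.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Answer codes are this example's own encoding (assumption).
ATTAINED = {"yes", "yes-compensating"}
VALID_ANSWERS = ATTAINED | {"no"}

# Constructed sample responses: (domain, level, statement, answer).
# Statement texts marked (constructed) are invented; the others are quoted
# on this page, but the LEVEL given to each is a placeholder, not taken
# from the CAT itself.
SAMPLE = [
    ("D1", "Baseline", "Customer awareness materials are readily available", "yes"),
    ("D1", "Evolving", "The institution has a cyber risk appetite statement "
                       "approved by the board", "no"),
    ("D3", "Baseline", "DNSSEC is deployed across the enterprise", "yes-compensating"),
    ("D3", "Evolving", "(constructed) statement E1", "yes"),
    ("D3", "Intermediate", "(constructed) statement I1", "no"),
    ("D4", "Baseline", "Data flow diagrams are in place and document "
                       "information flow to external parties", "no"),
    ("D4", "Evolving", "(constructed) statement E2", "yes"),
]


def _group(responses):
    """Return {domain: {level: [(statement, answer), ...]}} after validation."""
    grouped = defaultdict(lambda: defaultdict(list))
    for domain, level, statement, answer in responses:
        if level not in LEVELS:
            raise ValueError(f"unknown maturity level: {level!r}")
        if answer not in VALID_ANSWERS:
            raise ValueError(f"unknown answer: {answer!r}")
        grouped[domain][level].append((statement, answer))
    return grouped


def domain_maturity(responses):
    """Highest level per domain for which that level and all lower ones are attained.

    Returns None for a domain that has not attained Baseline. A level with no
    recorded statements stops the climb: it cannot be claimed without answers.
    """
    result = {}
    for domain, by_level in _group(responses).items():
        attained = None
        for level in LEVELS:
            rows = by_level.get(level)
            if not rows or any(ans not in ATTAINED for _, ans in rows):
                break
            attained = level
        result[domain] = attained
    return result


def gaps_to_target(responses, target):
    """Statements answered 'no' at or below the target level, per domain."""
    if target not in LEVELS:
        raise ValueError(f"unknown maturity level: {target!r}")
    wanted = LEVELS[: LEVELS.index(target) + 1]
    gaps = {}
    for domain, by_level in _group(responses).items():
        missing = [(level, stmt)
                   for level in wanted
                   for stmt, ans in by_level.get(level, [])
                   if ans == "no"]
        if missing:
            gaps[domain] = missing
    return gaps


def compensated(responses):
    """Statements attained only through a compensating control.

    These are the answers that need supporting documentation on file.
    """
    return [(domain, stmt)
            for domain, _, stmt, ans in responses
            if ans == "yes-compensating"]


if __name__ == "__main__":
    for domain, level in sorted(domain_maturity(SAMPLE).items()):
        print(f"{domain}: {level or 'Baseline not attained'}")
    for domain, items in sorted(gaps_to_target(SAMPLE, "Baseline").items()):
        for level, stmt in items:
            print(f"GAP {domain} [{level}] {stmt}")
    for domain, stmt in compensated(SAMPLE):
        print(f"DOCUMENT compensating control: {domain} {stmt}")
```

In the sample, domain D4 scores below Baseline even though its Evolving statement is answered "yes", because an unattained lower level caps the domain.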

For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

20 Jul 2017
Lumbee Guaranty Bank Streamlines Cybersecurity Processes with Safe Systems’ Cybersecurity RADAR Application

The number of cyber-attacks directed at financial institutions of all sizes is continuing to grow and cybersecurity experts expect the trend toward increasingly sophisticated cyber-attacks to continue. Community banks and credit unions are prime targets for cyber criminals due to the sensitive data they house. As consumers and businesses continue to use electronic devices such as computers, tablets, and smartphones to perform financial transactions online, vulnerabilities continue to increase. A cyber breach can be devastating due to the costly ramifications, not to mention compromised customer confidence and reputational damage.

As a result of this heightened risk of cybersecurity attacks, regulators are heavily scrutinizing bank processes to verify that these institutions can effectively safeguard sensitive financial information. While not yet a requirement, the FFIEC’s Cybersecurity Assessment Tool (CAT) serves as the key guidance used to determine whether an institution is adequately prepared for a cybersecurity incident and in full compliance with federal regulations. In response, many banks and credit unions are now completing the assessment to assess their cybersecurity posture, determine their next steps to strengthen cybersecurity processes and better meet examiner expectations.

While completion of the assessment has proven itself beneficial, many financial institutions find the 100+ page assessment too cumbersome a task to successfully manage and fully understand. As a result, they decide they need to find a more efficient way to complete the assessment, understand their level of risk and make improvements to their IT environment.

This was the case for Pembroke, N.C.-based Lumbee Guaranty Bank. To ensure his institution maintained compliance, Austin Maynor, Information Security Officer at Lumbee Guaranty Bank, manually filled out the CAT with the help of a spreadsheet, but quickly found this process to be an extremely time-consuming project to complete. He determined the bank needed a solution that could give them a better understanding of where they were in terms of cybersecurity preparedness and where they needed to be in order to maintain compliance.

Streamlined CAT Completion Solution

As a long-time customer of Safe Systems, the bank decided to implement the Cybersecurity RADAR™ solution, a cybersecurity product that combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application. The solution allows staff to quickly generate reports, document notes and save examination results to review each year.

For Lumbee Guaranty Bank, Cybersecurity RADAR streamlined the process of filling out the CAT and helped the bank improve its cybersecurity processes. With the automated application, Lumbee Guaranty Bank significantly reduced the amount of time spent completing the CAT from days to less than 4 hours. In addition, Safe Systems’ evaluation of the bank’s responses helped clearly illustrate to the bank where they were in regards to compliance and baseline expectations.

“The Cybersecurity RADAR solution has been a great addition to our bank, helping us gain meaningful operational efficiencies while continuing to grow and strengthen our cybersecurity program. We are grateful to have a true partner like Safe Systems helping us navigate the latest compliance guidelines and effectively streamline our most important processes.”

For more information, download our cybersecurity case study, “Lumbee Guaranty Bank Streamlines Cybersecurity Processes.”

28 Jun 2017
The CAT Isn’t Mandatory, So Why Should We Complete It?

Due to the increasing volume and sophistication of cyber threats financial institutions are facing, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness with a repeatable and measurable process. The CAT helps financial institutions weigh specific risks such as gaps in IT security, versus controls or solutions aimed to prevent, detect and respond to these threats and determine areas for improvement. Each institution is then responsible for identifying its own risk appetite and establishing its desired level of maturity. Using the CAT, financial institutions can understand where their security practices fall short and how to effectively address those gaps.

When the CAT was initially released in 2015, it was promoted as a free and optional tool available to financial institutions to help assess their cybersecurity preparedness. However, regulatory agencies including the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) have announced plans to incorporate the assessment into their examination procedures. Today, many examiners are using the tool to assess an institution’s cybersecurity readiness and have already begun to issue citations to financial institutions that have lapses or are not meeting expectations.

Even though the CAT is voluntary, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. Completing the CAT is a good way to prepare for audits since the guidelines provide community banks and credit unions with detailed information on the federal government’s expectations for cybersecurity preparedness. The CAT enables financial institutions to identify vulnerabilities, fill in security gaps, and demonstrate a stronger security posture before the examination begins.

In addition to meeting examiner expectations, completing the CAT benefits financial institutions by helping them:

  • Determine whether controls are properly addressing their identified risks
  • Identify cyber risk factors and assess cybersecurity preparedness
  • Make more informed risk management decisions
  • Demonstrate the institution’s commitment to cybersecurity, and
  • Prepare the organization for an upcoming audit.

When used correctly, the CAT can provide a cost-effective methodology to help improve security, instill client trust, and avoid losses from a breach. For it to provide the greatest positive impact it should be completed periodically on an enterprise-wide basis, as well as when significant operational and technical changes occur. Completing the CAT helps community banks and credit unions understand the key risks they face and what controls they need in place to protect the institution’s data, leading to increased knowledge of regulatory expectations and a stronger, more compliant cybersecurity program.

For more information, please download our complimentary white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

21 Jun 2017
Safe Systems’ Security Baseline Service Automates Server Hardening for a Secure Server Operating Environment

In today’s technological landscape, where every computing resource is online and susceptible to attack and malicious activity, server hardening is an important process for financial institutions to have in place. Every day servers are targeted by harmful malware, ransomware, and other malicious attacks.

The best defense against these threats is to ensure that server hardening is a well-established practice within your community bank or credit union. Server hardening is the process of enhancing server security through a variety of means, which results in a more secure server operating environment due to the advanced security measures that are put in place during the hardening process.

One challenge financial institutions face is that running and maintaining server hardening services strains the resources of a limited IT staff. Banks and credit unions are already swamped with ensuring their servers are secure, which includes examining vulnerability assessment reports, fixing numerous findings, troubleshooting services, and addressing patch management, antivirus, and other activities on an ongoing basis.

To help streamline this time-consuming but essential process, Safe Systems designed its unique Security Baseline Service to work with its NetComply® One IT network management service to help automate the server hardening process. The Security Baseline Service leverages aggregate vulnerability scan data and remediates vulnerabilities across the service’s customer base. The service implementation includes a testing phase and ticketing notification to alert the institution of remediated vulnerabilities to help alleviate attacks and ensure networks are secure and up to date.

The Security Baseline process includes:

  • Remediation of emerging security vulnerabilities
  • Vulnerabilities identified by Safe Systems and its partners, which includes:
    • Evaluating commonly found vulnerabilities on a monthly basis
    • Determining significance of vulnerabilities
    • Writing remediation procedures for significant commonly found vulnerabilities
  • Monthly remediation across all subscribed devices
  • Ticket generated detailing remediation application results
  • Comprehensive report detailing individual fixes
  • Remediation of vulnerabilities outside our sampling group available upon request at an hourly rate

Many of the vulnerability findings banks receive are related to software issues that are addressed by updates or patches, which pass Safe Systems’ testing procedure and are then seamlessly executed on a daily basis. To ensure compliance, these patches and processes are implemented based on the FFIEC’s patch management guidelines outlined in the 2016 Information Security Booklet.

Financial institutions utilizing Security Baseline also benefit from the prolonged testing period Safe Systems uses to verify that Service Packs and new Windows builds will work with existing software. This ensures updates will be supported by the networks and any new features introduced will not cause problems for the institutions. The extra level of testing helps banks and credit unions avoid unnecessary IT challenges and network issues, reducing downtime and freeing up IT staff to focus on more pressing activities.

At Safe Systems, our goal is to reduce the amount of time internal IT staff must spend on time-consuming activities such as examining vulnerability assessment reports, troubleshooting services and patch management issues. We are constantly working to create automation to provide the best experience to our customers and ensure all networks are secure and in compliance with government regulations.

14 Jun 2017
Stay Ahead of the Curve! Windows 10 Updates Your Institution Needs to Know

Many financial institutions have just recently converted to Windows® 10, the latest operating system from Microsoft™ that was released July 29, 2015. Unlike previous versions of Windows, Windows 10 receives ongoing updates from Microsoft through a staggered update process that involves build numbers (Branch Releases) and regular build update (Branch Release) intervals to sustain the security of its signature product. These updates increase the build number and should be treated as a new operating system install, meaning that, as the build numbers increase, Microsoft will stop supporting older build numbers of Windows 10. To put this in context, the initial Windows 10 Release Build Number was 1507 and Microsoft is now releasing build 1703.

Knowing key dates in a product’s lifecycle helps organizations make informed decisions about when to upgrade or make other changes to software. Microsoft ended support in May 2017 for build number 1507, which means it no longer provides automatic fixes, updates, or online technical assistance for this version. Without Microsoft support, financial institutions will no longer receive important security updates that can help protect PCs from harmful viruses, spyware, and other malicious software that can steal information and infect networks. Because of this, we recommend systems be upgraded before they reach their end of life whenever possible.

To better understand the Microsoft upgrade schedule, here is a chart from Juriba that outlines the Windows 10 Branching Release Updates and End of Life Support Timeline:

[Chart: Windows 10 Timeline]

Technical Issues with New Releases


While a steady stream of build releases is great for resolving major issues and does provide a continuous flow of new features, it poses a huge burden for in-house system administrators and IT professionals. These individuals are left deploying an often-insurmountable series of new builds and updates to machines both locally and remotely. While the updates are designed to increase security and address bugs in the system, they can be quite large and cumbersome to install. These large downloads have resulted in hung downloads, hung installations, download delays, and more. Microsoft addressed this issue by releasing the Universal Update Platform (UUP), designed to reduce download size for build updates. Recently, however, the ability to capture the UUP download files and convert them into an ISO was not working correctly. There is also the risk of data loss, as some applications have proven to have compatibility challenges. Certain updates have also proven to kick machines off the domain and network servers and cancel out anti-virus and anti-malware programs.

Staggered Update Plan

To help alleviate these issues and make the update process more seamless, we recommend implementing a staggered update plan. This approach helps reduce risk and minimize negative effects on productivity by not affecting an entire department or service. For example, implement the update on one or two teller machines, leaving a few untouched so as not to affect the entire teller operation. This approach also gives you time to make improvements as needed and test for security issues while enabling the financial institution to operate its teller department.

Enlisting a Trusted Advisor

It is best for financial institutions to keep up with the latest technology, especially when it comes to keeping systems protected from malware and viruses that could lead to the equivalent of a virtual, modern-day heist. As a trusted advisor exclusively serving financial institutions, Safe Systems is available to help along every step of the way. We have worked with more than 600 financial institutions and monitor more than 20,000 devices, and we understand the many considerations that go into providing secure, reliable IT. Safe Systems’ experts work directly with your team to better understand and tailor a solution specific to your needs. Please reach out to Safe Systems if you need assistance with your Windows 10 upgrade.




07 Jun 2017
5 Questions Credit Unions Need to Answer about WAN

From offering your members the service options they are looking for, to keeping up with regulatory demands, to ensuring day-to-day operations in a reliable and efficient manner, today’s credit union is asked to understand more about technology than ever before.

One area of technology that presents its own significant set of challenges is telecommunications. The telecom industry can be difficult to master for several reasons. First, despite the fact that it’s comprised of newer technology, it remains an “old school” industry, with legacy players like AT&T and Verizon leveraging old-fashioned relationship selling rather than arming consumers with information and allowing them to select the best product for them.

Another reason is the pace with which the industry changes. From mergers and acquisitions, to technology advances and proliferation, one has to be plugged into the telecom industry on a full-time basis to really understand all of the available options. The result is that all of this churn and lack of visibility makes it difficult to design a telecommunications plan to serve and grow with your credit union’s technology needs. But where to start? Below are five questions to help guide you when building out your telecom plan:

  1. What Are Your Credit Union’s Technological Needs Beyond Simple Bandwidth?
     While bandwidth is the obvious factor that has always been considered, there’s more to think about than how fast your data moves when working to provide the best experience possible. Making sure you are built to withstand carrier outages, physical connection issues, and remote user connectivity (in addition to any unique needs that may be required by your service offerings) are all key considerations for your credit union to undertake.

  2. What Are The Current Offerings in Your Area?
     The pace with which technology is advancing and infrastructure is being installed requires you to evaluate all vendors in your immediate area to ensure you are making the best decision for your institution. It is wise to give the smaller telecom carriers consideration too as they can often offer a more competitive rate for the very same infrastructure that the larger providers are trying to sell you. Culturally, another reason to consider these smaller providers is the very same reason that a consumer should consider your credit union versus a mega-institution. This doesn’t imply you should move forward without doing your research into all providers, large and small, but don’t write any off immediately as you may risk giving up real value.

  3. How Can Your Institution Reduce Risk?
     As you develop your telecom plan, make sure that you are incorporating multiple technology platforms and providers into it. By varying your technologies and leveraging multiple providers, you effectively guard against outages of carriers and infrastructure. You may even wish to consider having the various connectivity points run to different ends of your locations to further guard against instances of digging crews taking your connectivity down all at once. Additionally, be sure to evaluate connectivity to each location from a business continuity standpoint, and be sure to consider broadband options in this process as they can provide some of the greatest value on the market today.

  4. What Technologies Should Be Insourced vs. Outsourced?
     Bandwidth can be expensive, especially if you are in a rural location without the benefit of multiple competitors for your business. Depending on your needs and your options, it may make more sense to employ internal technologies such as WAN acceleration instead of paying the price to add more bandwidth, a recurring cost that you will assume monthly. Other items to consider include use of a firewall and dual factor authentication to allow ease of access for remote users within a secure environment.

  5. Should Your Credit Union Monitor and Manage Equipment Internally Or Outsource?
     Both your communication equipment (i.e., routers and managed switches) and your security equipment (i.e., firewall) should be monitored 24/7 and managed in order to receive updates and ensure configuration changes are made properly. Additionally, you should consider whether this is a task that is best handled by internal personnel or outsourced to a managed service provider with established processes.

If you are looking to design a telecommunications plan for your credit union, Safe Systems has seasoned WAN and telecom engineers that will guide you throughout the process of choosing WAN carriers and the proper equipment to best fit your institution’s unique needs. There are a lot of choices, and we can ensure you get the right solution for your current and future technology requirements.

25 May 2017
Stay Compliant! 3 Areas Your Credit Union Should Focus on to Better Meet Regulator Expectations

Credit unions establish relationships and partnerships with third-party providers to meet strategic objectives, enhance member services, and manage competitive pressures. When a credit union actively manages its third-party relationships, the institution can then provide a wide range of potential benefits to its members.

However, third-party relationships also come with a high level of risk for financial institutions, making it crucial for them to have a solid vendor management program in place to effectively manage their vendors. A number of regulatory agencies including the National Credit Union Administration (NCUA) provide guidance to help credit unions evaluate the risks of working with third-party providers and understand examiner expectations related to their vendor management processes.

In a Supervisory Letter, the NCUA identified the following 3 concepts that credit unions should address and examiners should ensure are commensurate with the credit union’s size, complexity, and risk profile:

  1. Risk Assessment and Planning
     Before entering into a new third-party relationship, credit unions should determine whether the relationship complements their overall mission and philosophy. The credit union should evaluate the risks and benefits of outsourcing this process with the risk and benefits of keeping it internal. An explanation of how the relationship relates to the credit union’s strategic plan, long-term/short-term goals, objectives, and resource allocation requirements should all be documented. The credit union should conduct an initial risk assessment that includes the evaluation of enterprise risks including compliance, strategic, and reputation.

  2. Due Diligence
     Conducting thorough due diligence includes demonstrating a strong understanding of a third party’s organization, business model, financial health, and program risks. To ensure the proper risk controls are in place, credit unions must understand a prospective vendor’s responsibilities and all of the processes involved. Examiners should evaluate if the credit union’s due diligence process includes background checks, examining the third-party’s business model, the determination of how cash flows move between all parties in the proposed third party arrangement, financial and operational controls, contract evaluation and accounting considerations.

  3. Risk Measurement, Monitoring and Control
     Credit unions must establish ongoing expectations and limitations, compare program performance to expectations, and ensure all parties are fulfilling their responsibilities. Credit unions should develop policies and procedures detailing the responsibilities of the credit union and third-party including management oversight and reporting. On-going monitoring of controls over the third-party relationship should be implemented to mitigate risks.

Reduce Risk, Increase Compliance with Vendor Management Software

Regulations repeatedly make it clear that the use of third-party vendors or service providers does not reduce the responsibility of your credit union to ensure that data is safe, secure and complies with all applicable laws, regulations and security best practices. While it is more important than ever for credit unions to manage their vendors, many struggle with the best way to efficiently and successfully accomplish this. Until recently, most credit unions had only a handful of managed vendors, which could be tracked manually via a spreadsheet. While this may have worked in the past, regulators’ expectations today are much more sophisticated.

To comply with NCUA regulations, every credit union must be able to provide proper documentation on the ongoing monitoring and management of its vendor management program. Automating vendor management functions not only saves your staff time but also helps to ensure the institution is in compliance with regulatory requirements. An automated vendor management solution is an effective tool to help credit unions reduce risks and improve examination results.

For more information, please download our white paper: Why Automation is the Answer to Credit Unions’ Vendor Management Challenge.

23 May 2017
Carolina Alliance Bank Enhances Compliance Posture with Safe Systems’ Vendor Management Solution

Vendor management has taken on an increased level of importance as regulators are now more heavily scrutinizing how banks manage their third-party vendors. In response, many community banks and credit unions are looking for more efficient, effective ways to monitor their outsourced vendors, protect themselves from associated risks, and maintain overall compliance.

For South Carolina-based Carolina Alliance Bank, manually monitoring vendors through a spreadsheet simply became too time-consuming and cumbersome a task for its staff. The bank sought a proven solution that could help streamline vendor management processes and enable them to more efficiently manage contracts, renewals and other critical activities. As a long-time customer of Safe Systems, the bank determined that implementing this industry-specific, automated vendor management solution was the most cost-efficient method to control and manage the risks associated with its third-party providers.

Improved Compliance and Streamlined Processes

Using the manual spreadsheet method, it was sometimes difficult for the bank’s staff to provide the level of vendor reporting that regulators required. In contrast, Safe Systems’ Vendor Management solution enabled Carolina Alliance Bank to more easily provide the proper documentation to examiners and in doing so, clearly demonstrate that bank staff are properly reviewing and monitoring vendors on an on-going basis.

Furthermore, the bank is now able to centralize all documents in one location where staff and management can easily access them to provide detailed information for audit purposes and executive summaries for board review. Through this level of intelligent automation, paired with Safe Systems’ compliance support, the bank has significantly reduced the amount of time spent on vendor management processes, which has freed up resources to focus on additional revenue-generating activities for the bank.

“Since we switched over from a manual to automated process, we’ve received nothing but great feedback from regulators,” said Judy Price, Vice President at Carolina Alliance Bank. “Working with Safe Systems has enhanced our ability to meet regulatory requirements and provide ‘top of the line’ technology to our staff and customers. They are truly a valued extension of our team.”

For more information, download our vendor management case study, “Carolina Alliance Bank Improves Vendor Management Process.”

17 May 2017
Choosing a Credit Union Vendor

Evaluating and Selecting Third-Party Vendor Relationships – What your Credit Union Needs to Know

The majority of credit unions rely on third-party service providers for specialized IT services and technology that improve the overall quality and efficiency of the organization and for mission-critical software and hardware to actually run their business. As such, third-party providers have become an essential component of day-to-day operations, but it is important that credit unions understand the operational and reputational risks they assume if they do not select and manage these relationships and providers appropriately.

Some of the potential risks of using a third-party service provider include:

  • Compliance risks including violations of laws, rules or regulations or non-compliance with policies and procedures;
  • Reputational risks including dissatisfied members or regulation violations that lead to public enforcement actions;
  • Operational risks including losses from failed processes or systems, or losses of data that result in privacy issues;
  • Transaction risks including problems with service or delivery; and
  • Credit risks if a third-party is unable to meet its contractual obligations.

To help eliminate some of the risk that comes when working with third-party providers, there are several steps a credit union should take and processes that should be put into place before entering into an agreement with an outsourced provider. Before entering into a third-party relationship, credit unions should:

  • Determine whether the relationship complements their credit union’s overall mission and philosophy;
  • Document how the relationship will relate to the credit union’s strategic plan;
  • Design action plans to achieve short-term and long-term objectives;
  • Perform proper due diligence on all vendors;
  • Assign authority and responsibility for new third-party arrangements; and
  • Weigh the risks and benefits of outsourcing business functions with the risks and benefits of maintaining those functions in-house, if possible.

Once a vendor is selected, credit unions should:

  • Adopt risk management processes to coincide with the level of risk and complexity of its third-party relationship;
  • Implement an effective risk management process throughout the life cycle of the relationship including: plans that outline the credit union’s strategy, identification of the inherent risks of the activity, and detailing of how the credit union selects, assesses, and oversees the third-party;
  • Have written contracts that outline the rights and responsibilities of all parties;
  • Implement a process for ongoing monitoring of the third-party’s activities and performance;
  • Have a contingency plan for terminating the relationship in an effective manner; and
  • Have clear documentation and reporting to meet NCUA regulations and requirements.

Following all of these steps and ensuring third-party relationships are managed correctly can be a time-consuming, often cumbersome responsibility for credit union staff. In response, credit unions are looking for ways to more efficiently perform due diligence and manage their outsourced vendors, protect themselves from risk, and maintain NCUA compliance and requirements. Credit unions often determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. When implemented correctly, automated vendor management solutions can save a tremendous amount of time and money, reduce risks and eliminate potential compliance issues.

For more information, please download our white paper, Why Automation is the Answer to Credit Unions’ Vendor Management Challenge.

10 May 2017
Six Ways to Strengthen your Credit Union’s Vendor Management Program

Credit unions rely on third-party providers to offer specialized services and technology assistance to keep their operations running smoothly and help improve the overall quality and efficiency of their organizations. Vendor management has always been an important issue for credit unions, but with increased scrutiny from the NCUA, they now run greater risk of getting fined for not adequately managing their third-party vendors. In response, many credit unions are looking for ways to more effectively manage their roster of outsourced vendors while protecting themselves from the associated compliance risk.

Here are six steps to more efficiently monitor and manage third-party providers, ultimately strengthening a vendor management program:

  1. Perform Thorough Due Diligence
     The due diligence process ensures that a credit union has a consistent and reasonable approach to vetting its vendor relationships — especially if the vendor is providing a core business function or has access to personal confidential information. It’s not enough to perform due diligence during the initial vetting stage. Conducting diligence throughout the relationship, especially with mission-critical vendors, is essential to avoid being blindsided. Properly vetting and managing vendors will reduce risk for the credit union, while also ensuring all FFIEC and NCUA regulations and requirements are met.

  2. Develop Consistent Risk Assessment
     To properly assess risk exposure for vendors/services, establish consistent criteria to appropriately weigh the risk each poses to the credit union. This will help you grade or designate a level of criticality and risk for each service and each vendor. For example, will a vendor have access to private member data? Will it operate with our core system? The criticality will have a significant impact on the review process, as a more critical service or vendor will ultimately require more due diligence to be performed.

  3. Incorporate Vendor Management into the Business Continuity Plan
     If a credit union does not thoroughly analyze its vendors as part of the business continuity planning (BCP) process, it opens itself up to the risk of extended downtime. It is crucial for credit unions to know exactly how they are going to recover if their vendor goes down. Business Continuity/Disaster Recovery capabilities should be reviewed to determine if they align with the credit union’s Recovery Time Objectives. Regulators expect and mandate that credit unions have alternative procedures and processes in place in the event of disruption of service from a mission-critical provider.

  4. Board of Director Involvement
     The responsibility for properly overseeing outsourced relationships and the risks associated with that activity ultimately lies with the credit union’s Board of Directors and its senior management. It is typically the Information Security Officer (ISO), or sometimes the CIO or CTO, who is responsible for communicating with the Board and helping manage the process. In order to effectively communicate the need for comprehensive vendor management to the board, the ISO must first thoroughly understand exactly what examiners are looking for. NCUA’s Supervisory Letter 07-01 is designed to help credit unions better understand and manage the risks associated with outsourcing. This should not be a one-way line of communication. Board members are expected to understand the process and risks clearly enough to provide a credible challenge to the ISO when appropriate.

  5. Monitor and Control the Vendor Relationship
     Proper Vendor Management is cyclical. Staying abreast of important key dates, contract changes and upcoming vendor reviews and contract renewals is a key step in a vendor management program. Not doing so can end up costing you significantly, not to mention the added burden of inefficiencies if the process is not handled well.

  6. Implement an Automated Vendor Management Solution
     Many credit unions are looking for ways to more effectively manage their outsourced vendors, protect themselves from the risk, and maintain FFIEC compliance. Oftentimes, credit unions determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. Implementing automated vendor management solutions saves a tremendous amount of time and money, reduces risks and also eliminates compliance headaches. Moreover, an automated solution helps hold vendor managers accountable to a process that often gets “put on the backburner.” A complete vendor management system also ensures your Board of Directors and management are notified of all of the critical activities and actions required to effectively monitor a third-party relationship, ensuring all risk assessments, controls reviews and documentation are up-to-date.

Leveraging the skills and experience of third-party service providers can help credit unions better meet their members’ needs while accomplishing their strategic goals. Those that implement a solid vendor management program — and actively manage those relationships — will have the greatest level of success.

01 Jun 2016

Safe Systems Launches Enhanced IT Network Management Service for Community Banks, Credit Unions

Chris Banta, Director of Security and Automation
Marshall Jones, Director of Managed Services Development

Enhanced IT Network Management

To help ensure community banks and credit unions operate even more efficiently, securely and compliantly, we have enhanced our solutions to better meet our customers’ needs. Our new NetComply One managed IT offering is now available to help financial institutions further decrease costs, increase performance, and improve their compliance posture. We have rebuilt our entire IT network management service using insights gained while managing IT networks for more than 300 financial institutions over the past eight years.

NetComply One

NetComply One removes the burden of maintaining IT networks for community banks by further enabling Safe Systems to manage and monitor a client’s network hardware and software in a holistic manner. This eliminates the need for clients to directly administer challenging and time-consuming tasks internally, including patch management, anti-malware (optional add-on), and reporting. NetComply One uses automated patch management services to deliver patches for both Microsoft and common 3rd party applications. In addition, it reduces device exposure through server hardening. Educational resources and Account Management services help prepare banks for IT audits and exams, and reporting shaped by FFIEC guidance helps the bank meet and exceed regulatory standards.

Additional NetComply One Services

  • A centralized monitoring console with remote control access and monitoring capabilities
  • Dual factor authentication to log into the console
  • More comprehensive network monitoring and alerting function
  • Account Management services including quarterly control self-assessment preparation and meetings, which consist of audits, reviews, and executive meetings
  • Enhanced reporting functions, with reporting based on FFIEC requirements for IT audits
  • Security baseline services to ensure institution servers are secure
  • Online education material and live webinars on compliance and technology

Qualified Alerting

NetComply One also provides enhanced qualified alerting capabilities, which reduce the number of false alerts clients must review, making for a more streamlined and efficient level of service. Through this qualified alerting function, Safe Systems engineers will review and validate alerts before they are sent to the bank, nearly eliminating all of the noisy false positives and providing fewer distractions for the bank’s IT personnel. Safe Systems will continue to constantly monitor and alert on hardware failures, back-up failures, software updates, PC issues, servers, routers, switches, and more.

Redesigned Platform

In addition to delivering an enhanced set of services, Safe Systems has redesigned its underlying IT management and reporting platform to better support Microsoft Windows 10. This technology enhancement is designed to make it easier to implement future platform integrations. We have always brought outstanding IT network monitoring, alerting and reporting to our community financial institution clients. Our research revealed that clients who allowed Safe Systems to fully administer patch management services consistently out-scored other institutions on audits. The integration of our patch management best practices into NetComply One offers bankers a superior way to run their IT networks, enhance IT security, reduce risks, and minimize time spent with auditors.



10 Nov 2015

Safe Systems Introduces Vendor Management Software for Banks and Credit Unions

Recent cybersecurity incidents affecting financial institutions have largely involved third-party service providers, prompting increased attention by regulators and increased scrutiny of how third-party relationships are overseen. To maintain compliance with today’s stringent regulatory environment, community banks and credit unions must ensure their vendor management processes monitor and document every aspect of their vendor relationships, including concerns such as their vendors’ financial viability and information security practices.

To address this concern, we at Safe Systems are now offering our new vendor management solution to the marketplace. This web-based software automates the process of contract management, product risk assessment, and controls review to help banks and credit unions effectively manage third-party service providers and maintain regulatory compliance. This proven solution has been in use by a select group of approximately 20 client institutions during the past year.

“By the time I had used Safe Systems’ Vendor Management application for several weeks, I was convinced that this product met State Bank of Cochran’s needs for an automated vendor management solution. Their Vendor Management application met all of the regulatory specifications of a sound vendor management program: risk assessment, due diligence in selecting a third party, contract structure and review, documentation and reporting, as well as independent reviews, and ongoing oversight,” said Leesa Anderson, CTO of State Bank of Cochran.

 

As a Software as a Service (SaaS) solution, our vendor management software centralizes vendor profiles and data into a client dashboard to provide real-time alerts, reporting, and recommended controls. This customizable solution enables banks to automate vendor management activities, assess risk, and easily upload and track contracts from multiple vendors. Our vendor management solution also stores information in a SOC1 and SOC2 audited datacenter and integrates vendor information into our client management portal, “the Safe.” In addition, we provide ongoing training and consulting services with each license.

Vendor management is often the most under-manned function within a bank’s IT department. Many community financial institutions keep track of their vendor management activities manually using spreadsheets, but with our web-based software solution, banks and credit unions can easily monitor and manage multiple third-party service providers; understand the level of risk each vendor poses to your institution; and ensure compliance with regulatory guidelines.

13 Oct 2015

Vendor Management Best Practices for Community Banks and Credit Unions

Successfully managing your vendors


 
Vendors play an important role in the financial services industry. Financial institutions rely on third-party service providers to offer specialized services and technology assistance that help improve the overall quality and efficiency of their organizations.

To perform these services, vendors often must access, transmit, store or process sensitive information, including customers’ personal information. Financial institutions are responsible for managing the inherited risk, which is the residual risk the institution acquires, or inherits, from each service provider. Financial institutions must be aware of and responsible for any cybersecurity risks of their vendors and the potential for those vendors to expose the bank or credit union to additional risks.

Regulators have issued guidance to help in understanding and managing the risks associated with outsourcing a bank activity to a service provider. To remain in compliance with governing organizations, it is important for all financial institutions to strengthen their vendor management programs. These enhancements safeguard the confidentiality and availability of the data and also minimize the impact if a data breach occurs.

To help your community financial institution execute vendor management safeguards, here are some best practices for implementing a successful, secure and compliant vendor management program.

 


Centralize Vendor Information

To efficiently manage multiple vendors and all the activities involved in managing a vendor relationship, it is important to have all information housed in one centralized location. It also serves as a central repository for regulatory reporting.

Assess Risk

Have a list of all vendors that conduct business with the financial institution and rank each vendor according to its level of access to critical data and importance to operational activities. For most institutions, only about 10-15% of vendors are considered high risk, but all outsourced relationships must be risk-assessed. Establish a risk tier and implement different controls for the different risk levels.

Review Controls and Perform Due Diligence

Once risks have been assessed, the financial institution should perform due diligence for all vendors, with the intensity of the effort commensurate with the risk category; low-risk vendors may only need a cursory review, while high-risk vendors need a deeper dive. Due diligence activities include reviewing and assessing the vendor’s financial health; knowledge and familiarity with the financial services industry and banking regulations; information security controls in place; and ability to recover from breaches or disasters. These activities and the vendor relationships need to be documented, and procedures put in place that ensure the vendor information is updated and monitored on an ongoing basis. These same procedures must also ensure that service providers are complying with any applicable consumer finance laws and regulations, and have a plan in place to promptly address and identify problems.

Proper Documentation and Reporting

In order to comply with newly implemented FFIEC regulations, every bank and credit union must be able to provide proper documentation on the monitoring of its vendor management program. This documentation should include (at a minimum) a current inventory of vendors, due diligence results, contracts, risk management reports, reports to the board of directors and independent review reports. It should also be able to easily identify all high inherent risk vendors and all high residual risk vendors.

Following these steps will help ensure your financial institution is in compliance with the regulations and guidelines around vendor management. Ultimately, it is the financial institution’s responsibility to ensure all sensitive data is protected. Implementing the above processes and procedures will help create a solid vendor management program.




28 Jul 2015

Windows 10 Offers Community Banks and Credit Unions Improved Security


This post is the final in a three-part series exploring aspects of Windows 10. Also read: Part 1 discusses market statistics, and Part 2 dives into the interface.

Another Windows 10 area where Microsoft appears to be placing a heavy focus is security. In late April, Microsoft announced on its blog several new security features that will be present in Windows 10. This followed up on another security-minded post from October 2014. These features center on managing application execution and user identity and are especially important to financial institutions.

The application execution component is being termed Device Guard. The feature will be certified or supported by hardware manufacturers and will allow for the designation of authorized applications. Financial institutions interested in using this new tool will define authorizations at the network or enterprise level. Applications will be checked against the list to evaluate trustworthiness and prevented from executing if not authorized. Microsoft’s intent for this feature is to assist in preventing execution of malicious code, as modification of an existing previously authorized application would cause it to be de-authorized. It is important to note that Microsoft specifically mentions Device Guard will not prevent macros within documents from running; thus, the feature would enhance but not remove the need to continue using existing anti-virus and anti-malware solutions.

Windows 10’s new Identity Management features are called Windows Hello and Microsoft Passport. These features can supplement or replace the existing password mechanisms most commonly in use today. Windows Hello deals specifically with biometric user authentication. Microsoft indicated that fingerprint scanning, iris scanning and picture identification will all be supported; of course, specific hardware may be required in order to use these features. The Microsoft Passport feature in Windows 10 will authenticate and authorize users to a service or a network by using a cryptographic key stored on a hardware device. This technology has been in use for years with smart cards, but Microsoft is aiming to integrate this into the hardware of devices running Windows 10. Microsoft Passport, when used in conjunction with Windows Hello, would require both a biometric and specific hardware to access a user’s account. This multi-factor authentication approach would provide superior security over the traditional username/password combination.

This concludes our series exploring Windows 10. Microsoft plans to release Windows 10 to the general public starting on July 29, 2015. Please reach out to Safe Systems if you need assistance with your Windows 10 upgrade.







21 Jul 2015

Windows 10, What it Means to Community Banks and Credit Unions

 
 

This post is the first in a three-part series exploring aspects of Windows 10. Part 2 dives into the usability changes Microsoft has made in Windows 10, and Part 3 discusses changes to the security posture in Windows 10.

For nearly the past year, Microsoft has been gearing up for the release of Windows 10. It will be the direct successor to the much-maligned Windows 8, and a more spiritual successor to Windows 7. If you have seen Windows 9 in the wild, please let us know. It seems to have disappeared from Microsoft’s grand vision.

If you are reading these words on a desktop in mid-2015, there is a very good chance you are doing so on a Windows 7 machine. Hopefully, you are not still using a Windows XP device. If you are, fingers crossed in hopes that your auditor doesn’t know about it. Statistically speaking though, you probably are NOT using Windows 8.

The banking industry (perhaps even more so than the US at large) seems to have largely skipped out on Windows 8. By my recent count of NetComply client endpoints running a Desktop operating system, roughly 0.4% are currently running Windows 8 or 8.1. Put another way, for every 250 endpoints roughly one of those is running Windows 8. In fact, there are currently three times more Windows XP than Windows 8 devices within our NetComply clients. Thankfully, none of those XP devices are on your network! Right?

Given that Windows 7 was first released in July of 2009, one need not read too deeply to see Microsoft is expecting to upgrade many existing devices to Windows 10. Interestingly, Microsoft has indicated that it will provide free upgrades to Windows 10 for existing installs of Windows 7 and 8 on the consumer side. This may lend further credence to the theory that they are expecting to make up the difference in revenue from the business and enterprise side.


