Business Continuity Management Archives

12 Jan 2023

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

Top Blogs of 2022

Last year, we covered a wide range of blog topics, including ransomware prevention and recovery; business continuity management and disaster recovery; and managing Microsoft Azure and Microsoft 365 settings. In case you missed them, here’s a synopsis of our top blogs of 2022. Reviewing these important issues can help your bank or credit union be better prepared for the challenges—and opportunities—that lie ahead in 2023:

1. Best Practices for Ransomware Prevention and Recovery

Ransomware attacks strike a new target every 14 seconds, disrupting operations, stealing information, and exploiting businesses, according to the Cybersecurity and Infrastructure Security Agency (CISA). However, financial institutions that consistently employ best practices can prevent or bounce back from a ransomware assault. As an optimal strategy for prevention, institutions should identify and address known security gaps that can allow a ransomware infection. Since human error is the primary reason for most security breaches, banks and credit unions should focus on providing ransomware awareness training to help employees identify, respond to, and minimize attacks. They can also limit cybersecurity risk by using intelligent network design and segmentation to restrict ransomware intrusions to only a portion of the network and by having overlapping security solutions to provide layered protection. If a ransomware incident does occur, financial institutions should have pre-defined procedures for response and recovery. Many smaller institutions may lack the expertise internally to implement ongoing best practices for ransomware prevention and recovery, but they can work with an external cybersecurity expert to augment their resources. Read more.

2. Your Guide to Business Continuity Management and Disaster Recovery Planning

It can be challenging for financial institutions to implement successful strategies for business continuity management (BCM) and disaster recovery (DR). But our compilation of key strategies and best practices can facilitate the process. BCM encompasses all aspects of incorporating resilience, incident response, crisis management, vendor management, disaster recovery, and business process continuity, and it is an essential requirement for avoiding and recovering from potential threats. DR—the process of restoring IT infrastructure, data, and third-party systems—should address a variety of events that could negatively impact operations, including natural disasters, cyberattacks, technology failures, and even the unavailability of personnel. For successful disaster recovery, institutions should focus on four important “Rs”: recovery time objective (RTO), recovery point objective (RPO), replication, and recurring testing. In addition, leveraging a comprehensive cloud DR service can enhance redundancy, reliability, uptime, speed, and value. Using a cloud DR solution from an external service provider can give institutions the confidence of knowing their DR plan is being thoroughly tested and will work if a real disaster happens. Read more.

3. Managing Security, Identity, and Compliance within the Microsoft Azure and M365 Ecosystem

Microsoft Azure Active Directory (Azure AD) and Microsoft 365 have a distinct ecosystem. Understanding their services and settings is critical for IT administrators to manage security, identity, and compliance within their environment. Institutions can significantly bolster security by implementing some of the basic security settings under the free license level for Azure AD. Adjusting the security default setting, for example, can have a major impact. IT administrators can enable security defaults to enforce non-configurable conditional access policies as well as require multifactor authentication (MFA) registration for all users. IT admins should also review the identity architecture for their institution to ensure all users, devices, and apps connecting to Azure have an identity. Depending on their license level, institutions may be able to modify additional settings, such as allowing global auditing, blocking open collaboration, and restricting outbound email forwarding. Microsoft is constantly revising the features of Azure AD and M365, making it vital for financial institutions to stay on top of their ever-changing ecosystem. Read more to learn how to manage the complexities of customizing your Azure AD and M365 security settings.

Read about other important topics on cybersecurity, compliance, and technology. Subscribe now to the Safe Systems blog to have the latest updates on banking trends and regulatory guidance conveniently delivered to your inbox.

27 Jul 2022

Banks, Compliance, Credit Unions Christine Ray 0 comment

Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our expert’s core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, all COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

02 Feb 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2021 Compliance Review and Tactics for Staying Ahead of Regulators in 2022

Compliance Review and Tactics

With 2021 in the rearview and 2022 well underway, it’s a good time to consider some compliance issues from last year, and current trends and tactics for keeping ahead of regulators this year. In 2021, we saw a number of compliance-related changes from the Federal Financial Institutions Examination Council’s (FFIEC) and Federal Deposit Insurance Corporation (FDIC). One important development, especially for smaller community banks and credit unions, was the FDIC’s new Office for Supervisory Appeals. The office—launched in December to operate independently within the FDIC—considers and decides appeals of material supervisory determinations. It replaces the existing Supervision Appeals Review Committee.

The Office of Supervisory Appeals will “enhance the independence of the FDIC’s supervisory appeals process and further the FDIC’s goal of ensuring consistency and accountability in the examination process,” according to the FDIC. There’s a broad range of material supervisory determinations that institutions can appeal through the office, including CAMELS ratings under the Uniform Financial Institutions Rating System; IT ratings under the Uniform Rating System for Information Technology (URSIT); and Trust ratings under the Uniform Interagency Trust Rating System. This new appeal process isn’t a guarantee that supervisory findings will be changed but may prove useful as a last resort for FDIC institutions facing downgrades in scores where there is a material disagreement between the FI and the FDIC.

Another significant FFIEC development last year involved amendments to the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. The BSA amendments included certain provisions to the USA Patriots Act to detect, deter and disrupt terrorist financing networks. This would appear to be an area of focus going forward, as 3 of the 10 most substantive (i.e., non appointment-related) FFIEC releases in 2021 were related to BSA/AML.

In June, the FFIEC issued a new Architecture, Infrastructure and Operations (AIO) booklet as part of its Information Technology Handbook. With this logical move, the FFIEC replaced its July 2004 Operations Handbook with a single booklet that merges three interconnected areas. In August the FFIEC also enhanced its guidance on authentication and access to services and systems—advocating for the widespread use of multi-factor authentication (MFA)—and released guidance on conducting due diligence on fintech companies.

One additional item of note in 2021; the FDIC’s tech lab, FDITECH, launched an initiative to challenge institutions to measure and test bank operational resiliency. Ultimately, a set of metrics may be applied to financial institutions—perhaps community banks in particular—to determine whether they are adequately resilient against operational disruptions. We’re keeping a close eye on this as it may lead to a universal formula for grading or ranking resilience. Anything that reduces subjectivity also reduces uncertainty, and that is a good thing when it comes to regulations.

Tips, Tricks, and Tactics

One of the main tactics to apply now to enhance compliance is to focus on the concept of resilience in all areas of the financial institution. Incorporate this concept into your business continuity management plan, vendor management program, third-party supply chain management, and information security. The key is to prepare in advance for a disruption—to put processes in place to reduce the possibility of disruption, and to minimize the impact of disruption should it occur.

Here’s another way to stay ahead of regulators: Financial institutions can connect the concept of risk appetite to the acceptable risk in their risk assessments. This goes beyond merely asserting that whatever residual risk you may have is deemed acceptable, which is highly subjective. Inherent risk less controls establish residual risk. However, residual risk levels must be compared to pre-determined risk appetite levels to determine acceptability. Only if the residual risk is less than or equal to their risk appetite can residual risk be considered acceptable. This process also reduces subjectivity and uncertainty—which should leave examiners and auditors much less room for interpretation, and result in a better audit/exam experience for you.

What to Consider in 2022 and Current Trends

Another area we’ll definitely be watching in 2022 involves the new incident notification rules that were issued late last year. All financial institutions will need to update their incident response plan and possibly their vendor management program and business continuity plans to accommodate these new regulations. These changes, while not necessarily difficult, can be pervasive in that they will cross over into multiple policies and procedures. In short, the rule requires institutions to notify their primary federal regulator as soon as possible—no later than 36 hours—after they determine that a notification incident has occurred. There are also new requirements for third parties to notify you if they experience a similar event, which could require changes to the vendor contract. The effective date of the new rule is April 1, 2022, with compliance expected to begin on May 1, 2022. There may be a grace period, but financial institutions should be prepared for examiners to ask questions about your adherence to these new rules at your next Safety and Soundness exam.

Regarding trends, we believe the focus on third-party risk management will continue in 2022 and into the future. Currently, there’s growing support for the idea of having the FDIC, Federal Reserve, National Credit Union Administration (NCUA) and other agencies coalesce around a single set of standards for third-party management. This would create more consistency with the rules concerning how regulators and others define third parties and vendors, and expectations for effective risk management. The outcome of the discussions around this topic may not manifest until Q3 or Q4 of this year, but institutions should work on formalizing their process for conducting due diligence when dealing with fintech companies and other critical vendors.

Safe Systems has been serving financial institutions for more than 25 years. To get more of our experts’ views on this topic, listen to our webinar on “Compliance Review and Tips, Tricks, and Trends for Staying Ahead of Regulators in 2022.”

05 Nov 2021

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Minimize Examiner Scrutiny by Automating Compliance Processes

Financial institutions can expect to receive increased auditor and examiner scrutiny over their governance and oversight practices, and inconsistencies between procedures and practices will often result in findings. However, these challenges can be minimized or even eliminated by using automation to manage compliance processes.

Incorrect or Outdated References

One of the most widespread exam issues institutions encounter is due to policy inconsistencies, where incorrect or outdated references are used. Mentioning outdated guidance in policies is one of the most common offenses that institutions commit. For instance, referring to an older term like SAS 70 (Statement on Auditing Standards No. 70) or SSAE 16 (Statement on Standards for Attestation Engagements No. 16) instead of the newer SSAE 21 (Statement on Standards for Attestation Engagements No. 21) could be dismissed as a minor oversight, but it could also be considered a “red flag” causing examiners to question whether the institution has properly updated its policies, resulting in further scrutiny. A weakness in one area strongly suggests that there may be other weaknesses.

Another example of this type of issue is referencing “business continuity planning” (or BCP) versus “business continuity management planning” (or BCMP). Again, this would be a minor mistake because the term business continuity planning is not necessarily obsolete; still, it’s not consistent with the most recent guidance, and could lead to deeper dives in other areas. (In 2019, the Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management booklet. This guidance, part of the FFIEC Information Technology Examination Handbook, replaces the Business Continuity Planning booklet issued in February 2015.)

The problem with employing slightly outdated terminology also applies to phrases like “maximum allowable downtime” (MAD) and “maximum tolerable downtime,” (MTD) which is the newer reference. Examiners and auditors will accept either phrase so this is not a critical issue, but the use of dated terms can instill doubt in examiners and make them inclined to dig deeper into the institution’s policies.

Procedure and Practice Inconsistencies

Disconnects between policies and practices are another frequent exam challenge for institutions. Ideally written procedures should not contain statements that contradict the institution’s actual practices. In other words, your actual practices should as closely as possible reflect what you say you’ll do in your written procedures. For instance, there would be a procedure/practice inconsistency if the password policy of the information security program required eight characters, and the acceptable use policy (AUP) that employees signed allowed passwords of a different length. This type of inconsistency will almost certainly lead to further issues with examiners and auditors.

Another key area of focus for examiners and auditors is board reporting. Disconnects can occur if the information presented to the Board is not properly documented in Board minutes. This challenge is compounded by the sheer volume of information modern Boards are required to digest. The only way to make sure board minutes contain all pertinent details is to periodically review them. This will help ensure that the content of board meetings is consistent with both examiner expectations, and your written procedures.

Integrating Automation

In addition to changes in guidance terminology or updates to guidance policies, an institution’s procedures can and do change periodically as well. So contradictory statements resulting from policy updates are inevitable. Still, financial institutions must be aware of guidance changes and must also ensure their current procedures align with their practices and are consistent across all documents to make sure they comply with industry guidance and regulations. While this is easier said than done, technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

For example, a simple way to assess your potential exposure to procedural disconnects is to search through the documents in your institution’s information security program, for statements that include the words “will,” “must” or “shall.” Each of these statements contains an obligation of some sort; something you’ve committed to doing. For each occurrence, determine if A) it’s being completed exactly as indicated, B) by the group or individual assigned responsibility, and C) it’s being performed at the designated frequency or interval. Automation can help track these tasks and provide the necessary proof in the form of documentation. Additionally, most policies will make multiple references to the same task; business continuity may be referenced in information security, incident response in business continuity, vendor management in both information security and business continuity, etc. A change to a procedure or practice in one document should automatically trigger the associated changes elsewhere.

Integrating automation into the equation can help institutions streamline their methods for managing a variety of compliance changes and issues and greatly reduce the most common causes of findings due to disconnects and inconsistencies. Automation can make it easier to maintain more consistent and complete integration in areas throughout the organization, including information security, risk management, network management, vendor management, and business continuity management. Ultimately, automated updating, tracking, reporting, and other tasks can facilitate better preparation for exams and audits, and greatly reduce stress levels!

To learn more about how automating routine procedures can help financial institutions avert auditor and examiner criticism, listen to our webinar on “Managing Your Compliance Processes in 2021: Is There a Better Way?”

If you’re not certain where to begin when it comes to automating your compliance processes, check out our new service, COMPaaS™ (Compliance as a Service). This set of connected applications and powerful monitoring and reporting tools can be customized to target and eliminate your institution’s specific compliance pain points. One of our experts will help you create a solution that is unique to your institution, so you only pay for the services you need. And you can feel confident in choosing from products and services that are backed by nearly 30 years of experience in the banking industry.

03 Jun 2021

Banks, Credit Unions, Technology Marshall Jones 0 comment

What CEOs Should Know about Disaster Recovery

Disaster recovery—the process of restoring IT infrastructure, data and systems in the aftermath of a major negative event—is a specialized area of technology that’s not always top of mind for executives. CEOs must ensure their organization is equipped to quickly resume mission-critical functions following a calamity.

Here are some key considerations that bank CEOs should keep in mind to make sure their financial institution has a feasible approach to disaster recovery.

Expect the Unexpected

A disaster can happen anytime—and in any form. While people typically think of disasters as being natural occurrences, manmade catastrophes such as power outages, equipment failures, cyber attacks, and network downtime due to human error are equally common causes of disruption. Regardless of the source, the need for DR is truly a matter of when—not if. So, CEOs should get comfortable with the uncomfortable idea that some type of disaster will eventually impact their institution.

Be Proactive

DR planning is the key to both preventing disasters, and when they do eventually occur, successfully recovering from a natural or manmade calamity. Not having a sufficient plan in place can hit an institution where it hurts most: a loss of data, business functions, clients and reputation—not to mention time and money. Therefore, bank CEOs must ensure their management team is taking proactive steps to adopt effective DR strategies. This includes implementing—and testing—a plan for getting operations back to normal with minimum interruption.

Besides the practical need for DR planning, the Federal Financial Institutions Examination Council (FFIEC) advocates taking a preemptive approach to this often overlooked area of technology. The FFIEC IT Handbook’s Business Continuity Management booklet advises: “Management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the BIA. In addition, management should develop a coordinated strategy for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software.”

The business impact analysis (BIA) is one tool that bank management can use to ensure their financial institution is adequately preparing for DR. This important mechanism predetermines and prioritizes the potential impact disruptive events will have on business functions. Essentially, the BIA can show gaps in critical processes that would impede disaster recovery and, in turn, the institution’s business continuity.

Consider Outsourcing DR

The intricacies of disaster recovery planning can be daunting, which is why many organizations fail to create a viable DR plan. More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyber attacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient and cost-effective. Outsourcing DR can be especially advantageous to smaller banks that may lack this type of specialized knowledge in house. It can also benefit larger institutions that want the comfort of having third-party services available to support their resident DR specialists.

CEOs have a lot on their plates but paying attention to these important DR issues can help ensure both operational resilience during a disaster as well as regulatory compliance. To learn more about how Safe Systems helps financial institutions and their CEOs develop well designed, compliant DR plans, explore our Managed Site Recovery solution.

13 May 2021

Banks, Compliance, Credit Unions Safe Systems 0 comment

Is Your Financial Institution BCM Compliant?

It’s been a few years since the FFIEC updated its BCM IT Examination Handbook and expanded its focus from “business continuity planning (BCP)” to “business continuity management (BCM).” While most financial institutions should already be aware of the updates to the handbook, it’s always beneficial for banks and credit unions to refresh their plan to remain up to date and compliant when it relates to business continuity.

In a recent post, Safe System’s compliance expert, Tom Hinkel, discusses five key points to keep in mind when evaluating your Business Continuity Management plan:

Resilience
Entities vs. Institutions
MAD vs. MTD
Exercises and Tests
Guidance vs. Requirements

In case you missed the full blog, view it here

22 Apr 2021

Banks, Compliance, Credit Unions Marshall Jones 0 comment

Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

As part of business continuity management (BCM), banks and credit unions must ensure they can maintain and recover their operations after a catastrophic event happens. Their BCM strategy should outline all the significant actions they intend to take after a natural disaster, technological failure, human error, terrorism, or cyber attack. The goal is to lessen the disaster’s impact on business operations, so the financial institution can continue running with minimal loss and downtime.

Disaster recovery (DR) is essentially the IT part of the business continuity plan. It should address the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software needed to get operations back to normal, based on the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

The Need for a Comprehensive DR Solution

Financial institutions must have effective DR measures in place to ensure they can deliver the resources their employees need to continue serving customers after a disaster. That’s why having a comprehensive DR service is so critical. The simplest and most cost-effective way to accomplish this is with a cloud-based solution.

With DR in the Cloud, institutions are always prepared to respond to natural and man-made disasters as well as infrastructure and technology failures. The Cloud allows institutions to access their data—no matter what kind of disaster strikes. This could be crucial if a severe storm does damage to an entire city and multiple locations of a community financial institution. The institution would not be able to handle DR on-site, making the Cloud the most viable option. The March 25th outbreak of tornados in central Alabama is a good example of the potential need for cloud DR. The tornadoes tore into hundreds of miles of Alabama forest and neighborhoods, causing significant damage, according to the National Weather Service.

The Cloud provides major benefits in any DR situation, including ease, expediency, and efficiency. If institutions have been doing ongoing backups, they can leverage the Cloud to initiate DR right away. The process is quick; recovery can take minutes instead of hours or days as it did for older DR solutions. However, it’s important to set up DR processes so that they are not subject to issues that can impact the institution’s main system. Take, for instance, the rapidly increasing problem of ransomware. It’s important to have cloud DR services structured so that the DR backups cannot also be infected with the same ransomware.

Essential Aspects of a DR Service

Another essential element for a cloud DR service is testing. The test results should be documented and available for Management and the Board of Directors to scrutinize. This can help institutions ensure their expectations are being met by the DR service. Institutions that are not using a comprehensive DR service are more likely to delay the testing and validation steps that are critical to business continuity planning (BCP). It’s basic human nature: IT admins tend to prioritize addressing urgent day-to-day issues over doing routine testing.

So, either testing doesn’t get done regularly or it doesn’t happen at all. A third-party DR service with a team of experts available can make sure testing gets done at the proper time. Another important issue for institutions is having IT staff available with the appropriate knowledge when a disaster strikes. With an external service provider, someone with the right expertise will always be there to execute the disaster recovery. So, the success of the institution’s DR plan will not depend on the availability of just a few employees.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. It can give financial institutions the best bang for their buck. Not using cloud DR can be cost-prohibitive for many institutions, considering the hardware and software requirements, maintenance, ongoing testing, and documentation required. Ultimately, a cloud DR solution from an external service provider can give institutions the comfort of knowing their DR plan is being adequately tested and will work during a real disaster.

25 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The ISO in 2021: New Challenges and Expectations Require a New Approach

The ISO in 2021 Featured Image

One of the key lessons financial institutions learned from the COVID-19 pandemic is that regardless of new challenges and seemingly constant change, they were expected to ensure their customers and members continued to receive products and services uninterrupted. The past 13 months (and counting) have been a live exercise in operational resilience.

The current crisis—perhaps more than any even prior—has underscored the true scope of the Information Security Officer’s job. Technically, there are only eight broad areas of responsibility for ISOs outlined in the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Management booklet. But the actual scope of ISO accountability spans at least 36 elements. One of the key challenges and responsibilities of the ISO is stakeholder reporting, which is intricately linked to accountability. The relationship between responsibility and accountability is that while the ISO is responsible for making sure critical InfoSec tasks are completed, they are also accountable to the various stakeholder groups, which requires providing documentation that a task is being completed a certain way, with a certain group, or with a certain frequency.

To meet their accountability obligations, because information security is pervasive, ISOs must be engaged at all levels across the enterprise and in all lines of business. This requires understanding every place that data is stored, processed, or transmitted—whether it involves a customer or member, employee, or vendor. The ISO also needs to be aware of the latest emerging risks and be able to implement an effective mitigation strategy. Ultimately, ISOs need to be effective at translating information to the board, management committee, and IT auditors and examiners, in a manner in which these various stakeholders are best able to consume and comprehend it.

The expectations for ISOs also extend beyond the traditional area of ensuring the confidentiality, integrity, and availability of data. ISOs are also responsible for minimizing the disruption or degradation of critical services—which has emerged as the more urgent necessity during recent pandemic and cyber events.

Some of the early challenges ISOs faced during the pandemic ranged from the technical, such as securing virtual private network access, to the administrative, such as ensuring that employees have signed acceptable-use policies and remote-access agreements. Fortunately, we’ve found that most institutions adjusted well to the initial hiccups, resulting in minimal degradation in their services. However, cybersecurity promises to keep that pressure on for the foreseeable future, even post-pandemic.

Predictably, financial institutions are now seeing more exam scrutiny in three areas.

Business Continuity Management (BCM)

When the FFIEC implemented a BCM update in 2019, it created new terminology and new expectations that are finally beginning to emerge in exam findings.

Strategic Planning

The expectation for additional strategic planning is calling for more formal project management procedures. On the IT examination side, FIs are receiving requests for “pre-initiative” risk assessments, meaning that ISOs are expected to assess the risks of a project or initiative before they even agree to move forward and select a vendor. The FFIEC’s Development and Acquisition Handbook states that “Poor planning often contributes to projects failing to meet expectations.” This early stage is referred to as the “initiation” or “feasibility” phase of the project. Once the project clears this phase and moves forward, a vendor or vendors are selected, and vendor due diligence and on-going management can proceed. As the project proceeds to completion, management should be kept informed.

Board and Committee Reporting

Which is now focusing on not just what gets reported, but the frequency of the reporting as well. Suffice to say that the traditional annual updates won’t get it done going forward.

A New Approach to Virtual ISO Services

With ISOs being forced to wear multiple hats, some institutions are choosing to leverage a virtual ISO solution. Whether outsourced, insourced, or a hybrid virtual ISO model, each offers varying levels of service, flexibility, and support. Further still, several FIs are leveraging technology in tandem with security expertise to support their ISOs.

Safe Systems’ ISOversight is a proven risk management solution that provides complete and comprehensive accountability for the responsibilities of the ISO position. This third-party solution assigns a dedicated ISO oversight lead who understands the details of the institution’s environment and provides institutions with expert guidance and access to additional resources. ISOversight is an ideal asset for new (or frankly, overwhelmed) ISOs that may be struggling to keep up with the complex responsibilities of their position. And now with federal and state examiners tightening their level of scrutiny, ISOversight is proving even more crucial for institutions that need to enhance their information security expertise.

To learn more about how Safe Systems is supporting ISOs in the industry, listen to our webinar on “The ISO in 2021: A New Approach to New Challenges and Expectations.”

04 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

5 ISO Duties that Can Be Automated for FIs

Information security officers (ISOs) at financial institutions typically have myriad responsibilities on their plates, and each of those responsibilities comes with one or more forms of documentation to verify the actions taken. While these duties relate to the main categories of network security and regulatory compliance, there are a host of functions that fall under the ISO’s oversight role.

Fortunately, many ISO responsibilities can be automated in some areas to facilitate the management of the institution’s information security program. Here are five of them:

1. Business Continuity Management (BCM)

ISOs are responsible for overseeing and coordinating BCM, providing detailed guidance on how to recover from a business interruption, and ensuring that the appropriate people, processes, and technology components that make up the network of interdependencies are also restored. Automation can make it easier for the ISO to identify the interdependencies, complete the annual updates, and conduct the training exercises and testing required. Automation can also enable alerts for tasks due by process owners, and generate reminders for annual plan board approval, and report the test results to the board. While the tests for BCP cannot be automated, the documentation and reporting of the tests can—something that can significantly streamline the ISO’s oversight responsibilities and make it much easier to locate these documents at audit and examination time.

2. Updates to the Information Security Program and Information Security Risk Assessment

Automation can provide alerts to help ISOs keep abreast of updates from regulators. Then the ISO can easily pull reports on the revised areas to present them for board approval. Essentially, it’s plan maintenance that can be automated—although some interpretation is needed to support the process. Automation can prevent an institution’s information security program from becoming out-of-date (which can happen easily when an ISO is relying on manual processes for management) as failing to make an important update can have significant, negative consequences. For instance, if management misses a major BCP update, or an annual test, or board reporting, auditors may construe this as a general weakness in management, and scrutinize other areas more closely, such as lending practices or financial reporting. Automation can help institutions avoid inadvertent missteps and resulting hassles within their information security program.

In addition, many recent examination findings relate to inconsistencies between the institution’s policies (what they say they do) and their procedures (how they say they will do them). Automation, when combined with integration between applications, can greatly reduce this probability by easily propagating policy and procedural changes throughout all elements of your information security program. For example, sometimes financial institutions will update their BCM plan but might be lax with other policies—something that can result in a disconnect between different policies. In this case, one policy may refer to a process that is no longer being used; or a policy may contain conflicting references for a process that has been updated. These and other kinds of inconsistencies are virtually impossible to catch without automation and integration.

3. Tracking Audit Exam Findings

Unresolved, or “repeat” findings are usually treated very harshly by regulators. Making sure that all audit and exam issues are resolved in a timely manner is crucial. Automation can rate the severity, assign them to a responsible party, assign a due date for resolution, and sending “ticklers” and reminders as the dates come due. At the end of the process, the ISO can quickly generate reports to provide to the institution’s board, examiners, and other stakeholders. Alerts and on-demand reporting can enhance accountability for addressing each of the findings to improve internal controls and other areas.

4. Managing Third-party Relationships

Financial institutions are required to manage the risks of their third-party vendors and the responsibility to assure this is done falls squarely on the shoulders of the ISO. Institutions can use automation in every aspect of their vendor relationship management, including alerting and tracking of periodic updates to the risk assessments, annual updates to the control reviews, contracts, and contract renewals. With automation, the ISO can instantly identify required tasks and produce the necessary documentation related to its vendor management activities.

5. Cybersecurity

Cybersecurity is an important sub-component of information security, and automation can significantly enhance the ISO’s multiple oversight efforts in this area. An automated system can remind ISOs to verify that crucial assessments are completed, including the annual Cybersecurity Assessment Tool (CAT) and the Ransomware Self-Assessment Tool (R-SAT). Alerts can be scheduled to prompt ISOs to conduct annual incident response tests, a gap analysis, and cybersecurity training for employees and the board. And on-demand reporting can keep all stakeholders informed on the progress of your cybersecurity efforts.

One final thought about automation; when the application is combined with a provider familiar with, and dedicated to, the regulatory environment of the financial institution, you do not have to worry about a non-compliant policy or procedure. All necessary regulatory and best practice updates are built-in to the automation.

As a national provider of fully compliant IT and security services, Safe Systems offers a variety of innovative solutions that can help financial institutions automate some of the important responsibilities of their ISO.

08 Jan 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2020 in the Rearview: A Regulatory Compliance Update

The COVID-19 pandemic dominated the regulatory landscape early in 2020, with cybersecurity dominating the last couple of months. Here is a look back at important regulatory changes and trends in 2020 and a look ahead at what to anticipate for 2021.

Characterizing Causes of Weakness

When it became obvious that the pandemic would have a pervasive and wide-ranging effect, the Federal Financial Institution Examination Council’s (FFIEC) issued several statements to address the situation. The FFIEC outlined some of the adjustments and accommodations that regulators expect bankers to make concerning lending, operational risks, and other areas. For instance, if an exam results in downgrading component or composite ratings for an institution, a distinction will be made between any weakness caused by the pandemic vs. management and governance issues.

Essentially, examiners will differentiate between a weakness resulting from an external event versus an internal systemic issue—even if the event is beyond management’s control.

The statement issued in June 2020, states, “Examiners will consider whether institution management has managed risk appropriately, including taking appropriate actions in response to financial and operational stresses caused by COVID-19 impacts.”

It is uncertain exactly how this issue will be interpreted in a post-pandemic world. After all, pandemic should be a part of all financial institutions’ business continuity planning, and as such, not completely outside the realm of a reasonably anticipated threat. So ideally management should have anticipated such an event, and have been prepared to respond. The only unanticipated aspect of the current Covid 19 event is the extreme extended duration compared to a standard Pandemic. It will be interesting to see how the agencies square the concepts of a “reasonably anticipated threat” vs. “external factors beyond management’s control”. Aren’t most threats both reasonably anticipated, and also beyond management’s control? We’ll let you know if and when we get any clarification on that.

Regardless of the scenario, documentation is crucial and often overlooked. Most folks are laser-focused on just getting past this and back to “normal” business, but memories fade over time, and documenting what adjustments you’ve made (or plan to make) during the pandemic will make the post-pandemic adjustments easier to explain to management and justify to examiners. Documentation can also help establish your increased ability to anticipate and respond to the next threat, also referred to as “resilience”. Institutions should make every attempt to document all management decisions, such as the minutes from management meetings, communications with third-parties, and any strategic or procedural changes you may have made or need to make. For example, if you’ve implemented technology to enable an increased mobile workforce (a strategic change), have you updated the remote access procedures and best practices in your employee Acceptable Use Policy accordingly (a procedural change)? Have all remote employees signed the updated AUP?

In our next blog post, we will dive into the focus on ransomware mitigation, how best to address cybersecurity, and what to expect heading into 2021.

01 Dec 2020

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Why Documentation is an Essential Priority During the COVID-19 Pandemic

While financial institutions have spent the last nine months focused on pandemic response and ensuring critical services remain available to their customers and members, there are other key areas of consideration to ensure their institutions remain compliant and can thrive in the future, including documentation. Unfortunately, few financial institutions are adequately documenting their efforts and new strategies as they are being implemented. Below are three key reasons why they really should.

1. Regulatory Expectations

Examiners will expect to see how financial institutions have handled the pandemic and that all of the lessons learned are reflected in their business continuity management plans (BCMP).

Some key questions regulators may ask regarding pandemic response include:

What have you learned from this event?
What have you done to enhance your pandemic plan based on those lessons learned?
Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time?
Have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access?
If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

2. Key Lessons Learned

All banks and credit unions must take a different approach to pandemic planning that fits well with their institution’s unique needs. They need to consider all of the challenges they’ve faced throughout the pandemic and apply key lessons learned to enhance their operations, including the importance of cross-training staff, enhancing security measures, succession planning, or improving technology for an employee to work at home. Until the pandemic passes, financial institutions should continue to reference their business continuity plans and document the entire process to create a blueprint for reference if a similar situation arises again in the future.

3. Strategic Planning

According to the FFIEC, an entity’s strategic planning should be developed to address all foreseeable risks, and these risks should cover the potential impact on personnel, processes, technology, facilities, and data. Throughout the pandemic, financial institutions should track what they are doing, how they are doing it, and whether any new procedure should be included in their existing crisis management or response plan.

The key is for institutions’ steering or strategic planning committee to stop periodically and document—or backfill information after the fact (at least a month or a quarter later.) Failing to document this process will result in institutions returning to business as usual after the crisis subsides and potentially making serious mistakes if a pandemic situation occurs in the future.

To learn more about pandemic response and key priorities for financial institutions, download our latest white paper, “Navigating the Coronavirus pandemic: Best Practices for Pandemic Planning and Key Lessons Learned for Community Banks and Credit Union.”

19 Nov 2020

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

3 Key Concepts to Incorporate into Your Business Continuity Management Plans

The 2019 FFIEC Business Continuity Management Handbook represented a significant change in how bank and credit union examiners will assess your business continuity planning efforts going forward. Here are 3 concepts to make sure you’ve incorporated into your Business Continuity Management Plan (BCMP):

1. Likelihood and Impact

According to the Federal Financial Institution Examination Council’s (FFIEC) Business Continuity Management Handbook, “management should evaluate the likelihood and impact of disruptive events. Risks may range from those with a high likelihood of occurrence and low impact such as brief power interruptions to those with a low probability of occurrence and high impact such as pandemics. The most difficult risks to address are those that may have a high impact on the entity but a low probability of occurrence.”

Performing a risk assessment helps financial institutions identify all potential risks and classify them based on probability and impact. They should also quantify the impacts and define loss criteria as either quantitative (financial) or qualitative (e.g., impact to customers, reputational impact). However, to efficiently assess these risks, banks and credit unions need to be able to visualize them and plan accordingly. One way to do this is to use a four-quadrant matrix to scatter graph and plot the likelihood and impact of every threat.

Likelihood and Impact Graph

There are many other ways to do this, but whichever method you choose, examiners expect financial institutions to be able to document both probability and impact, and not only for the high probability and high impact threats, but also for the low probability high impact threats.

Although the Handbook lists Pandemic as an example of a low probability, high impact event, you may want to adjust the probability (and possibly the impact) rating upward based on the COVID 19 event. At this point, it is a certainty that everyone has been impacted somehow.

2. Resilience

Resilience is the ability to prepare for—and adapt to—changing conditions, and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. The first step to resiliency is to identify your proactive measures for mitigating the risk of a disruptive event such as:

Off-site repository of software (Data vaulting)
Appropriate backups of data

Cloud-based disaster recovery services may be considered as part of resilience programs

Off-site/redundant infrastructure (Hardware, data circuits, etc.)
Third parties (Alternate vendors/suppliers)
Key personnel (Succession planning)
Cybersecurity assessment tool

Annual process of considering changes in inherent risk and how your evolving in maturity

These are things you probably are already doing. If so, you can use your calculations to show that you already have proactive resilience measures in place.

Make sure to incorporate any adjustments made and lessons-learned from the recent Pandemic into your inventory of resilience measure against the next pandemic.

3. Inherent vs. Residual Impact

Although the residual risk rating is often used as the measure of the effectiveness of your risk management program, best practices mandate that management should use inherent risk ratings to guide their recommendations for (and use of) mitigating controls. However, when calculating residual threat impact, you can factor in any existing impact mitigation measures you already have in place. For example, if you use forewarning, duration, and speed of onset to calculate impact, any measures taken to reduce those 3 factors can also reduce your impact rating:

Example 1: Smoke detector & Fire detection equipment decreases the impact of fire by increasing the forewarning factor
Example 2: Auxiliary power decreases the impact power outage by decreasing the duration factor
Example 3: Good project management practices decrease impact of strategic risk by slowing the speed of onset factor

This is how you can take advantage of the existing measures you already have in place to decrease the residual impact of an event. You don’t have to do anything new, just take into account all of things you’ve already done to build resilience into your business continuity plan. Then simply add on where residual risks are still above your risk appetite!

For more information, watch our webinar recording, “The New Business Continuity Guidance Requires a Whole New Approach.”

05 Nov 2020

Banks, Credit Unions, Technology Jamie Davis 0 comment

How Banks and Credit Unions Can Maintain Business Continuity to Achieve Effective IT Management

Banks and credit unions of all sizes experience some level of turnover or unexpected absence that can affect internal positions. When the IT administrator role is impacted, it can cause the most disruption, especially for smaller community institutions, as many have limited resources and may rely on only one employee in the role. When an IT administrator leaves, he or she takes with them the institutional knowledge and expertise gained through working with the FI’s unique IT infrastructure and network management processes. To lessen the impact, it’s up to the institution to effectively build continuity into its IT strategy and pay attention to the strategic decisions being made by the IT team.

In a recent Safe Systems webinar, we discussed the importance of continuity in IT and ensuring effective management of the network through transition periods. In this blog post, we highlight three key areas of focus to achieve continuity and keep the institution operating efficiently.

1. Strategic Decisions

We have seen financial institutions fall victim to the “power of one”, where the IT admin has all the knowledge and authority to make IT strategic decisions alone. Then when they leave, the rest of the institution doesn’t have a clear view of what’s been done to the network and how to properly maintain it.

Some IT admins prefer to try new technologies and add more automation to the institution’s processes. While others might stick to their comfort zone and not push for new IT tools. While it’s important to provide an appropriate level of autonomy to the IT admin, it is critical to also have a system of checks and balances in place and to examine the benefits and consequences of these decisions closely to ensure the institution has the right tools to succeed .

2. Strategic Management

For IT personnel to be successful, it is important to outline what your institution wants the IT admin to accomplish and let them know what success will look like when they achieve these goals. Some key questions to consider include: What are the desired outcomes you’re expecting from IT? Is the goal to spend their time and budget on efficiency projects, redundancy projects, or security projects? In other words, what is your tolerance for downtime, security risks, or ineffective and slower processes? How will these goals be measured?

Once these expectations are established, the IT admin should be given the freedom to do what they need to do to achieve the institution’s goals but there should also be a clear chain of command to provide oversight and to evaluate their work.

You do not want to let an employee’s expertise (or lack thereof) impact your technology or for the institution’s security to be affected negatively. Define clear objectives for your IT personnel, whether that’s uptime, recovery time objectives (RTOs), redundancy, budgeting, or specific controls you’d like to have in place to ensure the institution is operating securely.

3. Strategic Plan

Make sure the expectations and objectives you set for IT personnel align with your strategic plan. According to the Federal Financial Institution Examination Council (FFIEC), “strategic IT planning should address long-term goals and the allocation of IT resources to achieve them. Strategic IT planning focuses on a three- to five-year horizon and helps ensure that the institution’s technology plans are consistent and aligned with the institution’s business plan. Effective strategic IT planning can ensure the delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace. The IT strategic plan should address the budget, periodic board reporting, and the status of risk management controls.”

When discussing the strategic plan with management, it’s important to identify the key areas of improvement and provide information on price, level of risk, and what exactly the institution is trying to accomplish. Sometimes having an outside perspective can help push key initiatives along and get them into the budget for the year ahead.

To learn more, download the recording of our webinar, “Understanding The Lifecycle of the IT Administrator: Ensure Effective Management of Your Network.”

16 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

In a previous post, we discussed the role of the ISO in a pandemic and how he or she must make sure all routine tasks are still being completed; help the institution adapt to the new circumstances; and continue providing all products and services at an acceptable risk level.

While an institution may be prepared to continue business as usual, its third-party provider partners may not be on the same page. Like the bankers they support, third-party vendors are also experiencing the impact of the pandemic and are dealing with a variety of operational issues as well. Financial institutions must be able to perform effective vendor management during a crisis and develop alternative plans in the event a critical vendor may not be able to perform the services agreed upon.

Here are a few things the ISO must consider to effectively evaluate the institution’s vendors during a crisis like a pandemic:

Identify Vendor Risks

During a pandemic, the ISO must anticipate several different risk scenarios that can adversely impact the institution’s daily operations. With vendors, there are two interrelated key risk factors to consider:

“Supply chain risk” is related to the interconnectivity among the entity and others. In a pandemic, critical vendors may receive an overload of requests for products and services from a variety of industries and may not be able to keep up with demand. For example, many financial institution employees have been working remotely due to Coronavirus and to keep the network secure, financial institutions have provided company laptops to staff. However, if the FI’s laptop provider runs out of inventory, the institution is then put in a difficult situation – if they allow the use of personal devices, they must still make sure all employees can work safely from home and ensure the network remains secure.
“Cascading impact risk” is an incident affecting one entity or third-party service provider that then impacts other service providers, institutions, or sectors. For example, if the vendor that manages the bank’s perimeter security has a large case of absenteeism and an inadequate succession plan, real-time alerting may be negatively impacted, and the institution could be exposed.

Evaluating these risks with third-party vendors in advance will help ensure that they have the proper personnel redundancies in place, so these situations don’t impact the institution.

Managing Third-Party Risks

According to the Federal Financial Institution Examination Council (FFIEC), open communication and coordination with third parties, including critical service providers, is an important aspect of pandemic planning. A current SOC 2 report that covers the “availability” trust criteria is the best way to determine if the vendor has the capability to respond and recover its systems. In the absence of a SOC report, the first thing the ISO should request is a copy of the business continuity plan. Since the SOC report may not cover the service providers’ vendors (also referred to as sub-service providers), the ISO will also want to gain some awareness of the possibility of supply-chain risk. For example, how might a provider failure two to three layers deep affect the institution?

In addition to vendor business continuity plans, the ISO should ask additional questions about how the vendor is managing the pandemic. Here are a few examples:

When was the last time you updated and tested your BCM plan? Have you incorporated the possibility of a failure of a critical sub-service provider?
Is the likelihood and impact of a pandemic evaluated as a part of your risk assessment?
How do you plan to continue providing services in the event of the loss of key employees?
Have you been in communication with your critical third-party providers?
Are you financially prepared to withstand a long-term pandemic event?

Critical third parties are often either overlooked or under-managed during normal circumstances, but because of the current high level of interdependency among financial institutions and their third-parties, operational events such as pandemics call for much closer scrutiny. Depending on responses received, ISOs may choose to accelerate their oversight efforts, revisit their vendor risk assessments, and make adjustments accordingly.

For more information on responding to pandemic events, view our pandemic resources.

18 Jun 2020

Banks, Compliance, Credit Unions Darren Bridges 0 comment

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

Review all guidance and issues related to their institution and become familiar with any changes that might impact them
Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments
Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

Analyzing potential threats
Assessing the technology required
Managing access controls and security
Conducting regular data recovery test
Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”

01 May 2020

Banks, Credit Unions, Technology Brendan McGowan 0 comment

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

16 Apr 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Building a Pandemic Response Plan: What Are the Requirements for Community Banks and Credit Unions?

Building a Pandemic Response Plan

As COVID-19 continues to spread around the world, financial institutions have been forced to respond to this pandemic in new and innovative ways to stop the spread of the virus; protect their employees and the public; and keep their doors open and operations running smoothly to serve their customers and members. Community banks and credit unions are referencing the Pandemic sections of their business continuity management plans to determine the best way forward for their institutions during this challenging time. With the Federal Financial Institution Examination Council’s (FFIEC) recent business continuity management (BCM) guidance, many financial institutions are first of all wondering what has changed in the guidance, and second what specific additional changes this particular event might require.

Pandemic Planning

Since 2007, financial institutions were required to have a separate pandemic plan, and regulators only looked for documentation that institutions were testing their plans periodically. Unfortunately, the pandemic section of the business continuity plan (BCP) has tended to be treated as more of an afterthought since these situations have historically occurred much less often than natural disasters or other business interruptions. If they were assessed at all, they fell into the category of a high impact, low probability event.

Notwithstanding COVID-19, pandemics are still low probability events, but the impact of these events may be far more significant than past risk assessments have indicated. In what may now be perceived as an untimely move, the FFIEC made the decision in the 2019 BCM update to deemphasize Pandemic by categorizing it the same as any other disruptive event. The FFIEC no longer requires financial institutions to have a separate pandemic plan, but instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters.

In other words, your BCM plan is your pandemic plan, and you must analyze the impact a pandemic can have on your organization; determine recovery time objectives (RTOs); and build out a recovery plan. You must also include a methodology to determine the key triggers your organization will use to activate your recovery plan when faced with a pandemic. But when should you activate your recovery plan and who is in charge of this process?

Pandemic Response

Before a recovery plan is activated, it is important to have an initial response team (typically comprised of C-Level executives) evaluate the situation and assess the potential impact of the current event on the institution. The team must determine if the situation is likely to negatively impact the institution’s ability to provide products and services to their customers or members beyond the established recovery time objectives outlined in the BCM plan.

The same rules apply in a pandemic. Community financial institutions should use the six pandemic phases outlined by the World Health Organization (WHO) or the Center for Disease Control (CDC) to evaluate the severity of the situation.

In most cases, the pandemic portion of the plan is not triggered for activation until phases 4-5 (or if between 20-40% of your workforce is not available to work).

What Regulators Expect

During a pandemic, regulators expect financial institutions to continue offering products and services to customers/members and conduct operations as normally as possible. This underscores the importance of including succession planning and cross training in the BCM plan. In the past, assumptions used to simulate a pandemic were that phases 4-5 wouldn’t last more than a week or two, so most financial institutions may only have planned for one person to be identified and pre-trained to step into a critical role until the event was over. However, the COVID-19 pandemic is a global crisis currently impacting at least 183 countries and territories and is predicted to impact many more people, and take much more time to contain.

To ensure critical functions continue, financial institutions should have at least two or three alternate staff members trained for every primary resource within the institution and assess whether some roles can be performed remotely. This can be difficult for smaller institutions with limited staff and resources. For specialized functions dominated by key personnel, such as funds management, wire services, human resources, etc., these institutions may not have multiple alternatives to step in if key employees are unavailable. In these circumstances, you may need to have other cross-trained staff members identified who can step into these roles quickly.

Next Steps: Lessons Learned

There will be many more lessons learned after the COVID-19 pandemic has passed, and regulators will expect those lessons to be reflected in your plan. When all is said and done, regulators are likely to ask “what have you learned from this event, and what have you done to enhance your pandemic plan based on those lessons learned?” Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time? Since interdependencies include employees, and pandemic events almost exclusively impact personnel, have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access? If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

The answers to these questions, and many more, will be used to enhance the pandemic section of your BCM plans, but until we reach that post-event, lessons-learned point, it’s important for financial institutions to continue to reference their business continuity plans; document the entire process; keep stakeholders informed; and put measures in place to continue serving their customers and members and protecting their employees and the public.

For more information on pandemic response, view our pandemic resource center. Or, if you would like to make sure your BCM is up to date, please request a complimentary plan review to ensure that your business continuity management plan is keeping up with changing regulations.

View Our Pandemic Resources