Tag: Cybersecurity RADAR

25 Oct 2022
Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

  • Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
  • Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others.

A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.

  • Updating software — Updates resolve general software issues and patch the security holes that criminals might otherwise use to get in and cause problems. You should update software often, obtain patches only from a known, trusted source, and turn on automatic updates where they are available.
  • Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme in which criminals use fake emails, social media posts, or direct messages to trick unwitting victims into clicking a bad link or downloading a malicious attachment. The signs can be subtle, but once you suspect a phishing scam, you should report it immediately and block the sender’s address.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

  • Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
  • Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
  • NetInsight®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
  • Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.

27 Jul 2022
Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

  • BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
  • CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
  • Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
  • Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
  • Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
  • NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
  • Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
  • V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our experts’ core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, all of COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

27 Feb 2020
Top 3 Cybersecurity Threats CEOs Need to Be Aware of in 2020

We recently conducted a sentiment survey to ask our community bank and credit union customers about their top worries for 2020. Cybersecurity was at the top of the list for most institutions and not without reason. According to a recent Boston Consulting Group report, cyber-attacks are 300 times more likely to hit financial firms than any other company.

In an effort to help community bank and credit union CEOs prepare for cybersecurity threats in 2020, I recently shared a video from my “Banking Bits and Bytes Super Duper CEO Series,” covering the current threat landscape and what financial institution CEOs need to look out for over the next 12 months. Here are three key areas to focus on:

Business Email Compromise

Business email compromise isn’t a new cybersecurity threat to financial institutions, but we’ve recently seen an increase in these malicious emails at community banks and credit unions. A typical case is a bank’s CFO receiving an email that appears to come from the CEO, asking them to send a wire transfer on the CEO’s behalf. These emails slip through email filters easily because they contain no malicious code: the message is plain text, so an employee can easily view it as non-threatening. This is why user security awareness training is the most important countermeasure to prevent employees from interacting with these messages.

Extortion Emails


We’ve also seen a rise in extortion emails claiming to have compromising information about a financial institution executive that will be released to the public unless a ransom is paid. In these emails, hackers may also claim to know username and password pairings and say they have hacked into a victim’s computer. Fortunately, these threats are rarely, if ever, true or accurate, but they have still raised concerns among many executives.

The best way to guard against this sort of attack is to use different passwords for different accounts and to change those passwords often. Multi-factor authentication is another very effective tool in protecting against extortion. Also, ensuring your institution has quality user security awareness training prevents someone from mistakenly responding to these emails.

Internet of Things (IoT)

Most people think of the IoT as devices like the Amazon Echo or the Google Nest Thermostat, but that’s not what we’re talking about here. While most Windows PCs in financial institutions have effective security measures in place to protect against threats, there are other items on the network, such as multi-function printers, network-connected LaserJet printers, the digital signage in front of the institution, or even the DVR system or security cameras from third-party providers, that can present an opportunity for criminals.

These devices are often on the network and, as a result, can “see” the other devices connected to it. They are often communicating with devices outside of the institution, and unfortunately you don’t have the ability to control the software that runs on these devices, manage their patch level, or dictate who a device can talk to or how it does so. Financial institutions can compensate for this lack of control through careful network topology design, careful perimeter security rules, and detective technologies installed on the network to know when these IoT devices are up to no good.

As cybersecurity threats become more complex, so too must the measures that CEOs employ within their institutions to counter these threats. To learn more about security threats and how to protect your institution, watch the full “Banking Bits and Bytes Super Duper CEO Series” below.

24 Jan 2019
What Community Financial Institutions Should Look for in a Managed Services Provider

The majority of banks and credit unions rely on managed services providers to help them improve efficiencies in their organization, meet mounting regulatory compliance requirements, and provide the competitive products and services their customers and members expect.

However, selecting the right managed services provider can be challenging. We have highlighted some key qualities that community banks and credit unions should look for when choosing trusted partners.

A managed services provider should have a true understanding of the following areas:

The community banking and credit union industries


A managed services provider must truly understand the “ins and outs” of operating a community bank or credit union. This includes recognizing the industry trends, realizing the importance of priorities, such as customer- and/or member-service related touch points, and understanding regulatory and compliance issues. Not knowing how a community financial institution operates is a hindrance that can prohibit the provider from effectively meeting the demands of the institution and makes it unlikely that it will be in a position to offer informed recommendations on improvements and solutions to existing issues.

Financial services technology

Technology is ever-changing, and it is nearly impossible for any one person to successfully keep up with all of the advancements. To provide the technological solutions and services that a community bank or credit union requires, a managed services provider should understand the technical requirements of all banking technology solutions, starting with the core platform. Since many applications have to work with — and integrate into — the core platform, it is impossible to design an efficient and comprehensive network without first understanding core platforms and banking technology.

Regulatory compliance requirements

The evolving world of financial regulatory compliance governs every aspect of your IT network, and that includes what hardware and software you choose to deploy. In today’s banking environment, vendors must be able to make recommendations on how to manage hardware and software to meet regulatory expectations, such as verifying all patches, ensuring security measures are up to date, and maintaining access to critical services during a disaster.

Working with the wrong managed services provider can be time-consuming, cumbersome, and even stressful. However, working with a provider who offers the desired services and who truly understands your industry can help guide the institution in today’s challenging financial environment. A good partnership is key to ensuring your organization remains competitive and profitable for years to come.

09 May 2018
Touchmark National Bank Streamlines Cybersecurity Processes and Improves Exam Ratings

Banks Are Streamlining Cybersecurity Processes and Improving Exam Ratings

Banks Streamline Cybersecurity Processes and Improve Exam Ratings

As cyber-attacks become increasingly more sophisticated, community banks struggle to ensure their institutions are adequately protected and in compliance with regulatory requirements and expectations. Regulators are heavily scrutinizing bank processes to verify that these institutions can effectively safeguard sensitive financial information. The Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT), which was released in June 2015 and is designed to ensure banks are prepared in the event of a cybersecurity attack, is not a requirement to complete but it is what regulators are using to examine institutions and determine their level of cybersecurity preparedness.

This has led many banks to complete the CAT and examine their cybersecurity preparedness. Although the assessment is beneficial, it can also be a time-consuming task to understand and successfully manage. As a result, bankers are seeking a more efficient way to complete the assessment, understand their level of risk and make improvements to their IT environments.

One senior vice president of a national bank found himself in this exact situation. He was manually completing the CAT and pulling reports but quickly found this process to be quite challenging and cumbersome. He determined the bank needed a solution that could give them a better understanding of where they were in terms of cybersecurity preparedness and examiner expectations.

The CAT Application

The bank began looking for a more user-friendly and repeatable solution that captured the process of filling out the CAT in an application and provided compliance guidance about how to improve its cybersecurity processes. As a long-time customer of Safe Systems, the bank ultimately decided to implement its cybersecurity service, Cybersecurity RADAR, which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports, and maintain an up-to-date record of the assessment.

“When I learned that Safe Systems offered a service that included an application along with compliance consulting to help us improve our cybersecurity posture, I knew it would be the right solution for our bank,” said the senior vice president. “Safe Systems’ team of experts guided us through the installation process and provided us with the knowledge and support to ensure a more streamlined assessment.”

Improved Exam Ratings

For this particular bank, Cybersecurity RADAR streamlined the process of filling out the CAT, generated detailed reports, and successfully prepared the bank for exams. With the ECAT application, the bank significantly reduced the amount of time spent completing the CAT from weeks to less than 2 hours.

“The reports generated in the Safe Systems ECAT application have been extremely beneficial to us,” said the senior vice president. “In one of our last exams, an examiner even commented on how user-friendly, complete and easy to understand the reports were. In the past, gathering all the reports and manually tracking the data took us weeks to complete, but now we are able to prepare for exams in a matter of hours.”

The Cybersecurity RADAR solution Safe Systems offers can be a great value to any bank wanting to improve operational efficiencies, strengthen cybersecurity and increase their confidence with compliance and security.

Free White Paper

Understanding the FFIEC’s CAT

How Your Institution Can Improve Its Cybersecurity Posture
Get a Copy

02 May 2018
What's next after completing the CAT

What’s Next After Completing the FFIEC’s CAT? Take Action on the Results


In response to the increased occurrence of cybersecurity breaches and attacks, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness. Since its introduction, the CAT has become the baseline that many examiners are now using to evaluate cybersecurity, so completing it positions financial institutions to better address risks and meet examiner expectations with greater confidence.

While financial institutions recognize that completing the CAT is an important part of maintaining compliance, in truth this represents just the first step that financial institutions should take.

Phases of the CAT Enforcement

Phase one of the CAT roll out was largely focused on examiners verifying that financial institutions were aware of the CAT and encouraging them to complete it. While this varied by institution, state, and governing body, the first year offered the most leeway for financial institutions.

Most examiners are operating in phase two of the CAT enforcement process today. In this phase, the primary question many financial institutions have faced during their exam was, “Have you completed the CAT?” With cyber risks becoming a more common and pervasive problem, this cannot be the long-term expectation examiners hold for financial institutions. So while most institutions can answer “yes” during phase two, the examination process will eventually have to evolve to require financial institutions to do more.

Phase three of the CAT requires regulators to ensure that financial institutions are actively taking steps to respond to the CAT findings. Financial institutions that are not remedying cybersecurity lapses or vulnerabilities discovered in the CAT will likely be cited and potentially receive poor compliance ratings. There is pressure on regulators to take this step, as they can be called before Congress when the next banking cyberattack happens to explain why enforcement has not been working. So moving forward, financial institutions will need to not only complete the CAT, but clearly demonstrate the steps they have taken in response to their CAT findings.

Next Steps After Completing the CAT

The good news is that the majority of financial institutions have successfully completed the CAT, so the key is in making those results actionable and taking steps to remedy any issues that arise.

The challenge is that completing the CAT and then fixing all uncovered vulnerabilities and gaps is a daunting process. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in their cybersecurity processes and ensure that all gaps and vulnerabilities are properly addressed, leading to a better cybersecurity posture and enhanced compliance ratings. Safe Systems helps financial institutions manage their cybersecurity program in a more time-efficient manner and ensure they meet their compliance requirements.

Safe Systems developed its Cybersecurity RADAR solution which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. This is paired with a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.


25 Apr 2018
6 Common Misunderstandings of the FFIEC Cybersecurity Assessment Tool

Since its introduction three years ago, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) has been the focus of much attention within the financial services industry. The CAT can help financial institutions identify their risks such as gaps in IT security and determine their cybersecurity preparedness to determine areas for improvement.

While many financial institutions have completed the CAT, there are still some widespread misunderstandings about the assessment. Six of the top misconceptions we have seen include:

  1. Filling out the CAT improves an institution’s position against a cyber-threat

    While completing the CAT helps identify areas of risk and levels of cybersecurity maturity, after completing the assessment the institution’s risks must then be compared to its maturity level. Thus, financial institutions must identify areas where risks are not mitigated appropriately. If your institution filled out the assessment but has not done a gap analysis between your risks and your maturity, you are not done.

    Additionally, if you have filled out the assessment and have not yet changed your security posture based on the results, you are not done.

  2. Filling out the Cybersecurity Assessment Tool is all that is required

    Many institutions have stopped working on the CAT after they’ve had their exam because examiners have only required them to complete the assessment. Simply filling out the CAT does not come close to addressing the FFIEC guidance or the full intent of the CAT. If your institution has stopped here, there is much more to do to enhance your cybersecurity procedures. If you do not review your institution’s security gaps and improve compliance processes, you will continue to lag behind.

  3. The CAT doesn’t have to be completed anytime soon

    At this point, many examiners are simply asking most financial institutions if they have filled out the CAT. If your institution has not yet done so, you should consider completing it soon to ensure your institution meets examiner expectations. When you are finished, it is important to establish a timeline and action plan outlining how you will incorporate your responses and assessment findings into your cybersecurity plan.

  4. The CAT can be completed by just one person

    Completing the CAT is not a one-person job because it requires input from a variety of departments within the institution. The 59-page assessment spans several job roles, making this a cumbersome task for one individual to complete, and it can result in inaccurate responses. It is recommended that key personnel in all departments fill out the assessment together to ensure an accurate view of the institution.

  5. I completed the CAT and passed my exam, so I don’t need to do anything with regard to the CAT for my next exam

    Time after time, examiners write up institutions in areas that they have previously done well on in past examinations. The bad news is that once regulators write up a bank for one infraction, they typically examine other areas more closely, leading to additional findings. Don’t just assume that because your examiner was content with your assessment in the past there aren’t other areas where you can improve. Fill out the assessment; review your inherent risk profile and cybersecurity maturity level; and look for ways you can enhance your compliance processes to increase your institution’s cybersecurity preparedness.

  6. The CAT is not a requirement

    When the CAT was initially released, it was promoted as a free and optional tool available to financial institutions to help assess their cybersecurity preparedness. While it is true you do not have to use the CAT, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. If your assessment is different from what the examiner expects, it could lead to more questions or more scrutiny. While a better way to assess cybersecurity might exist, going down your own beaten path with assessing your risks is a little like taking a small rowboat out into uncharted water.

    The CAT is now the baseline many auditors or examiners are using, so completing it enables financial institutions to address cybersecurity risks and meet examiner expectations with confidence. However, while it is important to complete the CAT, the key is in making those results actionable and remedying any issues that arise.

Safe Systems developed the Cybersecurity RADAR solution, which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. Safe Systems also provides a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.


14 Dec 2017
Importance of A Cybersecurity Risk Appetite Statement

As cybersecurity threats continue to increase in the financial services industry, banks and credit unions must work harder to meet regulatory expectations. Regulators are taking a deeper look at financial institutions’ policies and procedures to ensure that these institutions can effectively safeguard confidential and non-public information. This includes ensuring financial institutions have a Board-approved Cyber Risk Appetite Statement.

Regulators are not only looking to ensure financial institutions have a cyber risk appetite statement in place, but that it is being used to monitor and manage the institution’s cyber risk. In fact, risk appetite is mentioned more than 6 times in the FFIEC’s Cybersecurity Assessment Tool (CAT). The Overview for CEOs and Board of Directors released with the CAT by the FFIEC states that it is the Board’s or an appropriate Board committee’s responsibility to “engage management in establishing the institution’s vision, risk appetite, and overall strategic direction.”


What is Cyber Risk Appetite?

Safe Systems’ Compliance Guru gives us a good working definition of risk appetite: “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” In other words, risk appetite is a decision by the Board and Senior Management that the residual risk level is acceptable. Residual risk is the risk remaining after controls have been applied. Before the Board can define a cyber risk appetite statement, it must have a clear understanding of the institution’s risk profile. This will allow it to clearly define the institution’s risk tolerance, which is then used to inform management’s decision-making. For example, before an institution begins offering a new service, management should validate that the amount of risk remaining after controls have been applied (the residual risk) is within the defined risk appetite. If not, management should determine whether additional controls can be applied to bring the risk within acceptable limits, or reevaluate the service.

Failure to have a cyber risk appetite statement not only puts a financial institution at risk of violating regulatory requirements but can also lead the institution to improperly manage its cyber risk. Defining your cyber risk appetite allows an institution’s Board of Directors to set the tone for risk management throughout the financial institution.

For more information, download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

06 Dec 2017
What Community Banks and Credit Unions Should Budget for in 2018

Many financial institutions are entering (or are already within) their 2018 budget season. While creating a budget is essential in helping you execute your strategy and plan for the future, any shortcomings, such as being unable to respond to changes in regulation or to things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, security and compliance budget items that are often overlooked. Since we work with more than 600 financial institutions just like yours, we are constantly researching what’s coming next, both from technology and compliance viewpoints, and offer some points for consideration in your budgeting for 2018.

2017 started with several ransomware incidents and culminated mid-year with one of the largest breaches ever – the Equifax breach, which directly impacted more than half of the adults in the United States. Expect “Cybersecurity” and “Information Security” to be buzz words going forward for the next few years. No business wants to have a breach and no regulatory agency wants to sign off on a business’ processes only to have them be breached. Look for the regulatory agencies to start looking out for number one by putting pressure on you, the financial institution, to step up your cybersecurity efforts.

Per some studies, up to 90% of cybersecurity spending is directed towards securing the network, yet 72% of all breaches happen at the application level. This disconnect indicates that, while the money spent may prove effective at stopping perimeter exposure, it has likely left an unexpected weakness in overall protection.

Expect cybersecurity and added layers to be a focus over the next few years. The layers are often moving from the perimeter to the device level. Considering most breaches go unnoticed for 100-200 days, expect an emphasis on forensics and monitoring in the coming year(s) as well.

As you are setting budgets for 2018, here are some key line items for consideration:

  1. Malware/Ransomware Layers: $1,500 – $5,000

     Remember that 2016 and early 2017 were very heavy in malware, especially ransomware. While this seemed to cool off toward the end of 2017, experts expect this to be a major issue for the foreseeable future. The price will depend on the layers you select and how many you choose to add. You should really consider taking a more aggressive step in your fight against malware this year. If 2016 and 2017 taught us anything, it is that malware, and specifically ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past.

     Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers, but is now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

     Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their cybersecurity posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

  2. Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

     Cybersecurity preparedness does not start or end with the Cybersecurity Assessment Tool (CAT), but it does play a role. Examiners will be looking at this for at least acknowledgement that you understand cybersecurity is a real issue and you are working on addressing it. We still speak with institutions who have done little to nothing with the CAT. With the current risk environment constantly escalating, regulators are unlikely to continue to let this slide.

  3. Honey Pots: $2,500+

     A security professional at a major security conference earlier this year referenced baiting and monitoring for criminal activity as one of the most effective measures to know if you have been compromised. Often referred to as “honey pots,” this refers to decoys set up to look interesting to anyone “snooping” around. With a solid solution in place, your institution could know of an intruder within minutes instead of the estimated 100-200 days noted above. If Target or Equifax had used similar solutions, they would likely have not been compromised or damaged to the extent that they were.

  4. Robust Vendor Management Solution: $2,500 – $5,000

     With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost-effective way to address this. This also ties into cybersecurity preparedness. As data has moved outside the institution, it’s more important than ever to make sure your vendors are keeping your data safe.

  5. New and Replacement Technology: $500 – $10,000

     Be sure that all products your vendors are “sunsetting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

     • Expired in 2017 and should be replaced or upgraded
       • Windows Vista
       • Symantec Endpoint 10.x
       • Microsoft Office and Exchange 2007
       • Backup Exec 2015
       • Adobe Acrobat XI
     • Expires in 2018 and should be replaced or upgraded
       • ESXi/vCenter 5.5 expires 9/19/2018

  6. Training: $500 – $1,500

     Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. This is an area where many institutions could make a lot of improvement for the fewest dollars. Employees, via intent or mistake, are often the starting points for the breaches many institutions face. A single employee has been blamed for much of what happened in the Equifax breach. Make sure your employees and customers have access to the appropriate training commensurate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.

  7. Vendor and User Conferences: $1,000 – $1,800

     It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.

26 Jul 2017
Top 4 Missing Declarative Statements in the FFIEC’s Cybersecurity Assessment Tool

With the heightened risk of cybersecurity attacks for financial institutions, many community banks and credit unions are completing the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) to assess their cybersecurity preparedness, determine their next steps to strengthen their maturity and better meet examiner expectations. The assessment consists of two parts, Inherent Risk Profile and Cybersecurity Maturity. The Inherent Risk Profile assesses the risk posed by Technologies and Connection Types, Delivery Channels, Online/Mobile Products and Technology Services, Organizational Characteristics, and External Threats. Then, Management evaluates the Cybersecurity Maturity level for five domains.

According to the FFIEC’s Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors, “Cybersecurity Maturity includes statements to determine whether an institution’s behaviors, practices, and processes can support cybersecurity preparedness.” Declarative statements within each domain are assessed on maturity levels ranging from baseline to innovative. Financial institutions determine “which declarative statements best fit the current practices of the institution. All declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.”
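The attainment rule quoted above is mechanical enough to compute. The following added example (not code from Safe Systems or the FFIEC) scores one domain from per-level Yes/No answers and lists the “No” statements that currently cap its maturity; the five level names are the CAT’s own, while the domain, statement labels and answers are a constructed sample.

```python
"""Determine a CAT domain's achieved maturity level from declarative-statement answers.

Added example, not code from Safe Systems or the FFIEC. The five level names are
the CAT's own; the domain answers below are a constructed sample.
"""
from typing import Dict, List

# Maturity levels in ascending order, as defined in the FFIEC CAT.
LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# Per level: statement label -> True for "Yes", False for "No".
DomainAnswers = Dict[str, Dict[str, bool]]


def achieved_level(answers: DomainAnswers) -> str:
    """Apply the CAT rule: every statement at a level, and at all lower levels,
    must be a "Yes" for the domain to reach that level.

    A domain with any Baseline "No" has not reached Baseline at all, which is
    why Baseline gaps are the ones to close first.
    """
    achieved = "Not at Baseline"
    for level in LEVELS:
        statements = answers.get(level, {})
        if statements and all(statements.values()):
            achieved = level
        else:
            break  # a "No" here blocks every higher level, whatever is answered there
    return achieved


def gaps(answers: DomainAnswers, level: str = "Baseline") -> List[str]:
    """Statements answered "No" at one level: candidates for a compensating control."""
    return [label for label, yes in answers.get(level, {}).items() if not yes]


def blocking_gaps(answers: DomainAnswers) -> List[str]:
    """The "No" answers at the lowest level not yet attained, i.e. the statements
    that currently cap the domain's maturity (empty if every level is attained)."""
    for level in LEVELS:
        missing = gaps(answers, level)
        if missing or not answers.get(level):
            return missing
    return []


# Constructed sample for Domain 4 (External Dependency Management). The labels
# are illustrative shorthand, not quoted CAT statements.
SAMPLE_DOMAIN_4: DomainAnswers = {
    "Baseline": {
        "Data flow diagrams document information flow to external parties": True,
        "Critical third-party connections are identified": True,
    },
    "Evolving": {
        "Connections to third parties are monitored": True,
        "Third-party access is restricted by role": False,
    },
    "Intermediate": {
        "Security controls extend to third-party connections": True,
    },
}

if __name__ == "__main__":
    # The Intermediate "Yes" does not help: the Evolving "No" caps the domain.
    print(achieved_level(SAMPLE_DOMAIN_4))  # Baseline
    print(blocking_gaps(SAMPLE_DOMAIN_4))   # ['Third-party access is restricted by role']
```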

Since the introduction of the CAT in 2015, we have been assisting community banks and credit unions with completing this process. Based on our experience, which consists of more than 100 reviews of the CAT to date, we have identified four declarative statements that community financial institutions are struggling to complete:

  1. Domain 4 – External Dependency Management – Connections

     “Data flow diagrams are in place and document information flow to external parties.”

     According to the FFIEC’s Information Security Handbook, “these diagrams should identify hardware, software, and network components, internal and external connections, and types of information passed between systems.” Regulators are looking for financial institutions to demonstrate a solid understanding of where data is going and what type of data is being transmitted to third-parties.

  2. Domain 1 – Cyber Risk Management and Oversight – Training and Culture

     “Customer awareness materials are readily available” (e.g., DHS’ Cybersecurity Awareness Month materials)

     Customer awareness materials, according to the FFIEC Information Security Handbook, are used to “increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.” These materials should “consider both retail and commercial account holders.” It is important for community banks and credit unions to communicate effective risk management strategies to their customers. The declarative statement references the US Department of Homeland Security’s website. The Stop.Think.Connect Toolkit has resources financial institutions can utilize to provide awareness material to customers.

  3. Domain 3 – Cybersecurity Controls – Preventative Controls

     “Domain Name System Security Extensions (DNSSEC) is deployed across the enterprise.”

     DNSSEC is a technology developed to digitally ‘sign’ DNS data to ensure it is valid and from a trusted source. By enabling this, an institution would be less susceptible to DNS spoofing attacks. However, based on the experience of Safe Systems engineers, DNSSEC may cause issues throughout an organization’s systems. There are other technical tools financial institutions can implement that will enable them to meet the spirit of the statement without deploying troublesome tactics.

  4. Domain 1 – Cyber Risk Management and Oversight – Oversight

     “The institution has a cyber risk appetite statement approved by the board or an appropriate board committee.”

     Regulators are looking to ensure financial institutions have a cyber risk appetite statement in place that has been approved by the Board. In fact, risk appetite is mentioned more than 17 times in the CAT. Cyber risk appetite is an assessment of how much cybersecurity risk management is willing to accept to meet the goals and objectives of the institution’s strategic plan. To read more on how to develop a cyber risk appetite, visit the Compliance Guru Blog.

Financial institutions should review their current CAT responses, specifically the declarative statements in the Baseline maturity level that have been answered “No” or that they are struggling to complete, to determine if there is a way to implement a compensating control. Adding compensating controls may allow them to answer the question in the affirmative and ensure the institution is in compliance with regulatory requirements.

For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

20 Jul 2017
Lumbee Guaranty Bank Streamlines Cybersecurity Processes with Safe Systems’ Cybersecurity RADAR Application

The number of cyber-attacks directed at financial institutions of all sizes is continuing to grow and cybersecurity experts expect the trend toward increasingly sophisticated cyber-attacks to continue. Community banks and credit unions are prime targets for cyber criminals due to the sensitive data they house. As consumers and businesses continue to use electronic devices such as computers, tablets, and smartphones to perform financial transactions online, vulnerabilities continue to increase. A cyber breach can be devastating due to the costly ramifications, not to mention compromised customer confidence and reputational damage.

As a result of this heightened risk of cybersecurity attacks, regulators are heavily scrutinizing bank processes to verify that these institutions can effectively safeguard sensitive financial information. While not yet a requirement, the FFIEC’s Cybersecurity Assessment Tool (CAT) serves as the key guidance used to determine whether an institution is adequately prepared for a cybersecurity incident and in full compliance with federal regulations. In response, many banks and credit unions are now completing the assessment to assess their cybersecurity posture, determine their next steps to strengthen cybersecurity processes and better meet examiner expectations.

While completion of the assessment has proven itself beneficial, many financial institutions find the 100+ page assessment to be too cumbersome of a task to successfully manage and fully understand. As a result, they decide they need to find a more efficient way to complete the assessment, understand their level of risk and make improvements to their IT environment.

This was the case for Pembroke, N.C.-based Lumbee Guaranty Bank. To ensure his institution maintained compliance, Austin Maynor, Information Security Officer at Lumbee Guaranty Bank, manually filled out the CAT with the help of a spreadsheet, but quickly found this process to be an extremely time-consuming project to complete. He determined the bank needed a solution that could give them a better understanding of where they were in terms of cybersecurity preparedness and where they needed to be in order to maintain compliance.

Streamlined CAT Completion Solution

As a long-time customer of Safe Systems, the bank decided to implement the Cybersecurity RADAR™ solution, a cybersecurity product that combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application. The solution allows staff to quickly generate reports, document notes and save examination results to review each year.

For Lumbee Guaranty Bank, Cybersecurity RADAR streamlined the process of filling out the CAT and helped the bank improve its cybersecurity processes. With the automated application, Lumbee Guaranty Bank significantly reduced the amount of time spent completing the CAT from days to less than 4 hours. In addition, Safe Systems’ evaluation of the bank’s responses helped clearly illustrate to the bank where they were in regard to compliance and baseline expectations.

“The Cybersecurity RADAR solution has been a great addition to our bank, helping us gain meaningful operational efficiencies while continuing to grow and strengthen our cybersecurity program. We are grateful to have a true partner like Safe Systems helping us navigate the latest compliance guidelines and effectively streamline our most important processes.”

For more information, download our cybersecurity case study, “Lumbee Guaranty Bank Streamlines Cybersecurity Processes.”

12 Jul 2017
How to Better Understand Your Bank’s Results from the CAT

The Federal Financial Institutions Examination Council (FFIEC) published the Cybersecurity Assessment Tool (CAT) in June 2015 to help financial institutions better identify and evaluate their cybersecurity risk awareness and readiness. The tool consists of a comprehensive set of questions to evaluate the cybersecurity risk of a financial institution and is designed to encourage consistent analysis, evaluation, and examination of cybersecurity risks for financial institutions.

The CAT essentially consists of two parts, 1) Inherent Risk Profile and 2) Cybersecurity Maturity. The Inherent Risk Profile identifies the institution’s inherent risk before security measures have been implemented. It is a staged approach in which, once the Inherent Risk Profile has been determined, financial institutions then focus their attention on the Cybersecurity Maturity section.

Successful completion of the CAT for Inherent Risk and Cybersecurity Maturity provides financial institutions with practical insight in two specific areas:

  1. Risk Grade

     Completion of the Inherent Risk Profile gives financial institutions a risk grade in each potentially vulnerable security area, such as payments, teller processes and online banking operations. This gives the financial institution insight into how examiners are likely to see their relative risk exposure.

  2. Gap Analysis

     Completing the Cybersecurity Maturity section helps financial institutions form a gap analysis to better identify missing controls and processes. To increase the level of cybersecurity maturity, financial institutions should continually implement changes and monitor their progress, and the gap analysis is the first step in this process.

The CAT also enables financial institutions to review their Inherent Risk Profile in relation to their Cybersecurity Maturity results, which will indicate if they are aligned. As one might expect, as inherent risk rises, an institution’s maturity level should also increase. However, an institution’s inherent risk profile and maturity levels will change over time as threats, vulnerabilities, and operational environments change, making it necessary for institutions to complete the CAT periodically or when making adjustments to their organizations.

It is important to note that while there are online tools available to complete the CAT, the key is in making those results actionable, which may require third-party expertise. That is why Safe Systems developed the Cybersecurity RADAR solution which combines compliance expertise with an Enhanced Cybersecurity Assessment Tool (ECAT) application to help document notes for examiners, create reports and maintain an up-to-date record of the assessment. Safe Systems also provides a knowledgeable team to provide expert advice and support to ensure a more streamlined assessment process.

The CAT is now the baseline many auditors are using, so completing it (and more importantly, understanding the results) enables financial institutions to address cybersecurity risks and meet examiner expectations with confidence. Working with a trusted IT partner enables financial institutions to realize significant operational efficiencies in their CAT assessment reviews and reporting, leading to a better understanding of regulatory expectations to help enhance their cybersecurity posture. Safe Systems can help financial institutions manage their cybersecurity program in a more time-efficient manner to ensure they meet their compliance needs.

For more information, please download our white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

28 Jun 2017
The CAT Isn’t Mandatory, So Why Should We Complete It?

Due to the increasing volume and sophistication of cyber threats financial institutions are facing, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity preparedness with a repeatable and measurable process. The CAT helps financial institutions weigh specific risks, such as gaps in IT security, against the controls or solutions aimed at preventing, detecting and responding to these threats, and determine areas for improvement. Each institution is then responsible for identifying its own risk appetite and establishing its desired level of maturity. Using the CAT, financial institutions can understand where their security practices fall short and how to effectively address those gaps.

When the CAT was initially released in 2015, it was promoted as a free and optional tool available to financial institutions to help assess their cybersecurity preparedness. However, regulatory agencies including the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) have announced plans to incorporate the assessment into their examination procedures. Today, many examiners are using the tool to assess an institution’s cybersecurity readiness and have already begun to issue citations to financial institutions that have lapses or are not meeting expectations.

Even though the CAT is voluntary, all financial institutions are required to evaluate inherent risk and cybersecurity maturity in some way, which requires a robust assessment program. Completing the CAT is a good way to prepare for audits since the guidelines provide community banks and credit unions with detailed information on the federal government’s expectations for cybersecurity preparedness. The CAT enables financial institutions to identify vulnerabilities, fill in security gaps, and demonstrate a stronger security posture before the examination begins.

In addition to meeting examiner expectations, completing the CAT benefits financial institutions by helping them:

  • Determine whether controls are properly addressing their identified risks
  • Identify cyber risk factors and assess cybersecurity preparedness
  • Make more informed risk management decisions
  • Demonstrate the institution’s commitment to cybersecurity, and
  • Prepare the organization for an upcoming audit.

When used correctly, the CAT can provide a cost-effective methodology to help improve security, instill client trust, and avoid losses from a breach. For it to provide the greatest positive impact it should be completed periodically on an enterprise-wide basis, as well as when significant operational and technical changes occur. Completing the CAT helps community banks and credit unions understand the key risks they face and what controls they need in place to protect the institution’s data, leading to increased knowledge of regulatory expectations and a stronger, more compliant cybersecurity program.

For more information, please download our complimentary white paper, Understanding the FFIEC’s CAT: How Your Institution Can Improve Its Cybersecurity Posture.

29 Mar 2017
Cyber Resilience

Roadmap to Recovery: Cyber Resilience is More Than Just a Business Continuity Plan

With the increasing frequency of cyber-attacks in the financial industry, community banks need an effective strategy to measure and control these risks, and a program of cyber resilience may just fit the bill. The concept of cyber resilience provides a different way of thinking about an institution’s information security processes. Rather than focusing only on preventive controls, cyber resilience also focuses on corrective controls, such as having solutions in place to continue business operations should an attack occur. Cyber resiliency ultimately refers to the preparations that an organization makes in regard to preventing threats and vulnerabilities (the defenses that have been developed and deployed), the responsive controls available for mitigating a security failure once it occurs, and its post-attack recovery capabilities (or corrective controls).

More than a BCP

While the Business Continuity Plan (BCP) has become a de facto framework for guiding an institution through the process of recovery from any unplanned event, including a cyber-attack (the word “cyber” is mentioned 49 times in the FFIEC BCP Handbook), cyber resiliency is far more than just developing and executing your bank’s BCP. Business recovery plans are often ill prepared to address non-traditional disasters. For example, continuity plans often rely on the geographic separation of production and backup facilities in the event of a natural disaster. Cyber attacks, however, are not geographically specific and can (and will) affect facilities and operations located anywhere in the world. Attacks can target both the financial institution directly and its backup facility located elsewhere, or a financial institution along with its third-party service providers (TSP) simultaneously. All of these situations require special consideration and preparations that go well beyond traditional BCP planning.

Common Cyber Risks

The cyber risk and threat landscape is broad and continually changing. Some of the most common cyber risks financial institutions should be prepared for include:

  • Malware
  • Insider Threats
  • Data or Systems Destruction and Corruption
  • Communication Infrastructure Disruption, and
  • Simultaneous Attack on Financial Institution and Third-Party Service Provider

Recommended Controls

Being truly cyber resilient is essential for community banks and their vendors. According to Appendix J of the FFIEC’s BCP Handbook, financial institutions should implement the following controls to successfully achieve cyber resiliency:

  • Data backup architectures and technology that minimize the potential for data destruction and corruption
  • Data integrity controls
  • Independent, redundant alternative communications providers
  • Layered anti-malware strategy
  • Enhanced disaster recovery planning to include the possibility of simultaneous attacks
  • Increased awareness of potential insider threats
  • Enhanced incident response plans reflecting the current threat landscape, and
  • Prearranged third-party forensic and incident management services

The Keys to Cyber Resilience

Prevention and recovery are the keys to being truly cyber resilient! Cyber threats will continue to challenge financial institutions, but having the proper preventive and corrective controls in place can greatly minimize the impact. Cyber resilience requires banks to bring together all the areas of information security, business continuity, vendor management and incident response in a coordinated effort.

01 Mar 2017
Cyber Resilience

What is Cyber Resilience Anyway?

As the role technology plays in today’s financial services environment has grown, it has also introduced a range of new risks and vulnerabilities that must be recognized and acknowledged, placing cybersecurity high on the agenda for financial services executives and IT staff. The new 2016 FFIEC Information Security Handbook states:

“…because of the frequency and severity of cyber attacks, the institution should place an increasing focus on cybersecurity controls, a key component of information security.”

With financial institutions becoming more reliant on third-party service providers to help support important bank functions such as loan servicing, collections, item processing, payments, and IT network management, to name just a few, regulators have expressed increased concern that these third-parties could present a weak link that cyber attackers can exploit. And the more third-parties the institution uses, the greater the risk. All institutions, but especially community banks, ultimately bear this responsibility, and must be aware of, and successfully manage, their service providers’ cyber risks.

Cybersecurity vs. Cyber Resilience

Regulations define cybersecurity as:

“…the process of protecting consumer and bank information by preventing, detecting, and responding to attacks.”

Cyber resilience then, is:

“The ability of a system or domain to withstand cyber attacks or failures and, in such events, to reestablish itself quickly.”

While cybersecurity (or protecting from an attack) is vitally important, it is not the only thing that matters. In order to minimize the risks and vulnerabilities in the evolving digital landscape, cyber resilience (or bouncing back from an attack) must be taken into consideration as well. Cyber resilience is an evolving perspective that essentially brings the areas of information security, business continuity and organizational resilience together. Ultimately it refers to the preparations that an organization makes in regard to threats and vulnerabilities, the defenses that have been developed and deployed, the resources available for mitigating a security failure once it occurs, and their post-attack recovery capabilities.

White Paper Download

Driving Compliance Through Technology

Learn how automation and documentation can improve your financial institution’s compliance posture

Get a Copy


One of the primary differences between the two is that although both cybersecurity and cyber resilience require effective third-party management, resilience requires an even greater focus on outsourced technology providers. This is particularly challenging because you must be prepared to recover from an event you couldn’t foresee, could not prevent, and cannot control. The initial stages of a cyber incident require a rapid assessment of the impact of the incident as soon as possible after detection. When the incident occurs at a third party, you are relying on the vendor to notify you, which means your reaction time (and recovery capability) is entirely dependent on when (or if) you are notified. A recent report by the FDIC Office of the Inspector General found that most institutions have not fully considered and assessed the potential impact that third parties may have on the bank’s ability to manage its own business continuity planning and incident response.

Compliance Expectations

Regulators expect financial institutions to be not just cyber-secure, but cyber resilient, and that requires close cooperation with all their critical third parties. Assessing and managing risks, and developing capabilities for response and recovery in the event of disruptions regardless of where they may occur, requires financial institutions to have proven plans in place to meet regulatory expectations. The FFIEC has issued specific guidance on how it expects organizations to manage this process. The FFIEC IT Examination Handbook’s “Outsourcing Technology Services Booklet”, as well as its Information Security and Business Continuity Booklets, address expectations for managing due diligence, incident response, business continuity and the ongoing monitoring of outsourced third-party relationships.

Community banks should remain vigilant in monitoring emerging cyber threats and scenarios and consider their potential impact on operational resilience. The good news is that financial institutions can and should simulate and test their response to a cyber event just as they do for natural disasters. They should also make a point to include any significant third parties in their testing. The financial industry is investing significant amounts of time and resources to defend against cyber attacks and strengthen resiliency, and there are many resources available today that can help streamline and automate the entire process of cybersecurity and resilience planning, testing and execution.

15 Jun 2016

Cybersecurity – What Senior Leadership at Your Bank Needs to Know

Cybersecurity is a serious concern for banks today. Hackers have stolen more than $1 billion from banks, as well as sensitive customer data, bank email information, ATM data, and PINs. They have managed to do this in various ways, such as reprogramming a bank’s ATMs or hacking into the online platform. Hackers are clever, so banks must step up and be even more vigilant!

FFIEC Cybersecurity Guidance

In fact, in light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help institutions identify their risks and determine their cybersecurity maturity. The assessment provides institutions with a repeatable and measurable process to inform management of their institution’s cybersecurity risks and preparedness.

Is Your Bank Ready to Discuss Cybersecurity with Regulators?

Recently I had the privilege to teach at the Southeast Community Bank Symposium at Georgia Southern University. This symposium consisted of senior leaders from banks in the southeast (CFO, senior lenders, President, CEO, and board members). I was tasked with educating the group on cybersecurity, and I focused on threats, examiner expectations, and best practices for the management of cybersecurity risk. My goal was to provide the audience with a better understanding of cybersecurity and some tangible takeaways to manage this risk at their banks.

As part of the session I informally polled the audience regarding how many of them had filled out the CAT. To my surprise, only about 10-15 percent raised their hands. I determined that either the bank filled out the CAT without including senior leaders in the process, or the bank simply did not fill out the CAT at all.

Does Your Leadership Team Fall into These Categories?

If so, here are some things to think about:

  1. Opt-out? The regulators are stating that filling out the CAT is optional. While the CAT is not a requirement to complete, all government agencies have stated they intend to use the tool to assess an institution’s cybersecurity readiness. Regulators have already begun to issue citations to financial institutions that have lapses or are not meeting regulations. If you have not completed the CAT, your bank should expect to have findings targeting the management team, not just IT/Operations.
  2. Same bank, different employees, different answers. All employees need to be on the same page and complete the CAT with the same answers. Your entire team, including management, needs to be trained, informed, and truly understand its cybersecurity plan. This should result in employees communicating consistent and accurate information to regulators.
  3. What’s your risk level? Every bank thinks its cybersecurity risk is minimal on the threat level, and that is just not the case. Innovative banking technology has clearly improved the customer experience, and has even transferred activities that had to happen at the branch to computers and mobile devices. This expansion of the availability of technology is great in many ways, but at the same time this technology increases the risks to your institution.
  4. Cybersecurity is a real threat. What would happen to your bank if hackers got control of your core data and would not let you access the systems? How much protected information could the hackers get if they controlled access to your key systems? What would happen to your business and reputation if you did not have access to your IT systems for 10 days, and then the hackers deleted the data?


How to Engage Bank Management

What should you do if your management team is not engaged, or the bank has not filled out the CAT? Here are the best next steps:

  1. Complete the CAT as a management team (NOT just Operations/IT)
  2. Educate Senior Management and the Board on the risk findings and the gaps in your current cybersecurity control maturity
  3. Validate maturity level meets risk level through testing that emphasizes cyber threats

Free White Paper

Dispelling 5 IT Outsourcing Myths within Financial Institutions

Learn why five of the most commonly believed “facts” about IT outsourcing within community financial institutions are actually myths.

7 Reasons Why Small Community Banks Should Outsource IT Network Management

The 4 Best Ways to Manage Cybersecurity Risk

Banks must incorporate cybersecurity into their overall risk-management framework. This includes a well-managed set of overlapping security controls to help prevent, detect, or recover from cybersecurity events. The FDIC recently encouraged bank supervisors to focus on four critical components to manage cybersecurity risk:

  • Corporate governance
  • Threat intelligence
  • Security awareness training
  • Patch-management programs

While all four areas are necessary, patch management programs are vital. The lack of a solid patch management program has led to an increasing number of security incidents. An efficient patch management system should include written policies and procedures to identify, prioritize, test, and apply patches in a timely manner. Without efficient patch management in place, banks leave themselves vulnerable.

Safe Systems Can Help!

With the increase in cybersecurity risk comes the promise of additional guidance. Safe Systems can help your financial institution manage its cybersecurity program and meet the compliance needs that come with government regulations. As a trusted advisor exclusively serving financial institutions, Safe Systems offers a network management solution to enhance your institution’s cybersecurity posture, one that includes a comprehensive and highly automated patch management capability to fit your bank’s needs.

05 Jan 2016

4 Key Elements of a Compliant and Effective Cybersecurity Program for Community Banks

Because of the prevalence of outsourcing, for most financial institutions cybersecurity readiness means effectively managing your vendors and having a proven plan in place to detect and recover if a cyberattack occurs. However, according to the FDIC, a cybersecurity risk management program should contain a bit more.

An Effective Cybersecurity Program Should Contain these Four Elements:

  1. Governance: risk management and oversight
  2. Threat intelligence and collaboration: internal and external resources
  3. Third-party service provider and vendor risk management
  4. Incident response and resilience

Let’s look into each area with a little more detail and discuss how you can best comply with each requirement:

Governance

Virtually all FFIEC examination handbooks list proper governance as the first and most important item necessary for compliance. According to the FFIEC, governance is achieved through the management structure, assignment of responsibilities and authority, establishment of policies, standards and procedures, allocation of resources, and monitoring and accountability.

In order to comply with the governance regulations, you should regularly update and test your policies, procedures and practices. It’s important to verify that cyber threats are specifically included in your information security, incident response and business continuity policies. To assess your cybersecurity risk, focus on your controls in three categories (preventive, detective, and responsive/corrective) and make sure all results are documented. Adjust your policies, procedures and practices as needed based on the risk assessment results.

Threat Intelligence and Collaboration

This element reflects both the complexity and the pervasiveness of the cybersecurity problem, and can be a particular challenge for smaller institutions, which often lack dedicated cybersecurity resources.

Regulators expect all financial institutions to identify and monitor cyber threats to their organization, and to the financial sector as a whole, and to use that information to inform their own risk environment as well as their specific controls.

Third-party Service Provider and Vendor Risk Management

For the vast majority of outsourced financial institutions, managing cybersecurity really comes down to managing the risk originating at third-party providers, also known as “inherited risk”. Smaller institutions might be even more at risk because they tend to rely more on third parties and tend to lag behind larger institutions when it comes to vendor management.

Regardless of size, all institutions should employ basic vendor management best practices to understand and control third-party risk. Pay particular attention to existing contracts and agreements to understand what elements are in place for protecting the institution against cyber threats, and how you’ll be notified in the event of a security breach involving your or your customers’ data.

Incident Response and Resilience

Incident response has been mentioned in all regulatory statements about cybersecurity, and for good reason: regardless of whether it originates internally or externally, a security incident is a virtual certainty. Regulators know that, although vendor oversight does provide some measure of assurance, you have very little actual control over specific vendor-based preventive controls. As a result, responsive and corrective controls must compensate for that lack of control.

Make sure your incident response program (IRP) has been updated to accommodate a response to a cybersecurity event. All IRPs should contain the incident response team members, a method for classifying the severity of the incident, a response based on severity (including internal escalation and external notification), and periodic testing and board reporting.

It is important for all community financial institutions to review the requirements for cybersecurity and ensure all components are included in your current policies, procedures, and practices. All measures should be documented and ready to be shared and discussed with regulators.

For more information on what you should be doing to comply with cybersecurity standards, download our complimentary eGuide, Understanding the Cybersecurity Expectations for Financial Institutions.

15 Dec 2015

Community Banks Options for Help with Cybersecurity Regulations

Financial institutions today are under pressure to comply with mounting regulatory requirements, especially as they relate to cybersecurity guidelines. In fact, the FFIEC recently issued an update to the FFIEC Information Technology Examination Handbook’s Management Booklet to more explicitly integrate cybersecurity concepts. Additionally, the FFIEC released a new resource called the Cybersecurity Assessment Tool (CAT) to help financial institutions identify risks and determine cybersecurity preparedness. This in-depth “assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time,” according to the FFIEC.

Due to the “increasing volume and sophistication of cyber threats,” cybersecurity has quickly become a hot topic with regulatory agencies. Regulators expect banks to show evidence that they are measuring cybersecurity threats and preparedness using the CAT or a comparable framework. This expectation applies to banks of all sizes, from a rural one-branch bank to a national bank with billions in assets. For smaller banks with fewer resources and less compliance expertise, complying with the new regulations and requirements can be a challenge.

While some regulatory agencies have indicated that completion of the Cybersecurity Assessment Tool is not mandatory, all have stated they intend to use the tool to assess banks’ cybersecurity readiness. Examiners have already begun to issue verbal and written recommendations to financial institutions that have not filled out the CAT.

After completing the CAT, many community banks are finding they have a higher risk factor than they expected and are frantically searching for ways to efficiently manage the strategies needed to mitigate that risk.

What are your bank’s options for mitigating this increased cybersecurity risk?

Try to manage it yourself

Many banks that try to manage cybersecurity guidelines themselves in-house often run into hurdles immediately. Maintaining the knowledge and expertise of the evolving regulatory environment is a time-consuming endeavor. The CAT assessment alone is about 128 pages. Small banks do not have the bandwidth to manage cybersecurity compliance efficiently and in a manner that meets regulator demands. Many community banks simply can’t afford to have a team dedicated to regulatory management.

Use a local IT service provider

Community bankers have a natural inclination to “shop local,” and that includes looking for service providers who can assist with IT and compliance needs. However, it is also important to understand the risks that generalist IT service providers pose to your institution given today’s oversight environment. Local IT service providers often do not have experience with the regulatory demands bankers face. Auditors and examiners will expect a thorough paper trail to prove that daily practices match defined policies and procedures, and often this must flow through IT resources. Knowledge of your banking applications, cybersecurity and compliance environment is vital!

Engage an experienced bank IT and compliance professional

To help augment limited personnel resources, community banks are increasingly partnering with IT and security service providers that focus on the financial industry to better manage their growing compliance and security needs. It is important to partner with an organization with the right skills, knowledge and expertise.

The right IT service provider couples security measures with an understanding of and support for the unique compliance demands of the financial industry.

08 Dec 2015

Is Cybersecurity Part of Your Bank’s Compliance Program?

Cybersecurity has become a topic of interest to every community bank and credit union due to the growing dependence and reliance on technology, including smart phones and other mobile devices. In the financial industry it has also come under increased regulatory focus, and continues to be a hot topic for the foreseeable future, which is evident with the release of the FFIEC Cybersecurity Assessment Tool (CAT) and the updated FFIEC Management Examination Handbook.

So, exactly what do regulators expect from your community bank, and how does that differ from what you may be doing already? More importantly, with additional new guidance pending, how should you demonstrate cybersecurity compliance?

The FFIEC developed the CAT to help institutions identify their risks and determine their cybersecurity preparedness. The assessment tool provides a repeatable and measurable process for financial institutions to measure their current state of cybersecurity preparedness and track changes over time.

The CAT has two sections: the inherent risk profile and the cybersecurity maturity level. Inherent risk is a function of the type, size and complexity of your institution’s operations, and does not include any existing mitigating controls. The second section of the CAT is designed to help your institution measure its behaviors, practices and processes related to cybersecurity preparedness, resilience, and recovery.

What Comes after the Cybersecurity Assessment?

Once a financial institution has completed both sections, management can create a “gap analysis,” meaning they can decide what actions may be needed to either reduce inherent risks or increase control maturity to bring the actual state in line with the desired state. This is where the biggest challenge may lie for most financial institutions, because the concept of a “desired state” requires you to establish a “risk appetite,” or an acceptable level of cyber risk. For the vast majority of financial institutions offering some electronic banking products, this level is greater than zero, but may not have been formally approved. Once your risk appetite is established, you are then able to determine whether or not your residual risks are acceptable.

Right now, most financial institutions seem to be on the first step of simply completing the CAT. It’s important to note that even though some regulatory agencies have indicated that completion of the tool is not mandatory, all the agencies have stated they intend to use the tool to assess your cybersecurity readiness.

So what should your financial institution be doing now in order to comply with new cybersecurity regulations?

You need to make sure you have kept your information security, business continuity and vendor management policies and procedures up to date. There is no regulatory requirement to have a separate cybersecurity policy as long as cybersecurity is in each of those existing policies. You need to have procedures in place to secure customer and confidential data and recover critical business processes regardless of the source or nature of the threat. Your risk assessments should all be impact-based, not threat-based, but make sure they all contain specific references to the source of the risk.

Make Sure your Vendor Management Program Accounts for Cyber Threats

Vendor risk assessments will need to be adjusted if they don’t specifically account for cyber threats. For example, critical vendors should be assessed for their exposure to, and protection from, cyber threats, with your controls adjusted accordingly (e.g. audit reports, penetration tests, etc.). Your business continuity planning risk assessment should account for the impact and probability of cyber attacks, as well as traditional fraud, theft and blackmail. Regulators will likely be looking for specific references to cyber concerns, so make sure your vendor management policies include a reference to them as well.

Hopefully you’ve already incorporated cyber-based security elements into your overall information security program, and very little adjustment needs to be made. Regardless of what your specific approach to cybersecurity may entail, prepare to discuss what you are doing – and how you are doing it – with the regulators. They will ask about it!
