Tag: DR

30 Dec 2021
Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

Our Top Blog Posts of 2021

With a new year approaching, it’s a good time to review some of the key discussions from the past year. Read these highlights from our top blog posts of 2021, to help your financial institution refine key operational strategies for 2022 and beyond:

1. 2021 Hot Topics in Compliance: Mid-Year Update

Although the COVID-19 pandemic isn’t over, financial institutions have learned valuable lessons so far. Key impacts have been primarily operational, involving risks related to temporary measures taken to weather the crisis. In addition, there are important compliance trends and new regulatory guidance institutions should anticipate going forward. Ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely increase in the future. This will be reflected, in part, by the number of (and types of) assessments that regulators might expect institutions to perform annually. These assessments from various state and federal entities include the Cybersecurity Assessment Tool (CAT), the optional Ransomware Self-Assessment Tool (R-SAT), the Cybersecurity Evaluation Tool, and the modified Information Technology Risk Examination for Credit Unions (InTREx-CU). In addition, there have been major shifts with cyber insurance, and the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. Read more.

2. The 4 “R’s” of Disaster Recovery

Maintaining an effective approach to disaster recovery can help financial institutions satisfy regulatory requirements, better protect themselves from the effects of negative events, and improve their ability to continue operating after a disaster. There are four important “R’s” that institutions should concentrate on for disaster recovery: recovery time objective ( RTO ), recovery point objective ( RPO ), replication , and recurring testing .

RTO is the longest acceptable length of time a computer, system, network, or application can be down after a disaster happens. When establishing RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. The RPO is the amount of time between a disaster occurring and a financial institution’s most recent backup. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. DR replication entails having an exact copy of an institution’s data available and remotely accessible when an adverse event transpires. The best practice is to keep one backup copy onsite and another offsite in a different geographic location that’s not impacted by the disaster. Recurring testing allows institutions to identify key aspects of their DR strategy and adjust as needed to accomplish their objectives. Regular testing can expose potential problems in their DR plan so they can address these issues immediately. Read more.

3. Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s crucial for financial institutions to maintain distinct duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the health of their operations. There should be at least one designated ISO who is responsible for implementing and monitoring the information security program and who reports directly to the board or senior management—not to IT operations management. The significance of segregating the ISO’s duties comes down to oversight: Separating ISO and network administrator tasks helps to create a clear audit trail and ensures risk is being accurately assessed and reported to senior management . It also allows the ISO to provide another “set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders. The ISO’s independent role primarily serves to ensure the integrity of an institution’s information security program . Financial institutions can also use a virtual ISO to create an additional layer of oversight on top of what they have in place internally. Read more.

Discover these and other key topics about banking compliance, security, and technology on the Safe Systems blog.

Or, subscribe now to be the first to receive the latest updates on banking trends and regulatory guidance directly to your inbox.

Subscribe to our blog

 

11 Oct 2021
What Financial Institutions Should Budget for in 2022

What Financial Institutions Should Budget for in 2022

What Financial Institutions Should Budget for in 2022

Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.

1. Multifactor Authentication

Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.

2. Laptops

With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.

And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.

3. Moving to the Cloud

Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.

4. Cloud Security

While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.

5. Virtual ISO

Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.

6. Cybersecurity

You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

In Conclusion

The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:

  • Employee training to ensure adequate, effective, and safe practices
  • Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
  • Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy to ensure ransomware cannot wipe out your data

Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.

As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.

03 Jun 2021
What CEOs Should Know about Disaster Recovery

What CEOs Should Know about Disaster Recovery

What CEOs Should Know about Disaster Recovery

Disaster recovery—the process of restoring IT infrastructure, data and systems in the aftermath of a major negative event—is a specialized area of technology that’s not always top of mind for executives. CEOs must ensure their organization is equipped to quickly resume mission-critical functions following a calamity.

Here are some key considerations that bank CEOs should keep in mind to make sure their financial institution has a feasible approach to disaster recovery.

Expect the Unexpected

A disaster can happen anytime—and in any form. While people typically think of disasters as being natural occurrences, manmade catastrophes such as power outages, equipment failures, cyber attacks, and network downtime due to human error are equally common causes of disruption. Regardless of the source, the need for DR is truly a matter of when—not if. So, CEOs should get comfortable with the uncomfortable idea that some type of disaster will eventually impact their institution.

Be Proactive

DR planning is the key to both preventing disasters, and when they do eventually occur, successfully recovering from a natural or manmade calamity. Not having a sufficient plan in place can hit an institution where it hurts most: a loss of data, business functions, clients and reputation—not to mention time and money. Therefore, bank CEOs must ensure their management team is taking proactive steps to adopt effective DR strategies. This includes implementing—and testing—a plan for getting operations back to normal with minimum interruption.

Besides the practical need for DR planning, the Federal Financial Institutions Examination Council (FFIEC) advocates taking a preemptive approach to this often overlooked area of technology. The FFIEC IT Handbook’s Business Continuity Management booklet advises: “Management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the BIA. In addition, management should develop a coordinated strategy for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software.”

The business impact analysis (BIA) is one tool that bank management can use to ensure their financial institution is adequately preparing for DR. This important mechanism predetermines and prioritizes the potential impact disruptive events will have on business functions. Essentially, the BIA can show gaps in critical processes that would impede disaster recovery and, in turn, the institution’s business continuity.

Consider Outsourcing DR

The intricacies of disaster recovery planning can be daunting, which is why many organizations fail to create a viable DR plan. More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyber attacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient and cost-effective. Outsourcing DR can be especially advantageous to smaller banks that may lack this type of specialized knowledge in house. It can also benefit larger institutions that want the comfort of having third-party services available to support their resident DR specialists.

CEOs have a lot on their plates but paying attention to these important DR issues can help ensure both operational resilience during a disaster as well as regulatory compliance. To learn more about how Safe Systems helps financial institutions and their CEOs develop well designed, compliant DR plans, explore our Managed Site Recovery solution.

06 May 2021
After the Disaster: Real Community Banking Recovery Stories

After the Disaster: Real Community Banking Recovery Stories

After the Disaster: Real Community Banking Recovery Stories

Even the best-laid plans can go awry—especially after a disaster. Our real-life stories from actual community financial institutions underscore the importance of having an effective disaster recovery (DR) process in place.

It’s obvious that a disaster can strike anywhere and anytime. What’s less obvious is that a natural disaster doesn’t have to happen for a financial institution to implement its DR plan. For instance, a server room and all the equipment inside could become damaged by a fire or flood. A power outage or loss of a communications line could take out an institution’s phones, email, and internet. This could be devastating because communication is such an integral function of a financial institution.

Not knowing how long a power outage will last can further complicate the issue. If the outage stretches over a few hours or days, the institution should be thinking about implementing its DR process. But making that call can be difficult. That’s where having an outside team of DR experts available can be helpful. For example, we can help institutions quickly leverage Microsoft Azure for cloud site recovery. We can also assist with ongoing monitoring, maintenance, and testing to ensure the viability of their DR plan.

Real DR Stories from Community Banks

For example, a tornado struck one of our community bank clients and severely damaged its main office. The branch was rendered completely inoperable, unable to serve customers or employees. Fortunately, the critical servers that were housed in the building were not destroyed, and we were able to relocate them to a different branch location. The bank operated the servers from that site for a year while the main office was being rebuilt. Ultimately, we returned the servers to their original location and made the necessary reconfigurations to get everything functioning again. Moving the severs to a different place allowed the bank to avoid failback, which can be the most complicated aspect of the disaster recovery process.

Another DR scenario involves a financial institution on the South Carolina coast, where hurricanes frequently make landfall. In this case, a hurricane demolished the main office and completely flooded the location. As a result, the institution lost its servers, internet connection, and ability to communicate. The bank’s DR strategy relied on using 4G to restore internet connectivity, but the cell towers were down. Thankfully, the network had an old telecommunication circuit that we were able to get turned on and operational. So, after we dealt with the communication curveball, we were able to get the network—and bank—up and running again.

Community Bank in Alaska Shares Insights

It’s often the physical environment that determines the disasters that an institution may encounter. Potential hazards for Fairbanks, Alaska-based Denali State Bank include flooding from nearby rivers, jolting earthquakes, and volcanic eruptions on the Aleutian Chain. Therefore, Denali State Bank—which has $380 million in assets and 150 endpoints across five branches—focuses on ensuring that it has critical IT staff and services available during a disaster.

As part of its DR solution, the bank maintains a designated alternate site—one of its branches—that sits on a separate portion of the power grid. Denali also uses cloud-based Microsoft Azure, which makes it easy to run and test critical functions. During testing, the bank can shut down all connections to its main office (including large SQL servers), quickly spin up everything virtually through Azure, and establish connectivity through a Safe Systems co-location facility. This helps to ensure that vital functions will work properly to support the institution after a disaster.

Get more community banking DR insights. Listen to our webinar on “After a Disaster: Real Community Banking Recovery Stories” to make sure your institution is better prepared for an unexpected negative event.

29 Apr 2021
The 4 “Rs” of Disaster Recovery

The 4 “Rs” of Disaster Recovery

The 4 “Rs” of Disaster Recovery

Organizations can be impacted by a natural or manmade disaster at any time. Having an effective approach to disaster recovery (DR) can help banks and credit unions meet their regulatory obligations, better protect themselves from the impact of a significant negative event and enhance their ability to bounce back and continue operating in the aftermath of a disaster.

There are four “R’s” when it comes to disaster recovery that every financial institution should focus on: Recovery Time Objective (RTO); Recovery Point Objective (RPO); Replication; and Recurring Testing. Here’s why each of them is integral to DR:

RTO

RTO, the longest acceptable length of time that a computer, system, network, or application can be down after a disaster happens, is a crucial facet of DR. Established RTOs essentially represent trade-offs, with shorter RTOs requiring more resources and ongoing expenses. When setting RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. Ideally, financial institutions will have RTOs predetermined before a disaster strikes, and the RTOs will be included in the institution’s Business Impact Analysis (BIA) as part of the business continuity planning process. Following a disaster, the recovery process will depend on the type of institution, technology solutions, and business functions as well as the amount of data involved. Institutions with an outside vendor guiding their disaster relief efforts typically have a more streamlined and less stressful recovery process.

RPO

The RPO represents the amount of time between a disaster occurring and a financial institution’s most recent backup. If too long, and too much data is allowed to be lost, it could result in substantial damage. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. The Information Security Officer (ISO) and management must define exactly how long they are willing to go without having a copy of their data available. As banks and credit unions become more dependent on technology, however, their tolerance for not having critical functions available shrinks. Increasingly, financial institutions are turning to outside vendors to bolster their recovery solutions, but they must ensure that those third-party providers are adequately equipped to satisfy their RPO requirements.

Replication

Effective DR replication is essential because it allows an exact copy of an institution’s data to be available and remotely accessible when an adverse event happens. DR requires the duplication of data and computer processing to take place in a location not impacted by the disaster. The best practice is to have one backup onsite and another offsite in a different geographic region—somewhere that is not likely to be affected by the same disaster. Options for recovery can take various forms: fully redundant systems at alternate sites; cloud-based recovery solutions (either internally developed or outsourced); another data center; or a third-party service provider; according to the Federal Financial Institution Examination Council (FFIEC).

Recurring Testing

Recurring testing allows banks and credit unions to pinpoint key aspects of their DR strategy and adjust as needed to accomplish their objectives. Thorough testing of a financial institution’s core applications should be done annually — while they are functioning normally — to generate the most meaningful feedback. The institution should employ a variety of tests and exercises to verify its ability to quickly resume vital business operations in a disaster situation. Regular testing can reveal possible problems in the institution’s DR plan so that it can immediately address these issues. The aim is not necessarily to pass each test or exercise, but rather to find and fix flaws before a disaster occurs.

Read more about how your bank or credit union can be better positioned to recover from a disaster. Download our “4 Rs of Disaster Recovery” white paper.

22 Apr 2021
Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM

As part of business continuity management (BCM), banks and credit unions must ensure they can maintain and recover their operations after a catastrophic event happens. Their BCM strategy should outline all the significant actions they intend to take after a natural disaster, technological failure, human error, terrorism, or cyber attack. The goal is to lessen the disaster’s impact on business operations, so the financial institution can continue running with minimal loss and downtime.

Disaster recovery (DR) is essentially the IT part of the business continuity plan. It should address the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software needed to get operations back to normal, based on the Federal Financial Institution Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

The Need for a Comprehensive DR Solution

Financial institutions must have effective DR measures in place to ensure they can deliver the resources their employees need to continue serving customers after a disaster. That’s why having a comprehensive DR service is so critical. The simplest and most cost-effective way to accomplish this is with a cloud-based solution.

With DR in the Cloud, institutions are always prepared to respond to natural and man-made disasters as well as infrastructure and technology failures. The Cloud allows institutions to access their data—no matter what kind of disaster strikes. This could be crucial if a severe storm does damage to an entire city and multiple locations of a community financial institution. The institution would not be able to handle DR on-site, making the Cloud the most viable option. The March 25th outbreak of tornados in central Alabama is a good example of the potential need for cloud DR. The tornadoes tore into hundreds of miles of Alabama forest and neighborhoods, causing significant damage, according to the National Weather Service.

The Cloud provides major benefits in any DR situation, including ease, expediency, and efficiency. If institutions have been doing ongoing backups, they can leverage the Cloud to initiate DR right away. The process is quick; recovery can take minutes instead of hours or days as it did for older DR solutions. However, it’s important to set up DR processes so that they are not subject to issues that can impact the institution’s main system. Take, for instance, the rapidly increasing problem of ransomware. It’s important to have cloud DR services structured so that the DR backups cannot also be infected with the same ransomware.

Essential Aspects of a DR Service

Another essential element for a cloud DR service is testing. The test results should be documented and available for Management and the Board of Directors to scrutinize. This can help institutions ensure their expectations are being met by the DR service. Institutions that are not using a comprehensive DR service are more likely to delay the testing and validation steps that are critical to business continuity planning (BCP). It’s basic human nature: IT admins tend to prioritize addressing urgent day-to-day issues over doing routine testing.

So, either testing doesn’t get done regularly or it doesn’t happen at all. A third-party DR service with a team of experts available can make sure testing gets done at the proper time. Another important issue for institutions is having IT staff available with the appropriate knowledge when a disaster strikes. With an external service provider, someone with the right expertise will always be there to execute the disaster recovery. So, the success of the institution’s DR plan will not depend on the availability of just a few employees.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. It can give financial institutions the best bang for their buck. Not using cloud DR can be cost-prohibitive for many institutions, considering the hardware and software requirements, maintenance, ongoing testing, and documentation required. Ultimately, a cloud DR solution from an external service provider can give institutions the comfort of knowing their DR plan is being adequately tested and will work during a real disaster.

28 Jan 2021
Why De Novo Banks Should Choose the Cloud

Why De Novo Banks Should Choose the Cloud

De novo banks have enough to be concerned about as they struggle to get established: raising capital, selecting a core system and products, getting enough personnel in place—and keeping everything afloat until they begin to thrive. Opting for the Cloud is one of the most prudent decisions a de novo bank can make.

Ease and Speed

A key benefit of employing the Cloud is the ease and speed of implementation, which is especially advantageous for a de novo with a tight timeline to get up and running. The Cloud also affords a de novo the ability to choose technology solutions based on its unique specifications. Rather than trying to estimate and make provisions for future growth, the bank can select cloud services according to its current requirements and as the de novo grows or reduces its operation over years, it can make the necessary adjustments to fit. In a real-world scenario, if a bank needs the capacity to process more loans, a cloud provider can instantly ramp up to meet that demand.

Cloud services also provide de novos with the cost-saving flexibility to forgo extensive infrastructure investments upfront and help avoid the expense of maintaining and replacing outdated hardware over time. Working with a major cloud provider means de novos will always be using the latest and best technology. This supports more predictable technology costs, especially when working in tandem with a managed cloud provider that can minimize the need for retaining a larger IT staff.

Disaster Recovery

Financial institutions—no matter how new they are—must have a strategy in place for restoring their IT infrastructure, data, and systems following adverse events, such as natural disasters, infrastructure failures, technology failures, the unavailability of staff, or cyber attacks, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

When a de novo chooses the Cloud to support its banking system, it simplifies many of the typical aspects of disaster recovery (DR). Cloud-based DR allows institutions to replicate the data in their main offices and transmit it to a safe location that staff can access during a catastrophic event. Having continuous replication means there’s minimal lag time when switching from live to DR mode. Plus, the Cloud makes it easier for IT staff to go live, run tests, and complete tests more thoroughly. Ultimately, cloud services can help de novos go beyond merely addressing disaster recovery, to instituting steps for disaster avoidance.

Here are some other compelling reasons for de novos to embrace the Cloud:

  • Security: A de novo bank has access to more security resources with the Cloud, making it easier to incorporate the best practices that regulators expect. Major cloud providers like Microsoft, Google, and Amazon maintain an army of security experts; they simply can offer more robust security than small de novos can build on their own.
  • Compliance: Leading cloud vendors are well versed in regulatory compliance issues, and de novos that use managed cloud providers receive a comprehensive solution that can further enhance compliance and vendor management.
  • Flexibility: With cloud services, de novos not only gain the advantage of being able to manage their IT infrastructure from anywhere, but they also gain the capability to easily turn on/off cloud services allowing them to quickly explore new ideas or diagnose problems within their environment.

The simple truth is that a de novo bank could never build an IT infrastructure on par with what it can accomplish through the Cloud. And working with a managed cloud service provider like Safe Systems can make using the Cloud even easier, leaving bankers free to focus on banking.

16 Jul 2020
The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

The ISO in a Crisis: The Increased Importance of Vendor Management During a Pandemic

In a previous post, we discussed the role of the ISO in a pandemic and how he or she must make sure all routine tasks are still being completed; help the institution adapt to the new circumstances; and continue providing all products and services at an acceptable risk level.

While an institution may be prepared to continue business as usual, its third-party provider partners may not be on the same page. Like the bankers they support, third-party vendors are also experiencing the impact of the pandemic and are dealing with a variety of operational issues as well. Financial institutions must be able to perform effective vendor management during a crisis and develop alternative plans in the event a critical vendor may not be able to perform the services agreed upon.

Here are a few things the ISO must consider to effectively evaluate the institution’s vendors during a crisis like a pandemic:

Identify Vendor Risks

During a pandemic, the ISO must anticipate several different risk scenarios that can adversely impact the institution’s daily operations. With vendors, there are two interrelated key risk factors to consider:

  • “Supply chain risk” is related to the interconnectivity among the entity and others. In a pandemic, critical vendors may receive an overload of requests for products and services from a variety of industries and may not be able to keep up with demand. For example, many financial institution employees have been working remotely due to Coronavirus and to keep the network secure, financial institutions have provided company laptops to staff. However, if the FI’s laptop provider runs out of inventory, the institution is then put in a difficult situation – if they allow the use of personal devices, they must still make sure all employees can work safely from home and ensure the network remains secure.
  • “Cascading impact risk” is an incident affecting one entity or third-party service provider that then impacts other service providers, institutions, or sectors. For example, if the vendor that manages the bank’s perimeter security has a large case of absenteeism and an inadequate succession plan, real-time alerting may be negatively impacted, and the institution could be exposed.

Evaluating these risks with third-party vendors in advance will help ensure that they have the proper personnel redundancies in place, so these situations don’t impact the institution.

Managing Third-Party Risks

According to the Federal Financial Institution Examination Council (FFIEC), open communication and coordination with third parties, including critical service providers, is an important aspect of pandemic planning. A current SOC 2 report that covers the “availability” trust criteria is the best way to determine if the vendor has the capability to respond and recover its systems. In the absence of a SOC report, the first thing the ISO should request is a copy of the business continuity plan. Since the SOC report may not cover the service providers’ vendors (also referred to as sub-service providers), the ISO will also want to gain some awareness of the possibility of supply-chain risk. For example, how might a provider failure two to three layers deep affect the institution?

In addition to vendor business continuity plans, the ISO should ask additional questions about how the vendor is managing the pandemic. Here are a few examples:

  • When was the last time you updated and tested your BCM plan? Have you incorporated the possibility of a failure of a critical sub-service provider?
  • Is the likelihood and impact of a pandemic evaluated as a part of your risk assessment?
  • How do you plan to continue providing services in the event of the loss of key employees?
  • Have you been in communication with your critical third-party providers?
  • Are you financially prepared to withstand a long-term pandemic event?

Critical third parties are often either overlooked or under-managed during normal circumstances, but because of the current high level of interdependency among financial institutions and their third-parties, operational events such as pandemics call for much closer scrutiny. Depending on responses received, ISOs may choose to accelerate their oversight efforts, revisit their vendor risk assessments, and make adjustments accordingly.

For more information on responding to pandemic events, view our pandemic resources.

18 Jun 2020
Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

  • Review all guidance and issues related to their institution and become familiar with any changes that might impact them
  • Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments
  • Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

  • Analyzing potential threats
  • Assessing the technology required
  • Managing access controls and security
  • Conducting regular data recovery test
  • Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”

14 May 2020
Key Benefits of Cloud Infrastructure for Banking IT Operations

Key Benefits of Cloud Infrastructure for Banking IT Operations

Key Benefits of Cloud Infrastructure for Banking IT Operations

Cloud technology has been driving efficiency and innovation across many industries for years and today, many community banks and credit unions are adopting cloud services for their IT operations.

In a recent webinar, Safe Systems presented an overview of cloud infrastructure and the key benefits to financial institutions. Here are a few points to keep in mind if you’re thinking about implementing cloud services:

Data Centers

Cloud service providers, like Microsoft Azure or Amazon Web Services, have some of the best data centers in the world, providing space, power, cooling, and physical security. You no longer have to worry about the management burdens of an on-premise solution or co-location when your servers and applications are hosted in a secure cloud environment.

Lifecycle Management

The cost of server hardware does not end with its purchase. There are hidden costs of tracking which assets are still healthy, supported, and under warranty. Replacing aging equipment every few years often requires a complex project that impacts availability and takes time away from meeting more important objectives. With cloud services, you can eliminate lifecycle management of your server equipment, enabling you to focus your effort on higher-value projects that drive your business.

Availability

When you adopt cloud services, the availability of your critical application infrastructure and data is the responsibility of the cloud provider. The major cloud providers are able to attract and retain the best talent in the world to keep systems healthy and secure. They deliver your services from a highly resilient network of multiple data centers, vastly reducing your dependency on any single datacenter.

Flexibility

  • Experimentation
  • If your goal is to develop a specialized project for your institution, a platform like Microsoft Azure has many different services to make it easy for you to test scenarios or try new ideas without investing in hardware or navigating the justification and purchase order process. You simply visit the website, turn on a resource, and experiment. Later, you’re able to turn it off with no further commitment.

  • Fast Turnup and Fast Turndown
  • Cloud services enable you to get up and running fairly quickly in this new environment. Instead of having to order hardware and wait for it to be shipped or spend time setting up the solution, you can go from having an idea to having the solution turned on literally within a few minutes. Fast turndown is equally important. When you no longer need the solution, you can simply turn it off, and more importantly, the billing ends as well.

  • Elasticity
  • The elasticity of cloud service means that you can add capacity when you need it and remove expense when you don’t. For periodic computing tasks, like month-end processes, extra computing power can be added to your cloud services and then removed after the job is complete. This is more cost-effective than building an infrastructure that is sized for the busiest day of the year.

  • Serverless Functions
  • Lastly, large cloud providers have many advanced functions that can provide community banks and credit unions with new capabilities like serverless computing. Some workloads that traditionally required a dedicated server, like a Microsoft SQL database, may be able to move into a serverless alternative like Azure SQL. This creates the opportunity to start reducing the quantity of Windows Server instances that need to be patched and maintained.

Cloud infrastructure allows community banks and credit unions to reduce servers, internal infrastructure, and applications that would typically have to be hosted on-premises, in addition to the associated support each one requires. It also enables you to experiment and find the right services that fit your institution’s corporate strategy and IT objectives.

To learn more about cloud services, including cloud-based disaster recovery, watch our webinar recording, “The Cloud: Recovery and Resiliency is Just a Click Away.”

07 May 2020
How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

Disaster recovery is a concern for all financial institutions, regardless of size or location, and is essential to protecting data, infrastructure, and overall business operations. In addition to having a thorough disaster recovery (DR) plan, community banks and credit unions need to have a solid site recovery environment to facilitate a quick return to normal business operations, in the event of a natural disaster or other disruption.

Cloud disaster recovery solutions are growing in popularity among many community banks and credit unions. However, it is important to understand the key differences in site recovery models to determine the best fit for your institution.

In a recent webinar, Brendan McGowan, Chief Technology Officer at Safe Systems, outlined the three most common site recovery models available to community banks and credit unions today and discussed key considerations when implementing each.

In-House Site Recovery

When using an in-house site recovery model, financial institutions commonly have a virtualized server environment. These machines often run in a VMware vSphere environment which sits on top of a storage array. On the DR side, there is essentially a clone of the production environment to receive the replicated data. This works well for many financial institutions, however, there are a few considerations to keep in mind.

House Site Recovery

With in-house site recovery, you’ll need to:

  • Have redundant hardware in the DR environment at an additional cost.
  • Purchase an additional facility like a co-location or branch for DR.
  • Oversee hardware and software lifecycle management for both production and DR environments.
  • Set up dedicated connectivity like multi-protocol label switching (MPLS) to point replication to the DR environment.
  • Conduct regular maintenance to ensure all replications are healthy and perform periodic testing.
  • Have significant expertise and talent to make sure the system works correctly and consistently.

Cloud Site Recovery

In this model, the production environment remains the same, but the hardware and software used in the DR environment are replaced with a cloud-based solution. With cloud site recovery, financial institutions don’t have to pay for servers and computing time until the day they need to turn on the disaster recovery solution. Until then, the institution will only be billed for the amount of storage it consumes.

Cloud Site Recovery

When you use a cloud site recovery solution like Microsoft Azure Site Recovery, you create a storage pool to receive replication from a small server on-premise, which is the cloud site recovery replication server. The replication server works by having each of your production servers send its data changes in real-time to the cloud application server. This server is compressing, encrypting, and deduplicating all of the incoming data and continuously shipping it securely to your cloud site recovery storage pool.

With the cloud site recovery model, you no longer have to:

  • Deal with redundant hardware on the DR side since everything is stored in the cloud.
  • Manage hardware and lifecycle management on the DR-side.
  • Pay for separate facilities since the data is in the cloud, and you can store your data anywhere in the world.
  • Worry about dedicated connectivity because you can send all of the replication over the internet with a simple virtual private network (VPN).
  • Handle all of the maintenance or have the expertise required to run the system.

Cloud-Native Resilience

In the cloud-native site recovery model, both the production and disaster recovery environments are in the Cloud. To set up the cloud environment, using Microsoft Azure, for example, you can sign up for Azure Virtual Machines, which would correlate to VMware vSphere in your environment. After that, you can set up your production virtual machines.

Cloud-Native Site Recovery

At this point, you can register for cloud site recovery for your institution’s individual virtual machines. Once you’ve selected your machines for replication, the system automatically moves that data to whichever Azure zone you select so you get to choose some zone disparity.

In the cloud-native resilience model:

  • There is no Azure site replication server as there was in the cloud site recovery model.
  • Since both environments are cloud-native, all the data is in the cloud and you need not worry about a replication server. Simply check a box to turn it on.
  • In addition, file backup is also a simple checkbox for each server, providing you the option to choose the location to store the data.

Migrating to cloud-based services is a great option to reduce maintenance; significantly speed up the disaster recovery process; and improve overall operations for your institution. If you are interested in implementing a cloud-based disaster recovery solution, Safe Systems can help you determine the right environment for your institution.

To learn more about disaster recovery and moving to the Cloud, watch our recorded webinar, “The Cloud: Recovery and Resiliency is Just a Click Away.”