Exams Archives - Safe Systems

20 Oct 2022

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

Special Guest Speakers Share their Expertise on Key Banking Systems and Compliance Trends

Our first Customer Success Summer Series offered live webinars with special guest speakers who shared their industry knowledge to help our customers and other financial institutions enhance internal processes and key areas of their banking operations.

In August, we hosted Cary Parris, Co-Founder and CTO at iTransit Solutions who presented “The Evolution of Phone Systems: Which is Right for You?”.
In September, we presented “2 Guys and a Microphone: Matt and Tom Chat About Compliance Trends and Rumors” where Matthew Jones, Partner and Financial and Information Security Auditor at Symphona, and Thomas Hinkel, the Compliance Guru at Safe Systems discussed recent developments and trends in regulations and shared their insights on current findings from examiners and auditors.

The Evolution of Phone Systems

Today businesses are facing the acceleration of remote working—Voice over internet protocol (VoIP), Virtual Private Networks (VPN), virtual meetings, and dynamic routing of phone systems based on the user’s location—all have become must-have requirements. Legacy telephone services are becoming more obsolete as some telecoms decommission analog technologies in favor of fiber pots and other alternatives. The old telephone system is evolving into a more modern option: unified communications as a service (UCaaS), which merges communication channels into a single cloud-based system. UCaaS offers all the necessary infrastructure, applications, and resources businesses need in an easily scalable solution. Unified communications tools can include chat, VoIP, text messaging, and online video conferencing.

UCaaS gives institutions the benefit of advanced functionality which allows employees to work remotely more efficiently, including things like the ability to check other users’ availability, reach people whether they are in the office or out in the field, and access the platform from anywhere. Another evolving facet in telecommunications is call center as a service (CCaaS), which also streamlines omnichannel communication and allows remote employees to work together as a call center team.

Given its flexibility and efficiency, it is easy to see why UCaaS is moving to the forefront of communications. There is a wide range of unified communications features, equipment, and prices and it is important for your institution to clearly define its unique needs to find a solution that will satisfy its requirements. It is also important to continue to evaluate your equipment and services every few years as technology and pricing continue to change.

Watch the recording of this webinar to gain a better understanding of UCaaS and other options so you can make the right choice for your institution.

2 Guys and a Microphone

Matt and Tom have both spent most of their careers focused on risk and regulatory compliance for financial institutions. We recorded their recent conversation which spans many topics including increased scrutiny on vendor management, continued focus on ransomware, and more.

Recent audit and exam trends continue to have a strong focus on third parties and proper vendor management. Examiners are considering the preponderance of fintechs, how much the average financial institution is outsourcing, and the inherent risk that originates from third-party vendors. Interestingly, their increased scrutiny may extend to any significant sub-service vendors that institutions may have. In addition, we are seeing questions arise about vendor management in the context of insurance. Cyber liability insurance applications are requesting more details about the management of vendors and other third parties.

There have also been some interesting audit and exam findings. For instance, one institution was encouraged to complete a post-pandemic/walk-through test or “dry run” of their pandemic procedures. This is curious considering all institutions have been in a “live exercise” for the past few years with the pandemic. Regardless, there is a good chance that the pandemic verbiage in your disaster recovery plan needs to be updated based on what has or has not been done in response to the current pandemic. And it is important to consider that an annual pandemic test will be a part of examiner expectations going forward along with the traditional business continuity, natural disaster, and cyber incident tests.

On the regulatory front, the new Computer-Incident Notification Rule went into effect on April 1, 2022, which is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The rule has two components:

The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

In March, we hosted an in-depth webinar on understanding the requirements, recognizing gray areas, and preparing for unknowns. To help intuitions meet these requirements, we also created a detailed flowchart to understand when an event is severe enough to activate your Incident Response Team (IRT) and when regulators and customers should be notified.

Another regulatory trend to keep your eyes on is the increasing focus on ransomware industry-wide is prompting some state banking organizations to require institutions to use the Ransomware Self-Assessment Tool (R-SAT). The 16-question R-SAT is designed to help institutions evaluate their general cybersecurity preparedness and reduce ransomware risks. The R-SAT supplements the Cybersecurity Assessment Tool developed by the Federal Financial Institutions Examination Council (FFIEC). It will be interesting to see if more states begin requiring this additional diagnostic tool.

Watch the recording to hear more insights about INTrex, SOC Reports, and SSAE 21.

16 Jun 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Choosing a Virtual ISO (VISO)

The ISO’s role is becoming increasingly more complex and challenging due to growing cyber security threats, the ever-changing technology environment, and expanding regulatory expectations. It can be difficult for banks and credit unions to stay on top of information security issues. That’s why today even the smallest institutions often engage a trusted third party for help. A virtual information security officer (VISO) service can help institutions effectively manage information security so that nothing gets missed or falls through the cracks.

Common Types of VISO

The most common types of virtual ISO solutions available to institutions are the “do-it-yourself” (DIY), “hybrid,” and “offload” models. The DIY option is designed for institutions that have a solid grasp of the ISO’s job functions and just need some basic tools and limited consultation to enhance their efforts. This model is the least expensive but also requires more of a time commitment from your internal resources. The hybrid model may typically include an assortment of apps, templates, pre-configured reports, and other tools, along with a broader and deeper level of consultation. Resource requirements from the institution side are greatly reduced compared to DIY, but typically greater than offload. Accordingly, costs for a hybrid approach are somewhere between the two other models. The hybrid model also tends to be the most flexible and is designed to evolve with the changing needs of the institution. Finally, the offload approach attempts to provide a “turn-key” solution wherein the virtual ISO partner effectively assumes most or all the responsibilities of your internal ISO. This approach requires the least involvement from your institution (which could introduce other challenges…see the “Examiner Support” section below), but it is usually also the most expensive. As this model is the most inclusive, the knowledge and experience of the third-party provider are your most important consideration. The offload approach typically includes unlimited consultation, on-demand reporting, participation in committee meetings, etc.

Key Factors to Consider

When choosing a virtual ISO, there are some important aspects to consider to ensure your institution selects the best option. Keep in mind that each virtual ISO model comes with a certain level of flexibility and engagement for a specific price. The key is to carefully balance the service and costs against your specific internal resource gaps to determine the best solution for your situation. Ideally, whatever solution you choose should have the flexibility to dial up or down the level of service, depending on how your situation may change in the future.

Whatever virtual ISO solution you opt for, it should provide documentation and reporting in a form that the various stakeholders can understand. Each one of the many ISO responsibilities has one or more reports or documents that support the requirement to hold the ISO accountable for its responsibilities. The board of directors, the steering committee, the IT auditors, and examiners, all have different perspectives and comprehension levels and may require different degrees of detail for the same information. For instance, boards and examiners might require higher-level data, whereas steering committees and IT auditors might require more detailed documentation for their purposes. You should have access to on-demand reporting with relevant, actionable, up-to-date information that matches the level of engagement for the various stakeholder groups.

The regulatory guidance on ISO responsibilities includes terms such as “engaging with” and “working with” management in the individual lines of business to understand the risks of various initiatives. They also expect the ISO to “implement” the information security strategy as defined by the board, and to periodically “inform” the board and senior management on the status of the program. In the case of a virtual ISO, your hybrid or offload third-party partner needs to have an excellent understanding of enterprise-wide strategic objectives, and a good working relationship with management in all lines of business and within the different departments within your organization.

Remember, as with all outsourced activities, even though you can delegate some (or even most) of the heavy lifting to a virtual ISO, you cannot outsource responsibility. Your institution still must maintain a strong oversight effort to ensure that all ISO duties are completed, documented, and reported appropriately. Higher levels of third-party reliance require correspondingly higher levels of oversight. According to the Federal Financial Institutions Examination Council’s Outsourcing Technology Services booklet you are obligated to oversee all activities, whether you perform them, or a third-party performs them on your behalf.

Examiner Support

The examiner feedback we have seen to date strongly supports the idea of financial institutions implementing a virtual ISO solution “…as long as it’s done correctly.” That means focusing on all the responsibilities and accountabilities of the role and making sure sufficient documentation and appropriate oversight and reporting are built-in. Doing it correctly also means making sure the in-house ISO is not so detached from the processes and procedures that they cannot authoritatively explain them to a stakeholder, which can be the primary downside of the “offload” model. The decision-making process is the most important concern for regulators. Your solution should allow you to offload enough to make the ISO’s job easier and more organized, but not so much that they become disconnected and lose operational awareness of their current threat and control environment.

In conclusion, choosing the right type of virtual ISO service allows institutions to provide the appropriate level of insight and oversight for their in-house ISO. This can help them to be better equipped to manage information security activities, meet evolving industry standards, and adjust to tightening regulatory requirements, all in an increasing cyber threat environment.

At Safe Systems, we offer a virtual ISO service based on the above-described hybrid model. ISOversight™, is a VISO service that is flexible to accommodate the changing needs of community banks and credit unions. The ISOversight service includes a full suite of applications to manage everything from vendors to business continuity, along with all associated information security policies and risk assessments. This is a cost-effective, comprehensive, and flexible solution that makes information security management much more efficient. For more insight about the most common virtual ISO models and how to determine which one may be right for you, view our webinar on “Is a Virtual ISO Right for You?”

02 Feb 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2021 Compliance Review and Tactics for Staying Ahead of Regulators in 2022

Compliance Review and Tactics

With 2021 in the rearview and 2022 well underway, it’s a good time to consider some compliance issues from last year, and current trends and tactics for keeping ahead of regulators this year. In 2021, we saw a number of compliance-related changes from the Federal Financial Institutions Examination Council’s (FFIEC) and Federal Deposit Insurance Corporation (FDIC). One important development, especially for smaller community banks and credit unions, was the FDIC’s new Office for Supervisory Appeals. The office—launched in December to operate independently within the FDIC—considers and decides appeals of material supervisory determinations. It replaces the existing Supervision Appeals Review Committee.

The Office of Supervisory Appeals will “enhance the independence of the FDIC’s supervisory appeals process and further the FDIC’s goal of ensuring consistency and accountability in the examination process,” according to the FDIC. There’s a broad range of material supervisory determinations that institutions can appeal through the office, including CAMELS ratings under the Uniform Financial Institutions Rating System; IT ratings under the Uniform Rating System for Information Technology (URSIT); and Trust ratings under the Uniform Interagency Trust Rating System. This new appeal process isn’t a guarantee that supervisory findings will be changed but may prove useful as a last resort for FDIC institutions facing downgrades in scores where there is a material disagreement between the FI and the FDIC.

Another significant FFIEC development last year involved amendments to the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. The BSA amendments included certain provisions to the USA Patriots Act to detect, deter and disrupt terrorist financing networks. This would appear to be an area of focus going forward, as 3 of the 10 most substantive (i.e., non appointment-related) FFIEC releases in 2021 were related to BSA/AML.

In June, the FFIEC issued a new Architecture, Infrastructure and Operations (AIO) booklet as part of its Information Technology Handbook. With this logical move, the FFIEC replaced its July 2004 Operations Handbook with a single booklet that merges three interconnected areas. In August the FFIEC also enhanced its guidance on authentication and access to services and systems—advocating for the widespread use of multi-factor authentication (MFA)—and released guidance on conducting due diligence on fintech companies.

One additional item of note in 2021; the FDIC’s tech lab, FDITECH, launched an initiative to challenge institutions to measure and test bank operational resiliency. Ultimately, a set of metrics may be applied to financial institutions—perhaps community banks in particular—to determine whether they are adequately resilient against operational disruptions. We’re keeping a close eye on this as it may lead to a universal formula for grading or ranking resilience. Anything that reduces subjectivity also reduces uncertainty, and that is a good thing when it comes to regulations.

Tips, Tricks, and Tactics

One of the main tactics to apply now to enhance compliance is to focus on the concept of resilience in all areas of the financial institution. Incorporate this concept into your business continuity management plan, vendor management program, third-party supply chain management, and information security. The key is to prepare in advance for a disruption—to put processes in place to reduce the possibility of disruption, and to minimize the impact of disruption should it occur.

Here’s another way to stay ahead of regulators: Financial institutions can connect the concept of risk appetite to the acceptable risk in their risk assessments. This goes beyond merely asserting that whatever residual risk you may have is deemed acceptable, which is highly subjective. Inherent risk less controls establish residual risk. However, residual risk levels must be compared to pre-determined risk appetite levels to determine acceptability. Only if the residual risk is less than or equal to their risk appetite can residual risk be considered acceptable. This process also reduces subjectivity and uncertainty—which should leave examiners and auditors much less room for interpretation, and result in a better audit/exam experience for you.

What to Consider in 2022 and Current Trends

Another area we’ll definitely be watching in 2022 involves the new incident notification rules that were issued late last year. All financial institutions will need to update their incident response plan and possibly their vendor management program and business continuity plans to accommodate these new regulations. These changes, while not necessarily difficult, can be pervasive in that they will cross over into multiple policies and procedures. In short, the rule requires institutions to notify their primary federal regulator as soon as possible—no later than 36 hours—after they determine that a notification incident has occurred. There are also new requirements for third parties to notify you if they experience a similar event, which could require changes to the vendor contract. The effective date of the new rule is April 1, 2022, with compliance expected to begin on May 1, 2022. There may be a grace period, but financial institutions should be prepared for examiners to ask questions about your adherence to these new rules at your next Safety and Soundness exam.

Regarding trends, we believe the focus on third-party risk management will continue in 2022 and into the future. Currently, there’s growing support for the idea of having the FDIC, Federal Reserve, National Credit Union Administration (NCUA) and other agencies coalesce around a single set of standards for third-party management. This would create more consistency with the rules concerning how regulators and others define third parties and vendors, and expectations for effective risk management. The outcome of the discussions around this topic may not manifest until Q3 or Q4 of this year, but institutions should work on formalizing their process for conducting due diligence when dealing with fintech companies and other critical vendors.

Safe Systems has been serving financial institutions for more than 25 years. To get more of our experts’ views on this topic, listen to our webinar on “Compliance Review and Tips, Tricks, and Trends for Staying Ahead of Regulators in 2022.”

08 Dec 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

5 Compliance Lessons Learned in 2021 to Bring into the New Year

As the challenges presented by the COVID-19 pandemic persist, there are important compliance trends and new regulatory guidance that financial institutions should consider to ensure they are well prepared to begin the New Year.

Accounting for Operational Risk

During the pandemic, banks and credit unions have made necessary adjustments that have increased their operational risk. Two prime examples are switching to a remote workforce and accommodating a more remote customer base. Having employees work remotely extends an institution’s network out to that endpoint and, in effect, broadens security considerations to that point as well. Serving a remote customer base—including expanding e-banking and implementing electronic signatures—creates a similar risk. Security implications multiply as more employees and customers access services electronically.

Rapid changes in operational practices and increases in fraud and cyberthreats can cause a heightened operational risk environment if not properly managed. Examiners will want an account of how institutions determined what changes were necessary, how those modifications were implemented, whether those changes were temporary or permanent, and if controls (primary and compensating) have been adjusted for any resulting operational risk increases. They will review the steps management has taken to evaluate and adjust controls for new and modified operational processes. For instance, for permanent changes, did the institution factor in the operational risk of downtime relating to the new processes?

As a measure of governance effectiveness, examiners will also very likely:

Assess actions that management has taken to adapt fraud and cybersecurity controls to address the heightened risk associated with the altered operating environment.
Review management’s post-crisis efforts to assess the controls and service delivery performance capabilities of third parties.
Consider how imprudent cost-cutting, insufficient staffing, or delays in implementing necessary updates impacted the control environment.

Temporary vs. Permanent Changes

For the most part, because we are still dealing with the impact of the virus and its variants, institutions have chosen to maintain many of the temporary measures they implemented during the pandemic. So, because they may have rolled out the changes anticipating an eventual rollback, it may be necessary to “backfill” some documentation to address what is now permanent. Examiners will want to know if the changes were properly risk-assessed prior to implementation, including any new processes and interdependencies. Institutions should be able to provide a report to regulators if they ask—and ensure their board is appropriately updated. This could be a matter of going back and reviewing previous board reports to ensure that any gaps in their risk management reporting were addressed and properly reported to the board.

Ransomware Self-Assessment Tool (R-SAT)

With the pervasive occurrence of cyberattacks, regulators are increasingly concerned about cybersecurity, particularly reducing ransomware. Consequently, regulators in some states are more aggressive than others about having institutions fill out the Ransomware Self-Assessment Tool (R-SAT), which is based on the National Institute of Standards and Technology (NIST) cybersecurity framework. However, most state regulators we’ve spoken with are not going to make completing the R-SAT compulsory—although they may recommend it. If they do, the majority of what is asked by the 16-question tool should already be in place in the institution’s existing incident response and business continuity plans. Your decision to complete or not should be based on a self-assessment of your existing efforts in this area.

Regulatory Updates

New Architecture, Infrastructure, and Operations (AIO) Booklet

Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) revamped its Information Technology Examination Handbook series with a new Architecture, Infrastructure, and Operations booklet. The revised guidance provides examiners with fundamental examination expectations about architecture and infrastructure planning, governance and risk management, and operations of regulated entities. Credit unions, banks, and non-financial, third-party service providers are expected to comply with the new guidance, which replaces the original “Operations” booklet issued in July 2004.

The FFIEC indicates that the release of the updated booklet is warranted because of the close integration between institutions’ architecture, infrastructure, and operations. “Updates to the booklet reflect the changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems,” explains a June 2021 FFIEC press release.

An important component of the new booklet is the resilience and proactive measures that must be built into an institution’s AIO components. Importantly, the handbook also recognizes special treatment for smaller or less complex entities, which is reasonable because examiners are starting to indicate that smaller entities will often implement these concepts differently from large, multinational, multi-regional financial organizations, while still achieving the same objectives. The refreshed guidance also takes a different approach to data classification; it factors in value, along with criticality and sensitivity. However, (and this is consistent with all FFIEC Handbooks released in the past 3 years) the new booklet states that it does not impose requirements on entities; instead, it describes principles and practices examiners will review to assess an entity’s AIO functions. (Of course, we have always found that anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement.) A much deeper dive into the booklet is here.

New Cyber Incident Notification Rules

Another big update that will impact 2022 and beyond, the new cyber incident notification rules. Officially called “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”, they were proposed and submitted for comment in early 2021, approved in November 2021, and become effective in April 2022. Visit our partner site, ComplianceGuru.com, to read the latest post and gain an understanding of how these rules will impact both you and your third-party providers going forward.

To learn more about these and other critical compliance topics, listen to our webinar on “2021 Hot Topics in Compliance: Mid-Year Update.”

05 Nov 2021

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Minimize Examiner Scrutiny by Automating Compliance Processes

Financial institutions can expect to receive increased auditor and examiner scrutiny over their governance and oversight practices, and inconsistencies between procedures and practices will often result in findings. However, these challenges can be minimized or even eliminated by using automation to manage compliance processes.

Incorrect or Outdated References

One of the most widespread exam issues institutions encounter is due to policy inconsistencies, where incorrect or outdated references are used. Mentioning outdated guidance in policies is one of the most common offenses that institutions commit. For instance, referring to an older term like SAS 70 (Statement on Auditing Standards No. 70) or SSAE 16 (Statement on Standards for Attestation Engagements No. 16) instead of the newer SSAE 21 (Statement on Standards for Attestation Engagements No. 21) could be dismissed as a minor oversight, but it could also be considered a “red flag” causing examiners to question whether the institution has properly updated its policies, resulting in further scrutiny. A weakness in one area strongly suggests that there may be other weaknesses.

Another example of this type of issue is referencing “business continuity planning” (or BCP) versus “business continuity management planning” (or BCMP). Again, this would be a minor mistake because the term business continuity planning is not necessarily obsolete; still, it’s not consistent with the most recent guidance, and could lead to deeper dives in other areas. (In 2019, the Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management booklet. This guidance, part of the FFIEC Information Technology Examination Handbook, replaces the Business Continuity Planning booklet issued in February 2015.)

The problem with employing slightly outdated terminology also applies to phrases like “maximum allowable downtime” (MAD) and “maximum tolerable downtime,” (MTD) which is the newer reference. Examiners and auditors will accept either phrase so this is not a critical issue, but the use of dated terms can instill doubt in examiners and make them inclined to dig deeper into the institution’s policies.

Procedure and Practice Inconsistencies

Disconnects between policies and practices are another frequent exam challenge for institutions. Ideally written procedures should not contain statements that contradict the institution’s actual practices. In other words, your actual practices should as closely as possible reflect what you say you’ll do in your written procedures. For instance, there would be a procedure/practice inconsistency if the password policy of the information security program required eight characters, and the acceptable use policy (AUP) that employees signed allowed passwords of a different length. This type of inconsistency will almost certainly lead to further issues with examiners and auditors.

Another key area of focus for examiners and auditors is board reporting. Disconnects can occur if the information presented to the Board is not properly documented in Board minutes. This challenge is compounded by the sheer volume of information modern Boards are required to digest. The only way to make sure board minutes contain all pertinent details is to periodically review them. This will help ensure that the content of board meetings is consistent with both examiner expectations, and your written procedures.

Integrating Automation

In addition to changes in guidance terminology or updates to guidance policies, an institution’s procedures can and do change periodically as well. So contradictory statements resulting from policy updates are inevitable. Still, financial institutions must be aware of guidance changes and must also ensure their current procedures align with their practices and are consistent across all documents to make sure they comply with industry guidance and regulations. While this is easier said than done, technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

For example, a simple way to assess your potential exposure to procedural disconnects is to search through the documents in your institution’s information security program, for statements that include the words “will,” “must” or “shall.” Each of these statements contains an obligation of some sort; something you’ve committed to doing. For each occurrence, determine if A) it’s being completed exactly as indicated, B) by the group or individual assigned responsibility, and C) it’s being performed at the designated frequency or interval. Automation can help track these tasks and provide the necessary proof in the form of documentation. Additionally, most policies will make multiple references to the same task; business continuity may be referenced in information security, incident response in business continuity, vendor management in both information security and business continuity, etc. A change to a procedure or practice in one document should automatically trigger the associated changes elsewhere.

Integrating automation into the equation can help institutions streamline their methods for managing a variety of compliance changes and issues and greatly reduce the most common causes of findings due to disconnects and inconsistencies. Automation can make it easier to maintain more consistent and complete integration in areas throughout the organization, including information security, risk management, network management, vendor management, and business continuity management. Ultimately, automated updating, tracking, reporting, and other tasks can facilitate better preparation for exams and audits, and greatly reduce stress levels!

To learn more about how automating routine procedures can help financial institutions avert auditor and examiner criticism, listen to our webinar on “Managing Your Compliance Processes in 2021: Is There a Better Way?”

If you’re not certain where to begin when it comes to automating your compliance processes, check out our new service, COMPaaS™ (Compliance as a Service). This set of connected applications and powerful monitoring and reporting tools can be customized to target and eliminate your institution’s specific compliance pain points. One of our experts will help you create a solution that is unique to your institution, so you only pay for the services you need. And you can feel confident in choosing from products and services that are backed by nearly 30 years of experience in the banking industry.

26 Oct 2021

Banks, Credit Unions, Technology Christine Ray 0 comment

Glennville Bank Strengthens Security Posture with CloudInsight™ M365 Security Basics

Our CloudInsight™ M365 Security Basics solution is helping community financial institutions increase their security posture. Take Glennville Bank, for example. The Georgia community bank, which has $312 million in assets, seven locations, and 66 employees, jumped at the chance to capitalize on the service to identify and secure threats to its Microsoft 365 settings. M365 Security Basics provided the bank with greater visibility into cloud security settings for Azure Active Directory (Azure AD) and M365 tenants through reports and alerts.

Like most financial institutions, Glennville Bank leverages technology to better serve its customers and maintain its operations. Also, like other institutions, the bank has a variety of Microsoft licenses, and managing the security settings for these products became difficult and time-consuming, particularly for Glennville Bank’s network administrator, Zach Horn, who describes his proficiency with Microsoft as “fairly limited.”

“Given the complexity of our cloud tenant settings, I’m not comfortable enough with Microsoft or their updates to manage every setting correctly,” Horn explained. “With all the potential security risks out there, I knew I needed reports that could help me identify risky security settings, monitor identity controls, and ensure our configuration matches our information security policy.”

With M365 Security Basics, Glennville Bank was able to set data trends and identify several settings that needed addressing, such as creating a baseline for failed logins. The bank also discovered that its user access details were often inconsistent, and through the M365 Security Basics service they received easy-to-follow instructions for correcting the problem. “Safe Systems did a great job fine-tuning the product to the demographic we needed,” Horn said. “Their knowledge has been helpful in pointing me in the right direction in knowing which Microsoft licenses I need to go to in the future.”

Product Highlights

M365 Security Basics is the first offering in Safe Systems’ CloudInsight™ family of products. It’s specifically designed for community banks and credit unions that have Microsoft 365 products (Exchange Online, SharePoint, or OneDrive), use Azure AD, and store non-public information in the cloud. M365 Security Basics’ reporting, alerts, and quarterly reviews are customized to help financial institutions improve their cloud security awareness by identifying potential risks and common signs of compromise. The product is developed by engineers who hold dozens of certifications, including the Microsoft 365 Certified: Security Administrator Associate certification. M365 Security Basics makes it easier for institutions to monitor their configurations for current and new features that are automatically enabled by major cloud providers like Microsoft Azure.

The powerful reporting from M365 Security Basics enables financial institutions to review vital Microsoft cloud tenant settings. This allows them to recognize unsafe security settings, examine identity controls, make sure their configuration is consistent with their information security policy, and demonstrate this to examiners and stakeholders. Reports are available as “Summary” versions (with brief information, such as the Tenant Summary and User Summary) and “Details” versions with more in-depth data. (Glennville Bank uses the Tenant Summary to highlight important issues during IT steering committee meetings.)

M365 Security Basics also offers alerts and quarterly reviews as add-on services. Alerts provide notifications about the most common indicators of compromise (like unauthorized access) and are grouped under Azure AD Roles, Azure AD Sign Ins, OneDrive, SharePoint, and Exchange Online. The quarterly reviews give institutions a periodic, objective analysis of their recent M365 Security Basics reporting, so they can gain a better understanding of their Microsoft 365 tenant security.

CloudInsight™ M365 Security Basics not only helps financial institutions like Glennville Bank secure their information but also makes it easier to compile data required for examiners. Read the complete Glennville case study to see how your organization can benefit from M365 Security Basics.

09 Aug 2021

Banks, Compliance, Credit Unions Christine Ray 0 comment

Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Implementing a technology-enhanced information security program doesn’t have to be a daunting task. Working with a third-party expert can make the process easier and smoother than managing all the requirements completely in house.

Effective information security (InfoSec) allows organizations to safeguard key IT assets, business processes and data from potential threats. It involves the broad measures that ensure the confidentiality, integrity and availability of the information being processed and stored by computer systems. Most financial institutions, especially those with limited IT resources, can benefit from having an outside vendor provide additional technical expertise and solutions to enhance their existing InfoSec program.

First State Bank Improves InfoSec with Safe Systems

First State Bank of Blakely, Ga. is a prime example of how a financial institution was able to tap external resources to expand its InfoSec program. The bank, which has about 100 employees and 10 branches, was handling most of its InfoSec requirements in house. But when First State Bank’s InfoSec consultant retired, the bank opted to expand its vendor management relationship with Safe Systems to include information security.

Safe Systems made the implementation quick and easy, recommending strategic tweaks that significantly streamlined the process. Consequently, First State Bank was able to avoid “reinventing the wheel” by importing some of its existing information. And since the program elements are web-based and accessible through any internet browser, it will be easy for the bank to make future edits.

First State Bank’s IT Manager, William Barnes, specifically references Safe Systems’ expertise, saying: “The knowledge and experience of the experts I worked with during implementation were very helpful. It is good to know they are there to consult with. I think overall, we are in a good place with the new information security program.”

In addition, the program provides an easy-to-follow guide for securing the First State Bank’s operations and processes. The program is reviewed at least annually, which serves as a reminder of important security requirements. “It helps us stay on top of the risks within the bank and has all the available forms that we need for most policies and procedures,” Barnes says.

Benefits of Technology-Enabled InfoSec

Having a technology-enabled InfoSec program offers a host of benefits for institutions like First State Bank. In general, an automated security program can help banks better support the hardware, software, policies, procedures, and information assets needed to accomplish their business objectives. More specifically, incorporating technology can simplify an InfoSec program; it can streamline the process of identifying and classifying the vast number of assets institutions often have scattered across multiple branches and geographic locations. And a built-in risk assessment tool can provide pre-determined default risks for different assets based on commonly known threats and vulnerabilities.

All of this can reduce the need to create huge spreadsheets to maintain the amount of data typically required for an InfoSec program. As a result, financial institutions can have more accurate security-related information, enhanced board reporting, and better decision making and governance.

Consulting with a trusted vendor like Safe Systems allows institutions to immediately expand their information security expertise and resources. Safe Systems includes three applications in their service including Risk Assessment, Policy Manager, and Enterprise Modeling, to help banks and credit unions centralize and automate their InfoSec program. These powerful applications can make it easier for institutions to enhance their processes for assessments, notifications, reporting, policy/procedure updates and regulatory compliance so they can optimize their security posture.

29 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2021 Hot Topics in Compliance: Mid-Year Update

2021 Hot Topics in Compliance

While the COVID-19 pandemic certainly isn’t over, financial institutions have learned valuable lessons so far. In retrospect, the pandemic’s impact on community banks and credit unions hasn’t been as catastrophic as examiners had initially feared—at least not financially. Key impacts have been mostly operational, involving risk related to temporary measures taken to weather the crisis. For instance, examiners will want to know what modifications institutions have made to their operational processes to accommodate an increasingly mobile customer and member base and remote employees, and whether they accounted for additional fraud, cyber threats, or other risks as a consequence. If institutions implemented new products or services, they would need to also account for the operational risk associated with these changes—especially if additional third-party providers were involved. That said, throughout the pandemic, the overall industry demonstrated a very high level of resilience.

In addition to the post-Pandemic lessons, there are other important compliance trends and new regulatory guidance that institutions should anticipate as we approach the rest of the year:

Emphasis on Ransomware Cybersecurity

Recently, ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely ramp up going forward. This will be reflected, in part, by the number of (and types of) assessments that they may expect financial institutions to perform on an annual basis, including the familiar Cybersecurity Assessment Tool (CAT) and newer, non-compulsory Ransomware Self-Assessment Tool (R-SAT) developed partly by the State regulatory bodies.

In addition, at the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) has recently developed its Cyber Security Evaluation Tool. This tool is not specific to the financial industry but rather designed to apply to multiple industries. And the National Credit Union Association (NCUA) decided earlier this year to move away from using its version of the CAT, known as the Automated Cybersecurity Evaluation Toolbox (ACET). It’s now prioritizing a modified InTREx for Credit Unions (InTREx-CU), which is designed to enable credit unions to identify and remediate potential high-risk areas, including within the cybersecurity controls domain.

Changes with Cyber Insurance

Major shifts are also happening with cyber insurance. Because of excessive losses by the insurance industry, there will very likely be increased deductibles, increased exclusions, and decreased limits for covering cyber losses. Cyber insurance coverage—which is not an absolute requirement by regulatory agencies—is going to be more difficult and expensive to obtain. So, the lesson is: As insurance policies come due, don’t automatically renew before you assess what has changed in terms of the coverages, exclusions, and limitations, and make sure you’ve documented your cost-benefit decision.

New Guidance on Architecture, Infrastructure, and Operations

In June, the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. The updated guidance, which replaces the “Operations” booklet issued in July 2004, acknowledges the inextricable link between an institution’s operations, architecture, and infrastructure. Or as a recent FFIEC press release states:

“The booklet discusses the interconnectedness among an entity’s assets, processes, and third-party service providers, along with the principles, processes, potential threats, and examination procedures to help examiners assess whether a financial entity’s management adequately addresses risks and complies with applicable laws and regulations.”

The booklet provides a fresh take on several concepts: It recognizes different treatments for smaller or less complex institutions and adopts a different approach to data classification by factoring in value with criticality and sensitivity. All entities—not just credit unions and banks but also non-financial, third-party service providers—are expected to adhere to the guidance.

In addition, there are also pending new rules for incident notifications for banks, service providers, and core providers, which isn’t surprising with all the recent cybersecurity attacks. Finally, examiners are also expecting more detailed board reporting, such as showing how an institution’s business continuity management plan, business strategy, and risk appetite are all aligned.

For more information about the latest expectations, compliance trends, and regulatory guidance, listen to our “2021 Hot Topics in Compliance: Mid-Year Update” webinar.

22 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

How Financial Institutions Can Enhance Board Reporting and Governance with Technology

As financial institutions face greater expectations for corporate accountability from regulators, effective board reporting and governance are becoming even more essential in the banking sector. While board members aren’t generally involved in the day-to-day operations, they are ultimately responsible for the success of their institution. Proper reporting can enable the board to make decisions without having to be involved in routine activities, and technology can help institutions enhance their board reporting and, in the process, help directors exercise the care, skill, and diligence required for good governance.

Five Essential Elements of Reporting

Board members need access to a range of financial and non-financial information relating to their organization’s products and services. In order to function effectively as a feedback tool for the board and senior management, the FFIEC Management Handbook states that information systems reporting should meet five essential elements:

Timeliness: To facilitate prompt decision-making, an institution’s information systems should be capable of providing and distributing current information to appropriate management or staff
Accuracy: A sound system of automated and manual internal controls should exist to ensure the validity of the information and should include appropriate editing, balancing, and internal control checks
Consistency: To be reliable, data should be processed and compiled uniformly. Variations in data collection and reporting methods can distort information and trend analysis
Completeness: Reports should contain the necessary information to inform decision-makers without voluminous detail
Relevance: Information systems should provide current, applicable, and actionable information

Reporting that contains the essential elements above can provide decision-makers with facts that support and enhance the overall decision-making process and can also “…improve job performance throughout an institution.” At the board and senior management level, information systems reporting provides the data and information to help the board and management make strategic decisions. At other levels, information systems reporting allows management to monitor the institution’s activities and distribute information to staff, customers, and members of management.

Applying Technology

Advances in technology have increased the volume of data and information available to management and directors for planning and decision-making. Converting that data into actionable knowledge is essential for the board to provide a “credible challenge” to management, which involves being actively engaged, asking thoughtful questions, and exercising independent judgment. Integrating technology into their InfoSec efforts, institutions can create a comprehensive system to generate, collect, and analyze data to support a more effective process for board reporting and a more knowledgeable board.

Heather Helms, CFO and Information Security Officer of Mount Vernon Bank, knows firsthand the importance of having an application that supports board reporting. “Before we started our partnership with Safe Systems, we were not up to par with the industry standards of reporting. Since redoing our Information Security Program and moving away from a paper-based model to automated applications, we’ve seen noticeably better results in our board reporting and regulatory updates,” said Helms. “When trying to wear numerous hats within a small community bank and stay on top of a topic so huge in a regulatory world, solutions like Safe Systems’ Information Security Program makes all of the difference.”

There are several advantages to financial institutions using technology solutions to automate and optimize board reporting and governance. The primary advantage is the ability to generate on-demand reporting on all aspects of information security management; from managing projects, to risk assessments (including risk appetite), to managing critical vendors, to mitigating operational risk through business continuity planning. Reporting should allow just enough detail to enable the board to fulfill their responsibilities, but not be so detailed that they struggle to comprehend. Ideally, technology should support high-level reporting, with the ability to “drill down” as necessary. The emphasis should be on quality, not quantity.

Another potential advantage of technology in reporting is the ability to aggregate business intelligence from multiple sources enterprise-wide. This not only gives the board a more complete picture of risk but can also stimulate internal collaboration and deeper insights, giving directors more meaningful information for analysis. The importance of timely, accurate, relevant, complete, and consistent information cannot be overstated, as the success or failure of management is often defined by the decisions they make. As the FDIC states, “The extreme importance of a bank director’s position is clearly emphasized by the fact that bank directors can, in certain instances, be held personally liable.” By having a comprehensive system in place for optimal decision-making, institutions can improve the quality of the information flowing from management to the board, and then from the board to other internal and external stakeholders—helping directors not only improve governance, but also enhance regulatory compliance and possibly even reduce lawsuits, monetary fines, and other negative consequences from inadequate board reporting.

Technology not only optimizes board reporting and decision-making but also makes it easier for directors to access the information they need to perform their due diligence and oversight obligations. It all boils down to implementing technology to exercise better accountability—ensuring sound policies are in place to promote strategic objectives and regulatory compliance.

Safe Systems offers a wide range of compliance-centric, innovative solutions that can help financial institutions take advantage of technology to improve their board reporting and governance.

01 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Benefits of Integrating Technology into Your InfoSec Program

Information security (InfoSec) is a critical aspect of keeping an organization’s computers, networks, sensitive information, and users safe from potential threats. Integrating technology into a financial institution’s InfoSec program can make it easier to manage risk and protect their information and infrastructure assets. Institutions can utilize automation to capitalize on a variety of other benefits, including:

Simplicity

Banking is a complex business. Banks and credit unions maintain a wide assortment of information technology devices, systems, and applications to support their operations. They also have multiple personnel, partners, and third-party providers spread across different geographic areas. The interconnectivity of their operations can make it even harder for institutions to protect the hundreds (and in some cases, thousands) of assets they must maintain. An automated system can make it easier for institutions to inventory and classify their assets—without having to create enormous, time-consuming spreadsheets. It provides a centralized solution for tracking the criticality, location, and risk exposure level of each asset. Identifying the source of risk is the essential first step to effective risk management. Technology and various Software as a Service (SaaS) applications can greatly simplify the process of inventorying assets, assessing the risk, and selecting controls. Technology can also create automatic updates to ensure that all policies and procedures are current and based on industry standards and regulatory requirements. Additionally, on-demand stakeholder reporting can be generated to provide the requisite documentation to management committees, board of directors, and regulatory authorities, respectively.

Completeness and Transparency

Integrating technology can help financial institutions get a clearer sense of their security posture, so they can develop a more complete InfoSec program. Automation makes it easier to identify and categorize each asset, along with its related risks, threats, and controls. This can enable institutions to make a more accurate assessment of where their security risks actually lie. With enhanced transparency, institutions can determine the most appropriate level of protection for each of their assets. As a result, they can more effectively use, manage, and secure these assets. Proactively identifying risks, threats and controls can also better position them to minimize the impact of security incidents in the future.

Better Intelligence and Insights

Some financial institutions rely on manual spreadsheets to manage the vast amount of information and other assets in their InfoSec program. But manual spreadsheets are not always the most effective tracking and reporting mechanism. People can inadvertently feed the wrong data into spreadsheets and produce unreliable results (“garbage in, garbage out”). Plus, since creating spreadsheets is such a repetitive and time-consuming process, information may be infrequently updated—which can make it less timely and thus less useful. However, integrating technology can help institutions enhance the accuracy of the intelligence that supports their InfoSec program. In turn, their board and management can have better insights into the important issues that impact the information security of their organization, which in turn empowers them to make better decisions.

Enhanced Reporting

To make the best decisions for their institution and perform their fiduciary oversight duties, boards and management committees need accurate, relevant, and timely information. By incorporating technology in their InfoSec program, institutions can put an efficient process in place to generate, collect, and analyze data to support board and committee reporting. This can enhance the overall quality of the information being reported to the board, shareholders, and auditors, and regulators. Optimized, on-demand reporting can improve governance, foster compliance, and potentially reduce negative consequences from inadequate board reporting.

Resource Collaboration and Augmentation

InfoSec resources are limited at many financial institutions, and most community banks and credit unions do not have a dedicated InfoSec specialist in-house. Additionally, information security officers (ISOs) tend to wear multiple hats and are often stretched thin by their broad range of responsibilities. An automated application can create a centralized solution that creates a multi-user approach to allow the ISO to leverage internal resources wherever and whenever possible. For example, a department head or process owner can be a valuable internal resource for assessing vendors impacting the department’s functionality. Similarly, the process owner (and not necessarily the ISO) would be the most logical choice to perform the process Business Impact Analysis. In this way, InfoSec becomes an “all hands on deck” operation, with all personnel sharing ownership of the process. Outsourcing additional aspects of InfoSec via a virtual ISO solution can provide an institution with additional subject matter expertise and solutions to further support their designated ISO and the overall security of their systems and information.

Read more about the benefits of integrating technology into your information security. Download our white paper on “How Financial Institutions Can Use Technology to Build an Automated, FFIEC-compliant Information Security Program.”

24 Jun 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Automating Your Information Security Program: How Technology Can Get Policies Off the Shelf

Automating Your Information Security Program - How Technology Can Get Policies Off the Shelf

Working with paper-based information security policies can be limiting for financial institutions. Automation allows banks and credit unions to take their policies off the shelf and move them online to reap multiple benefits.

There are 2 major challenges to having a static, paper-based information security program; the first is making sure policies accurately reflect the financial industry’s current guidance and best practices, and the second is making sure they accurately reflect your institution’s specific practices. Often new paragraphs and sections get added to cover additional policies while almost nothing gets expunged. Or a revision in one section of the program might not be properly updated in all other related areas.

These twin challenges are the primary cause of disconnects between policies, procedures, and practices —and compliance-related findings from IT auditors and examiners. Today examination auditors are scrutinizing documents far more closely, and they expect to see documentation that proves institutions are doing what their policies say they are. And unfortunately, policy disconnects and lack of adequate documentation in IT often reflect poorly on management. It is not unusual for us to see weaknesses in the IT area pull down the CAMELS management component in other areas. In a study conducted by the OCC earlier this year, researchers found that:

“… both the CAMELS composite and Management component ratings have significant predictive power for features of the distribution of banks’ return on assets (ROA), non-performing loans (NPL), stock returns, stock return volatilities, and market-to-book ratios.”

Advantages of Automation

Leveraging technology for an information security (InfoSec) program offers significant benefits by addressing both challenges. A key advantage is that it places all InfoSec related documents in one place where personnel can easily access them. Having a digitally enhanced program makes it easier to minimize exam findings related to inconsistencies between policies (what you say you’re going to do) and procedures (how you say you’re going to do them). Automation streamlines the process of updating policies and documenting the corresponding procedures that are in place to support them.

As another advantage, automation promotes personnel collaboration and engagement in the information security process. Having a web portal where staff can access the policies and procedures related to their area of focus enables collaboration, encourages engagement, and generally helps generate buy-in. As a result, personnel becomes better informed and more engaged in the information security program.

Automation also supports change management by facilitating periodic, detailed reporting to update various stakeholders about the status of the information security program. Reports can focus on a specific area or be customized for different stakeholders who may need more specialized reporting. They may be high-level summaries, or highly detailed. Most importantly, as regulatory guidance and best practice evolve, automation can allow policy updates to happen with the click of a button.

Our Unique Approach

At Safe Systems, we took a unique and comprehensive approach when creating our new Information Security Program solution. The program includes a comprehensive set of policies and a process-based risk assessment. It’s also structured around the Information Security and Management handbooks by Federal Financial Institution Examination Council (FFIEC). And it features a detailed, easy-to-navigate table of contents that will look familiar to auditors and examiners. The idea is to make it as easy as possible for IT auditors and examiners to find what they’re looking for, so they can move on to other areas!

Another way our approach is unique is that our methodology starts with enterprise modeling: We find out everything about the institution’s departments, processes, functions, and required interdependencies. That data then flows directly into the risk assessment and links to other areas that may be added later, such as business continuity management or vendor management. All of these areas will “talk” to the model to support automatic updating whenever global changes are made.

Positive Feedback

Our Information Security Program—which has been years in the making and incorporates everything we’ve learned about what does and doesn’t work—is effectively simplifying an inherently complex process for institutions of all types and sizes. So far, we’ve heard great feedback from auditors, examiners, and customers. (In fact, the risk assessment was developed in close collaboration with IT auditors.) Customers are finding our information security program much easier to manage than having multiple disjointed policies in Word documents and PDFs strewn across disparate folders. They can access policies without worrying if they have the most current version. And our broad and deep understanding of financial institution risk management allows us to start with a pre-filled set of policies, which are then customized to each institution. This greatly accelerates the onboarding process. Customers also like being able to work one-on-one with our team to build a process-based risk assessment model, being able to customize policy language as needed, and not worrying about what changes to make, or where to make them.

For more details, listen to our webinar on “Automating Your Information Security Program: How Technology Can Get Policies Off The Shelf.”

11 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s essential that banks and credit unions maintain segregation of duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the overall health of their operations.

From a regulatory standpoint, the separation (or segregation) of the ISO’s duties is the corrective action to a concentration of duties finding. Management should designate at least one information security officer responsible and accountable for implementing and monitoring the information security program, according to the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Information Security booklet. The booklet states: “ISOs should report directly to the board or senior management and have sufficient authority, stature within the organization, knowledge, background, training, and independence to perform their assigned tasks. To ensure appropriate segregation of duties, the information security officers should be independent of the IT operations staff and should not report to IT operations management.”

The FFIEC also provides guidance on this matter in the IT Handbook’s Management booklet. “The institution should separate information security program management and monitoring from the daily security duties of IT operations. The IT department should have personnel with daily responsibility for implementing the institution’s security policy,” the booklet explains. “Responsibility for making changes and granting exceptions to policy should be segregated from the enforcement of the controls.”

Oversight Is the Key Issue

The importance of isolating the ISO’s duties comes down to oversight as separating the functions of the ISO and network administrator helps to create a clear audit trail and ensures that risk is being accurately assessed and reported to senior management. Without proper oversight reporting, financial institutions and their Boards lack a clear picture of their information security posture and can face other negative repercussions, such as downgrades in their Management IT component.

If, for instance, the ISO shares administrative duties and an administrator account, oversight dynamics can be undermined. As an example, the admin may have day-to-day responsibility for patch deployment, but the ISO is ideally suited to monitor and validate the overall patch management program—not the network administrator. The ISO has a higher-level, enterprise perspective of the impact of day-to-day activities; whereas the admin is at the ground level and may not always be capable of accurately assessing the full impact of performing, or not performing, a particular task. In addition, the definition of “oversight” is basically having another set of eyes validate the actions of someone else.

Understanding the Role and Duties of the ISO

The ISO’s oversight role primarily serves to ensure the integrity of a financial institution’s information security program. In essence, by segregating the admin/ISO duties, ISOs are the “other set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders.

The responsibilities of the ISO are clearly outlined in the FFIEC’s Information Security and IT Management booklets. Some of the ISO’s key duties include responding to security events by ordering emergency actions to protect the institution and its customers from imminent loss of information; managing the negative effects on the confidentiality, integrity, availability, or value of information; and minimizing the disruption or degradation of critical services.

However, in fulfilling these obligations, ISOs are expected to continually meet a high standard of information privacy and security. It’s imperative for institutions to not only assign the proper responsibilities to the ISO but to also select the right individual to assume the role.

Banks and credit unions often have difficulty designating an ISO with the appropriate technical and regulatory compliance expertise. Institutions in rural or small communities—where the talent pool is meager—might even have their chief financial officer or chief operations officer wear the hat for this “part-time” job. Regardless of these challenges, community institutions are expected to maintain the same level of segregation of duties as larger institutions. Size and complexity considerations may allow for some leeway in the timing of the separation, but not the ultimate outcome.

Leveraging a Virtual ISO

For every responsibility, there is an associated piece or set of documentation that must be provided to demonstrate adherence to and alignment with your formal written procedures. Not having an ISO with the requisite knowledge and/or time to effectively manage the assigned responsibilities of the position can result in control failures—and possibly policy or procedure non-compliance. In some cases, financial institutions may have a separation of duties “on paper”, but not so in practice. Again, the absence or presence of oversight is the key.

In fact, feedback from examiners indicates that because of the lack of oversight, there is a certain level of concentration of duties that cannot be adequately addressed internally. But institutions can remedy this problem by engaging a third-party, virtual ISO to add assurance that all responsibilities are being successfully addressed. A virtual ISO can provide another set of eyes and an independent layer of oversight on top of what the institution already has in place internally.

Virtual ISO services from Safe Systems, a national provider of fully compliant IT and security services, can be the ideal solution for community banks and credit unions. Safe Systems has proven experience in providing institutions with dependable technical expertise to ensure there is adequate separation of ISO-related duties within their organization—enhancing network security and significantly increasing regulatory compliance.

04 Mar 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

5 ISO Duties that Can Be Automated for FIs

Information security officers (ISOs) at financial institutions typically have myriad responsibilities on their plates, and each of those responsibilities comes with one or more forms of documentation to verify the actions taken. While these duties relate to the main categories of network security and regulatory compliance, there are a host of functions that fall under the ISO’s oversight role.

Fortunately, many ISO responsibilities can be automated in some areas to facilitate the management of the institution’s information security program. Here are five of them:

1. Business Continuity Management (BCM)

ISOs are responsible for overseeing and coordinating BCM, providing detailed guidance on how to recover from a business interruption, and ensuring that the appropriate people, processes, and technology components that make up the network of interdependencies are also restored. Automation can make it easier for the ISO to identify the interdependencies, complete the annual updates, and conduct the training exercises and testing required. Automation can also enable alerts for tasks due by process owners, and generate reminders for annual plan board approval, and report the test results to the board. While the tests for BCP cannot be automated, the documentation and reporting of the tests can—something that can significantly streamline the ISO’s oversight responsibilities and make it much easier to locate these documents at audit and examination time.

2. Updates to the Information Security Program and Information Security Risk Assessment

Automation can provide alerts to help ISOs keep abreast of updates from regulators. Then the ISO can easily pull reports on the revised areas to present them for board approval. Essentially, it’s plan maintenance that can be automated—although some interpretation is needed to support the process. Automation can prevent an institution’s information security program from becoming out-of-date (which can happen easily when an ISO is relying on manual processes for management) as failing to make an important update can have significant, negative consequences. For instance, if management misses a major BCP update, or an annual test, or board reporting, auditors may construe this as a general weakness in management, and scrutinize other areas more closely, such as lending practices or financial reporting. Automation can help institutions avoid inadvertent missteps and resulting hassles within their information security program.

In addition, many recent examination findings relate to inconsistencies between the institution’s policies (what they say they do) and their procedures (how they say they will do them). Automation, when combined with integration between applications, can greatly reduce this probability by easily propagating policy and procedural changes throughout all elements of your information security program. For example, sometimes financial institutions will update their BCM plan but might be lax with other policies—something that can result in a disconnect between different policies. In this case, one policy may refer to a process that is no longer being used; or a policy may contain conflicting references for a process that has been updated. These and other kinds of inconsistencies are virtually impossible to catch without automation and integration.

3. Tracking Audit Exam Findings

Unresolved, or “repeat” findings are usually treated very harshly by regulators. Making sure that all audit and exam issues are resolved in a timely manner is crucial. Automation can rate the severity, assign them to a responsible party, assign a due date for resolution, and sending “ticklers” and reminders as the dates come due. At the end of the process, the ISO can quickly generate reports to provide to the institution’s board, examiners, and other stakeholders. Alerts and on-demand reporting can enhance accountability for addressing each of the findings to improve internal controls and other areas.

4. Managing Third-party Relationships

Financial institutions are required to manage the risks of their third-party vendors and the responsibility to assure this is done falls squarely on the shoulders of the ISO. Institutions can use automation in every aspect of their vendor relationship management, including alerting and tracking of periodic updates to the risk assessments, annual updates to the control reviews, contracts, and contract renewals. With automation, the ISO can instantly identify required tasks and produce the necessary documentation related to its vendor management activities.

5. Cybersecurity

Cybersecurity is an important sub-component of information security, and automation can significantly enhance the ISO’s multiple oversight efforts in this area. An automated system can remind ISOs to verify that crucial assessments are completed, including the annual Cybersecurity Assessment Tool (CAT) and the Ransomware Self-Assessment Tool (R-SAT). Alerts can be scheduled to prompt ISOs to conduct annual incident response tests, a gap analysis, and cybersecurity training for employees and the board. And on-demand reporting can keep all stakeholders informed on the progress of your cybersecurity efforts.

One final thought about automation; when the application is combined with a provider familiar with, and dedicated to, the regulatory environment of the financial institution, you do not have to worry about a non-compliant policy or procedure. All necessary regulatory and best practice updates are built-in to the automation.

As a national provider of fully compliant IT and security services, Safe Systems offers a variety of innovative solutions that can help financial institutions automate some of the important responsibilities of their ISO.

25 Feb 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Five Key Areas of Focus for Your Regulatory IT Exam

Key Areas of Focus for Your Regulatory IT Exam

We’re back with part two of our IT Exam Prep blog series.

Picking up where we left off, there are five key areas where we expect you’ll likely be scrutinized closely at your next exam cycle:

Cybersecurity
Business continuity management
Outsourcing and third-party vendors
Governance and management engagement
Strategic planning

Of these, the most challenging, and most important, for smaller institutions might be governance and management engagement; the CAMELS “M”. This is true because often smaller institutions may have a more informal reporting structure.

For example, relevant issues may be discussed in committees and may even be reported upstream—but they may not be sufficiently documented. The issue is not just a matter of how you engage and report to senior management and the board, but rather, how you document that the necessary practices are in place. This is important when discussing day-to-day operational matters, but even more important when addressing issues of long-term strategic significance.

Although documenting management engagement can be particularly challenging, institutions must focus on all areas when prepping for an exam. You may not have time to rigorously prepare for every aspect, but you cannot afford to be lax in any one area, as examiners expect all areas of information security to be addressed. However, even if you are not where you need (or want) to be in any particular area, knowing where you are will often buy you additional time.

Our experience is that examiners will often give you additional time to address an issue if they know A) you are aware of it, and B) you have a plan in place (including a timeline) to address it. In short, if you haven’t had the opportunity to conduct a BCM exercise in the past 12 months, at least acknowledge it and have one on the calendar for the near future.

Ransomware on The Rise

As we discussed here and here, both the pandemic and cybersecurity will continue to dominate the infosec landscape for the foreseeable future, and because of that, are sure to receive special consideration during your next exam cycle. In particular, ransomware is a hot-button issue for examiners as attacks have been accelerating and cybercriminals capitalize on the security vulnerabilities and disruption caused by more employees working from home.

These malicious destructive malware attacks are becoming more targeted, more sophisticated and more costly, according to the FBI. Even more disconcerting is the fact that modern ransomware variants can not only lock data in place so that it’s no longer available to the institution but also exfiltrate data, making a secondary data disclosure attack much more likely. Another recent variant locks your data and initiates a distributed denial of service (DDoS) attack against your website if you don’t respond.

Resiliency

One common denominator between all five areas of focus is the concept of “resiliency”, which is the ability to withstand and recover from unplanned and unanticipated events. Examiners increasingly want to see a proactive approach to resilience, and when institutions implement the proper measures ahead of time, this can reduce their risk of operational downtime during a cyberattack, pandemic, natural disaster or another event.

Simply put, once ingrained into your practices and procedures, the reactive measures taken today become the proactive measures of tomorrow. Also, don’t forget to build resiliency into all future initiatives. If the initiative is important enough to implement and maintain, it’s important enough to protect from downtime.

Today, banks and credit unions are taking advantage of a host of resources to mitigate ransomware and other IT security issues, including the Cybersecurity Assessment Tool (CAT), the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and the Ransomware Self-Assessment Tool (R-SAT). In addition, consulting with a third-party IT expert can help institutions better prepare for assessments and respond to difficult questions from examiners.

The bottom line is that regardless of the format regulators require for an examination, you can expect them to address a wide variety of areas. So, focus on the areas outlined here and in part one of this series, but be prepared to discuss all the relevant actions your institution is undertaking.

23 Feb 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

Part 1 - Financial Institutions, Know What to Expect at Your Next Regulatory IT Exam

While sometimes the IT examination is separate, most of the time it’s incorporated into the Safety & Soundness exam. Regulatory examinations like Safety & Soundness are designed to assess the financial health and risk management practices of a financial institution, and the results are expressed as a number “grade” from 1 (highest) to 5 (lowest). An information technology (IT) exam is narrower in scope and utilizes four components to assess information management maturity: Audit, Management, Development and Acquisition, and Support and Delivery (AMDS).

With the twin challenges of the Pandemic and cybersecurity continuing into 2021, on top of an already full plate of regulatory expectations, it’s critical for institutions to be prepared to address all IT issues to meet regulator expectations and ensure their safety and soundness.

So exactly what should financial institutions expect at their next IT regulatory exam? We’ll break it down in a two-part IT Exam Prep blog series.

The Pre-examination Questionnaire

On one hand, anticipating the exam elements is relatively straightforward, as the examiner will provide a pre-exam questionnaire. This is somewhat akin to an open-book test where the questions are provided ahead of time.

However, there is no single standardized questionnaire that all regulators adopt—and there likely won’t be in the foreseeable future. (The InTREx was an attempt by the FDIC a couple of years ago to standardize the process, but it is not yet caught on universally.) So, when the examiner sends his or her pre-exam questionnaire, that essentially provides the framework you should follow to prepare for your examination.

Nevertheless, bankers should expect a certain amount of the unexpected. While you should expect examiners to closely adhere to the pre-examination questionnaire, there will most likely be “curveball(s)” included. Curveballs are deviations from the questionnaire that could trip you up if you’ve followed it too strictly.

But if you’ve done your job correctly and addressed all infosec matters adequately since your last exam, you are better positioned to pivot when you need to during the exam. In other words, treat the pre-exam questionnaire more as a starting point than a checklist. And if you find yourself presented with a difficult question, do not respond with anything you are not 100 percent sure of, and that you know you can document. It is perfectly acceptable – and advisable — to wait and answer the question later when you have the appropriate information available.

One final point about examiner interaction: we strongly advise that your ISO be the primary point-person for the exam.

In most institutions, the ISO has the broadest and deepest knowledge of your information security procedures and practices. The ISO can bring in others as needed (network admin, internal audit, external providers, etc.), but they should still stay very close to the conversation. We’ve seen many situations where someone other than the ISO is interviewed by the examiner, and because of the person’s comparative lack of knowledge, it has resulted in exam findings that otherwise could have been avoided.

To ensure your financial institution’s next regulatory IT exam is a success, stay tuned for part two of our IT Exam Prep blog series, where we will dive into the key areas of focus you can expect to be evaluated on.

08 Jan 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

2020 in the Rearview: A Regulatory Compliance Update

The COVID-19 pandemic dominated the regulatory landscape early in 2020, with cybersecurity dominating the last couple of months. Here is a look back at important regulatory changes and trends in 2020 and a look ahead at what to anticipate for 2021.

Characterizing Causes of Weakness

When it became obvious that the pandemic would have a pervasive and wide-ranging effect, the Federal Financial Institution Examination Council’s (FFIEC) issued several statements to address the situation. The FFIEC outlined some of the adjustments and accommodations that regulators expect bankers to make concerning lending, operational risks, and other areas. For instance, if an exam results in downgrading component or composite ratings for an institution, a distinction will be made between any weakness caused by the pandemic vs. management and governance issues.

Essentially, examiners will differentiate between a weakness resulting from an external event versus an internal systemic issue—even if the event is beyond management’s control.

The statement issued in June 2020, states, “Examiners will consider whether institution management has managed risk appropriately, including taking appropriate actions in response to financial and operational stresses caused by COVID-19 impacts.”

It is uncertain exactly how this issue will be interpreted in a post-pandemic world. After all, pandemic should be a part of all financial institutions’ business continuity planning, and as such, not completely outside the realm of a reasonably anticipated threat. So ideally management should have anticipated such an event, and have been prepared to respond. The only unanticipated aspect of the current Covid 19 event is the extreme extended duration compared to a standard Pandemic. It will be interesting to see how the agencies square the concepts of a “reasonably anticipated threat” vs. “external factors beyond management’s control”. Aren’t most threats both reasonably anticipated, and also beyond management’s control? We’ll let you know if and when we get any clarification on that.

Regardless of the scenario, documentation is crucial and often overlooked. Most folks are laser-focused on just getting past this and back to “normal” business, but memories fade over time, and documenting what adjustments you’ve made (or plan to make) during the pandemic will make the post-pandemic adjustments easier to explain to management and justify to examiners. Documentation can also help establish your increased ability to anticipate and respond to the next threat, also referred to as “resilience”. Institutions should make every attempt to document all management decisions, such as the minutes from management meetings, communications with third-parties, and any strategic or procedural changes you may have made or need to make. For example, if you’ve implemented technology to enable an increased mobile workforce (a strategic change), have you updated the remote access procedures and best practices in your employee Acceptable Use Policy accordingly (a procedural change)? Have all remote employees signed the updated AUP?

In our next blog post, we will dive into the focus on ransomware mitigation, how best to address cybersecurity, and what to expect heading into 2021.

01 Dec 2020

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Why Documentation is an Essential Priority During the COVID-19 Pandemic

While financial institutions have spent the last nine months focused on pandemic response and ensuring critical services remain available to their customers and members, there are other key areas of consideration to ensure their institutions remain compliant and can thrive in the future, including documentation. Unfortunately, few financial institutions are adequately documenting their efforts and new strategies as they are being implemented. Below are three key reasons why they really should.

1. Regulatory Expectations

Examiners will expect to see how financial institutions have handled the pandemic and that all of the lessons learned are reflected in their business continuity management plans (BCMP).

Some key questions regulators may ask regarding pandemic response include:

What have you learned from this event?
What have you done to enhance your pandemic plan based on those lessons learned?
Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time?
Have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access?
If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

2. Key Lessons Learned

All banks and credit unions must take a different approach to pandemic planning that fits well with their institution’s unique needs. They need to consider all of the challenges they’ve faced throughout the pandemic and apply key lessons learned to enhance their operations, including the importance of cross-training staff, enhancing security measures, succession planning, or improving technology for an employee to work at home. Until the pandemic passes, financial institutions should continue to reference their business continuity plans and document the entire process to create a blueprint for reference if a similar situation arises again in the future.

3. Strategic Planning

According to the FFIEC, an entity’s strategic planning should be developed to address all foreseeable risks, and these risks should cover the potential impact on personnel, processes, technology, facilities, and data. Throughout the pandemic, financial institutions should track what they are doing, how they are doing it, and whether any new procedure should be included in their existing crisis management or response plan.

The key is for institutions’ steering or strategic planning committee to stop periodically and document—or backfill information after the fact (at least a month or a quarter later.) Failing to document this process will result in institutions returning to business as usual after the crisis subsides and potentially making serious mistakes if a pandemic situation occurs in the future.

To learn more about pandemic response and key priorities for financial institutions, download our latest white paper, “Navigating the Coronavirus pandemic: Best Practices for Pandemic Planning and Key Lessons Learned for Community Banks and Credit Union.”

12 Nov 2020

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The Importance of Performing a Cybersecurity Gap Analysis for Banks and Credit Unions

In response to the Coronavirus pandemic, many financial institutions have implemented new technologies and made modifications to their IT infrastructure to better serve customers, members, and employees during this time. These changes may have increased the institution’s inherent risk profile, however, making it necessary to review the Federal Financial Institution Examination Council’s (FFIEC) Cybersecurity Assessment Tool (CAT) or National Credit Union Association’s Automated Cybersecurity Examination Tool (ACET). When adjustments are made to the organization, community banks, and credit unions must evaluate their risks and perform a gap analysis to ensure the institution is protected from cyber threats.

What is a Cybersecurity Gap Analysis?

A cybersecurity gap analysis starts evaluating the results of the CAT or ACET, (which is simply a snapshot in time of where you are with your risks (inherent risk profile) and controls (cybersecurity maturity) and then comparing “where your institution is” to “where you need to be.” In almost every case, there is some degree of misalignment between the two. Some common questions financial institutions ask are “Could we be doing more to oversee our cloud providers?” or “Should we be doing more to manage our internal administrators or third parties?” The idea of the gap analysis is to take your risk areas and determine what set of controls are most effective against those specific risk areas.

Completing the Cybersecurity Maturity section, for example, helps financial institutions better identify missing controls and processes. So, in order to increase the level of cybersecurity maturity, institutions should continually implement changes even if their inherent risk profile doesn’t change. Conducting a gap analysis is the first step in this process.

Continuous Improvement

Why should institutions strive to continuously improve their security posture even if their risk profile doesn’t increase? Simply put, because the threat environment is constantly evolving. New threats (and new twists on old threats) require constant vigilance and continuous improvements to existing controls. Standing still means you’re probably falling behind. On the other hand, making steady, incremental progress on your control maturity demonstrates a proactive, forward-thinking approach to cybersecurity.

Key Areas of Focus

First, financial institutions must determine if their controls and risks align – no small task as there are roughly 30 risk elements and nearly 500 control maturity elements in the assessment. Attempting to improve all of these areas in the CAT can be challenging and expensive for any institution, but especially smaller community banks and credit unions. While all control maturity domains are important, if your financial institution has limited resources, there are two key domains that you should focus your attention on when developing the gap analysis.

Domain 4: External Dependency Management

This domain involves establishing and maintaining a comprehensive program to oversee and manage external connections and third-party relationships that provide access to the institution’s technology and information. Most financial institutions have a host of outsourced relationships that they rely on to keep operations running. Evaluating the interdependencies and associated security gaps from third-party vendors should be a key part of your analysis process.

Domain 5: Cyber Incident Management and Resilience

This domain focuses on establishing, identifying, and analyzing cyber events, as well as the ability to prioritize, contain, and mitigate during cyber events. The institution should also have the ability to properly inform the appropriate stakeholders in response to a cyber event. Cyber resilience includes both planning and testing to maintain and recover ongoing operations during — and following — a cyber incident. In the current security environment, it’s not if a cyber event will occur but when. Financial institutions should have an effective cyber incident response plan to control, contain, and recover from a potential cyber incident.

For more information, watch our Banking Bits and Bytes episode, “What is a Cybersecurity Gap Analysis?”

02 Nov 2020

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

The Impact of Digital Banking During the Coronavirus Pandemic

The coronavirus (COVID-19) pandemic has drastically reshaped the way banks and credit unions operate today. While financial institutions value face-to-face interactions with their customers and members, social distancing requirements and other safety precautions have caused retail banking to go almost entirely digital. This change impacts not only how financial institutions conduct their business and interact with customers and members, but also how they keep their institutions secure.

In this blog post, we outline 3 key ways the pandemic has impacted the industry and consumers, and how financial institutions are managing these changes in real-time while ensuring they continue to operate effectively for their employees, customers, members, and other stakeholders.

1. Know Your Customer

For banks and credit unions, know-your-customer (or member) procedures are a key function to establish a customer or member’s identity, understand their financial activities, and evaluate the level of risk to the institution. Traditionally, before opening an account, completing a transaction, and/or sharing private information, many financial institutions have relied on at least some face-to-face interactions. For community financial institutions, know-your-customer has gone well beyond best practice to become a competitive advantage. Many (if not most) community institutions pride themselves in knowing their customers by name!

However, due to the COVID-19 pandemic, financial institutions need to find ways to verify their customers’ identities and retain that personal touch using digital channels. Consumers want a frictionless banking experience where they feel trusted and can quickly receive the products and services they need, but they also want to avoid feeling like just another number. Institutions must balance managing remote transactions that could increase their security posture, against technology and policies that positively identify customers without alienating them. As a result, some financial institutions are leaning towards increased security by starting to adopt a “zero-trust” stance where every individual and transaction is considered suspicious unless proven otherwise.

2. Technology Updates

To protect customers and members during the pandemic, banks and credit unions have moved from in-branch, face-to-face interactions to using remote channels such as online, telephone, ATM banking as well as the drive-through to serve their customers. Our experience has been that many institutions that may have technology upgrades on their roadmap two or three years down the road have had to accelerate those projects. Others have added new initiatives to increase their remote capabilities and enhance their electronic services. However, all this likely requires tighter security protocols for customer verification. This can be challenging for smaller financial institutions that rely on more traditional in-branch visits to provide services to their customers or members, particularly if branches are closed or observing limited hours and services. It is up to these institutions to find the right balance of physical and digital solutions to ensure customers and members receive the same level of service they were accustomed to prior to the pandemic.

3. Digital Adoption

The COVID-19 pandemic has driven consumers to rely more heavily on digital channels for their banking needs. This has accelerated digital transformation for financial institutions in the U.S. as their customers demand solutions that allow them to quickly and easily complete transactions remotely. To meet this demand, financial institutions have reevaluated their traditional strategies, implemented and even accelerated digital initiatives, and are more inclined to not just enable but encourage digital capability for their customers. As they encourage consumers to adopt new solutions and remote tools, it will be critical to assess the risk of these solutions and develop controls to keep the network safe and protect sensitive, financial information.

Banks and credit unions must be able to provide the products and services their customers and members need all while keeping information secure, even in the midst of a pandemic. Having a solid plan to guide how you manage operations can make all the difference. One final thought, when the dust settles and things go back to “normal”, the steps you’ve taken to enable digital engagement with employees and customers will be considered resilience measures to mitigate the impact of a future event of this nature. Resilience will be a focus for regulators in future examinations.

To learn more about pandemic planning and best practices, download our latest white paper, “Navigating the Coronavirus Pandemic: Best Practices for Pandemic Planning and Key Lessons Learned.”

14 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The ISO in a Crisis: Key Responsibilities of the Information Security Officer During a Pandemic

According to the Federal Financial Institution Examination Council’s (FFIEC) Information Technology Examination Handbook, “ISOs are responsible for responding to security events by coordinating actions to protect the institution and its customers from imminent loss of information, managing the negative effects on the confidentiality, integrity, availability, or value of information, and minimizing the disruption or degradation of critical services.”

When faced with an operational crisis such as the current Covid-19 Pandemic, potential disruption of critical services is the primary concern. Since the information security officer (ISO) acts as the “quarterback” over the many different departments and functions within the institution, they must make sure all routine tasks are still being completed, in addition to ensuring that the institution has adapted to the unique circumstances of the crisis.

The FFIEC Management Handbook lists 8 broad categories of responsibilities for ISO’s. We’ve identified a few of those areas that should be of particular focus during a crisis:

Working With The IT Steering Committee

During any crisis, the ISO must work closely with the IT Steering Committee to ensure that the institution minimizes the risks to the security and confidentiality of non-public information and financial transactions. As difficult as this is during normal operations, it may be even more of a challenge during a crisis. Key considerations include:

The IT Steering Committee should still perform their normal duties and maintain a normal schedule. Phone /video conferences can suffice if in-person meetings are not an option.

Attention to on-going and planned IT project road map/initiatives. Timelines and all supporting activities must still be tracked, project plans updated, and all stakeholders informed.

Review the Remote Access Policy and the Remote User / Acceptable Use Acknowledgement with IT and HR as your current situation may include unique risks that have not been previously addressed. For example, some employees may have to use their personal devices to access the FI’s network to do their job. Take particular note of the Remote Access and Use of Remote Devices sections of the FFIEC Information Security Handbook and any other related best practices and/or guidance initiatives. Trusted third parties can also be an important resource for this effort.

Document all actions taken and lessons learned during the crisis so far. Then, incorporate them into your next round of policy updates.

Continue to report the status of all IT and information security activities to the Board.

Managing Incident Response, BCP/IRP, and Cyber Responsibilities during an Adverse Event

The ISO is typically the Incident Response Team Coordinator and may determine whether or not to activate the formal Incident Response Plan (IRP). The declaration of a pandemic or other adverse operational event does not in itself require the IRP to be invoked, however, any disruption of normal business services may create vulnerabilities that a cyber attacker could take advantage of.

The ISO will also likely be involved with general business continuity planning and recovery efforts. The criteria for activating the Business Continuity Plan will vary by institution, but the ISO is typically one of the few key individuals tasked with evaluating whether the event is likely to negatively impact the institution’s ability to provide business products and services to customers beyond recovery time objectives (RTOs).

In adverse situations, cyber awareness should be heightened. For example:

The institution could have key personnel out, and alternate personnel may not be adequately trained or have the same level of cyber awareness as the primary staff members.

The institution may be implementing workarounds for new software or devices when trying to accommodate customers affected by the event. In the interest of expediency for customers, the institution may take shortcuts that it normally wouldn’t or otherwise fail to follow normal procedures.

The institution could run into issues with the critical vendors that perform or support its perimeter security, compromising real-time alerting for the organization. This is known as “cascading impact”, where a product or service provided by a third-party is degraded, which in turn affects you.

The institution could experience secondary disruptions where hackers may attempt a cyber-attack against perceived weakened defenses.

The ISO must anticipate all of these risks and should communicate with critical third parties to ensure they have a plan in place to keep the NPI and financial transactions secure and provide critical operational services at acceptable levels of risk.

Addressing Auditor and Examiner Expectations

Although a pandemic, as a crisis event, was de-emphasized in the 2019 BCM Handbook, financial institutions should expect regulators to issue additional joint statements in the post-pandemic phase due to the shear impact and duration of this event. ISOs should expect examiners to ask about the specific actions the institution has taken in response to COVID-19, including:

Succession plans – ISOs should be prepared to share the institution’s succession plans, how these plans were implemented during the pandemic, and any key updates to the plan post-pandemic.

Cross-training efforts – the ISO (if also the BCP Coordinator) should explain the institution’s plans for cross-training and how these plans were implemented during the pandemic.

Remote access controls – the ISO should address all of FFIEC requirements for remote access and document any updates or changes that occur.

Third-party/supply chain issues – the ISO should communicate with all critical vendors to ensure there are no interruptions to critical services, and he or she should have contingency plans in place if a third-party provider can no longer provide adequate service.

Information security officers ultimately must be able to show auditors and examiners exactly how the institution withstood the pandemic, maintained compliance, kept all non-public information secure, and kept all stakeholders informed, all of which is no small task during normal operations!

For more information on responding to crisis events, view our pandemic resources.

02 Jul 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Keys to Develop a Compliant Business Continuity Management Program

Financial institutions (and examiners) are still adjusting to the Federal Financial Institution Examination Council’s (FFIEC) 2019 update to its BCP IT Examination Handbook. The handbook, now renamed Business Continuity Management (BCM), included several updates to the previous 2015 guidance. According to the FFIEC, BCM is the process for management to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services.

To ensure financial institutions do this effectively, the FFIEC expanded the original BCM process.

The previous handbook encouraged institutions to adopt a four-step approach:

Business Impact Analysis

Risk Assessment

Risk Management (essentially, recovery procedures), and

Risk Monitoring and Testing

The new guidance recommends a slightly different approach:

Risk Management (Business Impact Analysis, Risk/Threat Assessment)

Continuity Strategies (Interdependency Resilience, Continuity and Recovery)

Training & Testing (aka Exercises)

Maintenance & Improvement

Board Reporting

Additionally, the business continuity management process outlines 10 key steps financial institutions must complete to achieve a more enterprise-wide approach and meet examiner expectations. This is a bit more complicated than the process has been in the past and may require more time for plan preparation and annual maintenance.

The FFIEC handbook also provides a more detailed break-down of the BCM lifecycle:

Oversee and implement resilience, continuity and response capabilities

Align business continuity management elements with strategic goals and objectives

Develop a business impact analysis to identify critical functions, analyze interdependencies, and assess impacts

Conduct a risk assessment to identify risks and evaluate likelihood and impact of disruptions

Develop effective strategies to meet resilience and recovery objectives

Establish a business continuity plan that includes incident response, disaster recovery, & crisis/emergency management

Implement a business continuity training program for personnel and other stakeholders

Conduct exercises and tests to verify that procedures support established objectives

Review and update the business continuity program to reflect the current environment and

Monitor and report business resilience activities.

As many of these items were part of the previous guidance, here is a checklist consisting of required elements that may be missing from your program:

Have you conducted a formal business process-based Business Impact Analysis (BIA) that identifies all critical interdependencies?

Does the BIA produce sufficient information to establish the following?

Recovery point objectives (RPO)

Recovery time objectives (RTO) for each business process (prioritized)

Maximum tolerable (or allowable) downtime (MTD/MAD)

Does your risk/threat assessment measure both the impact and the probability (likelihood) of potential disruptive threats, including worst case (low probability, high impact) scenarios?

Do you use testing as employee training exercises to verify that personnel are knowledgeable of recovery priorities and procedures?

Do you track and resolve all issues identified during testing exercises, and use lesson-learned to enhance your program? (Must be documented)

Does your Board report include a written presentation providing the BIA, risk assessment, and exercise and test results, including any identified issues?

If you would like to make sure your BCM is up to date with the latest regulatory expectations, a complimentary plan review is the best place to start.

25 Jun 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

What is My Bank or Credit Union’s Cybersecurity Posture Compared to My Peers?

It is important to understand your institution’s cybersecurity posture to find out where you stand in regard to cyber threats and what you need to do to create a more secure environment. It’s a delicate balance because being behind on your cybersecurity posture means your institution is less secure than it should be but being ahead likely means that you are investing in resources that you may not need. Unfortunately, it’s almost impossible to do a true peer-to-peer comparison because there are just too many variables between even similarly sized financial institutions to obtain a useful analysis. Here’s why:

Every Institution Has a Unique Model

When we implement information security or business continuity programs for banks and credit unions, we start with a process called “Enterprise Modeling” where we identify the departments, the processes, and the functions that make up each individual financial institution. What this process typically reveals is that if you model out two financial institutions that look identical in terms of geographic area, demographic customer or member base, size and complexity, the results will almost always be significantly different since each institution has a unique operating model based on their specific services, organization, processes, and technologies.

Cyber Risk Appetite Is a Key Variable

Cyber risk appetite is another factor that often differentiates your institution from your peers. Safe Systems’ Compliance Guru defines risk appetite as “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” For example, let’s say we have two financial institutions that seem equivalent in outward appearance. Based on their strategic plan, one institution has decided to take a more aggressive cybersecurity posture to electronic banking products and the other has decided to take a more conservative approach. Because the level of risk varies by the approach, you simply cannot accurately compare the two institutions.

The Best Way to Evaluate Cybersecurity Posture

At Safe Systems, we recommend allowing your bank or credit union’s information to stand on its own. To truly improve your cybersecurity posture, you must examine where you are based on where you need to be — not where a peer may be in the process. Carefully evaluate your risks (including areas of elevated risk), and the controls you have in place that offset those risks. Then, examine the best control groups to apply against those areas of elevated risk and develop an action plan to take your institution from where you are now, to where you need to be. Then, when you conduct this process again next year, you can demonstrate steady progress to both examiners and your Board.

Holding Steady May Cause You to Fall Behind

In addition, just because your inherent risk profile isn’t increasing from one assessment to the next, this doesn’t necessarily mean your control maturity levels shouldn’t increase. The risk environment is constantly evolving, so holding steady on your controls may actually mean your cybersecurity resilience is decreasing. Making incremental increases in your control maturity levels will help keep you ahead of the latest threats.

For more information about improving your cybersecurity posture, watch the full “Banking Bits and Bytes Super Duper CEO Series,” below.

18 Jun 2020

Banks, Compliance, Credit Unions Darren Bridges 0 comment

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

Review all guidance and issues related to their institution and become familiar with any changes that might impact them

Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments

Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

Analyzing potential threats

Assessing the technology required

Managing access controls and security

Conducting regular data recovery test

Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”

12 Jun 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

The “Inherited” Risk – Assessing and Reporting on Vendor Risk

Vendors are the largest source of non-preventable risk for a financial institution, so it is critical that banks and credit unions carefully evaluate, monitor, and manage all vendor relationships to remain compliant and reduce risk. Additionally, institutions must be able to accurately assess risk, implement adequate controls, and provide all stakeholders (including regulators, management, and the Board) with appropriate reporting to convey the overall status of the vendor management program at any point in time.

Assessing Vendor Risk

The first step in vendor risk management is to perform a risk assessment to evaluate your level of inherent risk. This must always be done first so that you can then identify and implement the proper controls. If the controls selected do not completely offset the risks identified, then alternate or compensating controls would need to be identified in order to achieve a level of residual risk that is within your risk appetite.

Depending on the information you get from the risk assessment, you can clearly map out the level of inherent risk based on the vendor’s access to data and systems and the level of criticality for each vendor. These results will provide the information you need to control the risks, and ultimately report the overall results of your vendor management program to your key stakeholders.

When conducting a risk assessment you want to include all vendors but focus particularly on your critical vendors. A critical vendor is defined as one that either provides a product or service that is a key interdependency of one or more of your products or services, or one that stores, processes, or transmits non-public customer or confidential information.

Once you’ve established the initial or inherent risk level, you can identify one or more controls to off-set the risks. Typically, you want the vendor’s third-party audit report or SOC report; audited financials; insurance binders; a copy of their incident response and disaster recovery plans; and any testing the vendor has done on these plans. If you can’t obtain a SOC report, you’ll need compensating controls to determine their network security. Ask if they have an information security program and if they’ve conducted any vulnerability and penetration testing. You should also request a report of examination (ROE) from your primary federal regulator on your core provider.

Reporting to Stakeholders

When reporting to the various stakeholders within your institution, many of the reports are relatively similar, but the level of detail will be slightly different for each stakeholder group.

Board

The primary stakeholder that financial institutions must report to is the Board. When presenting to the Board, reporting does not generally need to be highly detailed and should provide a brief, high-level summary of the overall program.

Additionally, it is not necessary for the Board to see this report every time they meet. The requirement is to present an annual update, but we recommend reporting more often if the pace of internal change dictates (whether twice a year or quarterly) to show you are adequately managing vendor risk on an on-going basis. Here is an example of what a Board report should look like:

Management

The management committee (i.e. IT Steering) requires a bit more detailed information than the Board does, and unlike Board reporting frequency, IT should report to the management committee every time they meet. If your management committee meets on a monthly basis, you should produce a report each month as well and communicate this information to the committee. Management needs to know what you’re doing; what you’re not doing; what you’re behind on; and have a good understanding of your progress.

Regulators

Regulators typically review the same reports as your board and committee. However, auditors and examiners will tend to take a deeper dive into your vendor management program and want to review everything you have on your critical vendors. They are looking to see if you’ve done a risk assessment and if you have identified the reports from the vendor that will line up with, control, and offset the risks you identified in the risk assessment. The report you present to examiners and auditors may have more of a narrow but deeper focus, taking a more detailed view of your most critical vendors.

04 Jun 2020

Banks, Credit Unions, Technology Allison Stahlman 0 comment

I’m New to Banking Technology – What Do I Need to Know?

The reality for the community banking industry is that often, institutions are limited in staff size, especially in IT. As a result, employees are sometimes placed in an IT role without any prior experience and they are forced to learn the “ins and outs” of information technology quickly to ensure that the institution stays in compliance and the IT environment is secure.

This can be a daunting task for a financial institution employee who’s been placed in an IT role for the first time. From our experience working with more than 600 community financial institutions, there are four key steps that someone who’s new to banking technology needs to know to quickly get up to speed on all things IT:

Step 1: Determine the Financial Institution’s Current State

When stepping into an IT role from another department, the first thing you must do is get a strong understanding of the current state of the institution and how the IT infrastructure is set up. Key questions include:

What does the IT infrastructure look like?

What technology is currently in place?

Is there hardware or software that is reaching end-of-life?

Are network schematics and data flow diagrams up to date and accurate?

Look at all the policies and procedures currently in place and understand what management has approved for the information technology program and how the environment is organized. It’s important to know exactly where the bank is from an IT perspective because without this knowledge you won’t be able to troubleshoot potential issues or plan strategically for where the financial institution needs to be to meet compliance guidelines.

Step 2: Review Vendor Relationships and Responsibilities

It is critical to know exactly who is responsible for each IT activity. Many community banks and credit unions use a variety of vendors, including core providers, cloud providers, managed services providers, and others. It’s important to understand which vendors are involved with all your hardware, software, and IT services and review the service level agreements (SLAs) which are typically found in the contract to be clear on what the vendor should be providing to the institution. This is crucial because if an issue arises you need to know if it is your responsibility to handle it internally or if you should reach out to a vendor for support. Make sure you are clear about what the institution’s vendors are responsible for, when to go to them for help, and which activities are your responsibility under the SLA.

Another key part of this role is vendor management. As a new IT admin, you have a shared responsibility for monitoring and managing the institution’s vendors and weighing the risks each one poses to the institution. To keep the network compliant and secure, you need to thoroughly evaluate potential vendors; identify critical vendors and services; implement an effective risk management process throughout the lifecycle of the vendor relationship, and report appropriately to senior management. Some key best practices include:

Developing plans that outline the institution’s strategy;

Identifying the inherent risks of the specific activity, and the residual, or remaining, risk after the application of controls;

Detailing how the institution selects, assesses, and oversees third-party providers;

Performing proper due diligence on all vendors;

Creating a contingency plan for terminating vendor relationships effectively; and

Producing clear documentation and reporting to meet all regulatory requirements.

Having a proactive plan in place will help you effectively manage vendors and have a clear understanding of the level of criticality and risk for each service provider. Properly vetting and managing vendors will reduce risk for the institution, while also ensuring compliance requirements are met successfully.

Step 3: Understand the Institution’s IT Organizational Structure

How IT roles are structured within a community bank or credit union varies by the institution, but many financial institutions have an IT administrator, information security officer (ISO), chief information officer (CIO), and an IT steering committee to support IT activities. It’s important to learn how the institution is set up and understand what the ISO and CIO are responsible for so you can work together to ensure the institution’s environment is operating securely and efficiently. It’s also important to make sure all ISO duties are separated from other IT roles at the institution to maintain compliance with FFIEC requirements.

At some point, every functional area of a bank or credit union touches IT in one way or another so understanding how every system, application, and functional area within the institution operates and relates back to IT enables you to help the staff by troubleshooting the different issues each department may experience.

Step 4. Review Recent Audits and Exams

Another way to determine the current state of the financial institution is to review all recent IT audits and exams. Determine if there were any findings or recommendations made by a regulatory agency and make sure that this has been addressed and remediated appropriately. With this information, you can tell if there are any current issues or pain points and start to make strategic plans or address specific issues as they arise.

Financial institutions are held accountable for FFIEC compliance and must manage regulatory activities including reporting effectively. New IT personnel should become familiar with FFIEC guidance and understand what is required to meet regulatory expectations and perform well on future audits and exams.

With these steps, new IT admins can gain a deeper understanding of information technology and what their key responsibilities are at the financial institution to ensure the community bank or credit union can successfully meet examiner expectations and keep operations running smoothly.

21 May 2020

Banks, Compliance, Credit Unions Jamie Davis 0 comment

The Value of Network Reporting for Community Banks and Credit Unions

With increased cyber-attacks, shared data with third-party vendors, and strict regulatory requirements, community banks and credit unions have high standards to meet for information security. Adequate oversight and network reporting on the information security program is needed to ensure the proper controls are in place and that all stakeholders have visibility into the network.

In a recent webinar, Safe Systems shared some key observations on the need for financial institutions to have better communication and reporting between IT staff, the compliance department, and senior management. Here are a few key points to consider:

Gaps Between IT Staff and ISO/Compliance Teams

In many financial institutions, there is a lack of synergy and communication between the IT department and the information security/compliance team. Many ISOs simply do not have the technical background to fully understand how information is being protected. They tend to be more focused on vendor management, business continuity management, and performing risk assessments and less familiar with how systems are getting patched; if machines have antivirus; or if backups are updated consistently. It can be difficult to communicate effectively if ISOs don’t understand the IT world or don’t have visibility into network reports and the necessary information to do their job.

Oversight to Better Manage Controls

Because bank and credit union IT staff are human, sometimes errors will occur. While financial institutions have many technology solutions that automate IT functions and controls, oversight is required to ensure that the controls are adequate, working, and therefore mitigating risks. Without appropriate oversight, any gaps in the network can lead to a successful cyber-attack. Similarly, a finding during an exam that shows certain controls were implemented ineffectively can also leave the institution vulnerable.

Limited Access to Reports

Too often, when ISOs conduct a review of the information security program, the reports they receive are vague or too technical to decipher the key insights most important to the ISO role. Other key stakeholders, like the Board and senior management, also may need more access to high-level reports to better identify threats, assess risk, and make decisions on the appropriate controls to implement.

Without access to adequate reports, the ISO and other stakeholders can become overly reliant on the IT team to explain what is happening on the network without having the ability to verify that information independently.

To learn more about information security reporting and get a demo of our NetInsight ™ cyber risk reporting tool, watch our webinar, “NetInsight: Trust But Verify.”

14 May 2020

Banks, Credit Unions, Technology Brendan McGowan 0 comment

Key Benefits of Cloud Infrastructure for Banking IT Operations

Cloud technology has been driving efficiency and innovation across many industries for years and today, many community banks and credit unions are adopting cloud services for their IT operations.

In a recent webinar, Safe Systems presented an overview of cloud infrastructure and the key benefits to financial institutions. Here are a few points to keep in mind if you’re thinking about implementing cloud services:

Data Centers

Cloud service providers, like Microsoft Azure or Amazon Web Services, have some of the best data centers in the world, providing space, power, cooling, and physical security. You no longer have to worry about the management burdens of an on-premise solution or co-location when your servers and applications are hosted in a secure cloud environment.

Lifecycle Management

The cost of server hardware does not end with its purchase. There are hidden costs of tracking which assets are still healthy, supported, and under warranty. Replacing aging equipment every few years often requires a complex project that impacts availability and takes time away from meeting more important objectives. With cloud services, you can eliminate lifecycle management of your server equipment, enabling you to focus your effort on higher-value projects that drive your business.

Availability

When you adopt cloud services, the availability of your critical application infrastructure and data is the responsibility of the cloud provider. The major cloud providers are able to attract and retain the best talent in the world to keep systems healthy and secure. They deliver your services from a highly resilient network of multiple data centers, vastly reducing your dependency on any single datacenter.

Flexibility

Experimentation

If your goal is to develop a specialized project for your institution, a platform like Microsoft Azure has many different services to make it easy for you to test scenarios or try new ideas without investing in hardware or navigating the justification and purchase order process. You simply visit the website, turn on a resource, and experiment. Later, you’re able to turn it off with no further commitment.

Fast Turnup and Fast Turndown

Cloud services enable you to get up and running fairly quickly in this new environment. Instead of having to order hardware and wait for it to be shipped or spend time setting up the solution, you can go from having an idea to having the solution turned on literally within a few minutes. Fast turndown is equally important. When you no longer need the solution, you can simply turn it off, and more importantly, the billing ends as well.

Elasticity

The elasticity of cloud service means that you can add capacity when you need it and remove expense when you don’t. For periodic computing tasks, like month-end processes, extra computing power can be added to your cloud services and then removed after the job is complete. This is more cost-effective than building an infrastructure that is sized for the busiest day of the year.

Serverless Functions

Lastly, large cloud providers have many advanced functions that can provide community banks and credit unions with new capabilities like serverless computing. Some workloads that traditionally required a dedicated server, like a Microsoft SQL database, may be able to move into a serverless alternative like Azure SQL. This creates the opportunity to start reducing the quantity of Windows Server instances that need to be patched and maintained.

Cloud infrastructure allows community banks and credit unions to reduce servers, internal infrastructure, and applications that would typically have to be hosted on-premises, in addition to the associated support each one requires. It also enables you to experiment and find the right services that fit your institution’s corporate strategy and IT objectives.

To learn more about cloud services, including cloud-based disaster recovery, watch our webinar recording, “The Cloud: Recovery and Resiliency is Just a Click Away.”

07 May 2020

Banks, Credit Unions Jamie Davis 0 comment

How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

Disaster recovery is a concern for all financial institutions, regardless of size or location, and is essential to protecting data, infrastructure, and overall business operations. In addition to having a thorough disaster recovery (DR) plan, community banks and credit unions need to have a solid site recovery environment to facilitate a quick return to normal business operations, in the event of a natural disaster or other disruption.

Cloud disaster recovery solutions are growing in popularity among many community banks and credit unions. However, it is important to understand the key differences in site recovery models to determine the best fit for your institution.

In a recent webinar, Brendan McGowan, Chief Technology Officer at Safe Systems, outlined the three most common site recovery models available to community banks and credit unions today and discussed key considerations when implementing each.

In-House Site Recovery

When using an in-house site recovery model, financial institutions commonly have a virtualized server environment. These machines often run in a VMware vSphere environment which sits on top of a storage array. On the DR side, there is essentially a clone of the production environment to receive the replicated data. This works well for many financial institutions, however, there are a few considerations to keep in mind.

With in-house site recovery, you’ll need to:

Have redundant hardware in the DR environment at an additional cost.

Purchase an additional facility like a co-location or branch for DR.

Oversee hardware and software lifecycle management for both production and DR environments.

Set up dedicated connectivity like multi-protocol label switching (MPLS) to point replication to the DR environment.

Conduct regular maintenance to ensure all replications are healthy and perform periodic testing.

Have significant expertise and talent to make sure the system works correctly and consistently.

Cloud Site Recovery

In this model, the production environment remains the same, but the hardware and software used in the DR environment are replaced with a cloud-based solution. With cloud site recovery, financial institutions don’t have to pay for servers and computing time until the day they need to turn on the disaster recovery solution. Until then, the institution will only be billed for the amount of storage it consumes.

When you use a cloud site recovery solution like Microsoft Azure Site Recovery, you create a storage pool to receive replication from a small server on-premise, which is the cloud site recovery replication server. The replication server works by having each of your production servers send its data changes in real-time to the cloud application server. This server is compressing, encrypting, and deduplicating all of the incoming data and continuously shipping it securely to your cloud site recovery storage pool.

With the cloud site recovery model, you no longer have to:

Deal with redundant hardware on the DR side since everything is stored in the cloud.

Manage hardware and lifecycle management on the DR-side.

Pay for separate facilities since the data is in the cloud, and you can store your data anywhere in the world.

Worry about dedicated connectivity because you can send all of the replication over the internet with a simple virtual private network (VPN).

Handle all of the maintenance or have the expertise required to run the system.

Cloud-Native Resilience

In the cloud-native site recovery model, both the production and disaster recovery environments are in the Cloud. To set up the cloud environment, using Microsoft Azure, for example, you can sign up for Azure Virtual Machines, which would correlate to VMware vSphere in your environment. After that, you can set up your production virtual machines.

At this point, you can register for cloud site recovery for your institution’s individual virtual machines. Once you’ve selected your machines for replication, the system automatically moves that data to whichever Azure zone you select so you get to choose some zone disparity.

In the cloud-native resilience model:

There is no Azure site replication server as there was in the cloud site recovery model.

Since both environments are cloud-native, all the data is in the cloud and you need not worry about a replication server. Simply check a box to turn it on.

In addition, file backup is also a simple checkbox for each server, providing you the option to choose the location to store the data.

Migrating to cloud-based services is a great option to reduce maintenance; significantly speed up the disaster recovery process; and improve overall operations for your institution. If you are interested in implementing a cloud-based disaster recovery solution, Safe Systems can help you determine the right environment for your institution.

To learn more about disaster recovery and moving to the Cloud, watch our recorded webinar, “The Cloud: Recovery and Resiliency is Just a Click Away.”

01 May 2020

Banks, Credit Unions, Technology Brendan McGowan 0 comment

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.

Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.

DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.

URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.

Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

23 Apr 2020

Banks, Credit Unions, Technology Jamie Davis 0 comment

Managing Banking IT Operations During a Pandemic: Your Top Questions Answered

For many financial institutions, it has been a challenge to keep IT operations moving efficiently during this pandemic. Since community banks and credit unions are considered an essential business, they are required to continue to serve customers and members. This can be difficult when employees are unavailable or are forced to work remotely from their homes for the first time. Many financial institutions have questions about how to efficiently manage their remote workforce, while keeping the institution secure and employees, customers, and members safe.

To address these questions, Safe Systems’ Information Security Officer, Chuck Copland, VP of Compliance Services, Tom Hinkel, and Chief Technology Officer, Brendan McGowan held a live panel discussion last week covering ways financial institutions can manage banking IT operations during a pandemic. In this blog, we’ll cover a few of the top questions from the panel:

1. How would you suggest making sure that remote access vendors are vetted quickly but thoroughly?

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger scale use. To do this effectively, you first need to consider all of the risks associated with remote access and the potential impact on your organization. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the your new risk appetite.

2. What are some lessons learned about remote access for financial institutions during this pandemic?

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC.

When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution. With telecommute remote control tools, like LogMeIn and Splashtop, the user is working from a local computer at the office. These tools limit the abilities of the computer from interacting with the institution’s local network, often, making it a secure option for organizations that don’t want employees to have direct access to the network. Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely.

There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

What are you hearing from examiners? How are exams continuing during the pandemic?

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when the dust settles, and we go back to a more normal set of circumstances? What will examiners expect then?

Most likely, we expect them to be looking for a mature “lessons learned” document that financial institutions create to show what they have learned over the course of this particular pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

If you’d like to find out what other questions were answered during the live panel, watch our recorded webinar, “Ask Our Experts: Managing Banking IT Operations During a Pandemic.”

16 Apr 2020

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Building a Pandemic Response Plan: What Are the Requirements for Community Banks and Credit Unions?

As COVID-19 continues to spread around the world, financial institutions have been forced to respond to this pandemic in new and innovative ways to stop the spread of the virus; protect their employees and the public; and keep their doors open and operations running smoothly to serve their customers and members. Community banks and credit unions are referencing the Pandemic sections of their business continuity management plans to determine the best way forward for their institutions during this challenging time. With the Federal Financial Institution Examination Council’s (FFIEC) recent business continuity management (BCM) guidance, many financial institutions are first of all wondering what has changed in the guidance, and second what specific additional changes this particular event might require.

Pandemic Planning

Since 2007, financial institutions were required to have a separate pandemic plan, and regulators only looked for documentation that institutions were testing their plans periodically. Unfortunately, the pandemic section of the business continuity plan (BCP) has tended to be treated as more of an afterthought since these situations have historically occurred much less often than natural disasters or other business interruptions. If they were assessed at all, they fell into the category of a high impact, low probability event.

Notwithstanding COVID-19, pandemics are still low probability events, but the impact of these events may be far more significant than past risk assessments have indicated. In what may now be perceived as an untimely move, the FFIEC made the decision in the 2019 BCM update to deemphasize Pandemic by categorizing it the same as any other disruptive event. The FFIEC no longer requires financial institutions to have a separate pandemic plan, but instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters.

In other words, your BCM plan is your pandemic plan, and you must analyze the impact a pandemic can have on your organization; determine recovery time objectives (RTOs); and build out a recovery plan. You must also include a methodology to determine the key triggers your organization will use to activate your recovery plan when faced with a pandemic. But when should you activate your recovery plan and who is in charge of this process?

Pandemic Response

Before a recovery plan is activated, it is important to have an initial response team (typically comprised of C-Level executives) evaluate the situation and assess the potential impact of the current event on the institution. The team must determine if the situation is likely to negatively impact the institution’s ability to provide products and services to their customers or members beyond the established recovery time objectives outlined in the BCM plan.

The same rules apply in a pandemic. Community financial institutions should use the six pandemic phases outlined by the World Health Organization (WHO) or the Center for Disease Control (CDC) to evaluate the severity of the situation.

In most cases, the pandemic portion of the plan is not triggered for activation until phases 4-5 (or if between 20-40% of your workforce is not available to work).

What Regulators Expect

During a pandemic, regulators expect financial institutions to continue offering products and services to customers/members and conduct operations as normally as possible. This underscores the importance of including succession planning and cross training in the BCM plan. In the past, assumptions used to simulate a pandemic were that phases 4-5 wouldn’t last more than a week or two, so most financial institutions may only have planned for one person to be identified and pre-trained to step into a critical role until the event was over. However, the COVID-19 pandemic is a global crisis currently impacting at least 183 countries and territories and is predicted to impact many more people, and take much more time to contain.

To ensure critical functions continue, financial institutions should have at least two or three alternate staff members trained for every primary resource within the institution and assess whether some roles can be performed remotely. This can be difficult for smaller institutions with limited staff and resources. For specialized functions dominated by key personnel, such as funds management, wire services, human resources, etc., these institutions may not have multiple alternatives to step in if key employees are unavailable. In these circumstances, you may need to have other cross-trained staff members identified who can step into these roles quickly.

Next Steps: Lessons Learned

There will be many more lessons learned after the COVID-19 pandemic has passed, and regulators will expect those lessons to be reflected in your plan. When all is said and done, regulators are likely to ask “what have you learned from this event, and what have you done to enhance your pandemic plan based on those lessons learned?” Prior to this event, had you analyzed your business processes and their interdependencies, and prioritized them by recovery time? Since interdependencies include employees, and pandemic events almost exclusively impact personnel, have you identified employees with job duties capable of being performed remotely? If so, did they have secure, reliable, remote access? If those job duties are highly specialized, or highly critical, did you have alternate personnel identified and pre-trained to step in when needed?

The answers to these questions, and many more, will be used to enhance the pandemic section of your BCM plans, but until we reach that post-event, lessons-learned point, it’s important for financial institutions to continue to reference their business continuity plans; document the entire process; keep stakeholders informed; and put measures in place to continue serving their customers and members and protecting their employees and the public.

For more information on pandemic response, view our pandemic resource center. Or, if you would like to make sure your BCM is up to date, please request a complimentary plan review to ensure that your business continuity management plan is keeping up with changing regulations.

View Our Pandemic Resources

09 Apr 2020

Banks, Compliance, Credit Unions Christine Ray 0 comment

American Pride Bank Tackles Information Security Responsibilities with Safe Systems’ ISOversight Virtual ISO Solution

With ongoing cybersecurity threats; increased use of third-party providers; and constantly evolving regulatory and reporting requirements, the role of the information security officer (ISO) is even more important in today’s complex banking environment than ever before. However, community bank and credit union ISOs often struggle to keep up with the growing number of responsibilities this role requires – often forced to manage critical tasks with limited resources and a lack of segregation of duties.

The Challenge

Nicole Rinehart, Chief Operations Officer at American Pride Bank, ran into this very issue as the sole IT admin at American Pride Bank. Managing all of the ISO responsibilities, including critical activities such as Board reporting and the production of comprehensive reports for examiners, was difficult to manage due to the many manual processes required.

During a regulatory examination, an examiner recommended the bank focus on having more independence within its ISO duties. The Federal Financial Institution Examination Council (FFIEC) states that all financial institutions must have separation of duties for the ISO role. To accomplish this, the bank began evaluating solutions to help streamline processes and ensure complete oversight of all information security activities.

The Solution

After consideration, American Pride Bank decided to partner with Safe Systems and implement its ISOversight virtual ISO solution. The service includes a suite of applications and programs to help institutions streamline management of key compliance duties including the CAT, BCP, Vendor Management and Information Security.

In this case, the bank was already leveraging individual components of ISOversight. By converting to the virtual ISO service, they gained additional tools, reports, and expert compliance support. An important part of the solution includes monthly meetings with the Safe Systems compliance team to assess the bank’s information security activities and provide guidance.

The Results

With ISOversight, American Pride Bank has improved its overall preparation and communication of the information security program. All key stakeholders in the bank have access to ISO-related items in real-time, and the information security program is more organized and streamlined, enabling the bank to save time on monitoring and reporting.

“The ISOversight solution has been a game-changer for our bank because now we have a robust process in place working with Safe Systems and a full committee of our team members to ensure all tasks are completed accurately and nothing slips through the cracks,” said Rinehart. “It’s so important to have a process like this, especially when you have limited resources. Safe Systems has truly become an extension of our internal team, helping us to stay on track with ISO responsibilities and ensuring we comply with all regulatory requirements.”

To learn more, read the full case study, “American Pride Bank Streamlines Processes and Improves Compliance Reporting with Safe Systems’ ISOversight Virtual ISO Solution.”