Attention: The Safe Systems website is transitioning to UFSTech.com. Please access our client portal, news, and blog posts from there.

Tag: Executive Management

25 Jun 2020
What is My Bank's Cybersecurity Posture Compared to My Peers?
Banks, Compliance, Credit Unions Tom Hinkel 0 comment

What is My Bank or Credit Union’s Cybersecurity Posture Compared to My Peers?

What is My Bank's Cybersecurity Posture Compared to My Peers?

It is important to understand your institution’s cybersecurity posture to find out where you stand in regard to cyber threats and what you need to do to create a more secure environment. It’s a delicate balance because being behind on your cybersecurity posture means your institution is less secure than it should be but being ahead likely means that you are investing in resources that you may not need. Unfortunately, it’s almost impossible to do a true peer-to-peer comparison because there are just too many variables between even similarly sized financial institutions to obtain a useful analysis. Here’s why:

Every Institution Has a Unique Model

When we implement information security or business continuity programs for banks and credit unions, we start with a process called “Enterprise Modeling” where we identify the departments, the processes, and the functions that make up each individual financial institution. What this process typically reveals is that if you model out two financial institutions that look identical in terms of geographic area, demographic customer or member base, size and complexity, the results will almost always be significantly different since each institution has a unique operating model based on their specific services, organization, processes, and technologies.

Cyber Risk Appetite Is a Key Variable

Cyber risk appetite is another factor that often differentiates your institution from your peers. Safe Systems’ Compliance Guru defines risk appetite as “The amount of risk that an enterprise is willing to pursue and accept in order to achieve the goals and objectives of their strategic plan.” For example, let’s say we have two financial institutions that seem equivalent in outward appearance. Based on their strategic plan, one institution has decided to take a more aggressive cybersecurity posture to electronic banking products and the other has decided to take a more conservative approach. Because the level of risk varies by the approach, you simply cannot accurately compare the two institutions.

The Best Way to Evaluate Cybersecurity Posture

At Safe Systems, we recommend allowing your bank or credit union’s information to stand on its own. To truly improve your cybersecurity posture, you must examine where you are based on where you need to be — not where a peer may be in the process. Carefully evaluate your risks (including areas of elevated risk), and the controls you have in place that offset those risks. Then, examine the best control groups to apply against those areas of elevated risk and develop an action plan to take your institution from where you are now, to where you need to be. Then, when you conduct this process again next year, you can demonstrate steady progress to both examiners and your Board.

Holding Steady May Cause You to Fall Behind

In addition, just because your inherent risk profile isn’t increasing from one assessment to the next, this doesn’t necessarily mean your control maturity levels shouldn’t increase. The risk environment is constantly evolving, so holding steady on your controls may actually mean your cybersecurity resilience is decreasing. Making incremental increases in your control maturity levels will help keep you ahead of the latest threats.

For more information about improving your cybersecurity posture, watch the full “Banking Bits and Bytes Super Duper CEO Series,” below.

18 Jun 2020
Addressing Banking Security, Technology and Compliance Concerns
Banks, Compliance, Credit Unions Darren Bridges 0 comment

Addressing Banking Security, Technology and Compliance Concerns

Addressing Banking Security, Technology and Compliance Concerns

To gain new insight into the needs of banks and credit unions today, Safe Systems conducted a sentiment survey and asked community financial institutions directly about their top concerns. Their responses were primarily concentrated in three main areas: security, compliance, and technology, especially regarding exams and audits, cyber threats, and disaster recovery. Since the pandemic events of this year, many of these concerns have only strengthened in importance. In this blog post, we’ll address these challenges and offer some key best practices to solve them.

Top Security Concern: Cybersecurity

Banking security threats are pervasive worldwide, leaving banks and credit unions with good cause for concern. Consider these alarming cybercrime statistics: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, according to a recent Boston Consulting Group report.

A key tool to combat cyber threats is the Cybersecurity Assessment Tool (CAT) from the Federal Financial Institutions Examination Council (FFIEC) and the Automated Cybersecurity Examination Tool (ACET) from the NCUA. Institutions can utilize this voluntary industry-specific cyber assessment tool to identify their risk level and determine the control maturity of their cybersecurity programs.

Top Compliance Concern: Exams and Audits

While examinations and audits are necessary components of compliance, many institutions are intimidated by the process itself, and while exams and audits may overlap in similar areas, they are distinctly different in terms of nature and scope.

The Federal Deposit Insurance Corporation (FDIC) conducts bank examinations to ensure public confidence in the banking system and to protect the Deposit Insurance Fund. Audits, which typically last several months, are designed to ensure institutions are complying with federal laws, jurisdictional regulations, and industry standards. Auditors conduct tests, present their findings, and recommend corrective actions for the bank to undertake.

Banks and credit unions can use several tactics to prepare for, and meet, the requirements and expectations of regulators:

  • Review all guidance and issues related to their institution and become familiar with any changes that might impact them
  • Review previous exam reports for comments or matters that require attention and be prepared to report and discuss these findings, along with any previous nonfinding comments
  • Use a managed services provider in combination with compliance applications to automate the process of documenting, reporting, and preparing for exams.

While following best practices will not guarantee that an institution won’t have examination findings, it can help significantly lower the likelihood and severity of them.

Top Technology Concern: Disaster Recovery

Financial institutions must have provisions for restoring their IT infrastructure, data, and systems after a disaster happens. Considering the recent outbreak of COVID-19, it is also important for community banks and credit unions to consistently review, update, and test their current disaster recovery plans to be able to address any issues that occur during a pandemic event.

With effective planning, banks and credit unions can launch a calculated response to a disaster, pandemic event, or other emergencies to minimize its effect on their information systems and the overall business operations. Some general best practices for disaster recovery include:

  • Analyzing potential threats
  • Assessing the technology required
  • Managing access controls and security
  • Conducting regular data recovery test
  • Returning operations to normal with minimal disruption

While the survey respondents shared a number of serious banking security, technology, and compliance concerns, the good news is that they all can be properly addressed with the right processes, strategies, and resources in place. For more information on the top concerns community banks and credit unions are experiencing today, read our latest white paper, “Top 10 Banking Security, Technology, and Compliance Concerns for Community Banks and Credit Unions.”

21 May 2020
The Value of Network Reporting for Community Banks and Credit Unions
Banks, Compliance, Credit Unions Jamie Davis 0 comment

The Value of Network Reporting for Community Banks and Credit Unions

The Value of Network Reporting for Community Banks and Credit Unions

With increased cyber-attacks, shared data with third-party vendors, and strict regulatory requirements, community banks and credit unions have high standards to meet for information security. Adequate oversight and network reporting on the information security program is needed to ensure the proper controls are in place and that all stakeholders have visibility into the network.

In a recent webinar, Safe Systems shared some key observations on the need for financial institutions to have better communication and reporting between IT staff, the compliance department, and senior management. Here are a few key points to consider:

  1. Gaps Between IT Staff and ISO/Compliance Teams

    2. In many financial institutions, there is a lack of synergy and communication between the IT department and the information security/compliance team. Many ISOs simply do not have the technical background to fully understand how information is being protected. They tend to be more focused on vendor management, business continuity management, and performing risk assessments and less familiar with how systems are getting patched; if machines have antivirus; or if backups are updated consistently. It can be difficult to communicate effectively if ISOs don’t understand the IT world or don’t have visibility into network reports and the necessary information to do their job.

  2. Oversight to Better Manage Controls

    3. Because bank and credit union IT staff are human, sometimes errors will occur. While financial institutions have many technology solutions that automate IT functions and controls, oversight is required to ensure that the controls are adequate, working, and therefore mitigating risks. Without appropriate oversight, any gaps in the network can lead to a successful cyber-attack. Similarly, a finding during an exam that shows certain controls were implemented ineffectively can also leave the institution vulnerable.

  3. Limited Access to Reports

    4. Too often, when ISOs conduct a review of the information security program, the reports they receive are vague or too technical to decipher the key insights most important to the ISO role. Other key stakeholders, like the Board and senior management, also may need more access to high-level reports to better identify threats, assess risk, and make decisions on the appropriate controls to implement.

    Without access to adequate reports, the ISO and other stakeholders can become overly reliant on the IT team to explain what is happening on the network without having the ability to verify that information independently.

To learn more about information security reporting and get a demo of our NetInsight ™ cyber risk reporting tool, watch our webinar, “NetInsight: Trust But Verify.”

01 May 2020
Combating Business Email Compromise and Protecting Your Remote Workforce
Banks, Credit Unions, Technology Brendan McGowan 0 comment

Combating Business Email Compromise and Protecting Your Remote Workforce

Combating Business Email Compromise and Protecting Your Remote Workforce

Over the last two months, there have been more people working remotely than ever before, and with more being done outside the branch, financial institutions cannot rely on their usual firewall and anti-malware solutions to protect their staff. Today, the single most common attack used to target remote users is what is known as “business email compromise” (BEC).

Safe Systems hosted a live webinar earlier this month discussing how BEC works; the main techniques used in these types of attacks; and the cost-effective solutions needed to mitigate them. In case you missed it, here are a few key points from the webinar:

What is business email compromise and how does it work?

Business email compromise is a security exploit where an attacker targets an employee who has access to company funds or other non-public information and convinces the victim to transfer money into a bank account controlled by the attacker.

These attacks have two main categories:

  1. Phishing emails – this is just a spoofed email that seemingly comes from someone you trust within the organization (like the CFO or CEO) instructing an employee to wire money to a specific account.
  2. Account takeover – the attacker procures your real username and password and then logs into your mailbox where they are then able to send and receive emails at will from your actual account.

Using these attack methods, cybercriminals can commit many different types of fraud, including wire fraud, non-public information (NPI) theft, and spreading of malware.

There are also a number of different attack “types” that cybercriminals commonly use to take over accounts:

A single-stage attack is a social engineering email directing a user to complete a certain action. For example, an email may include a link that leads to a rogue website where the attacker is trying to capture login information. This is a fairly simple, one-step attack.

The more sophisticated variation on this type of attack is the multi-stage method. In this attack, we often see that instead of having a link in the email that goes to a suspicious website that could potentially be blocked by other security layers, attackers use a link in the email that goes to a highly trusted place like a Citrix share file or some other trusted site. If the user clicks the link, they’ve now stepped outside of any email security layers the institution might have in place. Most often these sites are SSL encrypted so this underscores the importance of having SSL inspection performed on your traffic to ensure links in emails do lead to legitimate, secure websites. The problem with this, however, is that it can be an increasingly difficult job for some financial institutions to implement and manage.

How Can Financial Institutions Defend Against These Threats?

Prevent

The first line of defense against business email compromise is to stop the user from being exposed in the first place, and the single most effective measure financial institutions can implement is user training. It’s important for financial institutions to regularly conduct penetration testing and use security awareness training to educate their employees. Over the years, we’ve seen a distinct correlation between the frequency of user security awareness training and the success rate of phishing attacks. Some institutions leverage self-testing tools such as KnowBe4, but there are many other services that financial institutions can use to test their employees.

Mitigate

The second line of defense is to stop the user from causing damage. To mitigate the threat, financial institutions can use a variety of effective tools, including:

  • Email Filtering – a tool that filters out suspicious emails to ensure no spam, malicious content, or sensitive data makes it out of the institution unauthorized.
  • DNS Filtering – is the process of using the Domain Name System lookup to find the IP address of a website to block malicious websites and filter out harmful or inappropriate content.
  • URL Rewrite – if an email has a link, the system rewrites the destination of the link to go to a security company first before the real session is connected.
  • Multifactor Authentication – this tool requires more than one method of authentication to verify a user’s identity for a login or other transaction. The methods include something you know (pin); something you have (phone) and/or something you are (biometrics).

These are just a few of the tools that can help strengthen your institution’s security posture and ensure users do not fall victim to malicious attacks. However, if they do, it is critical to have a plan to respond.

Respond

The last line of defense is to stop the expansion of damages if a threat has occurred. In this case, financial institutions must conduct an investigation into the cyberattack and have thorough logs of their mail system to understand exactly what occurred; how far it has spread; and determine the next steps. Community banks and credit unions should have an incident response plan in place and perform regular tabletop testing to confirm the plan works and will be useful when a real attack occurs.

To learn more ways to protect your institution from business email compromise, watch our recorded webinar, “Business Email Compromise – Preventing the Biggest Risk from Remote Users.”

© 2025 UFS and Safe Systems are now the same company. Safe Systems is a registered trademark in the US. All rights reserved. Privacy Policy