Information Security Program Archives

25 Oct 2022

Banks, Compliance, Credit Unions, Security, Technology Jamie Davis 0 comment

Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others.

A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.

Updating software — Updates resolve general software issues and provide new security patches where criminals might get in and cause problems. You should update software often, obtain the patch from a known trusted source, and make the updates automatic if available.
Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme where criminals use fake emails, social media posts, or direct messages to trick unwitting victims to click on a bad link or download a malicious attachment. The signs can be subtle, but once suspect a phishing scam, you should report it immediately, and the sender’s address should be blocked.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
NetInsight^®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
Security Awareness Training: Safe Systems has partnered with KnowBe4, a market leader who is in the business of training employees to make smarter security
Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.

27 Jul 2022

Banks, Compliance, Credit Unions Christine Ray 0 comment

Learn How to Eliminate Compliance Pain Points with COMPaaS

Keeping compliance processes and information security up to date is crucial, especially with the ever-increasing risks and regulatory requirements that are facing financial institutions. Our compliance-as-a-service solution, COMPaaS, solves this problem. It offers community banks and credit unions an easy way to customize information technology and compliance services to match their institution’s needs.

What is COMPaaS?

COMPaaS is a collection of connected compliance applications combined with critical monitoring and reporting tools that institutions can customize to address their specific pain points. Regardless of type or size, any financial institution can use COMPaaS to build a unique package of services that are based on their specific compliance resources, expertise, and budget.

The full suite of services meets regulatory requirements in a range of areas from vendor and network management to cloud security, information technology, and business continuity management:

BCP Blueprint: An application that automates the building and maintenance of a business continuity plan.
CloudInsight M365 Security Basics: A reporting tool that provides visibility into security settings for Azure Active Directory and M365 tenants.
Cybersecurity RADAR: A user-friendly application to assess cybersecurity risk and maturity.
Information Security Program: A proven regulatory framework with applications that allow you to build a customized, interactive, and compliant infosec program.
Lookout: An event log monitoring solution that efficiently combs through daily logs and sends notifications for activities that need review.
NetInsight: A reporting tool that runs independently of existing network tools to provide third-party “insight” into IT controls.
Vendor Management: An application that tracks vendor risks, automates contract renewal reminders, and generates reports.
V-Scan: A security solution that scans a network, identifies vulnerabilities, and generates a comprehensive report.

How Does It Work?

The COMPaaS applications and services were built with our expert’s core knowledge and industry best practices to help your institution build a strong compliance foundation. Whether you choose one of the automated applications or a service that provides a dedicated compliance resource, COMPaaS can help you better manage your policies and procedures, implement effective controls, and fill in reporting gaps to meet examiner expectations. It is the ideal solution because it lets you select the exact products and services you need now and add more later as your requirements change. For example, if you are a smaller bank, you might begin with a vendor management application and then build from there to cover your cybersecurity risk and information security concerns.

Key Benefits

COMPaaS allows financial institutions to leverage the benefits of automation to streamline time-consuming processes related to regulatory requirements. It converts labor-intensive processes that often exist on paper into apps to create living documents that are more efficient and less likely to become outdated.

COMPaaS also uses technology to enforce verifiable controls and provide consumable reports so that institutions can implement the appropriate actions to maintain information security. This can make it easier to prove to a third party that critical issues are being addressed. In addition, all COMPaaS was designed with the regulatory needs of community banking institutions in mind. For example, the technology and security products cover the standards set by the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool (CAT) or the National Credit Union Administration’s Automated Cybersecurity Examination Tool (ACET).

The COMPaaS Advantage

With COMPaaS, institutions have an effective way to target and eliminate their specific compliance and information technology weaknesses. They can save time by automating compliance tasks and save money by selecting only the options where they need help. Institutions also can expand COMPaaS’ services to support internal IT staff who may not be well-versed in a particular area or wearing multiple hats and juggling too many tasks. Or they can use COMPaaS to fill a void when an IT staff member takes a vacation, goes on leave, gets promoted, or retires. Whatever the situation, institutions can maintain continuity by having access to the same tools, reporting features, and experts through COMPaaS. And our solutions will grow with the institution, so it can implement various services at separate times based on its budget and needs.

30 Mar 2022

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Get Prepared for the New Computer-Security Incident Notification Rule

As of April 1^st, financial institutions are expected to comply with new cyber incident notification requirements for banking organizations and their third-party service providers. The Computer-Incident Notification Rule, as it’s officially called, is designed to give regulators early awareness of emerging threats to banking organizations and the broader financial system, including potentially systemic cyber events. The final rule—approved last November by the Federal Deposit Insurance Corporation (FDIC), Federal Reserve, and Office of the Comptroller of the Currency (OCC)—takes effect on April 1, 2022, with full compliance extended to May 1, 2022. (To date, the NCUA has not adopted the new rule, although it’s possible they may at some point. Credit Unions should check with their regulator for notification expectation specifics.)

Understanding the Regulations

To meet the upcoming deadline, financial institutions need to be well versed in the intricacies of the new rule. The rule has two components:

The first part requires a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident.”
The second part requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a “computer-security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Focusing on the financial institution expectations under the final rule, a couple of definitions must be understood.

A “computer-security incident” could include almost anything: a hardware or software failure, an innocent mistake by an employee, or a malicious act by a cybercriminal. However, the incident must result in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
A “notification incident” is defined as a significant computer-security incident that has materially disrupted or degraded a banking organization in at least one of these areas:
its ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base in the ordinary course of business
its business line(s), including associated operations, services, functions, and support that, upon failure would result in a material loss of revenue, profit, or franchise value
its operations, including associated services, functions, and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

In the event an incident rises to the level of a “notification incident,” the banking organization’s primary federal regulator must receive this notification as soon as possible, and no later than 36 hours after the banking organization determines that a notification incident has happened.

Recognizing the Gray Areas

The words “material” and “materially” are key terms; so much so that they are used 97 times in the 79-page guidance about the ruling. But beyond an “enterprise-wide” impact, the regulation does not precisely define these concepts, so financial institutions will need to specify what this term means to their organization as a whole. And since a determination of materiality is a prerequisite to starting the 36-hour “clock” for notification, they should do so ahead of time. The undefined nature of “material” to each organization creates a gray area open for interpretation that not only allows institutions some flexibility in this area but also opens the door for differences in opinion between an institution and its regulator.

In another gray area, the rule does not impose any specific recordkeeping requirements, which is a reduced burden. However, we strongly recommend keeping at least basic documentation in case the examiners ever question why your institution did or did not decide to escalate an event from a computer-security incident to a notification incident, and why it started the “clock” when it did.

Preparing for the Unknowns

At this stage, there are some unknowns about the implications of the new cyber incident notification requirements. One of the unknowns discussed in our recent webinar was related to an official contact person and method for each primary federal regulator. This has since been addressed and we recommend incorporating the following verbiage into the regulator notification section of your Incident Response Plan:

FDIC institutions:

Notification can be made to the case manager (primary contact for all supervisory-related matters), to any member of an FDIC examination team if the event occurs during an examination, or if the primary contact is unavailable, the FDIC may be notified by email at: incident@fdic.gov.

OCC Institutions:

Notification may be done by emailing or calling the OCC supervisory office. Communication may also be made via the BankNet website, or by contacting the BankNet Help Desk via email (BankNet@occ.treas.gov) or phone (800) 641-5925.

Federal Reserve Institutions:

Notification may be made by communicating with any of the Federal Reserve supervisory contacts or the central point of contact at the Board either by email to incident@frb.gov or by telephone to (866) 364-0096.

Another unknown as of the date of this post: Will the State banking regulators also require notification if a federal regulator is notified? The unofficial initial indication we have received is ‘Yes,’ but it would be good practice for institutions to check with their state regulator. Chances are regulators will request this, but whether or not it will be a requirement is still unknown.

Steps to Take Now

There are additional steps financial institutions can take now to be better prepared to address the requirements of the computer-Security Incident Notification Rule.

Our primary recommendation is for institutions to expand the notification section of their incident response plan to include the criteria for determination of a notification incident, and to add the regulator contact information above.
Institutions should also define “materially” for their organization and predetermine the meaning of “materially disrupted or degraded,” or what constitutes a “material portion” of their customer base.
Third-party contracts should contain verbiage obligating them to notify your institution under certain circumstances as required by the new rule. We also strongly advise designating an official contact person within your institution — whether it’s the CEO, CIO, or ISO — who should receive incident notifications from your third parties. It’s also prudent to specify a backup contact person—and make sure vendors know who the primary and alternate contacts are to ensure a smooth notification process.

For more information about this important topic, access our webinar on “New Cyber Incident Notification rules: How to Get Prepared”, or this recent blog post from Compliance Guru.

08 Dec 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

5 Compliance Lessons Learned in 2021 to Bring into the New Year

As the challenges presented by the COVID-19 pandemic persist, there are important compliance trends and new regulatory guidance that financial institutions should consider to ensure they are well prepared to begin the New Year.

Accounting for Operational Risk

During the pandemic, banks and credit unions have made necessary adjustments that have increased their operational risk. Two prime examples are switching to a remote workforce and accommodating a more remote customer base. Having employees work remotely extends an institution’s network out to that endpoint and, in effect, broadens security considerations to that point as well. Serving a remote customer base—including expanding e-banking and implementing electronic signatures—creates a similar risk. Security implications multiply as more employees and customers access services electronically.

Rapid changes in operational practices and increases in fraud and cyberthreats can cause a heightened operational risk environment if not properly managed. Examiners will want an account of how institutions determined what changes were necessary, how those modifications were implemented, whether those changes were temporary or permanent, and if controls (primary and compensating) have been adjusted for any resulting operational risk increases. They will review the steps management has taken to evaluate and adjust controls for new and modified operational processes. For instance, for permanent changes, did the institution factor in the operational risk of downtime relating to the new processes?

As a measure of governance effectiveness, examiners will also very likely:

Assess actions that management has taken to adapt fraud and cybersecurity controls to address the heightened risk associated with the altered operating environment.
Review management’s post-crisis efforts to assess the controls and service delivery performance capabilities of third parties.
Consider how imprudent cost-cutting, insufficient staffing, or delays in implementing necessary updates impacted the control environment.

Temporary vs. Permanent Changes

For the most part, because we are still dealing with the impact of the virus and its variants, institutions have chosen to maintain many of the temporary measures they implemented during the pandemic. So, because they may have rolled out the changes anticipating an eventual rollback, it may be necessary to “backfill” some documentation to address what is now permanent. Examiners will want to know if the changes were properly risk-assessed prior to implementation, including any new processes and interdependencies. Institutions should be able to provide a report to regulators if they ask—and ensure their board is appropriately updated. This could be a matter of going back and reviewing previous board reports to ensure that any gaps in their risk management reporting were addressed and properly reported to the board.

Ransomware Self-Assessment Tool (R-SAT)

With the pervasive occurrence of cyberattacks, regulators are increasingly concerned about cybersecurity, particularly reducing ransomware. Consequently, regulators in some states are more aggressive than others about having institutions fill out the Ransomware Self-Assessment Tool (R-SAT), which is based on the National Institute of Standards and Technology (NIST) cybersecurity framework. However, most state regulators we’ve spoken with are not going to make completing the R-SAT compulsory—although they may recommend it. If they do, the majority of what is asked by the 16-question tool should already be in place in the institution’s existing incident response and business continuity plans. Your decision to complete or not should be based on a self-assessment of your existing efforts in this area.

Regulatory Updates

New Architecture, Infrastructure, and Operations (AIO) Booklet

Earlier this year, the Federal Financial Institutions Examination Council (FFIEC) revamped its Information Technology Examination Handbook series with a new Architecture, Infrastructure, and Operations booklet. The revised guidance provides examiners with fundamental examination expectations about architecture and infrastructure planning, governance and risk management, and operations of regulated entities. Credit unions, banks, and non-financial, third-party service providers are expected to comply with the new guidance, which replaces the original “Operations” booklet issued in July 2004.

The FFIEC indicates that the release of the updated booklet is warranted because of the close integration between institutions’ architecture, infrastructure, and operations. “Updates to the booklet reflect the changing technological environment and increasing need for security and resilience, including architectural design, infrastructure implementation, and operation of information technology systems,” explains a June 2021 FFIEC press release.

An important component of the new booklet is the resilience and proactive measures that must be built into an institution’s AIO components. Importantly, the handbook also recognizes special treatment for smaller or less complex entities, which is reasonable because examiners are starting to indicate that smaller entities will often implement these concepts differently from large, multinational, multi-regional financial organizations, while still achieving the same objectives. The refreshed guidance also takes a different approach to data classification; it factors in value, along with criticality and sensitivity. However, (and this is consistent with all FFIEC Handbooks released in the past 3 years) the new booklet states that it does not impose requirements on entities; instead, it describes principles and practices examiners will review to assess an entity’s AIO functions. (Of course, we have always found that anything an examiner may use to evaluate, or grade, your practices becomes in effect a de facto requirement.) A much deeper dive into the booklet is here.

New Cyber Incident Notification Rules

Another big update that will impact 2022 and beyond, the new cyber incident notification rules. Officially called “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers”, they were proposed and submitted for comment in early 2021, approved in November 2021, and become effective in April 2022. Visit our partner site, ComplianceGuru.com, to read the latest post and gain an understanding of how these rules will impact both you and your third-party providers going forward.

To learn more about these and other critical compliance topics, listen to our webinar on “2021 Hot Topics in Compliance: Mid-Year Update.”

05 Nov 2021

Banks, Compliance, Credit Unions Tom Hinkel 0 comment

Minimize Examiner Scrutiny by Automating Compliance Processes

Financial institutions can expect to receive increased auditor and examiner scrutiny over their governance and oversight practices, and inconsistencies between procedures and practices will often result in findings. However, these challenges can be minimized or even eliminated by using automation to manage compliance processes.

Incorrect or Outdated References

One of the most widespread exam issues institutions encounter is due to policy inconsistencies, where incorrect or outdated references are used. Mentioning outdated guidance in policies is one of the most common offenses that institutions commit. For instance, referring to an older term like SAS 70 (Statement on Auditing Standards No. 70) or SSAE 16 (Statement on Standards for Attestation Engagements No. 16) instead of the newer SSAE 21 (Statement on Standards for Attestation Engagements No. 21) could be dismissed as a minor oversight, but it could also be considered a “red flag” causing examiners to question whether the institution has properly updated its policies, resulting in further scrutiny. A weakness in one area strongly suggests that there may be other weaknesses.

Another example of this type of issue is referencing “business continuity planning” (or BCP) versus “business continuity management planning” (or BCMP). Again, this would be a minor mistake because the term business continuity planning is not necessarily obsolete; still, it’s not consistent with the most recent guidance, and could lead to deeper dives in other areas. (In 2019, the Federal Financial Institutions Examination Council (FFIEC) issued the Business Continuity Management booklet. This guidance, part of the FFIEC Information Technology Examination Handbook, replaces the Business Continuity Planning booklet issued in February 2015.)

The problem with employing slightly outdated terminology also applies to phrases like “maximum allowable downtime” (MAD) and “maximum tolerable downtime,” (MTD) which is the newer reference. Examiners and auditors will accept either phrase so this is not a critical issue, but the use of dated terms can instill doubt in examiners and make them inclined to dig deeper into the institution’s policies.

Procedure and Practice Inconsistencies

Disconnects between policies and practices are another frequent exam challenge for institutions. Ideally written procedures should not contain statements that contradict the institution’s actual practices. In other words, your actual practices should as closely as possible reflect what you say you’ll do in your written procedures. For instance, there would be a procedure/practice inconsistency if the password policy of the information security program required eight characters, and the acceptable use policy (AUP) that employees signed allowed passwords of a different length. This type of inconsistency will almost certainly lead to further issues with examiners and auditors.

Another key area of focus for examiners and auditors is board reporting. Disconnects can occur if the information presented to the Board is not properly documented in Board minutes. This challenge is compounded by the sheer volume of information modern Boards are required to digest. The only way to make sure board minutes contain all pertinent details is to periodically review them. This will help ensure that the content of board meetings is consistent with both examiner expectations, and your written procedures.

Integrating Automation

In addition to changes in guidance terminology or updates to guidance policies, an institution’s procedures can and do change periodically as well. So contradictory statements resulting from policy updates are inevitable. Still, financial institutions must be aware of guidance changes and must also ensure their current procedures align with their practices and are consistent across all documents to make sure they comply with industry guidance and regulations. While this is easier said than done, technology can make it easier for institutions by providing regular updates to accommodate changing regulations and trends as well as make it more feasible for them to identify inconsistencies between their policies and procedures.

For example, a simple way to assess your potential exposure to procedural disconnects is to search through the documents in your institution’s information security program, for statements that include the words “will,” “must” or “shall.” Each of these statements contains an obligation of some sort; something you’ve committed to doing. For each occurrence, determine if A) it’s being completed exactly as indicated, B) by the group or individual assigned responsibility, and C) it’s being performed at the designated frequency or interval. Automation can help track these tasks and provide the necessary proof in the form of documentation. Additionally, most policies will make multiple references to the same task; business continuity may be referenced in information security, incident response in business continuity, vendor management in both information security and business continuity, etc. A change to a procedure or practice in one document should automatically trigger the associated changes elsewhere.

Integrating automation into the equation can help institutions streamline their methods for managing a variety of compliance changes and issues and greatly reduce the most common causes of findings due to disconnects and inconsistencies. Automation can make it easier to maintain more consistent and complete integration in areas throughout the organization, including information security, risk management, network management, vendor management, and business continuity management. Ultimately, automated updating, tracking, reporting, and other tasks can facilitate better preparation for exams and audits, and greatly reduce stress levels!

To learn more about how automating routine procedures can help financial institutions avert auditor and examiner criticism, listen to our webinar on “Managing Your Compliance Processes in 2021: Is There a Better Way?”

If you’re not certain where to begin when it comes to automating your compliance processes, check out our new service, COMPaaS™ (Compliance as a Service). This set of connected applications and powerful monitoring and reporting tools can be customized to target and eliminate your institution’s specific compliance pain points. One of our experts will help you create a solution that is unique to your institution, so you only pay for the services you need. And you can feel confident in choosing from products and services that are backed by nearly 30 years of experience in the banking industry.

09 Aug 2021

Banks, Compliance, Credit Unions Christine Ray 0 comment

Third-Party Solution Makes It Easy for Community Bank to Enhance InfoSec Program

Implementing a technology-enhanced information security program doesn’t have to be a daunting task. Working with a third-party expert can make the process easier and smoother than managing all the requirements completely in house.

Effective information security (InfoSec) allows organizations to safeguard key IT assets, business processes and data from potential threats. It involves the broad measures that ensure the confidentiality, integrity and availability of the information being processed and stored by computer systems. Most financial institutions, especially those with limited IT resources, can benefit from having an outside vendor provide additional technical expertise and solutions to enhance their existing InfoSec program.

First State Bank Improves InfoSec with Safe Systems

First State Bank of Blakely, Ga. is a prime example of how a financial institution was able to tap external resources to expand its InfoSec program. The bank, which has about 100 employees and 10 branches, was handling most of its InfoSec requirements in house. But when First State Bank’s InfoSec consultant retired, the bank opted to expand its vendor management relationship with Safe Systems to include information security.

Safe Systems made the implementation quick and easy, recommending strategic tweaks that significantly streamlined the process. Consequently, First State Bank was able to avoid “reinventing the wheel” by importing some of its existing information. And since the program elements are web-based and accessible through any internet browser, it will be easy for the bank to make future edits.

First State Bank’s IT Manager, William Barnes, specifically references Safe Systems’ expertise, saying: “The knowledge and experience of the experts I worked with during implementation were very helpful. It is good to know they are there to consult with. I think overall, we are in a good place with the new information security program.”

In addition, the program provides an easy-to-follow guide for securing the First State Bank’s operations and processes. The program is reviewed at least annually, which serves as a reminder of important security requirements. “It helps us stay on top of the risks within the bank and has all the available forms that we need for most policies and procedures,” Barnes says.

Benefits of Technology-Enabled InfoSec

Having a technology-enabled InfoSec program offers a host of benefits for institutions like First State Bank. In general, an automated security program can help banks better support the hardware, software, policies, procedures, and information assets needed to accomplish their business objectives. More specifically, incorporating technology can simplify an InfoSec program; it can streamline the process of identifying and classifying the vast number of assets institutions often have scattered across multiple branches and geographic locations. And a built-in risk assessment tool can provide pre-determined default risks for different assets based on commonly known threats and vulnerabilities.

All of this can reduce the need to create huge spreadsheets to maintain the amount of data typically required for an InfoSec program. As a result, financial institutions can have more accurate security-related information, enhanced board reporting, and better decision making and governance.

Consulting with a trusted vendor like Safe Systems allows institutions to immediately expand their information security expertise and resources. Safe Systems includes three applications in their service including Risk Assessment, Policy Manager, and Enterprise Modeling, to help banks and credit unions centralize and automate their InfoSec program. These powerful applications can make it easier for institutions to enhance their processes for assessments, notifications, reporting, policy/procedure updates and regulatory compliance so they can optimize their security posture.

22 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

How Financial Institutions Can Enhance Board Reporting and Governance with Technology

As financial institutions face greater expectations for corporate accountability from regulators, effective board reporting and governance are becoming even more essential in the banking sector. While board members aren’t generally involved in the day-to-day operations, they are ultimately responsible for the success of their institution. Proper reporting can enable the board to make decisions without having to be involved in routine activities, and technology can help institutions enhance their board reporting and, in the process, help directors exercise the care, skill, and diligence required for good governance.

Five Essential Elements of Reporting

Board members need access to a range of financial and non-financial information relating to their organization’s products and services. In order to function effectively as a feedback tool for the board and senior management, the FFIEC Management Handbook states that information systems reporting should meet five essential elements:

Timeliness: To facilitate prompt decision-making, an institution’s information systems should be capable of providing and distributing current information to appropriate management or staff
Accuracy: A sound system of automated and manual internal controls should exist to ensure the validity of the information and should include appropriate editing, balancing, and internal control checks
Consistency: To be reliable, data should be processed and compiled uniformly. Variations in data collection and reporting methods can distort information and trend analysis
Completeness: Reports should contain the necessary information to inform decision-makers without voluminous detail
Relevance: Information systems should provide current, applicable, and actionable information

Reporting that contains the essential elements above can provide decision-makers with facts that support and enhance the overall decision-making process and can also “…improve job performance throughout an institution.” At the board and senior management level, information systems reporting provides the data and information to help the board and management make strategic decisions. At other levels, information systems reporting allows management to monitor the institution’s activities and distribute information to staff, customers, and members of management.

Applying Technology

Advances in technology have increased the volume of data and information available to management and directors for planning and decision-making. Converting that data into actionable knowledge is essential for the board to provide a “credible challenge” to management, which involves being actively engaged, asking thoughtful questions, and exercising independent judgment. Integrating technology into their InfoSec efforts, institutions can create a comprehensive system to generate, collect, and analyze data to support a more effective process for board reporting and a more knowledgeable board.

Heather Helms, CFO and Information Security Officer of Mount Vernon Bank, knows firsthand the importance of having an application that supports board reporting. “Before we started our partnership with Safe Systems, we were not up to par with the industry standards of reporting. Since redoing our Information Security Program and moving away from a paper-based model to automated applications, we’ve seen noticeably better results in our board reporting and regulatory updates,” said Helms. “When trying to wear numerous hats within a small community bank and stay on top of a topic so huge in a regulatory world, solutions like Safe Systems’ Information Security Program makes all of the difference.”

There are several advantages to financial institutions using technology solutions to automate and optimize board reporting and governance. The primary advantage is the ability to generate on-demand reporting on all aspects of information security management; from managing projects, to risk assessments (including risk appetite), to managing critical vendors, to mitigating operational risk through business continuity planning. Reporting should allow just enough detail to enable the board to fulfill their responsibilities, but not be so detailed that they struggle to comprehend. Ideally, technology should support high-level reporting, with the ability to “drill down” as necessary. The emphasis should be on quality, not quantity.

Another potential advantage of technology in reporting is the ability to aggregate business intelligence from multiple sources enterprise-wide. This not only gives the board a more complete picture of risk but can also stimulate internal collaboration and deeper insights, giving directors more meaningful information for analysis. The importance of timely, accurate, relevant, complete, and consistent information cannot be overstated, as the success or failure of management is often defined by the decisions they make. As the FDIC states, “The extreme importance of a bank director’s position is clearly emphasized by the fact that bank directors can, in certain instances, be held personally liable.” By having a comprehensive system in place for optimal decision-making, institutions can improve the quality of the information flowing from management to the board, and then from the board to other internal and external stakeholders—helping directors not only improve governance, but also enhance regulatory compliance and possibly even reduce lawsuits, monetary fines, and other negative consequences from inadequate board reporting.

Technology not only optimizes board reporting and decision-making but also makes it easier for directors to access the information they need to perform their due diligence and oversight obligations. It all boils down to implementing technology to exercise better accountability—ensuring sound policies are in place to promote strategic objectives and regulatory compliance.

Safe Systems offers a wide range of compliance-centric, innovative solutions that can help financial institutions take advantage of technology to improve their board reporting and governance.

01 Jul 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Benefits of Integrating Technology into Your InfoSec Program

Information security (InfoSec) is a critical aspect of keeping an organization’s computers, networks, sensitive information, and users safe from potential threats. Integrating technology into a financial institution’s InfoSec program can make it easier to manage risk and protect their information and infrastructure assets. Institutions can utilize automation to capitalize on a variety of other benefits, including:

Simplicity

Banking is a complex business. Banks and credit unions maintain a wide assortment of information technology devices, systems, and applications to support their operations. They also have multiple personnel, partners, and third-party providers spread across different geographic areas. The interconnectivity of their operations can make it even harder for institutions to protect the hundreds (and in some cases, thousands) of assets they must maintain. An automated system can make it easier for institutions to inventory and classify their assets—without having to create enormous, time-consuming spreadsheets. It provides a centralized solution for tracking the criticality, location, and risk exposure level of each asset. Identifying the source of risk is the essential first step to effective risk management. Technology and various Software as a Service (SaaS) applications can greatly simplify the process of inventorying assets, assessing the risk, and selecting controls. Technology can also create automatic updates to ensure that all policies and procedures are current and based on industry standards and regulatory requirements. Additionally, on-demand stakeholder reporting can be generated to provide the requisite documentation to management committees, board of directors, and regulatory authorities, respectively.

Completeness and Transparency

Integrating technology can help financial institutions get a clearer sense of their security posture, so they can develop a more complete InfoSec program. Automation makes it easier to identify and categorize each asset, along with its related risks, threats, and controls. This can enable institutions to make a more accurate assessment of where their security risks actually lie. With enhanced transparency, institutions can determine the most appropriate level of protection for each of their assets. As a result, they can more effectively use, manage, and secure these assets. Proactively identifying risks, threats and controls can also better position them to minimize the impact of security incidents in the future.

Better Intelligence and Insights

Some financial institutions rely on manual spreadsheets to manage the vast amount of information and other assets in their InfoSec program. But manual spreadsheets are not always the most effective tracking and reporting mechanism. People can inadvertently feed the wrong data into spreadsheets and produce unreliable results (“garbage in, garbage out”). Plus, since creating spreadsheets is such a repetitive and time-consuming process, information may be infrequently updated—which can make it less timely and thus less useful. However, integrating technology can help institutions enhance the accuracy of the intelligence that supports their InfoSec program. In turn, their board and management can have better insights into the important issues that impact the information security of their organization, which in turn empowers them to make better decisions.

Enhanced Reporting

To make the best decisions for their institution and perform their fiduciary oversight duties, boards and management committees need accurate, relevant, and timely information. By incorporating technology in their InfoSec program, institutions can put an efficient process in place to generate, collect, and analyze data to support board and committee reporting. This can enhance the overall quality of the information being reported to the board, shareholders, and auditors, and regulators. Optimized, on-demand reporting can improve governance, foster compliance, and potentially reduce negative consequences from inadequate board reporting.

Resource Collaboration and Augmentation

InfoSec resources are limited at many financial institutions, and most community banks and credit unions do not have a dedicated InfoSec specialist in-house. Additionally, information security officers (ISOs) tend to wear multiple hats and are often stretched thin by their broad range of responsibilities. An automated application can create a centralized solution that creates a multi-user approach to allow the ISO to leverage internal resources wherever and whenever possible. For example, a department head or process owner can be a valuable internal resource for assessing vendors impacting the department’s functionality. Similarly, the process owner (and not necessarily the ISO) would be the most logical choice to perform the process Business Impact Analysis. In this way, InfoSec becomes an “all hands on deck” operation, with all personnel sharing ownership of the process. Outsourcing additional aspects of InfoSec via a virtual ISO solution can provide an institution with additional subject matter expertise and solutions to further support their designated ISO and the overall security of their systems and information.

Read more about the benefits of integrating technology into your information security. Download our white paper on “How Financial Institutions Can Use Technology to Build an Automated, FFIEC-compliant Information Security Program.”

24 Jun 2021

Banks, Compliance, Credit Unions The Safe Systems Compliance Team 0 comment

Automating Your Information Security Program: How Technology Can Get Policies Off the Shelf

Automating Your Information Security Program - How Technology Can Get Policies Off the Shelf

Working with paper-based information security policies can be limiting for financial institutions. Automation allows banks and credit unions to take their policies off the shelf and move them online to reap multiple benefits.

There are 2 major challenges to having a static, paper-based information security program; the first is making sure policies accurately reflect the financial industry’s current guidance and best practices, and the second is making sure they accurately reflect your institution’s specific practices. Often new paragraphs and sections get added to cover additional policies while almost nothing gets expunged. Or a revision in one section of the program might not be properly updated in all other related areas.

These twin challenges are the primary cause of disconnects between policies, procedures, and practices —and compliance-related findings from IT auditors and examiners. Today examination auditors are scrutinizing documents far more closely, and they expect to see documentation that proves institutions are doing what their policies say they are. And unfortunately, policy disconnects and lack of adequate documentation in IT often reflect poorly on management. It is not unusual for us to see weaknesses in the IT area pull down the CAMELS management component in other areas. In a study conducted by the OCC earlier this year, researchers found that:

“… both the CAMELS composite and Management component ratings have significant predictive power for features of the distribution of banks’ return on assets (ROA), non-performing loans (NPL), stock returns, stock return volatilities, and market-to-book ratios.”

Advantages of Automation

Leveraging technology for an information security (InfoSec) program offers significant benefits by addressing both challenges. A key advantage is that it places all InfoSec related documents in one place where personnel can easily access them. Having a digitally enhanced program makes it easier to minimize exam findings related to inconsistencies between policies (what you say you’re going to do) and procedures (how you say you’re going to do them). Automation streamlines the process of updating policies and documenting the corresponding procedures that are in place to support them.

As another advantage, automation promotes personnel collaboration and engagement in the information security process. Having a web portal where staff can access the policies and procedures related to their area of focus enables collaboration, encourages engagement, and generally helps generate buy-in. As a result, personnel becomes better informed and more engaged in the information security program.

Automation also supports change management by facilitating periodic, detailed reporting to update various stakeholders about the status of the information security program. Reports can focus on a specific area or be customized for different stakeholders who may need more specialized reporting. They may be high-level summaries, or highly detailed. Most importantly, as regulatory guidance and best practice evolve, automation can allow policy updates to happen with the click of a button.

Our Unique Approach

At Safe Systems, we took a unique and comprehensive approach when creating our new Information Security Program solution. The program includes a comprehensive set of policies and a process-based risk assessment. It’s also structured around the Information Security and Management handbooks by Federal Financial Institution Examination Council (FFIEC). And it features a detailed, easy-to-navigate table of contents that will look familiar to auditors and examiners. The idea is to make it as easy as possible for IT auditors and examiners to find what they’re looking for, so they can move on to other areas!

Another way our approach is unique is that our methodology starts with enterprise modeling: We find out everything about the institution’s departments, processes, functions, and required interdependencies. That data then flows directly into the risk assessment and links to other areas that may be added later, such as business continuity management or vendor management. All of these areas will “talk” to the model to support automatic updating whenever global changes are made.

Positive Feedback

Our Information Security Program—which has been years in the making and incorporates everything we’ve learned about what does and doesn’t work—is effectively simplifying an inherently complex process for institutions of all types and sizes. So far, we’ve heard great feedback from auditors, examiners, and customers. (In fact, the risk assessment was developed in close collaboration with IT auditors.) Customers are finding our information security program much easier to manage than having multiple disjointed policies in Word documents and PDFs strewn across disparate folders. They can access policies without worrying if they have the most current version. And our broad and deep understanding of financial institution risk management allows us to start with a pre-filled set of policies, which are then customized to each institution. This greatly accelerates the onboarding process. Customers also like being able to work one-on-one with our team to build a process-based risk assessment model, being able to customize policy language as needed, and not worrying about what changes to make, or where to make them.

For more details, listen to our webinar on “Automating Your Information Security Program: How Technology Can Get Policies Off The Shelf.”

24 Jan 2019

Banks, Credit Unions, Technology Jamie Davis 0 comment

What Community Financial Institutions Should Look for in a Managed Services Provider

The majority of banks and credit unions rely on managed services providers to help them improve efficiencies in their organization, meet mounting regulatory compliance requirements, and provide the competitive products and services their customers and members expect.

However, selecting the right managed services provider can be challenging. We have highlighted some key qualities that community banks and credit unions should look for when choosing trusted partners.

A managed services provider should have a true understanding of the following areas:

The community banking and credit union industries

Automating Your Compliance Processes with Technology Get a Copy

A managed services provider must truly understand the “ins and outs” of operating a community bank or credit union. This includes recognizing the industry trends, realizing the importance of priorities, such as customer- and/or member-service related touch points, and understanding regulatory and compliance issues. Not knowing how a community financial institution operates is a hindrance that can prohibit the provider from effectively meeting the demands of the institution and makes it unlikely that it will be in a position to offer informed recommendations on improvements and solutions to existing issues.

Financial services technology

Technology is ever-changing and it is nearly impossible for any one person to successfully keep up with all of the advancements. To provide the technological solutions and services that a community bank or credit union requires, a managed services provider should understand the technical requirements of all banking technology solutions, starting with the core platform. Since many applications have to work with — and integrate into — the core platform, it is impossible to design an efficient and comprehensive network without first an understanding of core platforms and banking technology.

Regulatory compliance requirements

The evolving world of financial regulatory compliance governs every aspect of your IT network and that includes what hardware and software you choose to deploy. In today’s banking environment, vendors must be able to make recommendations on how to manage hardware and software to meet regulatory expectations, meet regulatory expectations such as, verifying all patches, ensuring security measures are up to date, and maintaining access to critical services during a disaster.

Working with the wrong managed services provider can be time-consuming, cumbersome, and even stressful. However, working with a provider who offers the desired services and who truly understands your industry can help guide the institution in today’s challenging financial environment. A good partnership is key to ensuring your organization remains competitive and profitable for years to come.