Tag: Managed Site Recovery

30 Dec 2021
Our Top Blog Posts of 2021


With a new year approaching, it’s a good time to review some of the key discussions from the past year. Read these highlights from our top blog posts of 2021, to help your financial institution refine key operational strategies for 2022 and beyond:

1. 2021 Hot Topics in Compliance: Mid-Year Update

Although the COVID-19 pandemic isn’t over, financial institutions have learned valuable lessons so far. Key impacts have been primarily operational, involving risks related to temporary measures taken to weather the crisis. In addition, there are important compliance trends and new regulatory guidance institutions should anticipate going forward. Ransomware cybersecurity has been a key area of focus for regulators, and given the recent high-profile cyber events affecting the industry, their scrutiny will likely increase in the future. This will be reflected, in part, by the number of (and types of) assessments that regulators might expect institutions to perform annually. These assessments from various state and federal entities include the Cybersecurity Assessment Tool (CAT), the optional Ransomware Self-Assessment Tool (R-SAT), the Cybersecurity Evaluation Tool, and the modified Information Technology Risk Examination for Credit Unions (InTREx-CU). In addition, there have been major shifts with cyber insurance, and the FFIEC released a new Architecture, Infrastructure, and Operations booklet in its Information Technology Examination Handbook series. Read more.

2. The 4 “R’s” of Disaster Recovery

Maintaining an effective approach to disaster recovery can help financial institutions satisfy regulatory requirements, better protect themselves from the effects of negative events, and improve their ability to continue operating after a disaster. There are four important “R’s” that institutions should concentrate on for disaster recovery: recovery time objective (RTO), recovery point objective (RPO), replication, and recurring testing.

RTO is the longest acceptable length of time a computer, system, network, or application can be down after a disaster happens. When establishing RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. The RPO is the amount of time between a disaster occurring and a financial institution’s most recent backup. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. DR replication entails having an exact copy of an institution’s data available and remotely accessible when an adverse event transpires. The best practice is to keep one backup copy onsite and another offsite in a different geographic location that’s not impacted by the disaster. Recurring testing allows institutions to identify key aspects of their DR strategy and adjust as needed to accomplish their objectives. Regular testing can expose potential problems in their DR plan so they can address these issues immediately. Read more.

3. Segregation of ISO Duties Critical to Network Security and Regulatory Compliance for FIs

It’s crucial for financial institutions to maintain distinct duties between their information security officer (ISO) and network administrator to ensure network security, regulatory compliance, and the health of their operations. There should be at least one designated ISO who is responsible for implementing and monitoring the information security program and who reports directly to the board or senior management—not to IT operations management. The significance of segregating the ISO’s duties comes down to oversight: Separating ISO and network administrator tasks helps to create a clear audit trail and ensures risk is being accurately assessed and reported to senior management. It also allows the ISO to provide another “set of eyes” that help to maintain a level of accountability to management, the board, and other stakeholders. The ISO’s independent role primarily serves to ensure the integrity of an institution’s information security program. Financial institutions can also use a virtual ISO to create an additional layer of oversight on top of what they have in place internally. Read more.

Discover these and other key topics about banking compliance, security, and technology on the Safe Systems blog.

Or, subscribe now to be the first to receive the latest updates on banking trends and regulatory guidance directly to your inbox.


11 Oct 2021
What Financial Institutions Should Budget for in 2022


Many of us thought 2021 was going to be the downhill side of the pandemic. I recall working on a webinar presentation that we hosted last summer and including the words, “Now that the pandemic is behind us…” Obviously, I was overly optimistic. As we look ahead to 2022, we must acknowledge that the COVID-19 pandemic will continue to affect us to one degree or another. With that said, these budgeting ideas for 2022 may look somewhat similar to those for 2021, but there are slight variations based on current banking technology, compliance, and security issues.

1. Multifactor Authentication

Implement multifactor authentication (MFA) on all your email accounts wherever it is possible and appropriate. MFA can reduce the risk of having account credentials compromised by as much as 99.9%, making it one of the most effective measures you can use to protect your institution. There is typically a small cost for licensing and implementing MFA software. So, you can add MFA to your email accounts for a nominal cost and with minimal effort in most cases. If you are using Microsoft’s cloud email solution, for instance, implementing MFA can be as easy as changing a few minor settings. Another area to consider for MFA is logging into the domain account. There can be a cost associated with this as you will probably want to use a tool to help you manage the process. You can apply MFA only on accounts with administrator rights or on all users. But since many cybersecurity insurance companies are requiring MFA for accounts with administrator rights, using this stronger type of authentication might be your only option.

2. Laptops

With different variants of COVID-19 or other viruses popping up, remote work may still be an option for certain employees. Remote capabilities may even be necessary to keep the institution operating smoothly at times. Be sure you have the infrastructure in place for a partial remote workforce because the need could develop at any point. For this reason, you should consider providing laptops for all employees who could conceivably work from home. Start with those who need new devices. Then prioritize based on those doing the highest-level work necessary to keep the institution running. Laptops and encryption software, required for mobile devices, may cost slightly more but should not cause a huge increase in expenditures. In some cases, you may be able to reuse a desktop computer to replace an older workstation for an employee whose duties cannot be performed remotely.

And don’t forget… There is a chip shortage and high demand for laptops, which means it can take months to secure computers and other hardware. So, order any equipment you need well in advance to ensure you have the appropriate infrastructure in place to support staff that may need to work from home.

3. Moving to the Cloud

Having infrastructure in the cloud can be extremely beneficial, so slowly start moving your infrastructure to the cloud. Cloud infrastructure decreases the need for an employee to be onsite with the hardware, and cloud computing increases uptime. In addition, disaster recovery becomes easier and faster with cloud infrastructure. More than 90% of Fortune 500 companies are running at least some infrastructure in the cloud, primarily through Microsoft’s cloud computing platform: Azure. The cloud is the future of IT and infrastructure, and it makes sense for institutions that need reliable and resilient infrastructures. So, if you need to purchase a server next year, consider getting a quote for moving the server to the cloud instead.

4. Cloud Security

While the cloud offers plenty of advantages, it comes with settings, management tools, and security options that must be effectively configured and managed to ensure the highest level of security in the cloud. Cloud security is a concern for not only institutions with infrastructure in the cloud, but also for M365 Windows/Office licensees with OneDrive enabled, email in the cloud, or using Microsoft as an authentication mechanism with a third-party application. Earlier this year, the FDIC released a letter outlining the need to secure cloud configurations. Their cloud-security concerns are warranted. Safe Systems has worked with several institutions ranging from a hundred million in assets up to multibillion dollars in assets and found that almost every institution had gaps in their cloud security. Some institutions had indications of their email or user accounts being compromised; others had settings that could open the door to future compromises. Safe Systems worked closely with these institutions to develop an innovative M365 Security solution to address these issues with reports, alerts, and reviews. This unique product is specifically designed to help financial institutions manage their cloud setup now and in the future. In addition, it is a reasonably priced option for the substantial amount of value that it delivers. Institutions should reach out for a quote to determine if M365 Security could fit into their budget next year.

5. Virtual ISO

Another item to consider for your budget is virtual Information Security Officer or VISO services, which we also mentioned last year. These services have become increasingly popular as the landscape of information security has grown more extensive and complex. In many cases, institutions are finding it harder to keep up with the latest information security expectations, regulations, and trends. Safe Systems’ ISOversight service addresses this problem by combining applications for self-management with assistance from compliance experts to offer a VISO service at a competitive price. This type of service can be beneficial in many ways as it can provide structure, automation, accountability, assistance, and consistency throughout your information security program. It can also enable your institution to stay engaged, which is critical when an exam or audit occurs. VISO services, which vary in price depending on the work being performed by the third-party provider, are ideal for any institution with limited access to security expertise in-house.

6. Cybersecurity

You cannot have a conversation about budgets for next year without addressing the issue of cybersecurity. Consider this: Cyber-attacks are 300 times more likely to hit financial services firms than other companies, a recent Boston Consulting Group report indicates. Cyber-attacks continue to climb each year, with the global cybersecurity market expected to eclipse $300 billion by 2024, according to Global Insights. And cybersecurity has become even more precarious during the COVID-19 pandemic. The pandemic has created new opportunities for security breaches as the increase in remote work makes information security more challenging to manage. Unfortunately, institutions will need to increase their security layers and annual spending to address this issue. According to Computer Services Inc. (CSI), 59% of financial institutions will increase spending for cybersecurity this year.

In Conclusion

The threat to your institution’s data is as real today as it ever has been. Therefore, make sure you are applying these measures to strengthen your security:

  • Employee training to ensure adequate, effective, and safe practices
  • Perimeter protection to ensure the appropriate layers are enabled and all traffic is being handled correctly, including encrypted traffic
  • Advanced threat protection and logging to be able to identify how, if at all, malware or an intrusion created an incident
  • Backup and data redundancy to ensure ransomware cannot wipe out your data

Have a conversation with a security company you trust to ensure that, if you are the target of a ransomware attack, your business won’t sustain long-term damage. In other words, invest in cybersecurity now, so your institution won’t end up paying more later.

As you contemplate your budget for 2022, don’t just think about the items that others have put on your plate. Be sure to consider the changes that may have occurred at your institution—and the ones that may be coming—and have a plan to address these. All these changes can be exciting and make a major difference for your institution. But they can often be hard to get implemented if they are not budgeted for ahead of time.

03 Jun 2021
What CEOs Should Know about Disaster Recovery


Disaster recovery—the process of restoring IT infrastructure, data and systems in the aftermath of a major negative event—is a specialized area of technology that’s not always top of mind for executives. CEOs must ensure their organization is equipped to quickly resume mission-critical functions following a calamity.

Here are some key considerations that bank CEOs should keep in mind to make sure their financial institution has a feasible approach to disaster recovery.

Expect the Unexpected

A disaster can happen anytime—and in any form. While people typically think of disasters as being natural occurrences, manmade catastrophes such as power outages, equipment failures, cyber attacks, and network downtime due to human error are equally common causes of disruption. Regardless of the source, the need for DR is truly a matter of when—not if. So, CEOs should get comfortable with the uncomfortable idea that some type of disaster will eventually impact their institution.

Be Proactive

DR planning is the key both to preventing disasters and, when they do eventually occur, to successfully recovering from a natural or manmade calamity. Not having a sufficient plan in place can hit an institution where it hurts most: a loss of data, business functions, clients and reputation—not to mention time and money. Therefore, bank CEOs must ensure their management team is taking proactive steps to adopt effective DR strategies. This includes implementing—and testing—a plan for getting operations back to normal with minimum interruption.

Besides the practical need for DR planning, the Federal Financial Institutions Examination Council (FFIEC) advocates taking a preemptive approach to this often overlooked area of technology. The FFIEC IT Handbook’s Business Continuity Management booklet advises: “Management should identify key business processes and activities to be maintained while IT systems and applications are unavailable and prioritize the order in which these systems are restored, which should be reflected in the BIA. In addition, management should develop a coordinated strategy for the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software.”

The business impact analysis (BIA) is one tool that bank management can use to ensure their financial institution is adequately preparing for DR. This important mechanism predetermines and prioritizes the potential impact disruptive events will have on business functions. Essentially, the BIA can show gaps in critical processes that would impede disaster recovery and, in turn, the institution’s business continuity.

Consider Outsourcing DR

The intricacies of disaster recovery planning can be daunting, which is why many organizations fail to create a viable DR plan. More than one-third of small and medium-sized businesses do not have a plan in place for responding to data breaches and cyber attacks, according to the Ponemon Institute’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report. However, bank management can leverage external resources to expand their institution’s disaster recovery capabilities. Outside vendors can provide new technologies that reduce risk and enhance data backup, storage and recovery. They offer a variety of cloud-based solutions that can make the DR process more streamlined, efficient and cost-effective. Outsourcing DR can be especially advantageous to smaller banks that may lack this type of specialized knowledge in house. It can also benefit larger institutions that want the comfort of having third-party services available to support their resident DR specialists.

CEOs have a lot on their plates, but paying attention to these important DR issues can help ensure both operational resilience during a disaster and regulatory compliance. To learn more about how Safe Systems helps financial institutions and their CEOs develop well-designed, compliant DR plans, explore our Managed Site Recovery solution.

06 May 2021
After the Disaster: Real Community Banking Recovery Stories


Even the best-laid plans can go awry—especially after a disaster. Our real-life stories from actual community financial institutions underscore the importance of having an effective disaster recovery (DR) process in place.

It’s obvious that a disaster can strike anywhere and anytime. What’s less obvious is that a natural disaster doesn’t have to happen for a financial institution to implement its DR plan. For instance, a server room and all the equipment inside could become damaged by a fire or flood. A power outage or loss of a communications line could take out an institution’s phones, email, and internet. This could be devastating because communication is such an integral function of a financial institution.

Not knowing how long a power outage will last can further complicate the issue. If the outage stretches over a few hours or days, the institution should be thinking about implementing its DR process. But making that call can be difficult. That’s where having an outside team of DR experts available can be helpful. For example, we can help institutions quickly leverage Microsoft Azure for cloud site recovery. We can also assist with ongoing monitoring, maintenance, and testing to ensure the viability of their DR plan.

Real DR Stories from Community Banks

For example, a tornado struck one of our community bank clients and severely damaged its main office. The branch was rendered completely inoperable, unable to serve customers or employees. Fortunately, the critical servers that were housed in the building were not destroyed, and we were able to relocate them to a different branch location. The bank operated the servers from that site for a year while the main office was being rebuilt. Ultimately, we returned the servers to their original location and made the necessary reconfigurations to get everything functioning again. Moving the servers to a different place allowed the bank to avoid failback, which can be the most complicated aspect of the disaster recovery process.

Another DR scenario involves a financial institution on the South Carolina coast, where hurricanes frequently make landfall. In this case, a hurricane demolished the main office and completely flooded the location. As a result, the institution lost its servers, internet connection, and ability to communicate. The bank’s DR strategy relied on using 4G to restore internet connectivity, but the cell towers were down. Thankfully, the network had an old telecommunication circuit that we were able to get turned on and operational. So, after we dealt with the communication curveball, we were able to get the network—and bank—up and running again.

Community Bank in Alaska Shares Insights

It’s often the physical environment that determines the disasters that an institution may encounter. Potential hazards for Fairbanks, Alaska-based Denali State Bank include flooding from nearby rivers, jolting earthquakes, and volcanic eruptions on the Aleutian Chain. Therefore, Denali State Bank—which has $380 million in assets and 150 endpoints across five branches—focuses on ensuring that it has critical IT staff and services available during a disaster.

As part of its DR solution, the bank maintains a designated alternate site—one of its branches—that sits on a separate portion of the power grid. Denali also uses cloud-based Microsoft Azure, which makes it easy to run and test critical functions. During testing, the bank can shut down all connections to its main office (including large SQL servers), quickly spin up everything virtually through Azure, and establish connectivity through a Safe Systems co-location facility. This helps to ensure that vital functions will work properly to support the institution after a disaster.

Get more community banking DR insights. Listen to our webinar on “After a Disaster: Real Community Banking Recovery Stories” to make sure your institution is better prepared for an unexpected negative event.

29 Apr 2021
The 4 “Rs” of Disaster Recovery


Organizations can be impacted by a natural or manmade disaster at any time. Having an effective approach to disaster recovery (DR) can help banks and credit unions meet their regulatory obligations, better protect themselves from the impact of a significant negative event and enhance their ability to bounce back and continue operating in the aftermath of a disaster.

There are four “R’s” when it comes to disaster recovery that every financial institution should focus on: Recovery Time Objective (RTO); Recovery Point Objective (RPO); Replication; and Recurring Testing. Here’s why each of them is integral to DR:

RTO

RTO, the longest acceptable length of time that a computer, system, network, or application can be down after a disaster happens, is a crucial facet of DR. Established RTOs essentially represent trade-offs, with shorter RTOs requiring more resources and ongoing expenses. When setting RTOs, prioritizations must be made based on the significance of the business function and budgetary constraints. Ideally, financial institutions will have RTOs predetermined before a disaster strikes, and the RTOs will be included in the institution’s Business Impact Analysis (BIA) as part of the business continuity planning process. Following a disaster, the recovery process will depend on the type of institution, technology solutions, and business functions as well as the amount of data involved. Institutions with an outside vendor guiding their disaster relief efforts typically have a more streamlined and less stressful recovery process.

RPO

The RPO represents the amount of time between a disaster occurring and a financial institution’s most recent backup. If the RPO is too long and too much data is allowed to be lost, the result could be substantial damage. Essentially, the RPO will be determined by the institution’s technology solution and risk tolerance. The Information Security Officer (ISO) and management must define exactly how long they are willing to go without having a copy of their data available. As banks and credit unions become more dependent on technology, however, their tolerance for not having critical functions available shrinks. Increasingly, financial institutions are turning to outside vendors to bolster their recovery solutions, but they must ensure that those third-party providers are adequately equipped to satisfy their RPO requirements.

Replication

Effective DR replication is essential because it allows an exact copy of an institution’s data to be available and remotely accessible when an adverse event happens. DR requires the duplication of data and computer processing to take place in a location not impacted by the disaster. The best practice is to have one backup onsite and another offsite in a different geographic region—somewhere that is not likely to be affected by the same disaster. Options for recovery can take various forms, according to the Federal Financial Institutions Examination Council (FFIEC): fully redundant systems at alternate sites; cloud-based recovery solutions (either internally developed or outsourced); another data center; or a third-party service provider.

Recurring Testing

Recurring testing allows banks and credit unions to pinpoint key aspects of their DR strategy and adjust as needed to accomplish their objectives. Thorough testing of a financial institution’s core applications should be done annually — while they are functioning normally — to generate the most meaningful feedback. The institution should employ a variety of tests and exercises to verify its ability to quickly resume vital business operations in a disaster situation. Regular testing can reveal possible problems in the institution’s DR plan so that it can immediately address these issues. The aim is not necessarily to pass each test or exercise, but rather to find and fix flaws before a disaster occurs.

Read more about how your bank or credit union can be better positioned to recover from a disaster. Download our “4 Rs of Disaster Recovery” white paper.

22 Apr 2021
Why a Comprehensive Disaster Recovery Service is Critical to Any Financial Institution’s BCM


As part of business continuity management (BCM), banks and credit unions must ensure they can maintain and recover their operations after a catastrophic event happens. Their BCM strategy should outline all the significant actions they intend to take after a natural disaster, technological failure, human error, terrorism, or cyber attack. The goal is to lessen the disaster’s impact on business operations, so the financial institution can continue running with minimal loss and downtime.

Disaster recovery (DR) is essentially the IT part of the business continuity plan. It should address the recovery of data centers, networks, servers, storage, service monitoring, user support, and related software needed to get operations back to normal, based on the Federal Financial Institutions Examination Council (FFIEC) IT Handbook’s Business Continuity Management booklet.

The Need for a Comprehensive DR Solution

Financial institutions must have effective DR measures in place to ensure they can deliver the resources their employees need to continue serving customers after a disaster. That’s why having a comprehensive DR service is so critical. The simplest and most cost-effective way to accomplish this is with a cloud-based solution.

With DR in the Cloud, institutions are always prepared to respond to natural and man-made disasters as well as infrastructure and technology failures. The Cloud allows institutions to access their data—no matter what kind of disaster strikes. This could be crucial if a severe storm does damage to an entire city and multiple locations of a community financial institution. The institution would not be able to handle DR on-site, making the Cloud the most viable option. The March 25th outbreak of tornadoes in central Alabama is a good example of the potential need for cloud DR. The tornadoes tore into hundreds of miles of Alabama forest and neighborhoods, causing significant damage, according to the National Weather Service.

The Cloud provides major benefits in any DR situation, including ease, expediency, and efficiency. If institutions have been doing ongoing backups, they can leverage the Cloud to initiate DR right away. The process is quick; recovery can take minutes instead of hours or days as it did for older DR solutions. However, it’s important to set up DR processes so that they are not subject to issues that can impact the institution’s main system. Take, for instance, the rapidly increasing problem of ransomware. It’s important to have cloud DR services structured so that the DR backups cannot also be infected with the same ransomware.

Essential Aspects of a DR Service

Another essential element for a cloud DR service is testing. The test results should be documented and available for Management and the Board of Directors to scrutinize. This can help institutions ensure their expectations are being met by the DR service. Institutions that are not using a comprehensive DR service are more likely to delay the testing and validation steps that are critical to business continuity planning (BCP). It’s basic human nature: IT admins tend to prioritize addressing urgent day-to-day issues over doing routine testing.

So, either testing doesn’t get done regularly or it doesn’t happen at all. A third-party DR service with a team of experts available can make sure testing gets done at the proper time. Another important issue for institutions is having IT staff available with the appropriate knowledge when a disaster strikes. With an external service provider, someone with the right expertise will always be there to execute the disaster recovery. So, the success of the institution’s DR plan will not depend on the availability of just a few employees.

A comprehensive cloud DR service offers substantial redundancy, reliability, uptime, speed, and value. It can give financial institutions the best bang for their buck. Not using cloud DR can be cost-prohibitive for many institutions, considering the hardware and software requirements, maintenance, ongoing testing, and documentation required. Ultimately, a cloud DR solution from an external service provider can give institutions the comfort of knowing their DR plan is being adequately tested and will work during a real disaster.

14 May 2020
Key Benefits of Cloud Infrastructure for Banking IT Operations


Cloud technology has been driving efficiency and innovation across many industries for years, and today many community banks and credit unions are adopting cloud services for their IT operations.

In a recent webinar, Safe Systems presented an overview of cloud infrastructure and the key benefits to financial institutions. Here are a few points to keep in mind if you’re thinking about implementing cloud services:

Data Centers

Cloud service providers, like Microsoft Azure or Amazon Web Services, have some of the best data centers in the world, providing space, power, cooling, and physical security. You no longer have to worry about the management burdens of an on-premise solution or co-location when your servers and applications are hosted in a secure cloud environment.

Lifecycle Management

The cost of server hardware does not end with its purchase. There are hidden costs of tracking which assets are still healthy, supported, and under warranty. Replacing aging equipment every few years often requires a complex project that impacts availability and takes time away from meeting more important objectives. With cloud services, you can eliminate lifecycle management of your server equipment, enabling you to focus your effort on higher-value projects that drive your business.

Availability

When you adopt cloud services, the availability of your critical application infrastructure and data is the responsibility of the cloud provider. The major cloud providers are able to attract and retain the best talent in the world to keep systems healthy and secure. They deliver your services from a highly resilient network of multiple data centers, vastly reducing your dependency on any single datacenter.

Flexibility

  • Experimentation: If your goal is to develop a specialized project for your institution, a platform like Microsoft Azure has many different services to make it easy for you to test scenarios or try new ideas without investing in hardware or navigating the justification and purchase order process. You simply visit the website, turn on a resource, and experiment. Later, you’re able to turn it off with no further commitment.

  • Fast Turnup and Fast Turndown: Cloud services enable you to get up and running fairly quickly in this new environment. Instead of having to order hardware and wait for it to be shipped or spend time setting up the solution, you can go from having an idea to having the solution turned on literally within a few minutes. Fast turndown is equally important. When you no longer need the solution, you can simply turn it off, and more importantly, the billing ends as well.

  • Elasticity: The elasticity of cloud service means that you can add capacity when you need it and remove expense when you don’t. For periodic computing tasks, like month-end processes, extra computing power can be added to your cloud services and then removed after the job is complete. This is more cost-effective than building an infrastructure that is sized for the busiest day of the year.

  • Serverless Functions: Lastly, large cloud providers have many advanced functions that can provide community banks and credit unions with new capabilities like serverless computing. Some workloads that traditionally required a dedicated server, like a Microsoft SQL database, may be able to move into a serverless alternative like Azure SQL. This creates the opportunity to start reducing the quantity of Windows Server instances that need to be patched and maintained.

Cloud infrastructure allows community banks and credit unions to reduce servers, internal infrastructure, and applications that would typically have to be hosted on-premises, in addition to the associated support each one requires. It also enables you to experiment and find the right services that fit your institution’s corporate strategy and IT objectives.

To learn more about cloud services, including cloud-based disaster recovery, watch our webinar recording, “The Cloud: Recovery and Resiliency is Just a Click Away.”

07 May 2020
How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

Disaster recovery is a concern for all financial institutions, regardless of size or location, and is essential to protecting data, infrastructure, and overall business operations. In addition to having a thorough disaster recovery (DR) plan, community banks and credit unions need to have a solid site recovery environment to facilitate a quick return to normal business operations, in the event of a natural disaster or other disruption.

Cloud disaster recovery solutions are growing in popularity among many community banks and credit unions. However, it is important to understand the key differences in site recovery models to determine the best fit for your institution.

In a recent webinar, Brendan McGowan, Chief Technology Officer at Safe Systems, outlined the three most common site recovery models available to community banks and credit unions today and discussed key considerations when implementing each.

In-House Site Recovery

When using an in-house site recovery model, financial institutions commonly have a virtualized server environment. These machines often run in a VMware vSphere environment which sits on top of a storage array. On the DR side, there is essentially a clone of the production environment to receive the replicated data. This works well for many financial institutions; however, there are a few considerations to keep in mind.

With in-house site recovery, you’ll need to:

  • Have redundant hardware in the DR environment at an additional cost.
  • Purchase an additional facility like a co-location or branch for DR.
  • Oversee hardware and software lifecycle management for both production and DR environments.
  • Set up dedicated connectivity like multi-protocol label switching (MPLS) to point replication to the DR environment.
  • Conduct regular maintenance to ensure all replications are healthy and perform periodic testing.
  • Have significant expertise and talent to make sure the system works correctly and consistently.

Cloud Site Recovery

In this model, the production environment remains the same, but the hardware and software used in the DR environment are replaced with a cloud-based solution. With cloud site recovery, financial institutions don’t have to pay for servers and computing time until the day they need to turn on the disaster recovery solution. Until then, the institution will only be billed for the amount of storage it consumes.

When you use a cloud site recovery solution like Microsoft Azure Site Recovery, you create a storage pool to receive replication from a small server on-premise, which is the cloud site recovery replication server. The replication server works by having each of your production servers send its data changes in real time to the cloud application server. This server compresses, encrypts, and deduplicates all of the incoming data and continuously ships it securely to your cloud site recovery storage pool.

With the cloud site recovery model, you no longer have to:

  • Deal with redundant hardware on the DR side since everything is stored in the cloud.
  • Manage hardware and its lifecycle on the DR side.
  • Pay for separate facilities since the data is in the cloud, and you can store your data anywhere in the world.
  • Worry about dedicated connectivity because you can send all of the replication over the internet with a simple virtual private network (VPN).
  • Handle all of the maintenance or have the expertise required to run the system.

Cloud-Native Resilience

In the cloud-native site recovery model, both the production and disaster recovery environments are in the Cloud. To set up the cloud environment, using Microsoft Azure, for example, you can sign up for Azure Virtual Machines, which would correlate to VMware vSphere in your environment. After that, you can set up your production virtual machines.

At this point, you can register for cloud site recovery for your institution’s individual virtual machines. Once you’ve selected your machines for replication, the system automatically moves that data to whichever Azure zone you select so you get to choose some zone disparity.

In the cloud-native resilience model:

  • There is no Azure site replication server as there was in the cloud site recovery model.
  • Since both environments are cloud-native, all the data is in the cloud and you need not worry about a replication server. Simply check a box to turn it on.
  • In addition, file backup is also a simple checkbox for each server, providing you the option to choose the location to store the data.

Migrating to cloud-based services is a great option to reduce maintenance; significantly speed up the disaster recovery process; and improve overall operations for your institution. If you are interested in implementing a cloud-based disaster recovery solution, Safe Systems can help you determine the right environment for your institution.

To learn more about disaster recovery and moving to the Cloud, watch our recorded webinar, “The Cloud: Recovery and Resiliency is Just a Click Away.”

10 Oct 2019
5 Things Community Banks and Credit Unions Should Budget for in 2020

The final months of the year signal the beginning of many traditions. For community banks and credit unions, the fall marks the start of budget season. Financial institutions use this time to assess the year’s performance and make necessary adjustments, or full upgrades, for 2020 and beyond.

As you know, technology and security are constantly evolving, and compliance continues to be a moving target, so it’s time to consider important areas your institution needs to budget for in the next year. To ensure that your institution heads into 2020 on an upward trajectory, here are five key items to include on your list.

  1. Hardware

    Every year, hardware should be evaluated to confirm that it is under warranty, that it is in good working condition, and that its operating system hasn’t reached end of life.

    Two dates to be aware of:

    • SQL Server 2008 R2 reached end of life on 7/9/2019
    • Windows Server 2008 and 2008 R2 reach end of life on January 14, 2020

    These items will need to be upgraded or replaced as soon as possible with supported software. If the decision is to replace a server based on these products being end of life, there are options to consider as covered in number 2 in this article.

  2. Cloud vs. In-house Infrastructure

    Moving internal infrastructure out of the office is the new trend. This move feels similar to the move to virtualization, in that everyone agrees this is the next logical step in the evolution of computing. You should be asking the same question about cloud infrastructure as you did about virtualization: when is the right time for your institution to make the move, and what are the pros and cons of this move? When the time comes to replace pieces of your infrastructure, start to gather information about the benefits of moving to the cloud and the costs associated with it. Remember, each server has both direct and indirect costs.

    Direct:

    • Server Hardware
    • Warranty
    • Software

    Indirect:

    • Electricity
    • Cooling
    • Storage/physical space
    • Maintenance
    • Backup
    • Disaster Recovery

    Each year as hardware becomes outdated and needs to be replaced, evaluate whether moving that server to the cloud makes sense. Be sure that the functions of the server can be accomplished in a cloud environment. Once a presence in the cloud is established, future growth and changes become much easier and quicker.

  3. Firewalls

    Firewalls continue to evolve as network and cybersecurity threats evolve and change. Ten years ago, adding intrusion prevention systems (IPS) to firewalls became commonplace in the industry. Now there are a host of new features that can be added to your firewall to improve your institution’s security posture. Many of these fall under products using the term next-gen firewalls. A few key features to consider include:

    • Secure Sockets Layer, or SSL, is the industry standard for transmitting secure data over the internet. The good news is most websites on the internet now use SSL to secure the traffic between the PC and the website. The bad news is, your firewall may be protecting your institution from fewer sites than ever before. Google researchers found that 85% of the websites visited by people using the Chrome browser are sites encrypted with SSL. This means that for many firewalls, 85% of web traffic cannot be inspected by the firewall. Many firewalls can perform SSL inspection but may require a model with more capacity; a new license to activate the feature; and configuration changes to enable this feature to work.
    • Sandbox analysis is a security mechanism used to analyze suspect data and execute it in a sandbox environment to evaluate its behavior. This is a great feature to introduce to your infrastructure because it provides more testing and insight into the data coming into your institution.
    • Threat intelligence feeds (like FS-ISAC), built-in network automation, and correlation alerting are also important features that can help you keep track of emerging security threats; automate key processes; and improve your institution’s cybersecurity posture.

    Consider enhancing your firewall features or upgrading to a next-gen firewall to ensure the traffic traversing your firewall is truly being evaluated and inspected.

  4. Virtual Information Security Officer (VISO)

    A newer service that has grown in popularity over the last year is the Virtual ISO or VISO role. While services like this have been available for a while, this is the first year we have heard so much talk from community financial institutions. As the job of Information Security Officer (ISO) has become more involved, the expertise needed has grown as well. These VISO services offer a way to supplement the internal staff with external expertise to accomplish the tasks of the ISO. Budgeting for a service like this becomes critical if one of the following is true:

    • No one else in the institution has the needed knowledge base and finding this knowledge set in your area is difficult or expensive;
    • Your current ISO does not have a background in the field or is wearing too many hats to do it well;
    • Your current ISO is likely to retire or leave due to predictable life change events; or
    • The roles of ISO and Network Administrator or other IT personnel do not provide adequate separation of duties at the institution.

  5. Disaster Recovery (DR)

    Many institutions do not have a fully actionable or testable disaster recovery process. A verified DR process is a critical element of meeting business continuity planning (BCP) requirements. Therefore, this can be a significant reputational risk for the financial institution, if not done correctly. If your institution hasn’t completed a thorough and successful DR test in the last 12 months, it is time to evaluate your current DR process. Using a managed site recovery service can ensure you have the proper technology and support to thoroughly test your DR plan and recover quickly in the event of a disaster.

Budget season is a time to address needs and wants, but also a time to seek improvement or evaluate key changes for the new year and beyond. For example, moving your infrastructure to the cloud may not make sense for the coming year, but the insight gained by evaluating it this budget season improves your knowledge base for when it is time to make that decision. As we conclude 2019, we hope these insights position your institution for a productive budget season and a successful 2020.

23 Sep 2019
The Dangers Financial Institutions Face with a DIY Approach to Disaster Recovery

Disaster recovery planning is an essential aspect of protecting a financial institution’s data, infrastructure, and overall business operations. It encompasses restoring access to the information technology systems and other resources that organizations need to resume critical business functions. This includes everything from networks, servers, and computers to software applications, data, and connectivity (fiber, cable, or wireless).

Without all the necessary system components in place, financial institutions will not be able to access critical files and applications and function effectively during a disaster situation. This can result in significant losses in employee productivity, business and, ultimately, public trust. Given all the looming threats—natural disasters, fires, floods, power outages, hardware failures, or plain human error—a do-it-yourself (DIY) approach to disaster recovery can be dangerous for banks and credit unions.

In a DIY approach to disaster recovery, a financial institution puts together its disaster recovery solution in-house, and all required hardware and software must be implemented by an IT staff member. While this can be costly depending on the amount of resources an organization needs to restore and maintain its environment, it is also a technical and time-consuming process, which can be a burden for institutions with limited IT staff.

So Much at Stake

Most DIY disaster recovery solutions involve multiple technologies along with automation, scripting, and well-documented procedures. These components and processes can be difficult for a static IT environment to manage, and technology continues to change and evolve, adding an extra layer of complication to the process. A DIY approach requires in-house resources to be available, and in the case of a disaster, communications may be limited, or the employees may be caught in the disaster themselves and unable to respond.

Testing is an important component of disaster recovery to ensure the institution can recover quickly and meet its unique Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). However, DIY disaster recovery solutions are often difficult to test because few IT departments are equipped to do a full outage simulation with complete failover to the disaster recovery environment. Testing enables failures to be documented and corrected, but without proper testing, the risk of extended downtime in the event of an actual disaster remains high.

The DIY disaster recovery approach often starts with the best intentions. However, senior management’s lack of understanding of the ongoing time commitment and the IT knowledge required to keep disaster recovery systems up to date and effective is easily overlooked as time passes. At the very least, inadequate disaster recovery can end up costing a financial institution more time and expense. As a worst-case scenario, it can lead to reputational damage if the institution cannot successfully bounce back from a disaster or other business disruption.

Benefits of a Managed Services Provider

To combat these issues, financial institutions should consider using a managed services provider to support their disaster recovery needs. This can offer a more affordable, feasible, and reliable alternative to going the DIY route. A managed site recovery solution that replicates servers from a financial institution’s site to the cloud can get the organization back up and running in minutes, not hours or days, after a natural disaster, system outage, or other disruption. Partnering with the right services provider will also ensure financial institutions find the right-sized solution for their needs so they are not underestimating or over-spending trying to do it themselves.

In addition, working with a managed services provider can provide several other benefits over a DIY solution. For one, the solution is set up, installed, monitored, and maintained by experts in the field. The institution doesn’t have to worry about its key IT personnel spending their time focused solely on the recovery process during a disaster. Instead, they can focus on getting users set up on computers, ensuring printers are connected, and verifying that critical applications are installed. In short, managing the disaster recovery process would just be another burden for them to bear. Community banks and credit unions have the comfort of knowing that a skilled managed services provider and redundant resources will be available when needed.

A managed services provider can also provide annual DR testing and ongoing support to ensure the institution is well-equipped to recover from any disaster.

All financial institutions can benefit from managed site recovery services. And partnering with a managed services provider can be especially advantageous for banks and credit unions with branches that are grouped within the same geographic area. The impact of a storm could be even more devastating to these types of institutions if they lose their only branch or the location hosting communication to their core provider.

A DIY approach may seem like the easier route to take, but when a disaster strikes, financial institutions shouldn’t have to recover on their own. A managed services provider can work as an extension of the internal team to provide dedicated support and ensure the institution recovers quickly and efficiently. The goal of a disaster recovery program is to ensure continuity, not only for the financial institution, but for the communities it serves. In the event of a disaster, financial institutions need to have a solid DR environment in place and detailed processes to recover successfully. Working with a team that can effectively address the institution’s unique needs and provide dedicated DR support streamlines internal processes, improves disaster preparedness, and provides confidence that no matter what disasters arise, the institution will be able to resume business operations.

12 Sep 2019
Is Your Financial Institution Ready to Weather a Storm? How to Be Prepared for the Upcoming Fall Storm Season

While natural disasters can strike at any time, September and October have historically produced some of the worst storms we have seen. Just last week Hurricane Dorian wreaked havoc on the Bahamas and the Eastern Seaboard of the U.S., disrupting thousands of businesses and organizations, and impacting millions of lives. While hurricane season is top of mind today, tornadoes, earthquakes, severe thunderstorms, wildfires, etc. all can have a negative impact on area businesses and communities.

As a result, September has been declared National Preparedness Month, designed to encourage and remind everyone to be prepared for disasters or emergencies in their homes, businesses, and communities.

In the spirit of National Preparedness Month, we thought it was important to review the critical steps all banks and credit unions should have in place to ensure they are prepared for a disaster – no matter what time of year it is.

Preparing for Disasters

The potential damage that storms can inflict underscores the importance of Business Continuity Planning (BCP) and Disaster Recovery (DR) plans. In addition, regulators require financial institutions to prepare for disasters and have plans in place that ensure key products and services remain available to customers and members after a crisis. Beyond having an updated and tested BCP and DR plan, there are several additional steps your institution can take to adequately prepare for storms, natural disasters, and any other business outages. These steps include:

  • Monitor success of backups and/or replication services to DR site;
  • Utilize Uninterruptible Power Supplies (UPS) for short-term outages;
  • Preemptively shut down servers and all IT equipment in anticipation of an extended outage;
  • Confirm that the server room is locked and secure;
  • Verify that all equipment and sensitive documentation is secure;
  • Ensure all ATMs are stocked as customers may require access to cash;
  • Validate the institution’s Business Continuity Plan through appropriate annual testing;
  • Confirm technology infrastructure will work in a disaster through annual DR test;
  • Make sure that employees and vendors are aware of the proper communication protocols and action items outlined in your BCP to ensure a successful recovery from an event; and
  • Keep the safety and security of employees top of mind. Confirm that key employees have someone to step in should they be unavailable during or after the disaster.

While storms and natural disasters cannot be prevented, proactively knowing what critical functions must be restored first provides confidence to bank executives and staff when responding to a disaster. Developing, implementing, and regularly testing your BCP and DR plans is crucial in today’s banking environment and can make the difference between satisfied customers in the event of a disaster and loss of customer trust when they may need their bank most.

05 Sep 2019
Disaster Recovery Planning: What You Don’t Know Can Hurt You

Disaster recovery is a crucial business continuity area that all financial institutions must prepare for, no matter the size of the organization or location. Each year, the U.S. gets hit with multiple tornadoes, hurricanes and other storms that produce damaging winds, rain and flooding. As of July 9th, there were already six weather and climate disaster events with losses exceeding $1 billion each across the United States, according to the National Centers for Environmental Information (NCEI). The costs of these events varied, including physical damage to commercial buildings; time element losses like business interruption; and disaster restoration expenses. In addition, many areas of the Southeast are currently preparing for Hurricane Dorian as we speak!

The overall impact of adverse weather can be particularly detrimental to community banks and credit unions that may have fewer disaster recovery resources at their disposal. This highlights the need for all financial institutions to be prepared for potential disasters—whether natural or manmade—so they can implement a smooth recovery. Here are some important aspects about disaster recovery planning that community banks and credit unions should consider:

  1. Implement Effective Strategies and Tactics

    The disaster recovery plan provides detailed instructions to ensure all mission-critical functions can recover in the event of a business interruption. To facilitate effective disaster recovery, bank and credit union personnel must be able to implement specific activities that can restore an institution’s vital support systems after a disaster strikes. These include ensuring all backups are up to date and working; implementing uninterruptible power supplies for short-term outages; making sure the server room is secure and all sensitive documentation is protected; and ensuring all employees, vendors, and customers are aware of the proper communication protocols. Without these steps, the institution will not have the resources required to meet its operational needs, which could have a devastating effect on the entire organization.

  2. Prepare for All Disaster Situations

    Disaster recovery often focuses on the prospect of restoring technology and communications after a hurricane, tornado, or other storm. However, disaster preparedness must extend beyond storms, earthquakes, fires, floods, and other natural calamities. Events like electric power outages, hardware failures, security breaches, and human error can also be catastrophic. There are also mundane reasons for needing disaster recovery: A backhoe inadvertently wipes out the internet connection or a water line leak knocks out the server. Not planning broadly enough can cause institutions to miss covering all the bases when the time comes to implement the disaster recovery plan.

  3. Know What’s at Stake

    Disaster recovery planning goes well beyond minimizing the loss of hardware, applications or data. It’s a matter of losing time, money, clients and, in some cases, losing business opportunities or reputation. To minimize downtime and ensure critical business functions recover quickly, it is important to determine the specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for both the financial institution and all third-party vendors the institution relies on for critical business functions. The RTO is the amount of time an application can afford to be down without causing significant damage to the business, and the RPO is the allowable data loss. The longer a financial institution’s system is down, the more it will suffer, so defining the RTOs and RPOs is an important step to ensure the institution can be up and running in a timely manner.

  4. Test the Plan

    Having a plan on paper is one thing; having a plan that works is another. Financial institutions must test their disaster recovery plan to determine what could go wrong and adjust accordingly. Not knowing if a plan works until an actual disaster occurs can be extremely risky. If the plan proves to be insufficient during a real-life scenario, the institution could experience undue damage and expense. Hence, the need for regular testing. The frequency of testing will depend on the size and type of financial institution. Smaller banks and credit unions should test at least once a year; larger institutions or those with a more fluid environment should test more often.

  5. Update the Plan as Needed

    As a part of the overall business continuity planning process, it’s essential for institutions to review and revise their disaster recovery plan to make sure it supports their current technological environment, business needs, and objectives. Updates to the plan should be done whenever an important element (internal or external) in the institution changes. To streamline this process, disaster recovery should be integrated into all business decisions and responsibility should be clearly outlined for each update and area. The importance of the disaster recovery plan should be communicated to the entire organization, which includes the board, senior management, and other stakeholders. The more frequently a disaster recovery plan is updated and the better educated the entire organization is on the plan, the more reliable and useful it will be when a problem arises.

It’s important to stay on top of all disaster recovery processes to make sure the entire financial institution is well-equipped to respond in the event of a disaster. The good news is community banks and credit unions do not have to be knowledgeable about every facet of disaster recovery planning to do this successfully. Instead of worrying about what they don’t know, they can capitalize on third-party recovery services that ensure they have the proper technology and support to recover quickly. Safe Systems, for example, offers a fully managed site recovery solution to support financial institutions of all sizes. Safe Systems’ experts can assist with disaster recovery planning, testing, and execution to safeguard institutions against the impact of a natural disaster and other threats.

06 Jun 2019
The Ultimate Guide To Business Continuity Management for Banks and Credit Unions

By Tom Hinkel

In November 2019, the Federal Financial Institutions Examination Council (FFIEC) updated its BCP IT Examination Handbook and expanded its focus from Business Continuity Planning (BCP) to Business Continuity Management (BCM). The change makes sense, because “planning” is only one part of the business continuity process. Business continuity management encompasses the entire process by integrating resilience, incident response, crisis management, third-party integration, disaster recovery, and business process continuity.

In the financial industry, community banks and credit unions are required to develop compliant business continuity plans that identify business processes along with their interdependencies that provide resilience to, and recovery from, all potential threats to the financial institution. BCM is designed to help organizations, regardless of their size, location or activity, minimize the impact of disruptions of any kind, natural or man-made, including cyber.

The new BCM guidance represents the first major update since 2015 and calls for all “entities” to rethink their approach to business continuity and be prepared to make appropriate plan revisions to meet these expectations. Entities are defined as depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers. The use of this term is significant, as it essentially pulls all interdependencies into the planning process.

With so much at stake, it is important for financial institutions to understand the BCM process and the key requirements to develop the business continuity plan:

  • Regulatory requirements relevant to a compliant BCM Program
  • How to develop the business continuity management plan (BCMP)
  • Pandemic planning and business continuity strategy
  • The importance of integrating vendor management into the BCMP
  • Steps to effectively update and test the plan
  • The benefits of automating the BCM process

Regulatory Requirements

 
To comply with regulatory expectations, financial institutions are required to focus on an enterprise-wide, process-oriented approach that considers technology, business operations, testing, and communication strategies that are critical to business continuity management for the entire organization, not just the information technology department. Regulations make it clear that institutions need to plan to perform their critical business functions, even if technology may be impaired or unavailable.

Auditors and examiners are also scrutinizing business continuity plans to verify that the institution’s methodology and plan structure closely adhere to the 2019 regulatory guidance. A key change in the guidance is the increased focus on resilience. Resilience is the ability to prepare for—and adapt to—changing conditions and both withstand and recover rapidly from disruptions, whether that includes deliberate attacks, accidents or naturally occurring threats or incidents. Two keys for understanding resiliency are the terms “withstand” and “recover”, with an emphasis on withstanding adverse events. In the past, business continuity planning has been focused more on recovery, but now the FFIEC has placed a heavy focus on resiliency. The ultimate goal is for financial institutions to be more proactive and minimize having to implement traditional recovery measures down the road. When going through the BCM process, resilience must be included from the very beginning of the process to successfully meet regulatory expectations.

How to Develop a BCMP – What to Include in the Plan

 
It’s safe to say that most banks and credit unions have some sort of a BCMP in place, yet many struggle with determining what to include in the plan to ensure it is both recoverable and compliant. With the new changes to the guidance, many community banks and credit unions may also be wondering what specific changes they’ll need to make to meet these new expectations.

While each financial institution has a unique operating model based on its services, demographic profile, organizational processes, and technologies, the first step when drafting or updating the BCMP is to have a thorough understanding of all the functions and processes that make up those operations. This process, which we refer to as Enterprise Modeling, involves identifying all departments or functional units, with all associated processes and functions (including all internal and external interdependencies), and determining the team owners and members responsible for each department. Having representatives from each department take an active role in the planning process ensures the technologies and responsibilities for each area are accurately represented. This also helps the financial institution develop a more accurate assessment of its recovery time objectives and actual recovery capabilities. It is not realistic to have a single individual with all the knowledge and unique skill set required to put together a comprehensive BCMP.

A plan should consist of all the steps required to ensure key products and services remain available to customers or members. The BCMP consists of five phases including risk management (Business Impact Analysis, Risk/Threat Assessment); continuity strategies (Interdependency Resilience, Continuity and Recovery); training and testing (aka Exercises); maintenance and improvement; and board reporting.

Furthermore, the BCMP should be a “live” document that keeps pace with any changes in infrastructure, strategy, technology, and human resources. As soon as a plan is board approved, it should be tested, and a new draft plan should be initiated. At any point in time you should have both an approved plan, as well as a live draft to accommodate changes.

Pandemic Planning and Business Continuity Strategy

 
In the past, financial institutions were required to have a separate pandemic plan, but the new FFIEC guidance instead expects community banks and credit unions to assess and manage pandemic risk alongside all other possible disasters. This means the BCM plan is the pandemic plan, and financial institutions must analyze the impact a pandemic can have on the organization; determine recovery time objectives (RTOs); and build out a recovery plan.

As we’ve all learned, pandemic planning is very different from natural disasters, technical disasters, malicious acts, or terrorist events because the impact of a pandemic is much more difficult to determine due to the differences in scale and duration. Pandemics also directly impact financial institution and third-party employees rather than targeting infrastructure or technology-based interdependencies. Cross training and succession planning should be a key part of the pandemic planning process to ensure operations can continue even if key individuals are unavailable.

FFIEC guidance states that the financial institution’s BCMP should include five key elements to address the unique challenges posed by a pandemic event:

  1. A preventive program including monitoring of potential outbreaks; educating employees; communicating and coordinating with critical service providers and suppliers; and providing appropriate hygiene training and tools to employees
  2. A documented strategy that provides for scaling the institution’s pandemic efforts to align with the current six-stage CDC framework
  3. A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that large numbers of the institution’s staff are unavailable for prolonged periods
  4. A testing program to ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue
  5. An oversight program to ensure ongoing review and updates to the pandemic plan

The Importance of Integrating Vendor Management into the BCMP

 

The vast majority of banks and credit unions today rely on third-party service providers, or vendors, to conduct business on a day-to-day basis. When a financial institution outsources key functions to a service provider, it creates a reliance on that third party and exposes the institution to the risk of not being able to resume operations within pre-defined recovery time objectives in the event of a disruption. The FFIEC now expects critical third-party providers to be active participants in the BCM program, and it’s likely that regulators will require financial institutions to have a detailed understanding of the resilience capabilities of their core/technology service providers, cloud providers and others moving forward. When creating a BCMP, financial institutions have to account for all interdependent third-party relationships and identify the potential consequences a third-party disruption might have on their operations.

The criticality of the product or service the vendor provides is directly related to the criticality of the dependent process it supports, as identified by the business impact analysis. Some questions financial institutions should consider include:

  • How important is this vendor to what we do?
  • If they fail, how many of our dependent services would be negatively impacted?
  • How challenging would it be to replace this vendor?

Vendor criticality is expressed in terms of Recovery Time Objectives (RTOs), and each bank or credit union determines and assigns the same RTOs to the third-party vendor as they have to the underlying process they support. In other words, if you’ve identified a two-day recovery time objective for a particular process, any underlying vendors will also inherit that same two-day RTO. In the event that the vendor cannot match your RTO (validated by testing), you must have a contingency plan in place such as alternative procedures or providers to compensate for the gap.

Successfully integrating vendor management and business continuity planning is essential for financial institutions to truly understand their actual recovery capabilities by validating whether or not their third-party providers “have sufficient recovery capabilities” to meet the institution’s recovery objectives.
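The RTO inheritance rule described above can be checked mechanically. The following Python sketch is an added example, not part of the original post or any Safe Systems product; the process names, vendor names, and hour values are constructed, and taking the strictest RTO when a vendor supports several processes is an assumption that generalizes the single-process case in the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Process:
    name: str
    rto_hours: float   # RTO assigned by the business impact analysis
    vendors: tuple     # names of the vendors this process depends on


@dataclass(frozen=True)
class Vendor:
    name: str
    tested_recovery_hours: Optional[float]  # None = never validated by a test
    has_contingency: bool = False           # alternative procedure or provider


def inherited_rtos(processes):
    """Each vendor inherits the RTO of the process it supports.

    Assumption: a vendor behind several processes takes the strictest
    (smallest) RTO among them.
    """
    rtos = {}
    for proc in processes:
        for vendor_name in proc.vendors:
            current = rtos.get(vendor_name)
            if current is None or proc.rto_hours < current:
                rtos[vendor_name] = proc.rto_hours
    return rtos


def assess_vendors(processes, vendors):
    """Compare each vendor's tested recovery time with its inherited RTO."""
    inventory = {v.name: v for v in vendors}
    results = {}
    for name, rto in inherited_rtos(processes).items():
        vendor = inventory.get(name)
        if vendor is None:
            status = "missing from vendor inventory"
        elif vendor.tested_recovery_hours is None:
            status = "unvalidated: no test result"
        elif vendor.tested_recovery_hours <= rto:
            status = "meets RTO"
        elif vendor.has_contingency:
            status = "gap covered by contingency"
        else:
            status = "gap: contingency required"
        results[name] = (rto, status)
    return results


# Constructed sample data (hypothetical processes and vendors).
PROCESSES = (
    Process("Wire transfers", 4, ("CoreProcessor", "ISP")),
    Process("Online banking", 48, ("CoreProcessor", "HostingCo")),  # two-day RTO
    Process("Statement printing", 120, ("PrintShop",)),
    Process("ATM cash replenishment", 72, ("ArmoredCarrier",)),
)
VENDORS = (
    Vendor("CoreProcessor", tested_recovery_hours=8),
    Vendor("ISP", tested_recovery_hours=2),
    Vendor("HostingCo", tested_recovery_hours=None),
    Vendor("PrintShop", tested_recovery_hours=200, has_contingency=True),
)

if __name__ == "__main__":
    for name, (rto, status) in sorted(assess_vendors(PROCESSES, VENDORS).items()):
        print(f"{name:<15} inherited RTO {rto:>4.0f} h  {status}")
```

In this sample, the core processor recovers within the two-day RTO of online banking but not within the four-hour RTO it inherits from wire transfers, which is the kind of gap that only appears when every dependent process is considered.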

Importance of Exercises and Tests When Updating the BCMP

 
Exercises and tests are important parts of the process, and in fact, the BCMP is not complete until the plan has been thoroughly tested. The new handbook makes an important distinction between exercises and tests in the BCMP process, defining an exercise as “a task or activity involving people and processes that is designed to validate one or more aspects of the BCMP or related procedures.” On the other hand, a test is often performed “to verify the quality, performance, or reliability of system resilience in an operational environment.” The handbook emphasizes the importance of both exercises and tests to demonstrate resilience and recovery capabilities.

Exercises and testing verify the effectiveness of the plan by validating all recovery time objectives; help train the team on what to do in a real-life scenario; and identify areas where the plan needs to be strengthened. In addition, examiners are also verifying that a BCMP has been tested, and that the financial institution is able to execute the plan if and when the need arises. Because the financial industry is considered part of the nation’s critical infrastructure, testing, exercises, and training will continue to be a focus going forward.

Every test should start with a realistic scenario drawn from the top threats as identified by the risk management phase of the planning process. Top threats are those determined to have both high impact and high probability ratings. While initial testing of a plan can be relatively straightforward, a bank or credit union should strive to extend the scope and severity of the exercise with each consecutive test by making the tests consecutively more complex and including different individuals. Conducting the very same test with the same participants every year will not satisfy examiners nor will it give your management the assurance they need.

In addition to the senior management and information security roles defined in a plan, the testing team should include key department heads with detailed knowledge of the processes and functions impacted by the scenario. Tests should cover the steps departmental managers must take to complete functions manually or in an alternate way. In addition, all departmental specialists should be included in the exercise and testing program. There are two reasons for that: the first is so they are familiar with alternate procedures in emergency scenarios; the second is to make sure you have backups, or successors, to your primary recovery resources. Succession planning is another hot button item with examiners now because of the pandemic.

While regulators require proof of exercises and testing annually, more frequent testing is indicated whenever a previous test uncovered significant gaps in the plan, or if there are significant internal changes to processes or infrastructure or personnel.

Automating the Planning Process

 

To help streamline this time-consuming process, banks and credit unions can automate repetitive portions of business continuity planning. Automating these activities eliminates the need to update cumbersome spreadsheets and manually copy/paste information from various reports and previous assessments. The 2019 guidance requires a number of changes to your existing plan, some subtle and some significant.

An automated BCP solution will also help guide banks and credit unions through the entire BCMP process, assuring that all required elements are included as they are necessitated by regulatory guidance changes. Automating the planning process makes it easier and much less time-consuming to perform annual plan updates by allowing static portions of the plan to carry forward, while incorporating changes wherever necessary. Any automated solution should also allow you to identify all material plan changes from year-to-year, so management and board approval is easier.

Conclusion

 
Business Continuity Management is a critical process for banks and credit unions regardless of size and location, and the plan is central to that effort. To streamline the planning process, financial institutions should integrate business continuity into all business decisions; conduct periodic reviews of the plan; and perform regular testing. Everyone in the organization — from the tellers to the Board — should understand the importance of business continuity planning and how his or her unique role fits into the financial institution’s overall business continuity strategy.

24 Jan 2019
What Community Financial Institutions Should Look for in a Managed Services Provider


The majority of banks and credit unions rely on managed services providers to help them improve efficiencies in their organization, meet mounting regulatory compliance requirements, and provide the competitive products and services their customers and members expect.

However, selecting the right managed services provider can be challenging. We have highlighted some key qualities that community banks and credit unions should look for when choosing trusted partners.

A managed services provider should have a true understanding of the following areas:

The community banking and credit union industries

A managed services provider must truly understand the “ins and outs” of operating a community bank or credit union. This includes recognizing the industry trends, realizing the importance of priorities, such as customer- and/or member-service related touch points, and understanding regulatory and compliance issues. Not knowing how a community financial institution operates is a hindrance that can prohibit the provider from effectively meeting the demands of the institution and makes it unlikely that it will be in a position to offer informed recommendations on improvements and solutions to existing issues.

Financial services technology

Technology is ever-changing and it is nearly impossible for any one person to successfully keep up with all of the advancements. To provide the technological solutions and services that a community bank or credit union requires, a managed services provider should understand the technical requirements of all banking technology solutions, starting with the core platform. Since many applications have to work with — and integrate into — the core platform, it is impossible to design an efficient and comprehensive network without first understanding core platforms and banking technology.

Regulatory compliance requirements

The evolving world of financial regulatory compliance governs every aspect of your IT network, and that includes what hardware and software you choose to deploy. In today’s banking environment, vendors must be able to make recommendations on how to manage hardware and software to meet regulatory expectations, such as verifying all patches, ensuring security measures are up to date, and maintaining access to critical services during a disaster.

Working with the wrong managed services provider can be time-consuming, cumbersome, and even stressful. However, working with a provider who offers the desired services and who truly understands your industry can help guide the institution in today’s challenging financial environment. A good partnership is key to ensuring your organization remains competitive and profitable for years to come.

28 Nov 2018
What Community Banks and Credit Unions Should Budget for in 2019


As 2018 winds down, banks and credit unions are thinking ahead to 2019. They are determining the new solutions, products, and enhancements needed to meet their strategic plans in 2019 and beyond. In addition, they are evaluating what needs to be updated or upgraded and the processes that can be improved upon.

There are three key areas banks and credit unions should focus on during budgeting season – technology, security and compliance. While lines that separate technology, security, and compliance are blurry at best, 2019 budgeting items for operations fall largely into these three buckets.

Compliance

While the focus of many examiners has shifted back to financial aspects of institutions, the top three findings our customers report relate to:

  1. Vendor Management – Typically the current vendor management solution (if it exists at all) is deemed inadequate or insufficient. Often the solution doesn’t cover all vendors or provide a way to adequately assess these vendors.
  2. Business Continuity Planning (BCP) – In the mid-to-late 2000s many banks and credit unions updated their Business Continuity Plan. However, for many institutions, these plans have remained relatively unchanged for a decade now. Technology and business processes, on the other hand, have changed rapidly over the last decade. The Federal Financial Institutions Examination Council (FFIEC) has also updated its guidance to address the current challenges of BCP. If the institution’s plan has not been thoroughly updated in a while, the institution may be at risk of a finding on a future exam.
  3. With both of these findings there may be an additional finding of inadequate management or board oversight. Often these findings happen on the same exam and are followed with a concern with oversight. Many of the calls Safe Systems gets after an exam relate to these issues.

Avoid finding yourself under a Memorandum of Understanding or a Matters Requiring Attention by budgeting to ensure your compliance processes are up to date.

Vendor Management solutions can run from $2,500 to more than $6,000 per year. Business Continuity Plans can range more significantly from a couple of thousand to more than seven thousand dollars per year. Do some research and find some solutions that would meet your institution’s needs and identify their year one cost and annual cost thereafter.

Security

With attacks on the rise and businesses continually falling victim to cybercrime, security needs to be an institution’s priority. There are innovative solutions coming to market every day to help address security risks. These solutions can help mitigate the risks that your institution faces, but they can also cause confusion on where you should focus your attention. For the next several years, it is in the institution’s best interest to continually focus on the impending security landscape and verify that your budget reflects your strategy.

One place to start is to review your current solutions. Verify that your current investments are still applicable for your ever-changing environment. Upon investigation, you might find features that are available as an add-on to your current solution to help mitigate risk. You may also find holes in your current strategy that may need to be rectified.

As of October 2018, 90% of web traffic accessed through Chrome, the most popular web browser, was encrypted. These numbers have been increasing rapidly over the last few years. Many firewalls can only inspect unencrypted web traffic. This was a small risk when encrypted websites were less common. With the sudden rise of encrypted web traffic, many firewalls are NOT equipped to scan this data. It is possible to scan encrypted web traffic, but for many institutions this will require changes and additional investment. The risk of not scanning this encrypted web traffic significantly increases the chances of your institution becoming a victim of a malware outbreak or a data breach. Examiners in some regions have started to pick up on this security hole, and they are encouraging institutions to address this issue.

Another area of concern for institutions is new and emerging threats. Attackers are continually innovating and improving their attack methods, and basic security solutions may not be enough to detect and prevent these advanced attacks. Newer solutions specifically designed to analyze the growing attack techniques have been developed. Sandbox technology and machine learning are being used to make it more difficult for attackers to be successful. In many instances, these solutions can be embedded within your perimeter firewall solution. These types of defenses can vastly increase the effectiveness of your security landscape.

Even though your firewall is viewed as a technical security device, it is also the device that grants users access to the internet. The internet has quickly become a business-critical service. When strategizing about upcoming budget aspects, the institution should consider the business risks involved when an internet device causes downtime. There are ways to mitigate internet downtime using high availability solutions. High availability involves having two firewall devices configured in a cluster. If one device fails, the second device seamlessly takes over responsibility so that downtime is avoided.

Additional devices and licensing will also affect the budget. These changes can be small or very large depending on the scope and goals of your strategy. Going forward, have a plan and strategy to deal with the ever-changing security landscape.

Technology

The biggest move in technology over the last half decade has been the move to the cloud. This will continue to be the case in 2019. The cloud offers benefits such as low maintenance, high availability and rapid disaster recovery that can’t be easily or affordably addressed with in-house solutions. The future likely means more servers and business functions moving to the cloud. This likely is where technology spend will move over the next 5 years. Another term for this is Infrastructure as a Service (IaaS). There are three likely situations that will lead to this move and determine how your institution makes the transition.

  1. Your institution desperately needs high availability and/or disaster recovery and is willing to incur the cost of moving from a hardware-based solution to a cloud-based solution.
  2. Your institution’s hardware infrastructure is reaching the end of its life and it is time to purchase all new hardware or move in a new direction. This can be a good time to evaluate your current setup and what is best for the future.
  3. Your institution has some regular hardware turnover scheduled for next year and wants to evaluate slowly moving to the cloud. Instead of buying a new server, it may be time to evaluate what the future of your infrastructure will look like and if the cloud is a long-term solution.

Some vendors pitch the move to IaaS as a cost savings move. There are cost savings involved. No more hardware to buy and maintain; no more electricity to run the devices; no more cooling to keep hardware cool; and the ability to achieve high availability is easier and more efficient. However, the move to IaaS is typically not a cost savings, but a feature advantage. Most institutions will be lucky if they break even with moving to an IaaS model, but they will gain great redundancy, uptime, reliability, and disaster recovery capabilities.

Generic cost estimates are impossible due to the fact that everyone has different infrastructure, needs, wants, etc. But if flexibility and added freedom is something your institution wants or needs, start investigating what IaaS might cost for your institution. This technology has matured greatly over the last few years and continues to evolve, making it viable now and likely the wave of the future.

Moving into 2019, focus on two things. Are my current processes and products adequate? The question is not whether they have passed exams this year, but whether they are mitigating the current risks to the institution. Too often, measuring by exams leaves the institution open to a false sense of security and potential exam issues in the future. For compliance, ensure the institution’s processes are thorough, up to date, and adequate to meet the needs of the institution. For technology, consider what the long-term goals of the institution are and start working on a plan to implement these changes. Security is going to need new investments each year for the foreseeable future. The historical solutions for security problems have been successful, which has forced criminals to find ways around them. It’s time to realize that the threats have changed, and it is time to address the new threat landscape.

13 Jun 2018
BCP vs. DR: Key Differences Every Financial Institution Needs to Know


In the wake of a very active hurricane season last year and considering the current volcanic eruptions in Hawaii, financial institutions are well aware of the importance of disaster preparation and the need to be ready for the unexpected. If your financial institution were affected by a natural disaster and your systems went down, how long would it take to get your institution up and running again? Would your organization have the resources in place to restore critical systems quickly and efficiently?

Community banks and credit unions rely on their institution’s business continuity plans (BCP) to guide them through the strategies and protocols needed to minimize downtime and keep operations running smoothly. However, in times of crisis, it is equally important to have a comprehensive disaster recovery (DR) plan in place as well.

You might think, “I have a good Business Continuity Plan in place already, so why do I need a DR plan too?” Business continuity planning refers to strategies and protocols that enable a financial institution to operate during and immediately after a disaster. A bank’s business continuity plan has evolved to become the crucial blueprint for guiding a financial institution through the process of recovering from a business interruption. This plan outlines what needs to happen to ensure that key products and services continue to be delivered in case of a disaster.

On the other hand, disaster recovery refers to having the ability to restore critical data and applications that enable the financial institution to operate normally. The DR is designed to outline what needs to be done immediately after a disaster to begin to recover from the event.

So practically speaking, a BCP informs your business with the steps to be taken to ensure key products and services remain available to customers and members, while a DR outlines the specific steps to be taken to recover the institution’s required technology needs after a disaster. Both are vital to have for any financial institution and are designed to work in tandem. Essentially, the DR plan is a part of the bigger BCP.

There are some differences in how each is structured as well. The BCP consists of a business impact analysis, risk assessment and an overall business continuity strategy, while the DR plan includes evaluating all backups and ensuring any redundant equipment critical to recovery is up-to-date and working. While the plans work together, they can be seen as two separate concepts.

  1. BCP: A plan to continue business operations
  2. DR: A plan for accessing required technology and infrastructure after a disaster.

Once the plans are complete, organizations must test to verify the effectiveness, train staff on what to do in a real-life scenario, and identify areas where the plans need to be improved. These plans are different enough that they are often tested separately. A BCP test is often a “table-top test” where a potential disaster and outcome are used to ensure all employees know where to go and what to do. A DR test is usually a more hands-on process, where all servers and communications are made unavailable, and the backup technologies are implemented to confirm the institution will be able to function as needed and expected in the correct amount of time, or Recovery Time Objective (RTO). The plans should be tested at least once a year; the results of the tests should be thoroughly evaluated; and the plans should be revised based on the results. These are not static documents: the disaster recovery plan and BCP should be updated to meet changes in regulatory expectations as they occur to ensure compliance.

We understand that disaster recovery and business continuity planning are challenging for smaller community banks and credit unions that often lack the staff and resources of larger institutions. At Safe Systems, we have been working with banks and credit unions for more than 25 years to provide the services and assistance necessary to help our customers weather the storm. Our hope is that it isn’t needed, but should it be, our proven experience enables us to provide the services and assistance necessary to ensure our customers are prepared for a disaster and able to quickly recover from one.

24 Jan 2018
Safe Systems Helps Southern Bank & Trust Recover from Hurricane Irma

Safe Systems Helps Southern Bank & Trust Recover from Hurricane Irma with Continuum Disaster Recovery Service

The potential damage that storms can cause underscores the importance of disaster recovery solutions, especially for local community banks and credit unions. When Hurricane Irma hit Georgia in September 2017, many were left without power for an extended period, including Southern Bank & Trust’s main branch in Clarkesville, Ga. This presented a significant challenge for the bank because its main server is run from that branch. The bank’s other full-service branch in Blairsville, Ga. (along with its loan production office in Dahlonega, Ga.) still had power but were unable to run while the server was down. The bank needed a way to access its server from Blairsville and Dahlonega to continue to serve its customers.

Managing Disaster Recovery

When the staff at Southern Bank & Trust learned the severity of the power outage in their town, they made the difficult decision to declare a disaster, and as a customer of Safe Systems, leveraged the company’s Continuum Disaster Recovery Service to respond to the situation. Continuum is a fully managed and secure data replication and failover solution designed to help community banks and credit unions adhere to regulations and ensure business critical data and applications are available in the event of an unplanned business interruption.

Using Continuum, Safe Systems established a site-to-site Virtual Private Network (VPN) between the branch in Blairsville and the Continuum site hosting the recovered servers to get operations back up and running quickly. Displaced employees could remotely access the network, and the bank was able to leverage Continuum for two full days until power was restored at all branches and the production servers were powered back on.

A Trusted Partner

Working with Safe Systems’ Continuum service, Southern Bank & Trust was able to avoid a complete shutdown of all of its branches. The bank’s staff knew the importance of serving their customers and providing them with access to their money, even during a disaster, and Continuum allowed them to achieve that.

“Safe Systems’ experience and guidance helped us keep things in perspective,” said Brenda Speed, Senior Vice President at Southern Bank & Trust. “When something like this happens, it affects every line of our business, and Safe Systems provided us with the resources we needed at every step of the way. They are familiar with our network, our products and our business values, truly making them an important part of our team.”

To learn more about how Safe Systems helped Southern Bank & Trust, download our case study.

23 Aug 2017
Disaster Recovery Planning - How to Prepare Your Bank for Fall Storm Season

The potential damage that storms can inflict underscores the importance of Business Continuity Planning and disaster preparation, especially for local community banks and credit unions. A single disaster event, be it a hurricane, tornado, earthquake, severe thunderstorm, etc., has the potential to devastate communities by disrupting thousands of businesses and organizations and impacting millions of lives. While disasters do not take any seasons off, historically some of the worst storms actually hit during the fall months. A lack of proper planning and preparation could be particularly devastating for a financial institution impacted by a fall storm, as their customers will expect prompt access to their money in the aftermath of such an event. Moreover, regulators have expectations of their own, and financial institutions could face poor examination scores, fines, or increases in FDIC insurance costs. But who has the time to undertake such a big project? BCP/DR planning is especially challenging for smaller community financial institutions who often lack the staff and resources of larger institutions.

It is imperative that financial institutions have a solid Business Continuity Plan (BCP) and Disaster Recovery (DR) procedures in place and are able to implement them, as required by Federal Financial Institutions Examination Council (FFIEC) guidelines. These plans are instrumental in making sure that people, process, and technology elements are all properly coordinated to efficiently recover from disasters or business interruptions. In a disaster situation there is a stark difference between the reaction of financial organizations that have a disaster plan in place and those that do not. A solid and actionable BCP can literally be the difference between a temporary outage and an institution closing its doors forever.

Preparing for Fall Storms

Aside from having a BCP and associated DR plan in place and the skills necessary to execute those plans, there are several additional steps your financial institution can take to adequately prepare for storms, natural disasters, and any other business outages, including:

  • Evaluating all backups and ensuring any redundant equipment critical to recovery is up-to-date and working;
  • Utilizing Uninterruptible Power Supplies (UPS) for short-term outages in power or preemptively shutting down servers and all IT equipment in anticipation of an extended outage;
  • Ensuring that the server room is locked with separate key access and that all equipment and sensitive documentation is otherwise secure if facilities must be vacated for an extended period;
  • Validating the procedures outlined in BCP/DR plans through functional testing; and
  • Ensuring that employees, vendors, and customers are aware of the proper communication protocols and contacts through educational efforts.

Common Issues and Solutions

Banks and credit unions that try to manage their own technology solutions, including backups, email, and server management, often get mired in day-to-day operational concerns. This leaves precious little time for the institution to make plans for potential disasters. The result is often a plan that does not truly consider all the processes and functions that go into running the business. This can leave significant gaps in recovery capabilities that might remain hidden to internal stakeholders without proper testing.

These issues can be avoided by working with an IT service provider who understands the unique needs each financial institution has when preparing for and recovering from a natural disaster. To ensure your institution is prepared for storm season and doesn’t run into the common issues mentioned above, partner with an IT service provider that offers the following:

  • Recovery plan testing on an annual basis;
  • Remote and secure backups;
  • Compliant data recovery practices;
  • Readily available staff and engineers; and
  • Proactive communication.

Fall storms and natural disasters cannot be prevented, but proactively knowing where to go, who to contact, and what critical functions to restore first can provide confidence when responding to a disaster. Developing, implementing, and regularly testing disaster recovery procedures as part of your business continuity plan is crucial in today’s banking environment. At Safe Systems we have been working with banks and credit unions for more than 20 years. Our proven experience enables us to provide the services and assistance necessary to help our customers weather the storm with minimal business interruption.

17 Aug 2016

4 Steps for Moving Your Community Bank’s Server Workloads to the Cloud

More and more organizations, including community banks and credit unions, are moving line-of-business and ancillary systems to the cloud. Moving applications to the cloud is a way for financial institutions to control spending, ensure compliance with regulations, and enable employees to focus on revenue-generating activities. Cloud outsourcing may start with specific IT functions or processes such as disaster recovery, backup, and network servers.

Today, core banking services are almost exclusively hosted from the cloud. The in-house servers, or the servers running ancillary systems, consist of lending applications, Microsoft applications, internal accounting applications, and voice response systems, among others. There is a lot of infrastructure involved in managing all the applications needed to run an efficient and successful financial institution.

While the cloud has proven to be beneficial for banks by enabling the limited in-house personnel to focus on core strategic initiatives instead of worrying about IT infrastructure, there are steps all financial institutions must follow. Here are four things to consider before moving your bank’s critical data to the cloud.

Support Your Bank’s Corporate Strategy

Each bank has a unique corporate strategy that is driven by its market situation, such as the desire to expand services offered, open new branches, merge with another institution or even to be acquired. This strategy will guide how and what should be moved to the cloud.

Catalog the Application Opportunities

Before moving to the cloud, your IT team must understand the requirements of the applications that are being used. Evaluate the IT infrastructure that must exist to provide each application and determine how to minimize the amount of IT assets that are needed internally. Then, the applications that can be moved to the cloud can be identified.

Determine the Best Cloud Service for your Bank

The idea behind moving to the cloud is to eliminate servers, internal infrastructure, and applications that must be hosted inside your bank, as well as the associated work to manage each one. This enables your IT team to work on higher value, strategically critical projects.

There are three options to do this:

  • Simply move your servers to a co-location facility or data center. This can be an attractive option since it does not require extensive configuration changes to applications and servers, but moves these critical assets out of the bank building to a highly available data center.
  • Move to an Infrastructure as a Service (IaaS) model, which means that instead of physically moving servers that you own, you pay a service provider to lease out the server capacity you need. You access the servers remotely to install, run, and maintain your applications. This can be a challenging option. It can be rather expensive, and the financial institution and IT personnel are still required to manage the process and technical specifications. IT personnel must reinstall all applications in a new environment and change all networking at the same time, which is a cumbersome and time-consuming process to manage.
  • Rather than setting up additional infrastructure, banks are turning to the Software as a Service (SaaS) model, a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted by the application software provider. This often enables financial institutions to run their applications from a browser; the software is supported by the developer, and there is no additional infrastructure to maintain.

Develop a Phased Approach

Long term, banks should consider moving all of their applications to the cloud, and most of the applications are ready to do so today. The migration should be completed in multiple phases, enabling a smoother transition. However, the applications that are not technically ready should not be forced to move as this can cause unnecessary complications and technical issues. Today, financial systems and even Microsoft solutions are cloud-based.

While the benefits of cloud computing (improved efficiency, scalability, cost, reliability, improved access, consistent security and compliance, and compensation for limited in-house resources) are clear, making the leap to these services can be a challenging and daunting task for some community banks. Working with an outsourced service provider, such as Safe Systems, can help with the process, design and installation while ensuring the systems are compliant and meet all regulator expectations. Our cloud services are built specifically for community banks. With a focus on regulatory guidance and compliance, we do extensive and rigorous vendor management vetting of all cloud providers before we offer or recommend a provider or service. We have more than 20 years’ experience offering products and services exclusively to community banks and credit unions. Safe Systems helps financial institutions to significantly decrease costs, increase performance, and improve their FFIEC compliance posture. Working with Safe Systems lets bankers go back to being bankers!




7 Reasons Why Small Community Banks Should Outsource IT Network Management