Author: Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.
09 Jan 2012

Another incident management table-top training exercise

I’ve mentioned before that financial institutions would be wise to use news reports of security incidents as “what if” table-top training exercises.  Here is another one that just occurred a couple of days ago:

Test scenario:

  • You receive a subpoena from a government agency requesting financial information on several customers.  The subpoena includes names and social security numbers for the customers involved.
    • (Your privacy policy probably contains verbiage similar to this:  “Social Security numbers may only be accessed by and disclosed to <bank employees> and others with a legitimate business “need to know” in accordance with applicable laws and regulations”, or perhaps you state that you will disclose only if “…responding to court orders and legal investigations”.)
  • You determine that information disclosure is necessary and appropriate in this case, and you provide the information.
  • Although there is nothing in your privacy policy that requires it, you then decide that you will notify the affected customers that their information was disclosed pursuant to a legal request.
  • You send a letter to each affected customer explaining the reasons for the disclosure, as well as what information was disclosed.
  • You include a copy of the original subpoena in each letter in its original form, including the names and social security numbers of all of the affected customers.  In other words, you did not redact the information pertaining to everyone other than the intended recipient of the letter, so every affected customer received everyone else’s information in addition to their own.

Discussion topics:

  1. Does this qualify as a “security incident” as it is defined by your Incident Response Plan?  It is clearly not an intrusion, but it does qualify as an irregular or adverse event that negatively impacts the confidentiality of customer non-public information.
  2. Is customer or regulator notification required?  In order to answer this question, answer the following:  “Has misuse of non-public information occurred, or is it reasonably possible that misuse could occur?”  If the answer is “yes”, customer and regulator notification is required, along with credit monitoring services, ID theft insurance, credit freeze activation, and any other remedies the law, and your policies, require.
  3. Is a Suspicious Activity Report filing required?  (Perhaps not, but I would err on the side of caution.)
  4. What, if anything, would we do differently?  Under what exact circumstances will we disclose customer NPI (non-public information)?  If it is disclosed, will we notify the affected customer?  What are the legal implications?

Use these real world examples to fine tune your incident management policies and procedures.  Perhaps they will prevent you from becoming someone else’s training exercise!

04 Jan 2012

2012 Compliance Trends, Part 4 – Risk Assessments

Information security, business continuity, vendor management, ID theft, RDC, Internet banking…it seems that every time you do anything these days you’re expected to perform a risk assessment. This is nothing new; risk assessments have been around since risk management began, but I think we’re going to see even more focus on them in the future.  Furthermore, I believe this is actually a two-part trend.  Not only will the volume of assessments increase, but the scope will expand to include additional risks as well.  So perhaps this trend should be called:

Risk Assessments – More of them, and more in them

First of all, as I’ve said before, the blame for the largest recent failures in the financial industry has been placed largely on management’s inability to properly assess and manage risk.  Additionally, the vast majority of FDIC Consent Orders require increased Board and senior management involvement.  The intent is to place the accountability firmly at the top, because management is expected to make decisions based on an accurate understanding of the risks involved. And that always requires a risk assessment.

Secondly, there has been a clearly discernible shift towards including enterprise-wide risks in all risk assessments.  This started with the FDIC Winter 2009 Supervisory Insights newsletter, which basically redefined the customer information risk assessment to include “assessment of risks across all business lines, including, but not limited to, risks to information security”.  We also saw this trend exhibited in the disaster recovery process, where the term “enterprise-wide” is mentioned 39 times in the latest FFIEC guidance.  Finally, we’ve seen this enterprise-wide focus validated in recent regulatory examinations.  Regulators are now asking about things like strategic risk, reputation risk and operational risk, and expecting that these risks are assessed alongside the more traditional categories like privacy and security.

In order to fully understand and prepare for this trend, it’s important to understand 2 things:

  1. There is no single universal template for all risk assessments, and
  2. A risk assessment is only one step in the risk management process…and it’s not the first step

So, lacking a universal template for risk assessments, how do you proceed?  You start by understanding that risk assessments are actually step 2 in the risk management process.  The essential elements of an effective risk management program are:

  1. Identify the assets to be protected.  What are you protecting (i.e. customer information, critical business processes, etc.), and why (privacy, security, reputation, etc.)?  Be sure to consider all (i.e. enterprise-wide) risks.
  2. Identify the threats to those assets.  What bad things could happen to the assets identified in step 1?  Rank the threats by both impact and probability.  (This is the traditional risk assessment step.)
  3. Apply controls in a layered, overlapping way until the risks are reduced to an acceptable level.
  4. Test the adequacy and effectiveness of the controls.
  5. Monitor the program and periodically repeat the process.

Exactly how the risk management process is documented is not specifically prescribed by the regulators; it is up to the institution to adopt a process that works best for them.  I do suggest you try to adopt a consistent format that can be easily duplicated for all occasions requiring a risk assessment, and is also flexible enough to accommodate change.  I’ve found that a spreadsheet-type risk ranking matrix works best, with assets on the vertical axis, and threats and controls on the horizontal axis, but other approaches work fine too.  Regardless of how it’s done, the process should include all 5 of the required elements, and include enterprise-wide risks.  From the FDIC:

“Risk assessment findings should be tied to business risks more broadly.  These efforts will help ensure that senior management, the Board of Directors, and the institution’s regulators gain sufficient insight into the institution’s true risk posture and help reduce the potential for an unforeseen, escalated risk profile.”
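The spreadsheet-style risk ranking matrix described above is easy to get wrong in one respect: layered, overlapping controls do not simply add up, and a threat is only “accepted” once its residual risk, not its inherent risk, falls below the level the Board has agreed to tolerate.  The following Python is an added example, not code from the original post or from Compliance Guru; the asset names, threats, 1-to-5 scales, control percentages and the acceptable-risk threshold of 5 are all constructed sample values for illustration.  It carries steps 1 through 3 of the five-element process: assets in the register (step 1), threats ranked by impact x probability (step 2), and controls applied in layers until the residual risk is acceptable, with anything still above appetite flagged (step 3).

```python
"""Risk ranking matrix: assets down the side, threats and controls across,
with inherent and residual risk computed for every asset/threat cell.
Added example with constructed sample data, not the original post's code."""
from dataclasses import dataclass, field
from math import prod


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: float = 0.0  # fraction of likelihood removed (0..1)
    impact_reduction: float = 0.0      # fraction of impact removed (0..1)


@dataclass
class Threat:
    name: str
    likelihood: int                    # 1 (rare) .. 5 (near certain)
    impact: int                        # 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Step 2 score before any controls: impact x probability."""
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        """Step 3 score after layered controls.  Layers compound: each control
        removes a fraction of what the previous layer left, so three 40%
        controls never reach 120%; they leave 0.6 * 0.6 * 0.6 = 21.6%."""
        likelihood = self.likelihood * prod(1 - c.likelihood_reduction for c in self.controls)
        impact = self.impact * prod(1 - c.impact_reduction for c in self.controls)
        return round(likelihood * impact, 4)


Register = dict[str, list[Threat]]  # step 1: asset -> threats against it


def build_sample_register() -> Register:
    """Constructed sample register (hypothetical assets, threats and controls)."""
    return {
        "Customer NPI (core banking database)": [
            Threat("Unauthorized disclosure by employee", likelihood=4, impact=5, controls=[
                Control("Role-based access to customer records", likelihood_reduction=0.5),
                Control("Activity logging with monthly review", likelihood_reduction=0.3),
                Control("Outbound e-mail DLP for SSNs/account numbers", likelihood_reduction=0.4),
            ]),
            Threat("Ransomware on file servers", likelihood=3, impact=4, controls=[
                Control("Monthly patching of servers and workstations", likelihood_reduction=0.4),
                Control("Offline, tested backups", impact_reduction=0.5),
            ]),
        ],
        "Internet banking": [
            Threat("Account takeover via stolen credentials", likelihood=5, impact=4, controls=[
                Control("Multifactor authentication for high-risk transactions", likelihood_reduction=0.6),
            ]),
        ],
    }


def rank_threats(register: Register) -> list[tuple[str, str, int]]:
    """Step 2: every (asset, threat) pair ordered by inherent risk, highest first."""
    rows = [(asset, t.name, t.inherent_risk())
            for asset, threats in register.items() for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def above_appetite(register: Register, acceptable: float) -> list[tuple[str, str, float]]:
    """Step 3 check: cells whose residual risk still exceeds the agreed level,
    i.e. where another control layer (or a documented acceptance) is needed."""
    return [(asset, t.name, t.residual_risk())
            for asset, threats in register.items() for t in threats
            if t.residual_risk() > acceptable]


def format_matrix(register: Register, acceptable: float) -> str:
    """Render the spreadsheet view: one row per asset/threat cell."""
    lines = [f"{'Asset':<38} {'Threat':<42} {'L':>2} {'I':>2} {'Inh':>4} {'Res':>6}  Controls"]
    for asset, threats in register.items():
        for t in threats:
            flag = "" if t.residual_risk() <= acceptable else "  <-- above appetite"
            ctl = "; ".join(c.name for c in t.controls) or "(none)"
            lines.append(f"{asset:<38} {t.name:<42} {t.likelihood:>2} {t.impact:>2} "
                         f"{t.inherent_risk():>4} {t.residual_risk():>6}  {ctl}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    register = build_sample_register()
    print(format_matrix(register, acceptable=5))
    print("\nRanked inherent risk:", rank_threats(register))
    print("Still above appetite:", above_appetite(register, acceptable=5))
```

Two things the matrix makes visible that a narrative risk assessment hides: the two highest inherent risks (both 20) end up on opposite sides of the acceptance line once controls are applied, and the account-takeover cell remains above appetite even after multifactor authentication, which is exactly the “apply controls in a layered, overlapping way until the risk is acceptable” loop in step 3.  Steps 4 and 5 are then a matter of testing that each listed control actually performs as the percentage assumes, and rerunning the sheet when assets, threats or controls change.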

28 Dec 2011

Top Topics for 2011

With everyone else doing their end-of-the-year top ten lists, I thought I might join in and see what topics were most popular with visitors to the Compliance Guru site in 2011.  There were a total of almost 24,000 page views, and here are the 5 most popular blog posts with view counts:

  1. AICPA finalizes SAS 70 replacement (1,139 views)
  2. Vendor Management and the SAS 70 Replacement (628 views)
  3. Interpreting The New FFIEC Authentication Guidance – 5 Steps to Compliance (569 views)
  4. SAS 70 replacement…3 alternatives (439 views)
  5. 5 Key Elements of Risk Management (427 views)

So there was definitely a trend here…3 of the top 5 posts related to the AICPA phase-out of the SAS 70!

Something else I found interesting was the search term people used to find the Compliance Guru site.  This is another pretty good indication of what people are concerned about.  Here are the top 5 keywords:

  1. “sas 70 replacement”
  2. “sas70 replacement”
  3. “bank service company act”
  4. “ffiec”
  5. “key elements of risk management”

No surprise that the SAS 70 again dominated, but I thought “bank service company act” was a bit surprising.  One of the biggest reasons folks search for terms like this is when they hear them from an auditor or examiner for the first time, so I take this as an indication that the BSCA may be a continuing trend going into 2012.

I may have other lists as I continue to review the data, but since the SAS 70 is so popular here is a shortcut to all blog posts related to that subject, most recent first:

https://www.complianceguru.com/tag/sas-70/

See you all in 2012!

22 Dec 2011

FDIC offers “Insight” on Mobile Banking

Although not considered official supervisory guidance, the most recent FDIC Supervisory Insights newsletter offers an instructive early look into how the agency might examine this emerging electronic banking delivery method in the future.  (Before you tune out and decide to wait for the formal guidance, remember it was the Winter 2009 issue that first introduced us to the concept of the enterprise-wide risk assessment as the preferred replacement for the traditional information security risk assessment.  I consider these Supervisory Insights newsletters to be a pretty accurate peek into the regulatory crystal ball.)

The article is titled “Mobile Banking: Rewards and Risks”, and is a fairly deep dive into this relatively new banking service.  Mobile banking is defined as the use of a mobile device, commonly a cell phone or tablet computer, to conduct banking activities.  The article starts by discussing the current, and estimated future, market for this service, quoting a survey placing the potential adoption of mobile banking at 38 million households by 2015.  Clearly, if institutions have not already considered adopting this delivery method, they certainly will in the near future.  The authors separate the mobile service offerings into three broad categories based on the delivery method:

  • Text messaging/short message service (SMS)
  • Mobile-enabled Internet browser
  • Mobile applications (apps)

They then discuss the channel-specific mobile banking risks, and this was one of the most interesting parts of the article for me:

A recent study looked at the security of four types of mobile applications – financial services, social networking, productivity, and retail.  The study focused on the types of sensitive data that mobile applications store on the device and whether these data were stored securely. Each application was rated “Pass,” “Warn,” or “Fail.” A “Pass” rating means sensitive data are not stored on the device or are encrypted.  A “Warning” rating means certain data are stored on the device, but this does not put the user at significant risk of fraud. A “Fail” rating indicates sensitive data, such as account numbers and passwords, are stored on the device in clear text, placing the user at an increased risk of identity theft or other financial fraud.

The article’s results show that although financial institutions had the highest “pass” rate for mobile applications, they also had uncomfortably high “warn” and “fail” rates.  (Also note the extremely high “fail” rates for social networking apps…this only confirms my concerns.)  Although the authors don’t go into great detail on the availability and proper use of controls to mitigate the risks, they do make the point that proper vendor management is key.  This is particularly true for community institutions that rely heavily, and almost exclusively, on the built-in controls provided by their product’s vendor.

But they also refer to the updated FFIEC Authentication guidance, stating that it “applies to mobile banking”.  This is a bit of a news flash, as the term “mobile banking” is not specifically mentioned anywhere in the updated guidance.  In fact this was one of the major criticisms of the update when it was released (although I disagreed).  I think it’s clear now that the FFIEC intended for the updated guidance to be broad enough to include new and emerging technology, and that we shouldn’t expect a new update every time technology changes.  This also means that you should include mobile capabilities in your Electronic Banking risk assessment, as well as the associated controls.

So consider this an early Christmas present from the FDIC, and make sure to incorporate the mobile banking risk management concepts discussed in this article into your electronic banking risk assessment.  In summary:

Financial institutions are challenged to ensure their mobile banking service is designed and offered in a secure manner, and customers are made aware of steps they can take to protect the integrity of their mobile banking transactions.  (Edit – so does making customers aware mean mobile banking customer training will be a requirement?)

19 Dec 2011

2012 Compliance Trends, Part 3 – Management

I’ve written about the importance of this before, and from many different angles, but I want to recap and explain why I think management (both IT and enterprise) will be an area of increased regulatory focus in the year ahead.  To recap my criteria for inclusion in the “2012 Trends” list, it must have a basis in:

  1. Recent audit and examination experience,
  2. Regulatory changes, and/or
  3. Recent events.

Management, or governance as it is sometimes called, is defined by the FFIEC in the IT Examination Management Handbook as:

“…an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”

And…

“Due to the reliance on technology, effective IT management practices play an integral role in achieving many goals related to corporate governance.”

So regulators have always considered IT management critical, and most institutions address that obligation by assigning responsibility for day-to-day management of IT to a committee, such as a technology or IT Committee.  In recent examinations we have seen regulators ask specifically to see committee minutes, looking for things such as discussion of vendors before they are approved, and discussion of new technology before it is implemented.  They want to know that the institution considered the strategic value of the vendor and the new technology prior to approval.  Was the decision to approve consistent with (in alignment with) the overall goals and objectives of the strategic plan?  Can you document that?

Effective management of IT has significance way beyond just IT and strategic alignment though, after all…

“…IT management is an essential component of effective corporate governance and operational risk management.”

An institution that fails to demonstrate that it can adequately manage technology (and do so at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide.  I explained this further in an earlier post, and examiners agree.  Consider this…the two most often repeated statements in FDIC enforcement orders this year are for the institution to “have and retain qualified management”, and for the Board of Directors to “increase its participation in the affairs of the Bank”.

For all these reasons I believe the CAMELS “M” will be in the minds of examiners.  So how can you prepare?  In a word, reporting.  Think of it as a two-way flow:

Once the overall strategy has been communicated top-down (Board to senior management to staff), reporting flowing back up the same path will document that the strategy has been successfully incorporated into the policies and procedures of the organization, and (most importantly) that day-to-day practices abide by those policies and procedures.  Implementing an internal self-assessment program can be a very effective way of both communicating strategy and documenting compliance.  Use automated controls and monitoring, and employ outside expertise whenever possible.