-
UPDATE – New Proposed Cyber Incident Notification Rules Finalized
Last updated March 30, 2022. Currently, financial institutions are required to report a cyber event to their primary federal regulator under very specific circumstances. This requirement dates back to GLBA, Appendix B to Part 364 and states that FI incident response plans (IRPs) should contain procedures for: “Notifying its primary Federal regulator as soon as…
-
Hot Topic: Ransomware on the Radar (Updated)
Both the State banking regulators and the Treasury Department have issued recent advisories to financial institutions regarding the ransomware threat. Ransomware is defined as a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or programs, in order to extort ransom payments from victims in…
-
FFIEC Issues Statement on Pandemic Planning
Background: Similar to the Joint Statement on Destructive Malware issued in January in response to heightened geopolitical cyber risks from foreign actors, the FFIEC just released an Interagency Statement on Pandemic Planning in response to the current COVID-19 epidemic. Similar to the Destructive Malware statement, this statement does not impose any additional regulatory expectations on…
-
Ask the Guru: Do We Need to Perform a Review on a New Vendor in a Foreign Country?
Hey Guru! Our institution works with a third party that has recently engaged with a company in a foreign country to begin assisting them in taking care of our institution’s IT matters. Do we need to perform a review on this new foreign third party? When evaluating this situation, the first step is to understand the parties…
-
Ask the ISO: What Makes a Good Password?
Hey Chuck! Our auditor is telling us we need longer passwords. I’ve done some reading and asked around on this, and I’ve heard everything from 8 to 15 characters. How long should our passwords be? Ask a simple question, get… a different answer from every person you ask. Frustratingly enough, they all might be right.…
-
Ask the Guru: A Prospective Vendor Either Won’t or Can’t Provide the Documentation We Need. What Should We Do?
Hey Guru! We’re doing our due diligence on a new HR software package. We’ve requested the vendor’s financials and a SOC 2 report, but they told us they don’t provide financials (they are privately held), and their SOC 2 won’t be completed until the end of the year. They do have a SOC 1. What…