In Part 1 I discussed the increasing regulatory focus on cybersecurity, and what to expect in the short term. In this post I want to dissect the individual elements of cybersecurity, and list what you’ll need to do to demonstrate compliance on each one going forward. So here are the required elements of a cybersecurity program, followed […]
Cybersecurity – Part 1
Cybersecurity has gotten a lot of attention from regulators lately, and with assessments already underway it promises to be a regulatory focus for the foreseeable future. But exactly what are they expecting from you, and how does that differ from what you may be doing already? More importantly, how should you demonstrate that you are […]
Incident Response in an Outsourced World
UPDATE – On June 6th the FFIEC formed the Cybersecurity and Critical Infrastructure Working Group, designed to enhance communications between and among the FFIEC member agencies as well as other key financial industry committees and councils. The goal of this group will undoubtedly be to increase the defense and resiliency of financial institutions to cyber […]
NIST Incident Response Guidance released
UPDATE – The National Institute of Standards and Technology (NIST) has just released an update to their Computer Security Incident Handling Guide (SP 800-61). The guide contains very prescriptive guidance that can be used to frame, or enhance, your incident response plan. It also contains a very useful incident response checklist on page 42. I’ve […]
Managing Social Media Risk – LinkedIn Edition
By now everyone has heard about the breach at LinkedIn, where 6.5 million email password hashes were leaked (over half of which have been cracked, or converted into plain text). Those who read this blog regularly know how I feel about social media in general: “So managing social media risk boils down to this: You […]
Another incident management table-top training exercise
I’ve mentioned before that financial institutions would be wise to use news reports of security incidents as “what if” table-top training exercises. Here is another one that just occurred a couple of days ago: Test scenario: You receive a subpoena from a government agency requesting financial information on several customers. The subpoena includes names and […]
The “Security Breach” and your Incident Response Program
Last week Wells Fargo said that some of their customers in South Carolina and Florida received portions of other customers’ bank statements in the mail as the result of a printer error. Essentially, a printer malfunction caused a portion of another customer’s statement to be appended to the bottom of some printed statements. A […]
Incident response – to report or not?
For the purposes of regulator reporting and customer notification, it is critical that we first define an “incident”. Here is how an incident is defined by the FFIEC: