Hey Guru I saw multiple references to the term “risk appetite” in the FFIEC Cybersecurity Assessment Tool. What exactly is risk appetite, and how can I address this in my institution? They just released Management Handbook contains 10 new references to “risk appetite”, including a requirement that the Board has defined the institution’s risk appetite and it’s risk tolerance levels. […]
FFIEC Releases Cybersecurity Assessment Tool
UPDATE: Safe Systems just released their Enhanced CyberSecurity Assessment Toolkit (ECAT) – This enhanced version of the FFIEC toolkit addresses the biggest drawback of the tool; the ability to collect, summarize, and report your risk and control maturity levels. Once risks and controls have been assessed (Step 1 below), institutions will now be better able […]
FFIEC Issues 2 Statements on Cybersecurity
Both statements address recent cybersecurity threats; one targeting online credentials (passwords, usernames, e-mail addresses that may be used by employees or customers to authenticate themselves), and one addressing destructive malware. The statements advise specific risk mitigation steps institutions should consider, and I thought it would be instructive to compare the steps to see which are common to […]
Vendor Management in 3 Parts. Part 2 – Risk Assessment (or, “will they or won’t they?”)
In Part 1 I said that vendor management, just as any other risk management endeavor, consists of 3 basic phases; Identify the risk Assess the risk, and Control the risk I also discussed why risk identification was a more difficult task today because of the “access to data” question, and also because “data” includes not just NPI, but confidential […]
Vendor Management in 3 Parts. Part 1 – Risk Identification (or, “do they or don’t they?”)
Service provider oversight (aka vendor management) is undoubtedly the hottest hot-button item on the regulator’s agenda right now, and for good reason. For one thing, regulators know that the vast majority of financial institutions outsource at some point, in fact recent studies put the number of FI’s that either transmit, process or store information with […]
Windows XP and Vendor Management
The FFIEC issued a joint statement recently regarding Microsoft’s discontinuation of support for Windows XP. The statement requires financial institutions to identify, assess, and manage the risks of these devices in their institutions after April 8, 2014. After this date Microsoft will no longer provide regular security patches or support for this product, potentially leaving […]
FDIC Institutions still getting UIGEA (Reg GG) findings – UPDATE
Update 1 – 12/5/2011 to add examination procedures*.
Update 2 – 2/13/2012 to emphasize policy requirements.
Update 3 – 10/8/2012 to add specific courses of action
BYOD Redux – The Policy Dilemma (Part 1)
Employee-owned mobile devices are everywhere, and they’re being used for everything from email to document storage and editing. Proper risk management procedures are defined in your policies, but do you need a separate mobile device policy, or can you simply mention them in the same policy sections that address other portable devices? Or is there […]
“Operational Risk Increasing”
In a recent speech to the Exchequer Club1, Thomas J. Curry, the new head of the OCC, stated that although asset quality has improved, charge-off rates have fallen, and capital now stands at its highest level in a decade, another type of risk is gaining increasing prominence; Operational Risk. “Some of our most seasoned supervisors, […]
CFPB Examinations Are Coming – UPDATE 2
Coming soon to your financial institution:
Dear Board of Directors:
Pursuant to the authority of the Dodd-Frank Wall Street Reform…
Read the rest of the article
FDIC offers “Insight” on Mobile Banking
Although not considered official supervisory guidance, the most recent FDIC Supervisory Insights newsletter offers an instructive early look into how the agency might examine this emerging electronic banking delivery method in the future. (Before you tune out and decide to wait for the formal guidance, remember it was the Winter 2009 issue that first introduced […]