Your Next Regulatory Exam May Be Easier and More Difficult
Because of the effect of the pandemic, banks can expect examiners this fall to show some leniency in various areas and take a hard line in others.
Federal and state regulators on June 23rd jointly issued guidance for examiners. The guidance provides for special considerations to help banks navigate the effect of the pandemic in Asset Quality and Income & Liquidity.
But bankers should note there is no such leniency directed in Operational Risk, which regulators tag as heightened because of the pandemic. Banks can expect more examiner focus on how management is assessing and implementing effective controls in these areas:
- Vendor controls and service-delivery capabilities;
- Fraud and cyber threats;
- Remote work and teleconferencing;
- Cost-cutting, staffing and delayed updates.
Find the link to the regulatory release. Read more on the BankOnIT blog.
Have You Done Due Diligence on Your Vendor’s Vendor’s Vendor?
De-Risking Your IT Supply Chain
You may be surprised to learn that many of the vendors you rely upon for critical functions in your institution rely in turn on other vendors, who also rely on yet others to provide services you have contracted for. Read more on the BankOnIT blog.
Vendor Due Diligence Webinar
Presented by Sharon Bracken, CISSA and Internal Audit manager at BankOnITUSA, the webinar will provide you guidance on performing effective due diligence as well as warn about those areas where vendors are most likely to have second- and third-level deep-outsourcing relationships – many times offshore.
Email Solutions@BankOnITUSA.com for a link and discount code for the “Have You Done Due Diligence on Your Vendors’ Vendor’s Vendor” webinar.
Your CPA Firm, Trade Association and Others: Cyber-Attackers Targeting Them to Get to You
Cyber-attackers are increasingly compromising email accounts at entities that do business with banks. The attackers gain unauthorized access to email accounts at an entity and then send email with malicious content to individuals at targeted financial institutions. The attackers know that many institutions have an electronic “allow” list of specific email addresses from supposedly trusted sources. Additionally, cyber-attackers are relying on social engineering – they know that if you see an inbound email from a trusted source, you are much more likely to open it and be less cautious about clicking on links or opening attachments in the email.
Here are some suggestions:
- Minimize the number of email addresses on electronic “allow” lists;
- Have multiple layers of security (it’s no longer sufficient to rely on a trifecta of a firewall, spam filter and anti-virus software); and
- Make sure training has an emphasis on this threat; emails containing malicious content can come from anyone.
It’s Not the CIO, It’s the CEO
Target, Equifax, Sony all had high-profile, cyber-security breaches. Do you recall who the CIO was at these firms? Likely not. That’s because it was the CEO who was in front of television cameras and called to testify in Congress when problems hit. How prepared is your CEO for such an event?
Preparation is key to managing reputational risk.
Russ Florence of Schnake Turnbo Frank, a public relations and leadership consulting firm, says “There is a direct correlation between preparation and response to a crisis.
“The more you prepare and train, the less likely you are to have an event that causes long-term reputational damage,” says Florence, who is the firm’s president, chief operating and inclusion officer.
COVID-19 Cybersecurity Risks So Numerous, FBI Created a Web Page Detailing Risks
Visit https://www.fbi.gov/coronavirus for the latest threats and how to keep you, your family and your wallet safe from emerging COVID-19 related crimes.
Guarding Against Virtual Viruses in a Pandemic
Cyber-attackers are known to be opportunistic, pouncing during times of anxiety and uncertainty. Rest assured, they won’t let up once the coronavirus has run its course. While information technology directors are focusing on assisting bankers working remotely, computer virus and malware threats continue to rise. Read more on the BankOnIT blog.
Ramping Up Work-From-Home Cybersecurity
Hackers see work-from-home employees as weak points into company networks and online processes, so companies are shifting cybersecurity focus to securing individual employees and their devices. Expanded virtual private networks (VPNs), secure cloud computing environments, and more stringent multi-factor authentication measures are among strategies companies are deploying.
#WorkFromHome images on social media can help create community, understanding and humor in these strange times. But, those photos may be rich with opportunity for cybercriminals.
The caution here is to be aware of what sensitive information a photo may inadvertently reveal – from computer screens showing company-confidential data to an inventory-control decal with serial number on a laptop computer. And those photos that show pets, grandkids, books, trophies and trinkets can be fodder for email phishing attempts and even password hacks.
Prove You’re You – Before a Thief Steals Your Ability to Do So
Have you turned on multi-factor authentication (MFA) on all of your websites and apps that offer this added security safeguard?
More and more websites and apps offer customers MFA – whether it’s for more secure day-to-day access or to support recovery in the event of a password that is forgotten, breached or stolen. MFA often looks like this: Enter your ID and password, then at a prompt, get a one-time code by text message or email to enter as the second authentication to access your account.
It’s an easy win when you set up MFA: Your account access is doubly secure and you’ve cut off the path for a hacker to tie the secondary authentication to their email or phone, locking you out.
Get Savvy on Snail-Mail Security
With all of the focus on email security protocols, it may be time to add some security to your snail mail – USPS and parcel-delivery services. Knowing what’s coming in your USPS mail each day (a check, an important document or a credit-card solicitation) can bring some peace of mind. For the parcel-delivery services, you can see what’s coming and when – as well as have the opportunity to redirect delivery to an alternate location or reschedule delivery.
Like other web- and app-based services, though, it’s important to sign up – before a hacker signs up on your account and starts redirecting your mail and your packages to their own address.
Pandemic Pushes CEOs to Rely More on Top Tech Officers
Remote-work needs, cybersecurity and a challenging economy are making chief information officers more important to CEOs than in pre-pandemic times.
The new key performance measure CEOs are setting for CIOs is how well their companies can 100 percent digitally serve customers and operate with a remote work force. Cybersecurity is a significant focus.
Cybersecurity Is Chief Fear in CIO’s Sleepless Nights
Eight corporate technology executives answered the simple question: What’s keeping you up at night?
The common denominator in their answers: Cybersecurity.
Here are some excerpts from their answers in the June round-up the Wall Street Journal published:
“... Third-party risk management to prevent malicious actors from infiltrating our network via our partners’ systems.”
“...An increase in cybercrime activity … targeting our online services, consumers, customers and employees.”
“Protecting our customers’ data with such a distributed workforce. The pandemic shifted 98% of our staff to their homes in three days.”
“... Also worry about keeping up with the hiring pace. It’s a hypercompetitive market right now for great [IT] talent.”
“Remote workforce security is top of mind for every CIO right now.”
Cybersecurity Risk-Management Survey Says...
The Wall Street Journal’s research arm conducted a sweeping survey of cybersecurity preparedness among nearly 400 enterprises across various sectors. (The data-gathering closed prior to the pandemic effect.)
One interesting correlation the researchers discovered was the positive effect of delivering tailored cybersecurity training to executives. Companies that did this were more likely to have: identified and protected critical data; cyber insurance coverage; and an incident-response plan.
One challenge – assessing the effect of attacks on an organization’s supply chain or third-party suppliers – crossed all sectors. The vast majority of companies saw it as a major threat, but just more than half indicated confidence in their preparation. The researchers note that even financial-services firms lagged in this area, with only six out of 10 firms managing the risk well.
Interested in knowing more? Contact us at Solutions@BankOnITUSA.com, or 800.498.8877.
If you’d like to receive the Information Technology for Directors publication directly in your email inbox, please email us at Guidance@BankOnITUSA.com.