Posted November 29, 2016
A nine-page advisory issued by FinCEN on October 25, 2016 contains information, analysis and access to additional resources intended to help financial institutions understand both the threats posed by criminals, terrorists and state actors, and the essential role financial institutions play in protecting their customers and the larger financial system from such threats.
The advisory is especially pertinent to bank employees responsible for cybersecurity, network administration, risk management, fraud prevention, BSA/AML management, and AML efforts. To access the document, browse the RESOURCES section (Advisories/Bulletins/Fact Sheets) at www.fincen.gov for FinCEN Advisory FIN-2016-A005.
Posted November 8, 2016
Cybersecurity month (October) is behind us for 2016, but that doesn’t mean it’s okay to let our guard down. As a matter of fact, the best time to use cybersecurity best practices is always.
With the holidays drawing near, online purchases are sure to spike. Here are a few tips you (and your customers) can use for safer online shopping:
- Shop at reputable companies. If a bargain seems too good to be true, it probably is.
- Avoid clicking shopping links that are embedded in emails unless you subscribe to the seller’s ads.
- Create a free “junk” email address through a service like outlook.com, yahoo.com, or juno.com. Use the address only for registering with retailers so their email ads won’t crowd the inbox you reserve for family and friends.
- When making a purchase online, consider using a credit card you seldom use. That way, if the vendor has a breach, it won’t affect your main credit card.
- Before making a purchase, look for the “lock” symbol in the address bar. It confirms that your connection to the site is encrypted; also check that the address is really the retailer’s, because the lock alone doesn’t tell you who runs the site.
- Consider shopping at an all-in-one site such as Amazon.
- Use a credit card instead of your bank debit card.
- Save a copy of your order.
Posted October 3, 2016
The 2016 series of WesPay-led classes scheduled exclusively for Bankers’ Bank of the West customer banks will conclude in December with a two-part course focused on Regulation E.
Reg E sets forth the requirements of the Electronic Funds Transfer Act. This class will discuss the impact of Reg E for the financial industry as it relates to consumer rights. It examines various aspects of the regulation, particularly from the standpoint of the Automated Clearing House (ACH). Topics include definitions, coverage, required disclosures, error resolution, and more.
Part one: Friday, December 2 (1 pm Mountain Time | 2 pm Central Time)
Part two: Friday, December 9 (1 pm Mountain Time | 2 pm Central Time)
Register soon! To request a registration form, email firstname.lastname@example.org.
Could you be inviting more spam into your Inbox—or revealing your work habits to hackers? Using Outlook’s out-of-office feature might do both.
Microsoft Outlook offers an automated way to notify emailers when the recipient is out of the office for a period of time (ideally, for a vacation). The feature is called Out of Office (OOO). When you invoke it, Outlook will reply to your incoming emails with a message you write before leaving. Your response message could read something like this: “I’m out of the office until May 2. For immediate assistance, please call ABC Bank at 789-555-1234.”
The OOO feature is a convenient means of notifying staff, customers or vendors that you’re away from the office, and letting them know when you’ll return.
The hitch: Hackers will use spam email to gauge what time you normally arrive at work, get back from lunch, and catch up on emails, by noting when their messages receive an OOO response. Once hackers know you’re away, they can plan hacks on your account knowing the breach will likely go undetected until you return. They might also use social engineering to impersonate you, contact your customers, and persuade them to release sensitive information—or money.
To disclose less information for hackers to exploit, you could limit your OOO responses to addresses in your Outlook contacts folder. One approach: From the OUTSIDE MY ORGANIZATION tab, click the MY CONTACTS ONLY button instead of ANYONE OUTSIDE MY ORGANIZATION. With these settings, OOO will reply only to email addresses in your contacts folder.
If that option—which could result in legitimate inquiries from new customers going unanswered for days—is unacceptable, there’s another alternative: You could have your incoming emails redirected to a colleague during your absence.
Either solution will further secure your bank and your work identity. Even if your bank doesn’t use Outlook, almost all email programs have similar built-in functions. Ask your IT staff if you have questions about your system.
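For IT staff who administer Exchange Online, the same MY CONTACTS ONLY restriction can be audited across every mailbox and applied from PowerShell. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, and admin@bank.example is a placeholder account.

```powershell
# Added example (not from the original post): report Exchange Online mailboxes
# whose Out of Office reply is turned on and answering ANYONE outside the
# organization, and with -Fix narrow them to contacts only. ExternalAudience
# "Known" is the PowerShell equivalent of the MY CONTACTS ONLY button.
# Assumes the ExchangeOnlineManagement module and an account with Exchange
# admin rights; admin@bank.example is a placeholder.

param(
    [switch]$Fix   # without -Fix the script only reports
)

Connect-ExchangeOnline -UserPrincipalName admin@bank.example

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    $cfg = Get-MailboxAutoReplyConfiguration -Identity $mbx.Identity

    # AutoReplyState is Disabled, Enabled, or Scheduled; skip mailboxes with no OOO
    if ($cfg.AutoReplyState -eq 'Disabled') { continue }

    # ExternalAudience: None (internal only), Known (contacts only), All (anyone)
    if ($cfg.ExternalAudience -eq 'All') {
        Write-Output ("{0}: OOO {1}, replies to ANYONE outside the organization" -f
            $mbx.PrimarySmtpAddress, $cfg.AutoReplyState)

        if ($Fix) {
            # Keep the message text and schedule; only narrow who receives the reply
            Set-MailboxAutoReplyConfiguration -Identity $mbx.Identity -ExternalAudience Known
            Write-Output ("{0}: external audience set to Known (contacts only)" -f
                $mbx.PrimarySmtpAddress)
        }
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it without -Fix first to see which mailboxes would change before applying the setting.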
More security measures you can take before you leave:
- Unplug your desktop computer from the network. Hackers try to run stealthy programs from unattended computers. Don’t let them use yours.
- If you don’t need email access while away, ask IT to temporarily disable your network ID.
- Reset your network password. This has two benefits: You won’t risk getting a prompt for a new password while you’re gone, and hackers won’t be able to use the old password when your user ID is idle.
You deserve a stress-free vacation. Put potential cybersecurity concerns to rest by following the recommendations above—and enjoy your time off.
Posted September 13, 2016
On July 1, the FDIC released the Information Technology Risk Examination program (InTREx), which replaced its IT risk management program.
Since the release, several states have adopted InTREx, and more states are likely to follow suit. One reason: InTREx is considerably smaller than most IT risk questionnaires, and it has a quantifiable ability to determine scope and resources needed for exams. Many states have modified the program to fit their needs; they also have the option of building sections to further define each exam.
At least 90 days prior to an IT exam, the bank will receive an Information Technology Profile from FDIConnect. The profile is made up of 26 questions, under the categories of: Core Processing (4); Network (6); Online Banking (4); Development and Programming (1); Software and Services (2); and Other (9).
For the examination, banks will be assessed using four core analysis modules: Audit; Management; Development and Acquisition; and Support and Delivery. Two workpapers contained within InTREx—one covering information security standards and one applicable to cybersecurity—are referenced in the core analysis modules.
Also built into the document are two expanded analysis sections—one specific to management, the other pertaining to support and delivery. Examiners may opt to complete either or both expanded sections if certain procedures are not specifically addressed in the core modules, or if an examiner determines the bank needs additional analysis.
All questions and referenced materials (modules, expanded sections, workpapers) are incorporated in the downloadable InTREx document, which is posted to the FDIC website via this link: https://www.fdic.gov/news/news/financial/2016/fil16043a.pdf
InTREx will markedly change how a bank prepares for and conducts IT examinations and audits. The new InTREx process can help banks wanting to adopt a more proactive stance to risk while devising their IT strategy. Overall, a bank that completes the initial questions and reviews the modules and workpapers will be better prepared for an exam by the FDIC or by a state that has adopted InTREx.
InTREx is also a publicly available, examiner-approved and organized way to internally audit a bank’s IT functions with a heavy emphasis on cybersecurity.