What We ll Cover. Assessing Risk. Common elements in risk assessments NCUA categories of risk Risk assessments required by law

Size: px
Start display at page:

Download "What We ll Cover. Assessing Risk. Common elements in risk assessments NCUA categories of risk Risk assessments required by law"

Transcription

1 Assessing Risk It s the Law What We ll Cover Common elements in risk assessments NCUA categories of risk Risk assessments required by law What to assess Factors to consider When to assess Resources to help 1

2 Common Elements in a Risk Assessment 1. Identification Risks Mitigating ii i Factors/Controls Assignment of Rating How likely is the risk/threat to occur? What is the impact of the risk? How strong is the factor/control? Determining Residual Risk Risk Rating + Control Rating = What s left? Developing Strategies for Higher Risk 4 common responses to risk Step 1 Identification Risk of Driving a Car Risk Mitigating Factor/Control 2

3 Types of Controls Step 2 Assignment of Rating Risk FLAT TIRE Likelihood Impact Mitigating Factors/Controls 3

4 Step 3 Determining Residual Risk LIKELIHOOD + IMPACT = INHERENT RISK MEDIUM (2) + HIGH (3) = MED/HIGH (2.5) + CONTROLS = RESIDUAL RISK (WHAT S LEFT AFTER ALL CONTROLS ARE CONSIDERED) MED/HIGH (2.5) + HIGH (3) = LOW Now what? 4 common responses to risk 4

5 4 Common Responses Avoidance Mitigate /Reduce Acceptance Transference Consider if the risk is a result of activities outside the core business. If outside and high, consider ceasing undertaking these activities. If something you want to do within the business, figure out a possible alternative way of doing things to minimize risk or loss. Use of control measures. Cost of doing business, contingency plan. Possible transfer of loss via insurance, vendor whose core business is this activity, outsource. Step 4 Develop Strategy/Response for Higher Residual Risks You determine the appropriate response based on your credit union s appetite for risk. ik Cannot ignore risks rated HIGH 5

6 Remember the focus Strategic Reputation Credit Interest Rate Liquidity Transaction Compliance NCUA Categories of Risk 6

7 BSA Risks to assess: Money laundering Factors to consider: Members, products, services, geographic locations. When: Update periodically especially when any of the above factors change. Resources: Appendix J, Quantity of Risk Matrix, FFIEC BSA/AML Manual OFAC Risks to assess: Areas vulnerable to OFAC transactions Factors to consider: Membership base, high risk members, geographic locations, products, services, past OFAC actions. When: Ongoing as new products and services are offered. Resources: Appendix M, Quantity of Risk Matrix, FFIEC BSA/AML Manual 7

8 ACH Risks to assess: Strengths and weaknesses in major components of ACH functions within organization Factors to consider: Quality of systems/controls, credit risk, compliance, high risk activities, 3 rd party servicer providers, direct access, operational/transactional, information technology, membership base, high risk members, geographic locations, products, services, past OFAC actions. When: Ongoing as new products and services are offered. Resources: FFIEC BSA/AML Examination Manual, Guidance on Risk Management of Remote Deposit Capture Examination Handbooks, ACH Rules Vendor Management Risks to assess: Whether the relationship compliments the Credit Union s overall mission and philosophy and is consistent with CU s overall business strategy and risk tolerances Factors to consider: Proposed activities, related costs, product and services standards, and third party involvement. When: Prior to engaging in a proposed activity or offering a product or service and periodically as long as the product/service is offered. Resources: CUNA s Due Diligence Task Force Third Party Vendor Management Guide, FFIEC Retail Payment Systems Exam Handbook, NCUA AIRES Third Party Relationship Questionnaire 8

9 Identity Theft Red Flags Risks to assess: Changes in identity theft risks to members and safety and soundness of CU Factors to consider: Types of accounts offered, ways they are opened/accessed, d risks ik of identity theft using those channels. When: Periodically as identity theft risks change or when new methods of opening/accessing accounts are introduced. Resources: Regulation V Fair Credit Reporting Appendix J to Part 222 Interagency Guidelines on ID Theft, Detection, Prevention and Mitigation and Supplement to this Appendix Internet Banking Authentication Risks to assess: Controls in place to authenticate identity of member using electronic banking services and internet banking Factors to consider: Products/services offered using internet, changes in internal/external threats, changes in membership base adopting e banking, changes in functionality offered, actual incidents of security breaches, ID theft, or fraud experienced by CU or industry. When: Periodically as risks change or when factors listed above change but at least annually. Resources: Guidance on Authentication in Internet Banking (Letter 05 CU 18) FAQ (Letter 06 CU 13) Supplement to 2005 Guidance (Letter 11 CU 09), Risk Alert: 13 Risk 01, NCUA IT AIRES Member Online Services 9

10 Information Security Risks to assess: Threats to the security, confidentiality, or integrity of the Credit Union's information systems and member data Factors to consider: Member information that is stored on systems owned or managed by service providers, and member information disposed of by service providers used by the credit union, likelihood and potential damage, sufficiency of policies and procedures, weaknesses/deficiencies in existing security controls. When: At least every 12 months and prior to implementing new products/services or system changes, ongoing and continually. (Information on review and findings should be included in written program). Resources: LCU ENC, FFIEC Information Security Booklet E Commerce Risks to assess: Operational, transactional, legal, compliance, security, reputational, business continuity associated with e commerce activities Factors to consider: Internal/external threats including employees, hackers, failure of critical service providers, disasters, likelihood and controls. When: Prior to implementing new products/services, periodically and reassess when a new delivery system, vendor, serviceprovideror or product is adopted. Resources: NCUA E Commerce Guide LCCU

11 Remote Deposit Capture Risks to assess: Legal, compliance, operational Factors to consider: Clearing methods used, financial loss due to human error or fraud, failure to maintain compatible and integrated IT systems, MFA, fraud detection, insider fraud, securing member info, MDD and VDD/Suitability, member training, contracts, BCP. When: Prior to implementation and reviewed periodically. Resources: LCU ENC, 09 CU 07, 13 CU 01 Patch Management Risks to assess: Software vulnerabilities and direction for the implementation of a path management program (part of Info Security Program) Factors to consider: Vendors providing software, process, software vulnerabilities, system weaknesses, impact, quality of controls, monitoring and testing. When: Annually and periodically, reported to Board aspart ofpart 748, Safeguarding Member Info. Resources: LCU ENC, Risk Alert: 13 Risk 01 11

12 Remote Access Risks to assess: Connections to the Credit Union's network from any external location or host that may cause damage, such as loss of sensitive or company confidential data, intellectual property, damage to public image, damage to criticalinternalsystems internal systems, etc. Factors to consider: Any relevant changes in technology; changes in internal and external threats; changes in the member base adopting electronic banking; changes in member functionality offered through electronic banking; and actual incidents of security breaches, identity theft, or fraud experienced by the Credit Union or industry. When: Periodically as factors change. Resources: FFIEC IT Examination Handbook, NCUA AIRES IT Questionnaire Concentration Risk Risks to assess: Single exposure or group of exposures with the potential to produce losses large enough (relative to capital, total assets, or overall risk level) to threaten a financial institution s health or ability to maintain its core operations. Factors to consider: Risk of product/service, potential loss exposure, business decision on acceptable concentration level. When: At least semiannually reported to Board. Resources: LCU , FFIEC Advisory on IRR, 13 CU 01 12

13 Coming Soon Social Media Risks to assess: Potential harm to members, compliance and legal risks, as well as related risks, such as reputation and operational risks associated with the use of social media, along with expectations tti for managing those risks. ik Factors to consider: Products/services offered and applicable laws, payment systems used, BSA/ML concerns, privacy, negative public opinion, fraud/brand identity, third party concerns, employee use, loss due to failed processes or systems. When: To be dt determined. d Resources: FFIEC , LCU Best Practice Fair Lending Risks to assess: Potential for fair lending violations, discrimination in lending decisions. Factors to consider: All creditproductsandservices services offered, organizational structure, advertising or marketing media, lending channels, collections, loss mitigation functions, internal controls and monitoring. When: Ongoing. Resources: 13 FCU 02, Fair Lending Guide, FFIEC Fair Lending Exam Procedures, NCUA Fair Lending Compliance Best Practices for FCUs, April,

14 Amy Wargo, CUCE CU Solutions Group X493 14

Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC

Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC Enterprise Risk Management Process Improvement 2 Contact Information Contact Information Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone: 605-480-3366 chad.knutson@protectmybank.com

More information

Information Technology

Information Technology Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level

More information

Risk Management of Remote Deposit Capture

Risk Management of Remote Deposit Capture Federal Financial Institutions Examination Council 3501 FAIRFAX DRIVE ROOM 3086 ARLINGTON, VA 22226-3550 (703) 516-5487 http://www.ffiec.gov Background and Purpose Risk Management of Remote Deposit Capture

More information

A Cautionary Tale Plus Cross-Channel Risk

A Cautionary Tale Plus Cross-Channel Risk Dan Tobin A Cautionary Tale Plus Cross-Channel Risk IT Examiner Supervision, Regulation & Credit Dan.tobin@bos.frb.org Agenda A Cautionary Tale Shames-Yeakel v. Citizens Financial Bank Cross-Channel Risk

More information

NCUA LETTER TO CREDIT UNIONS

NCUA LETTER TO CREDIT UNIONS NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 DATE: October 2001 LETTER NO.: 01-CU-12 TO: SUBJ: Federally Insured Credit Unions e-commerce Insurance

More information

Remote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, 2014. Topics of Discussion

Remote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, 2014. Topics of Discussion Remote Deposit Capture Customer Due Diligence FFIEC Tier II Exam Considerations Plus Mobile Capture! March 5, 2014 Carolyn C. Dowdy, Speaker Bank Project Solutions does not guaranty by implementing criteria

More information

DCU BULLETIN Division of Credit Unions Washington State Department of Financial Institutions

DCU BULLETIN Division of Credit Unions Washington State Department of Financial Institutions DCU BULLETIN Division of Credit Unions Washington State Department of Financial Institutions Phone: (360) 902-8701 FAX: (877) 330-6870 January 2, 2014 No. B-14-01 Bank Secrecy Act Guidance and Exam Procedures

More information

REGULATORY COMPLIANCE. Dynamic Solutions. Superior Results.

REGULATORY COMPLIANCE. Dynamic Solutions. Superior Results. REGULATORY COMPLIANCE Dynamic Solutions. Superior Results. STREAMLINE, STRENGTHEN AND SIMPLIFY YOUR COMPLIANCE EFFORTS CSI S AUTOMATED, DYNAMIC SOLUTIONS MITIGATE RISK, DECREASE COSTS AND IMPROVE COMPLIANCE

More information

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015 Cyber Security Auditing for Credit Unions ACUIA Fall Meeting October 7-9, 2015 Topics Introduction Cyber Security Auditing Program Discuss an effective and compliant Cyber Security Auditing Program from

More information

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red

More information

Outsourcing Technology Services A Management Decision

Outsourcing Technology Services A Management Decision Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships

More information

11- INFORMATION TECHNOLOGY RMP SNAPSHOT WORKPROGRAM

11- INFORMATION TECHNOLOGY RMP SNAPSHOT WORKPROGRAM 11- INFORMATION TECHNOLOGY RMP SNAPSHOT WORKPROGRAM INSTRUCTIONS 1. Review the IT Officer s Questionnaire (ITOQ) and comment on any responses from the ITOQ that result in a finding. 2. Provide responses

More information

GUIDANCE ON PAYMENT PROCESSOR RELATIONSHIPS (Revised July 2014)

GUIDANCE ON PAYMENT PROCESSOR RELATIONSHIPS (Revised July 2014) Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Financial Institution Letter FIL-127-2008 November 7, 2008 GUIDANCE ON PAYMENT PROCESSOR RELATIONSHIPS (Revised July

More information

Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment. August 15, 2006

Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment. August 15, 2006 Board of Governors of the Federal Reserve System Federal Deposit Insurance Corporation National Credit Union Administration Office of the Comptroller of the Currency Office of Thrift Supervision Frequently

More information

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX Mobile Banking Secure Banking on the Go Matt Hillary, Director of Information Security, MX Mobile Banking Channels SMS / Texting Mobile Banking Channels Mobile Web Browser Mobile Banking Channels Mobile

More information

Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers

Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers Tony DaSilva, AAP, CISA S&R Senior Technical Expert Federal Reserve Bank of Atlanta Disclaimer The opinions expressed

More information

Sample Financial institution Risk Management Policy 2011

Sample Financial institution Risk Management Policy 2011 Sample Financial institution Risk Management Policy 2011 1 Contents Risk Management Program...2 Internal Control and Risk Management Diagram... 2 General Control Environment... 2 Specific Internal Control

More information

NCUA LETTER TO CREDIT UNIONS

NCUA LETTER TO CREDIT UNIONS NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA DATE: August 2001 LETTER NO.: 01-CU-11 TO: SUBJ: ENCL: Federally Insured Credit Unions Electronic Data

More information

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results.

REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES. Dynamic Solutions. Superior Results. REGULATORY COMPLIANCE REGULATORY COMPLIANCE SERVICES Dynamic Solutions. Superior Results. PERSONALIZED HELP THAT RELIEVES THE BURDEN OF MANAGING COMPLIANCE The burden of managing risk and compliance is

More information

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire

INFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology

More information

NIST National Institute of Standards and Technology

NIST National Institute of Standards and Technology NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are

More information

Instructions for Completing the Information Technology Officer s Questionnaire

Instructions for Completing the Information Technology Officer s Questionnaire Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL OFFICE OF FOREIGN ASSET CONTROL COMPLIANCE REVIEW Report #OIG-06-09 December 18, 2006 William A. DeSarno Inspector General Released By:

More information

NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314

NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 DATE: APRIL 14, 1997 LETTER NO: 97-CU-5 TO: The Board of Directors of the Federal Insured Credit

More information

Ali Chalak, Manager. Top 10 Audit Findings

Ali Chalak, Manager. Top 10 Audit Findings Ali Chalak, Manager Top 10 Audit Findings Objective Review top ten audit findings for credit unions from regulators and external auditors standpoint. We will provide these findings, discuss the impact

More information

Mobile Deposit Policy

Mobile Deposit Policy Mobile Deposit Policy Mobile Deposit, a deposit transaction delivery system, allows the Credit Union to receive digital information from deposit documents captured at remote locations (i.e., the Credit

More information

National Check Payments Certification. Fraud, Risk, and Risk Mitigation Part II. Copyright 2015 by the Electronic Check Clearing House Organization

National Check Payments Certification. Fraud, Risk, and Risk Mitigation Part II. Copyright 2015 by the Electronic Check Clearing House Organization NCP 2016 Exam Cycle Core Training Series Session 11 National Check Payments Certification Fraud, Risk, and Risk Mitigation Part II Copyright 2015 by the Electronic Check Clearing House Organization NOTICES

More information

NCUA LETTER TO CREDIT UNIONS

NCUA LETTER TO CREDIT UNIONS NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 DATE: October 2000 LETTER NO.: 00-CU-07 TO: SUBJ: Federally Insured Credit Unions NCUA s Information

More information

Identifying Key Risk Indicator

Identifying Key Risk Indicator PUERTO RICO PAYMENTS SYMPOSIUM Identifying Key Risk Indicator EPOCPR Services Agenda for Today Background History Regulators & Risk Management Let s have fun Regulators & Risk Assessment ACH Risks Categories

More information

TABLE OF CONTENTS INTRODUCTION... 1

TABLE OF CONTENTS INTRODUCTION... 1 TABLE OF CONTENTS INTRODUCTION... 1 Overview...1 Coordination with GLBA Section 501(b)...2 Security Objectives...2 Regulatory Guidance, Resources, and Standards...3 SECURITY PROCESS... 4 Overview...4 Governance...5

More information

How-To Guide: Cyber Security. Content Provided by

How-To Guide: Cyber Security. Content Provided by How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses

More information

White paper: Nine Simple Steps to Vendor Management

White paper: Nine Simple Steps to Vendor Management White paper: Nine Simple Steps to Vendor Management March 2014 White Paper: Nine Simple Steps to Vendor Management Using a third-party vendor naturally subjects an institution to risks outside its control.

More information

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Submitted via email: cyberframework@nist.gov April 8, 2013 Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Developing a Framework

More information

Pandemic Planning. Presented by: Ron Wagner, IT Examiner with FDIC & Dana Lavey, Supervision Analyst with NCUA

Pandemic Planning. Presented by: Ron Wagner, IT Examiner with FDIC & Dana Lavey, Supervision Analyst with NCUA Pandemic Planning Presented by: Ron Wagner, IT Examiner with FDIC & Dana Lavey, Supervision Analyst with NCUA Regulator Expectations FDIC and NCUA have similar expectations for pandemic planning Pandemic

More information

Cybersecurity Issues for Community Banks

Cybersecurity Issues for Community Banks Eastern Massachusetts Compliance Network Cybersecurity Issues for Community Banks Copyright 2014 by K&L Gates LLP. All rights reserved. Sean P. Mahoney sean.mahoney@klgates.com K&L Gates LLP State Street

More information

Third-Party Senders Risks and Best Practices

Third-Party Senders Risks and Best Practices Third-Party Senders Risks and Best Practices Please turn off all cell phones or mobile devices. Thank you to today s sponsors! This morning s refreshment break sponsored by The Royal Bank of Scotland EventMobile

More information

FFIEC Supplemental Guidance to Authentication in an Internet Banking Environment. Robert Farmer Senior Technology Compliance Manager

FFIEC Supplemental Guidance to Authentication in an Internet Banking Environment. Robert Farmer Senior Technology Compliance Manager FFIEC Supplemental Guidance to Authentication in an Robert Farmer Senior Technology Compliance Manager 1 888 250 4400 Effective Date The FFIEC Supplement to Authentication in an was issued on June 28,

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

Validating Third Party Software Erica M. Torres, CRCM

Validating Third Party Software Erica M. Torres, CRCM Validating Third Party Software Erica M. Torres, CRCM Michigan Bankers Association Risk Management & Compliance Institute September 29, 2014 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

3 rd -party Security Risk Assessment

3 rd -party Security Risk Assessment 3 rd -party Security Risk Assessment Understanding Supplier Chain Risks. Presented by: Nasser Fattah CISSP, CISM, CISA, CGEIT Email: nasser.fattah@gmail.com Linkedin: www.linkedin.com/in/nasserfattah April

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Top Fraud Trends Facing Financial Institutions

Top Fraud Trends Facing Financial Institutions Top Fraud Trends Facing Financial Institutions Presented on: October 7, 2015, 2-3 ET Presented by: Ann Davidson - VP of Risk Consulting at Allied Solutions Webinar Agenda 1. Fraud trends in 2015 and beyond

More information

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

Payment Processor Relationships Revised Guidance

Payment Processor Relationships Revised Guidance Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Payment Processor Relationships Revised Guidance Financial Institution Letter FIL-3-2012 January 31, 2012 Summary:

More information

Identity Theft Red Flags Procedures

Identity Theft Red Flags Procedures 3 4 5 6 7 8 9 INTRODUCTION AND PURPOSE DEFINITIONS EXCEPTIONS PENALTIES RECORD RETENTION REQUIREMENTS A B D Identity Theft Red Flags Procedures 717.90 Duties Regarding the Detection, Prevention, and Mitigation

More information

Information Technology. A Current Perspective on Risk Management

Information Technology. A Current Perspective on Risk Management Information Technology A Current Perspective on Risk Management Topics Covered Information Security Program Common Examination Findings Existing and Emerging Risks ACH/Wire Fraud and Corporate Account

More information

What Directors need to know about Cybersecurity?

What Directors need to know about Cybersecurity? What Directors need to know about Cybersecurity? W HAT I S C YBERSECURITY? PRESENTED BY: UTAH BANKERS ASSOCIATION AND JON WALDMAN PARTNER, SENIOR IS CONSULTANT - SBS 1 Contact Information Jon Waldman Partner,

More information

NCUA LETTER TO CREDIT UNIONS

NCUA LETTER TO CREDIT UNIONS NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 DATE: September 2003 LETTER NO.: 03-CU-14 TO: SUBJ: ENCL: Federally Insured Credit Unions Computer

More information

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN 10/25/2012 TECHNOLOGY SERVICES INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN Procedure Name: LIT Risk Management Information Technology Plan ver 2.31.docx Risk Management Plan Issue Date: TBD Procedure Owner:

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Top Ten Fraud Risks That Impact Your Financial Institution. Presented by Ann Davidson - VP Risk Consulting Allied Solutions LLC.

Top Ten Fraud Risks That Impact Your Financial Institution. Presented by Ann Davidson - VP Risk Consulting Allied Solutions LLC. Top Ten Fraud Risks That Impact Your Financial Institution Presented by Ann Davidson - VP Risk Consulting Allied Solutions LLC Agenda Education on understanding the fraud risk Take away.. Education to

More information

Supervisory Committee Training Workshop. Las Vegas, NV

Supervisory Committee Training Workshop. Las Vegas, NV Supervisory Committee Training Workshop Las Vegas, NV 1 Supervisory Focus NCUA Letter 15 CU 01 Moss Adams Supervisory Committee Conference Las Vegas 2 picture of cybersecurity Moss Adams Supervisory Committee

More information

RISK MANAGEMENT AND COMPLIANCE

RISK MANAGEMENT AND COMPLIANCE RISK MANAGEMENT AND COMPLIANCE Contents 1. Risk management system... 2 1.1 Legislation... 2 1.2 Guidance... 3 1.3 Risk management policy... 4 1.4 Risk management process... 4 1.5 Risk register... 8 1.6

More information

Any business relationship between a bank and another entity, by contract or otherwise

Any business relationship between a bank and another entity, by contract or otherwise An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise

More information

Evaluating Payment Systems Service Providers. 2011 OSCUI Workshops

Evaluating Payment Systems Service Providers. 2011 OSCUI Workshops Evaluating Payment Systems Service Providers 2011 OSCUI Workshops Goal To provide credit unions with sound guidance regarding potential changes to payment service providers including the due diligence

More information

NCUA LETTER TO CREDIT UNIONS

NCUA LETTER TO CREDIT UNIONS NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA DATE: July 2002 LETTER NO.: 02-CU-13 TO: Federally Insured Credit Unions SUBJ: Vendor Information Systems

More information

Understanding It s Me 247 Security. A Guide for our Credit Union Clients and Owners

Understanding It s Me 247 Security. A Guide for our Credit Union Clients and Owners Understanding It s Me 247 Security A Guide for our Credit Union Clients and Owners October 2, 2014 It s Me 247 Security Review CU*Answers is committed to the protection of you and your members. CU*Answers

More information

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy.

security policy Purpose The purpose of this paper is to outline the steps required for developing and maintaining a corporate security policy. Abstract This paper addresses the methods and methodologies required to develop a corporate security policy that will effectively protect a company's assets. Date: January 1, 2000 Authors: J.D. Smith,

More information

Disaster Preparedness & Response

Disaster Preparedness & Response 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 A B C E INTRODUCTION AND PURPOSE REVIEW ELEMENTS ABBREVIATIONS NCUA REFERENCES EXTERNAL REFERENCES Planning - Ensuring

More information

Are All High-Risk Transactions Created Equal?

Are All High-Risk Transactions Created Equal? Are All High-Risk Transactions Created Equal? How to Minimize FFIEC Exam Pain 1 Lee Wetherington, AAP Director of Strategic Insight ProfitStars @leewetherington Agenda New Supplement to FFIEC Guidance

More information

Cybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org

Cybersecurity. Regional and Community Banks. Inherent Risks and Preparedness. www.bostonfed.org Cybersecurity Inherent Risks and Preparedness Regional and Community Banks www.bostonfed.org Disclaimer The opinions expressed in this presentation are intended for informational purposes, and are not

More information

Federal Financial Institutions Examination Council FFIEC. Retail Payment Systems RPS. February 2010 IT EXAMINATION HANDBOOK

Federal Financial Institutions Examination Council FFIEC. Retail Payment Systems RPS. February 2010 IT EXAMINATION HANDBOOK Federal Financial Institutions Examination Council FFIEC Retail Payment Systems February 2010 RPS IT EXAMINATION HANDBOOK RETAIL PAYMENT SYSTEMS RISK MANAGEMENT Action Summary Financial institutions engaged

More information

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,

More information

RDC Risk Management & FFIEC Compliance

RDC Risk Management & FFIEC Compliance RDC Risk Management Presented By: John Leekley, Founder & CEO Ed McLaughlin, Executive Director RemoteDepositCapture.com & Hope Schall, Attorney, Vedder Price P.C. This webinar is sponsored by: February

More information

Identity Theft Red Flags & Address Discrepancies under the FACT Act of 2003. Summary of Final Rule

Identity Theft Red Flags & Address Discrepancies under the FACT Act of 2003. Summary of Final Rule Identity Theft Red Flags & Address Discrepancies under the FACT Act of 2003 Summary of Final Rule On November 9, 2007, the Office of the Comptroller of the Currency ( OCC ), Federal Reserve Board ( Board

More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

FFIEC Authentication Guidance Examination in 2012: Are You Prepared?

FFIEC Authentication Guidance Examination in 2012: Are You Prepared? FFIEC Authentication Guidance Examination in 2012: Are You Prepared? Areas of Continuity, Change, and Emphasis The Knowledge Congress LIVE Webcast March 8, 2012 Andrew Lorentz Partner, Washington, D.C.

More information

Anti-Money Laundering Policy Manual Table of Contents [Sample Client] Table of Contents

Anti-Money Laundering Policy Manual Table of Contents [Sample Client] Table of Contents Table of Contents [ Client] Table of Contents TABLE OF CONTENTS... 1 CHAPTER 1 INTRODUCTION... 3 1.1 GOALS AND OBJECTIVES... 3 1.2 REQUIRED REVIEW... 3 1.3 APPLICABILITY... 3 1.4 MONEY LAUNDERING DEFINED...

More information

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices

More information

Compliance and Ethics at the Federal Reserve Bank of New York

Compliance and Ethics at the Federal Reserve Bank of New York Compliance and Ethics at the Federal Reserve Bank of New York Operational Risk and Internal Audit Course Marina Adams, Compliance Officer and AVP David K. Clune, Compliance and Ethics Officer Kevin White,

More information

Cyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP

Cyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Cyber Security Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Speakers: Keith Overly, Executive Director, Ohio Deferred Compensation Program Raj Patel, Partner, Plante & Moran, PLLC

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary

More information

RISK MANAGEMENT IN A FOR-

RISK MANAGEMENT IN A FOR- RISK MANAGEMENT IN A FOR- PROFIT ORGANISATION 1 OBJECTIVES Explain the risk management framework The underlying process and cycle, and resources and people involved The framework can be applied in for

More information

NIST Cybersecurity Framework & A Tale of Two Criticalities

NIST Cybersecurity Framework & A Tale of Two Criticalities NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented

More information

Vendor Management Compliance Top 10 Things Regulators Expect

Vendor Management Compliance Top 10 Things Regulators Expect Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.

More information

O OCC BULLETIN OCC 2006-39. Automated Clearing House Activities. Risk Management Guidance

O OCC BULLETIN OCC 2006-39. Automated Clearing House Activities. Risk Management Guidance O OCC BULLETIN Comptroller of the Currency Administrator of National Banks Subject: Automated Clearing House Activities Description: Risk Management Guidance TO: Chief Executive Officers, Chief Risk Officers,

More information

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy and Handbook Overview. ITSS Information Security June 2015 Information Security Policy and Handbook Overview ITSS Information Security June 2015 Information Security Policy Control Hierarchy System and Campus Information Security Policies UNT System Information

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

Vendor Management Compliance Top 10 Things Regulators Expect

Vendor Management Compliance Top 10 Things Regulators Expect Vendor Management Compliance Top 10 Things Regulators Expect Peter Davey, AAP VP & Director, Enterprise Payments, CapitalOne Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay

More information

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL FY 2015 INDEPENDENT EVALUATION OF THE EFFECTIVENESS OF NCUA S INFORMATION SECURITY PROGRAM UNDER THE FEDERAL INFORMATION SECURITY MODERNIZATION

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

UF Risk IT Assessment Guidelines

UF Risk IT Assessment Guidelines Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an

More information

Managing TPPPs and TPSs in the Current Regulatory Environment

Managing TPPPs and TPSs in the Current Regulatory Environment November 2015 Managing TPPPs and TPSs in the Current Regulatory Environment Prepared by: Jodie Ruby, Director Audience: This document is intended for managers, directors and executives who deal with business

More information

REGULATORY COMPLIANCE SERVICES for Financial Institutions

REGULATORY COMPLIANCE SERVICES for Financial Institutions REGULATORY COMPLIANCE SERVICES for Financial Institutions TRUPOINT PARTNERS Regulatory Compliance Services for Financial Institutions THIS IS SMART COMPLIANCE. TRUPOINT PARTNERS PROVIDES COMPLIANCE SOLUTIONS

More information

PACB One-Day Cybersecurity Workshop

PACB One-Day Cybersecurity Workshop PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance

More information

Performing Vendor Risk Assessments

Performing Vendor Risk Assessments Performing Vendor Risk Assessments You can outsource the work, but you can t outsource the risk! Presented by Jennifer F Alfafara Consultant, Resources Global Professionals Introduction 2 There is significant

More information

NATIONAL CYBER SECURITY AWARENESS MONTH

NATIONAL CYBER SECURITY AWARENESS MONTH NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the

More information

An Information Security and Privacy Perspective for Procurement Services Projects

An Information Security and Privacy Perspective for Procurement Services Projects MANAGEMENT OF DATA: An Information Security and Privacy Perspective for Procurement Services Projects Presentation for: Procurement Services Senior Leadership Meeting Presented by: Ann Nagel, Associate

More information

ESET Secure Authentication

ESET Secure Authentication ESET Secure Authentication Second factor authentication and compliance Document Version 1.2 6 November, 2013 www.eset.com ESET Secure Authentication - second factor authentication and compliance 2 2 Summary

More information

Third Party Relationships

Third Party Relationships 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 A B D INTRODUCTION AND PURPOSE Background Yes/No Comments 1. Does the credit union maintain a list of the third party

More information

FACTA Identity Theft Red Flags Program. www.chs.acfei.com

FACTA Identity Theft Red Flags Program. www.chs.acfei.com 1 FACTA Identity Theft Red Flags Program Module 1 Fair and Accurate Credit Transactions Act Overview Identity thieves use individual s personal identifiable information to open new accounts and misuse

More information

Appendix J: Strengthening the Resilience of Outsourced Technology Services

Appendix J: Strengthening the Resilience of Outsourced Technology Services Appendix J: Strengthening the Resilience of Outsourced Technology Services Background and Purpose Many financial institutions depend on third-party service providers to perform or support critical operations.

More information

How To Manage A Credit Union Collection System

How To Manage A Credit Union Collection System CUNA Courses Credit union self-study training for staff, managers & volunteers SELLER Best Seller Due to a current change in regulation, this course is being updated. Accounting, Budgeting & Finance Accounting

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Consulting and Professional Services Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Designing an Operational Risk Program for

More information

Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective

Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective Rory Guenther, CISA Senior Examiner, Operational Risk Specialist,

More information

Vendor Management. Outsourcing Technology Services

Vendor Management. Outsourcing Technology Services Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring

More information