Get on First Base with your Regulators and Cyber Security
- Eugenia Cannon
- 8 years ago
Slide 1: Get on First Base with your Regulators and Cyber Security
Secure Banking Solutions, Chad Knutson

Slide 2: Presenter
- Chad Knutson, VP SBS Institute, Senior Information Security Consultant
- Masters in Information Assurance
- CISSP, CISA, CRISC
- Cell: (605)

Slide 3: Background
- 10 years of community bank consulting at SBS
- Experience in risk management, ISP development, and auditing
- SBS has worked with over 800 banks in 45 states
- Relationship with Dakota State University: NSA & DHS National Center of Excellence in Information Assurance, one of the only universities focusing on community banking security
Slide 4: Cybersecurity
"America's economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property. Although the threats are serious and they constantly evolve, I believe that if we address them effectively, we can ensure that the Internet remains an engine for economic growth and a platform for the free exchange of ideas." - President Obama
Slide 5: Growth in Banking
- Bank: new products/services
  - Mobile
  - Cash management
  - Consumer capture
  - Online account opening
  - Integrative teller machines
  - P2P payment systems
- Cybercrime increasing
  - Organized crime
  - Advanced persistent threats
- (Diagram labels: Third Party, Customer)

Slide 6: APT vs Organized Crime

Slide 7: FFIEC Cyber Security
- Main site:
- Board/Senior Management video:
- Observations: Assessment_Observations.pdf

Slide 8: FFIEC Observations

Slide 9: FFIEC Observations
Inherent Risk: Financial institutions need a solid methodology to identify inherent risk from cyber threats. Community banks should ensure the following:
- An asset-based IT risk assessment that identifies:
  - Connection types
  - Products and services offered
  - Technologies implemented
- Specific risks mentioned include:
  - ATM fraud
  - BYOD risks
  - Wire and ACH fraud
  - DDoS attacks

Slide 10: FFIEC Observations
Preparedness: Following a solid understanding of the inherent risks to community banks, institutions need to focus on risk mitigation. The FFIEC highlights the following areas:
- Risk management and oversight involves governance, allocation of resources, and training and awareness of employees.
- Threat intelligence and collaboration is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities that offer courses of action to enhance decision making.
- Cybersecurity controls can be preventive, detective, or corrective.
- External dependency management includes the connectivity to third-party service providers, business partners, customers, or others, and the financial institution's expectations and practices to oversee these relationships.
- Cyber incident management and resilience involves incident detection, response, mitigation, escalation, reporting, and resilience.

Slide 11: Fresh Update to BCP Guidance

Slide 12: Cybercrime Made Easy
- Underground markets (linked article: cards stolen in the Target breach flood underground markets)
- Default passwords
- Hacking tools
- Hacking toolkits
- Caller ID spoofing
- Social Engineer Toolkit
- Crime as a Service (CaaS)
- DDoS
- Exploit resource sites
- Big news vulnerabilities
Slide 13: Weak / Default Passwords
- Numerous password database breaches in 2012/2013
- Password cracking technology taken to a new level with GPU (graphics card) processor capabilities
- "In 76% of data breaches, weak or stolen user names and passwords were a cause." - Verizon

Slide 14: Password Reuse & Breaches
- Secure passwords: 73% of users share the passwords which they use for online banking with at least one nonfinancial website.
- "With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts. Once the bad guys got it, it was very simple to move around [the network]." - Lance Spitzner, SANS
- 59% had the same password between the Yahoo and Sony breaches
- 67% had the same password between the Sony and Gawker breaches
Slide 15: Hacking Tools

Slide 16: Kali Linux

Slide 17: Caller ID Spoofing

Slide 18: Social Engineering

Slide 19: Crime as a Service (CaaS)
- Growing threat
- Built using botnets
- Provides services such as:
  - Conducting DDoS
  - Conducting phishing
  - Anti-antivirus services
  - Keylogging and central reporting

Slide 20: Crime as a Service (CaaS)

Slide 21: ATM Fraud Increasing
Slide 22: ATM FFIEC Alert
- "Unlimited operations" fraud attack that netted more than $40 million with only 12 debit cards
- Often begins with a phishing e-mail sent to bank employees. Hackers seek to obtain employee credentials to inject malware into a financial institution's system.
- The ultimate target is the web-based ATM control panel. The attack then hits numerous ATMs using stolen debit card data.
- Focus on weekends/holidays and Windows XP systems

Slide 23: USB Theft
- Find a specific style of ATM (also Windows XP)
- Drill a hole in the casing and insert a USB or SD card; the hole is covered with a sticker or patch
- Infects the computer with malware
- Each time, the criminals simply typed a 12-digit code into the ATM to launch a custom interface
- Also required the thief to enter a second code in response to numbers shown on the ATM's screen before they could release the money
- Returned to the regular screen after 3 minutes
- Jackpot at Defcon (caution: language)

Slide 24: Recent Malware Heist
- NCR ATMs attacked in Malaysia: $1 million with the help of malware they'd installed on at least 18 ATMs across the country. (Krebs)

Slide 25: Latest Skimming Techniques
- Completely fake ATMs and ATM covers
- Keypad overlays instead of cameras
- Transmission devices: cell phone, WiFi, Bluetooth
- Gluing down the physical Enter, Cancel and Clear keys, allowing the hacker to capture the PIN and get the card
- Card/cash trapping
Slide 26: CATO - Corporate Account Takeover

Slide 27: What is CATO?
Corporate Account Takeover is an evolving electronic crime typically involving the exploitation of businesses of all sizes, especially those with limited to no computer safeguards and minimal or no disbursement controls for use with their bank's online business banking system. These businesses are vulnerable to theft when cyber thieves gain access to their computer system to steal confidential banking information in order to impersonate the business and send unauthorized wire and ACH transactions to accounts controlled by the thieves. Municipalities, school districts, large non-profit organizations, corporate businesses, and any customers that perform electronic transfers are potential targets. Losses from this form of cyber-crime range from the tens of thousands to the millions, with the majority of these thefts not fully recovered. These thefts have affected both large and small banks. (Source: Texas ECTF)

Slide 28: Corporate Account Takeover
- FDIC lists this as a top threat, responsible for:
  - millions of dollars in losses
  - frayed business relationships
  - litigation affecting both financial institutions and commercial accounts
- "Around 85% of cyber attacks are now targeting small businesses." - White House Cybersecurity Coordinator

Slide 29: Faces of Fraud

Slide 30: CATO Fraud Losses

Slide 31: CATO Issues
- Cyber-criminals are targeting commercial accounts
- Business/commercial accounts do not have the same legal protections afforded to consumer accounts (Reg E)
- If financial institutions do not start to prevent fraud in commercial accounts, the government will expand legal protections to commercial accounts; what will this COST? (Sen. Chuck Schumer (D-NY), "Schumer Bill")
Slide 32: Outcome
[Chart residue: two charts, "Who is responsible?" with categories Customer, Bank, Government, Law Enforcement, and "Relationship Status" with categories Diminished trust, Move Money, No Change, Terminated; the percentage labels cannot be matched to categories in the extracted text.]
Slide 33: Small Business Security
- 70% lack basic security controls
- Get to the basics with each small business
- Conduct a risk assessment looking for these basic security controls: firewall, strong passwords, malware protection, etc.

Slide 34: The Legal Battle - "Commercially Reasonable"
- EMI case: an EMI employee opened and clicked on links within a phishing e-mail; ... M in wires were stolen, of which $560,000 was not recoverable. Court rules in favor of the small business.
- Patco Construction's computer was infected with Zeus malware, which stole $589,000 via ACH (payroll), with a net loss of $345,440. Court rules in favor of the bank; then on July 3, 2012 the appeals court overturned in favor of the small business. Court calls a "one-size-fits-all" approach commercially unreasonable.

Slide 35: Win (?) for Banks
- Choice Escrow and Land Title LLC sued BancorpSouth Inc. for a $440,000 loss via a single wire in March
- Choice Escrow was offered, and explicitly declined in writing, the use of dual controls and wire limits.
- Important factors:
  - Incident occurred prior to January 2012
  - Offering of controls was clearly documented

Slide 36: Recent Incidents
- May: J.T. Alexander & Son Inc. - $800,000 in ACH transactions ranging from $5-10K to 60 mules; the company has 15 employees with an average $30K payroll.
- April 2013: Chelan County Public Hospital - $1M in ACH transactions from the payroll account using 96 mules. Identified by Brian Krebs.
- December: Efficient Services Escrow Group - $1.5M in wires (December $.4M and January $1.1M). Forced the company to close.
- December 2012: Ascent Builders Inc. - $900,000 in wires and ACH, covered up by a DDoS. Identified by Brian Krebs.
- July 2013: Texas Brand Bank (TBB) sues Luna & Luna, LLP. Funds at JP Morgan: $1.66M in three separate wire transfers (2012), U.S. Department of Housing and Urban Development (HUD) funds. The bank had lent $1.66M to the corporate customer; it went unpaid. Government froze the funds.
Slide 37: Regulatory Guidance
- FFIEC Specific Supervisory Expectations (1/2012):
  - Risk assessment
  - Customer authentication for high-risk transactions
  - Layered security programs
  - Effectiveness of certain authentication techniques
  - Customer awareness and education
- Conference of State Bank Supervisors (CSBS) Expectations, 19 controls (12/2012): Prevent, Detect, Respond
- Resources:
  - FFIEC 2005 Guidance
  - FFIEC Supplement Guidance
  - FIL
  - CSBS Guidance
  - NACHA CATO Group
  - Customer Movement

Slide 38: FFIEC Risk Assessment
Should be updated when new information is obtained, new electronic services are offered, or at least every 12 months. It should consider:
- Changes in internal and external threats
- Changes in customer base adoption
- Changes in functionality offered
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry

Slide 39: FFIEC Layered Security Programs
Effective controls that may be incorporated in a layered security program include, but are not limited to:
- Fraud monitoring and detection
- Dual authorization
- Out-of-band transaction verification
- Positive pay
- Account activity controls or limits on value, volume, timeframes, and payment recipients
- IP reputation-based blocking tools
- Policies and procedures for addressing potentially infected customer devices
- Enhanced control over account maintenance
- Enhanced customer education

Slide 40: FFIEC Customer Awareness and Education
Efforts should address both retail and commercial accounts and, at a minimum, include:
- Explanation of protections provided, and not provided, or limitations relative to Regulation E.
- Explanation of circumstances and through what means unsolicited requests may be made to the customer.
- Suggestions for the commercial online banking customer to perform a risk assessment and controls evaluation periodically.
- A list of alternative risk control mechanisms and resources that customers may consider to mitigate their own risk.
- A list of institutional contacts for customers' use in the event they notice suspicious activity or security incidents.
Slide 41: PROTECT
Implement processes and controls to protect the financial institution and corporate customers.
- P1. Expand the risk assessment to include corporate account takeover.
- P2. Rate each customer (or type of customer) that performs online transactions.
- P3. Outline to the Board of Directors the Corporate Account Takeover issues.
- P4. Communicate basic online security practices for corporate online banking customers.
- P5. Implement/enhance customer security awareness education for retail and high-risk business account holders.
- P6. Establish bank controls to mitigate risks of corporate accounts being taken over.
- P7. Review customer agreements.
- P8. Contact your vendors to regularly receive information regarding reducing the risk of Corporate Account Takeovers.

Slide 42: DETECT
Establish monitoring systems to detect electronic theft and educate employees and customers on how to detect a theft in progress.
- D1. Establish automated or manual monitoring systems.
- D2. Educate bank employees on warning signs that a theft may be in progress.
- D3. Educate account holders on warning signs of potentially compromised computer systems.

Slide 43: RESPOND
Prepare to respond to an incident as quickly as possible (measured in minutes, not hours) to increase the chance of recovering the money for your customer.
- R1. Update incident response plans to include Corporate Account Takeover.
- R2. Immediately verify if a suspicious transaction is fraudulent.
- R3. Immediately attempt to reverse all suspected fraudulent transactions.
- R4. Send a Fraudulent File Alert through FedLine.
- R5. Immediately notify the receiving bank(s) of the fraudulent transactions and ask them to hold or return the funds.
- R6. Implement a contingency plan to recover or suspend any systems suspected of being compromised.
- R7. Contact law enforcement and regulatory agencies once the initial recovery efforts have concluded.
- R8. Implement procedures for customer relations and documentation of recovery efforts.
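An added example (not from the presentation or SBS) of the automated monitoring called for in D1, built from the layered controls listed under the FFIEC layered security programs slide: each outgoing wire or ACH item is scored against per-customer value and daily-volume limits, a business-hours/weekend timeframe window, a known-recipient list, an IP reputation block list and a dual-authorization rule, and is then released, held for out-of-band verification, or blocked. The customer profile, thresholds, transactions and the block-listed address are constructed sample data, not real indicators.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed IP reputation block list (RFC 5737 documentation address, not a real indicator).
BAD_IP_REPUTATION = {"203.0.113.7"}

# Findings that stop an item outright rather than queue it for verification.
HARD_STOPS = {"ip-reputation", "over-single-limit", "over-daily-volume"}


@dataclass
class CustomerProfile:
    customer_id: str
    single_txn_limit: int           # cents; hard cap per wire/ACH item
    daily_volume_limit: int         # cents; hard cap on the same-day total
    dual_auth_threshold: int        # cents; at or above this a second approver is required
    known_recipients: set = field(default_factory=set)
    business_hours: tuple = (7, 19)  # local hours in which releases are routine


@dataclass
class Transaction:
    txn_id: str
    customer_id: str
    amount_cents: int
    recipient_account: str
    submitted_at: datetime
    source_ip: str
    approvers: tuple = ()           # distinct users who approved the item


def evaluate(txn, profile, prior_today):
    """Score one item against the layered controls.

    prior_today: same-customer, same-day items already accepted (released or held).
    Returns (decision, reasons) with decision in {"release", "hold", "block"}.
    """
    reasons = []
    # IP reputation-based blocking
    if txn.source_ip in BAD_IP_REPUTATION:
        reasons.append("ip-reputation")
    # Account activity limits on value and volume
    if txn.amount_cents > profile.single_txn_limit:
        reasons.append("over-single-limit")
    day_total = sum(t.amount_cents for t in prior_today) + txn.amount_cents
    if day_total > profile.daily_volume_limit:
        reasons.append("over-daily-volume")
    # Limits on payment recipients: first payment to an account not seen before
    new_recipient = txn.recipient_account not in profile.known_recipients
    if new_recipient:
        reasons.append("new-recipient")
    # Timeframe control: weekends and off-hours, when takeovers are typically cashed out
    start, end = profile.business_hours
    if txn.submitted_at.weekday() >= 5 or not start <= txn.submitted_at.hour < end:
        reasons.append("off-hours")
    # Dual authorization for high-value items and for any new recipient
    needs_dual = txn.amount_cents >= profile.dual_auth_threshold or new_recipient
    if needs_dual and len(set(txn.approvers)) < 2:
        reasons.append("dual-authorization-required")
    if any(r in HARD_STOPS for r in reasons):
        return "block", reasons
    if reasons:
        return "hold", reasons      # out-of-band verification / call-back before release
    return "release", reasons


def run_batch(transactions, profiles):
    """Process items in submission order, tracking same-day totals per customer."""
    accepted = []   # released or held items count toward the daily volume
    results = {}
    for txn in sorted(transactions, key=lambda t: t.submitted_at):
        prior = [t for t in accepted
                 if t.customer_id == txn.customer_id
                 and t.submitted_at.date() == txn.submitted_at.date()]
        decision, reasons = evaluate(txn, profiles[txn.customer_id], prior)
        results[txn.txn_id] = (decision, reasons)
        if decision != "block":
            accepted.append(txn)
    return results


# Constructed sample profile and items (2015-06-02 is a Tuesday, 2015-06-06 a Saturday)
PROFILES = {
    "ACME": CustomerProfile("ACME", single_txn_limit=2_500_000, daily_volume_limit=6_000_000,
                            dual_auth_threshold=1_000_000, known_recipients={"PAYROLL-001"}),
}
SAMPLE_TXNS = [
    Transaction("T1", "ACME", 800_000, "PAYROLL-001", datetime(2015, 6, 2, 10, 0), "198.51.100.10", ("alice",)),
    Transaction("T2", "ACME", 1_200_000, "PAYROLL-001", datetime(2015, 6, 2, 11, 0), "198.51.100.10", ("alice",)),
    Transaction("T3", "ACME", 1_200_000, "PAYROLL-001", datetime(2015, 6, 2, 11, 30), "198.51.100.10", ("alice", "bob")),
    Transaction("T4", "ACME", 950_000, "MULE-4471", datetime(2015, 6, 6, 2, 15), "198.51.100.10", ("alice", "bob")),
    Transaction("T5", "ACME", 3_000_000, "PAYROLL-001", datetime(2015, 6, 2, 14, 0), "198.51.100.10", ("alice", "bob")),
    Transaction("T6", "ACME", 500_000, "PAYROLL-001", datetime(2015, 6, 2, 15, 0), "203.0.113.7", ("alice", "bob")),
]

if __name__ == "__main__":
    for txn_id, (decision, reasons) in run_batch(SAMPLE_TXNS, PROFILES).items():
        print(f"{txn_id}: {decision:7s} {', '.join(reasons) or '-'}")
```

Held items are the ones R2 tells the bank to verify immediately; in practice the thresholds would come from the per-customer risk rating produced under P2.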
Slide 44: What is the silver bullet?
- Stronger contracts?
- Multifactor?
- Out-of-band authentication?
- Call-back procedures?
- Transaction limits?
- Insurance?

Slide 45: Solutions
- Comprehensive risk management processes; leverage your ISP!
  - Bank IT risk assessment
  - Third party risk assessments
  - Commercial account risk assessment
- Educate your customers
  - Commercial accounts
  - Third party
  - Bank IT

Slide 46: Risk Assessment
- FFIEC: Review commercial accounts and identify the highest-risk accounts, and consider:
  - New or changing threats to your services
  - Change in customer base
  - Change in functionality offered
  - Actual incidents from breaches, ID theft, and fraud in the industry or institution
- CSBS:
  - P1. Expand the risk assessment to include corporate account takeover.
  - P2. Rate each customer (or type of customer) that performs online transactions.

Slide 47: Customer Awareness and Education
- Handouts / pamphlets
- Posters / calendars
- Security Awareness Day
- InfraGard
- Certification
- Social engineering tests
- Games
- Resources
- Commercial customer roundtable

Slide 48: Onsite or Online Education

Slide 49: Continual Improvement - What you can do about cybercrime

Slide 50: Security Process (Plan / Do / Check)
- Plan: risk assessment
- Do: information security program (policy, plans, procedures)
- Check: audits
Slide 51: FDIC - Appendix B to Part 364
A. Information Security Program. Each bank shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.
B. Objectives. A bank's information security program shall be designed to:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information;
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. Ensure the proper disposal of customer information and consumer information.

Slide 52: FDIC - Appendix B to Part 364, Table of Contents
I. Introduction
  A. Scope
  B. Preservation of Existing Authority
  C. Definitions
II. Standards for Safeguarding Customer Information
  A. Information Security Program
  B. Objectives
III. Development and Implementation of Customer Information Security Program
  A. Involve the Board of Directors
  B. Assess Risk
  C. Manage and Control Risk
  D. Oversee Service Provider Arrangements
  E. Adjust the Program
  F. Report to the Board
  G. Implement the Standards

Slide 53: Risk Management Process
- Inventory: identify all assets, third parties, or customers.
- Develop priorities: protection profiles (CIAV).
- Identify threats: what are the threats to each asset (including probability and impact of each threat)?
- Determine inherent risk: which assets represent risk to the bank?
- Identify controls / system controls: what system safeguards does the bank want to implement?
- Determine residual risk: what is the risk after applying controls?
- Measure against goal; take additional action where needed.
- Document the information security program: establish an effective set of IT policies.
- Optional: demonstrate compliance (reporting); improve the process.
Slide 54: Information Security Program

Slide 55: Audit (Check) Components
- Vulnerability assessment: internal assessment, comprehensive. Checks for:
  - Missing patches or updates
  - Default settings and passwords
  - Vulnerable systems
- Penetration testing: external assessment, replicating a hacker. Identifies vulnerable systems, exploits vulnerabilities, surfaces security warnings, and tests intrusion prevention systems.
- Social engineering: tests your people and their responses to social engineering techniques.
- IT audit: verifies you are following your Information Security Program; ensures it is adequate to meet regulatory requirements and implements industry best practices.

Slide 56: Education (Bank, Third Party, Customer)
How to monitor cyber security issues and take action?
- Conferences and conventions: Technology Conference, Association
- Webinars: Risk Assessment, Regular, Hot Topics
- Banking schools: Graduate School of Banking
- Information security certifications (Audit, Policy (ISP)):
  - CCBSP - Certified Community Banking Security Professional
  - CCBTP - Certified Community Banking Technology Professional
  - CCBVM - Certified Community Banking Vendor Manager

Slide 57: Questions
Contact information: Chad Knutson, VP SBS Institute, Senior Information Security Consultant, CISSP, CISA, CRISC. Phone:
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationCurrent Trends in Cyber Crime & Payments Fraud cliftonlarsonallen.com
Current Trends in Cyber Crime & Payments Fraud cliftonlarsonallen.com Our perspective CliftonLarsonAllen Started in 1953 with a goal of total client service Today, industry specialized CPA and Advisory
More informationNATIONAL CYBER SECURITY AWARENESS MONTH
NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the
More informationTax-Related Identity Theft: IRS Efforts to Assist Victims and Combat IDT Fraud
Tax-Related Identity Theft: IRS Efforts to Assist Victims and Combat IDT Fraud Glenn Gizzi Senior Stakeholder Liaison Marc Standig Enrolled Agent What is tax-related identity theft? Tax-related identity
More informationOnline Cash Manager Security Guide
Online Cash Manager Security Guide You re the One who can protect your business from the threat of a Corporate Account Takeover. 102 South Clinton Street Iowa City, IA 52240 1-800-247-4418 Version 1.0
More informationPresented by Evan Sylvester, CISSP
Presented by Evan Sylvester, CISSP Who Am I? Evan Sylvester FAST Information Security Officer MBA, Texas State University BBA in Management Information Systems at the University of Texas Certified Information
More informationInternet threats: steps to security for your small business
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
More informationBriefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.
Polling Question Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication. Please type in your response. This poll will close promptly at 1:00 pm CDT Getting the
More informationOnline security. Defeating cybercriminals. Protecting online banking clients in a rapidly evolving online environment. The threat.
Defeating cybercriminals Protecting online banking clients in a rapidly evolving online environment The threat As the pace of technological change accelerates, so does the resourcefulness and ingenuity
More informationWho Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
More informationYour security is our priority
Your security is our priority Welcome to our Cash Management newsletter for businesses. You will find valuable information about how to limit your company s risk for fraud. We offer a wide variety of products
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More information2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP
2015 CEO & Board University Cybersecurity on the Rise Matthew J. Putvinski, CPA, CISA, CISSP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2011 Wolf & Company, P.C. About Wolf
More informationManaging the Operational Risk of Our Bank
Managing the Operational Risk of Our Bank 1 Managing Operational Risk Has your organizational leadership ever made any of the following comments? The Board wants us to focus on risk management since we
More informationPayments Fraud: It's Not Fun & Games
Payments Fraud: It's Not Fun & Games Claudia Swendseid Senior Vice President Payments Information & Outreach Office Federal Reserve Bank of Minneapolis NACHA Payments 2015 Claudia Swendseid Senior Vice
More informationSmall Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m.
Small Firm Focus: A Practical Approach to Cybersecurity Friday, May 29 9:00 a.m. 10:15 a.m. Topics: Explain why it is important for firms of all sizes to address cybersecurity risk. Demonstrate awareness
More informationAre All High-Risk Transactions Created Equal?
Are All High-Risk Transactions Created Equal? How to Minimize FFIEC Exam Pain 1 Lee Wetherington, AAP Director of Strategic Insight ProfitStars @leewetherington Agenda New Supplement to FFIEC Guidance
More informationEnterprise Risk Management Process Improvement. Secure Banking Solutions, LLC
Enterprise Risk Management Process Improvement 2 Contact Information Contact Information Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone: 605-480-3366 chad.knutson@protectmybank.com
More informationFranchise Data Compromise Trends and Cardholder. December, 2010
Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee
More informationCYBERSECURITY EXAMINATION SWEEP SUMMARY
This Risk Alert provides summary observations from OCIE s examinations of registered broker-dealers and investment advisers, conducted under the Cybersecurity Examination Initiative, announced April 15,
More informationTransforming the Customer Experience When Fraud Attacks
Transforming the Customer Experience When Fraud Attacks About the Presenters Mike Young, VP, Product Team, Everbank Manages consumers and business banking products, as well as online and mobile banking
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationACI Response to FFIEC Guidance
ACI Response to FFIEC Guidance Version 1 July 2011 Table of contents Introduction 3 FFIEC Supervisory Expectations 4 ACI Online Banking Fraud Management 8 Online Banking Fraud Detection and Prevention
More informationPreventing Corporate Account Takeover Fraud
Preventing Corporate Account Takeover Fraud Joe Potuzak Senior Vice President Payment Solutions Risk Manager Member FDIC 1 About Our Speaker Joe Potuzak is the Risk Manager for BB&T s Payment Solutions
More informationRetail/Consumer Client. Internet Banking Awareness and Education Program
Retail/Consumer Client Internet Banking Awareness and Education Program Table of Contents Securing Your Environment... 3 Unsolicited Client Contact... 3 Protecting Your Identity... 3 E-mail Risk... 3 Internet
More informationWHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR
KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST Protecting Identities. Enhancing Reputations. IDT911 1 DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION
More informationCyber Liability Insurance: It May Surprise You
Cyber Liability Insurance: It May Surprise You Moderator Eugene Montgomery, President & CEO Community Financial Insurance Center Panelists Antonio Trotta, Senior Claim Counsel, CNA Specialty William Heinbokel,
More informationPresented By: Corporate Security Information Security Treasury Management
Presented By: Corporate Security Information Security Treasury Management Is Your Business Prepared for a Cyber Incident? It s not a matter of if, it s a matter of when Cyber Attacks are on the Rise; Physical
More informationCybersecurity Risks, Regulation, Remorse, and Ruin
Financial Planning Association of Michigan 2014 Fall Symposium Cybersecurity Risks, Regulation, Remorse, and Ruin Shane B. Hansen shansen@wnj.com (616) 752-2145 October 23, 2014 Copyright 2014 Warner Norcross
More informationWhat s New Collection Fall 2015
What s New Collection Fall 2015 Anita Douglas Senior Stakeholder Liaison December 2, 2015 1 What s New Collection Compliance realignment What s Collection look like today Federal Tax Deposit Alerts Early
More informationCYBERCRIME: What your Bank should be doing to Protect your Business. David Pollino Senior Vice President Fraud Prevention Officer
CYBERCRIME: What your Bank should be doing to Protect your Business David Pollino Senior Vice President Fraud Prevention Officer Agenda Changing Landscape Case of Efficient Services Escrow Group Six key
More informationCYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015
CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015 TODAY S PRESENTER Viviana Campanaro, CISSP Director, Security and
More informationCLEAR LAKE BANK & TRUST COMPANY Internet Banking Customer Awareness & Education Program For Businesses
CLEAR LAKE BANK & TRUST COMPANY Internet Banking Customer Awareness & Education Program For Businesses Introduction Clear Lake Bank & Trust Company is committed to protecting your business, personal, and
More informationMalware & Botnets. Botnets
- 2 - Malware & Botnets The Internet is a powerful and useful tool, but in the same way that you shouldn t drive without buckling your seat belt or ride a bike without a helmet, you shouldn t venture online
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationPolicy for Protecting Customer Data
Policy for Protecting Customer Data Store Name Store Owner/Manager Protecting our customer and employee information is very important to our store image and on-going business. We believe all of our employees
More informationPreparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
More informationAuditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement
Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement Copyright Elevate Consult LLC. All Rights Reserved 1 Presenter Ray Guzman MBA, CISSP, CGEIT, CRISC, CISA Over 25
More informationecommercial SAT ecommercial Security Awareness Training Version 3.0
ecommercial SAT ecommercial Security Awareness Training Version 3.0 Welcome The goal of this training course is to provide you with the information needed to assist in keeping your online banking account
More informationReal World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
More informationACH AND WIRE FRAUD LOSSES
ACH AND WIRE FRAUD LOSSES Financial Institution Technology Funnel Matthew G. Brenner Date: September 26, 2013 Orlando, Florida www.lowndes-law.com What We Will Cover Why is this important? Who does this
More information2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.
2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. Entry Name HFA Submission Contact Phone Email Qualified Entries must be received by
More informationRemote Deposit Quick Start Guide
Treasury Management Fraud Prevention How to Protect Your Business Remote Deposit Quick Start Guide What s Inside We re committed to the safety of your company s financial information. We want to make you
More information