News

Protecting What’s Valuable

icon_star

Tom, our head risk management advisor, walks around with a $100 bill in his pocket.   At training sessions, he’ll set that $100 bill in front of someone and put a stack of his personal bank records next to it.  Then he asks, “Which one should I be more afraid to turn my back on?”

Anyone who works in finance is quick to catch his point.  They know that his personal information is worth far more than $100.  It’s worth more to a crook, and it’s worth more to Tom who’d have to spend at least 10 times that clearing up a case of identity theft.

But what we understand in a training session doesn’t always translate into daily action.  We get hired for enterprise risk management to walk through financial institutions doing risk assessments and social engineering tests.  We know we’re never going to see even a $20 bill lying out.  That’d be heresy in a bank.   But walk by an open cube, and we might find 20 home loan applications ripe for the plucking.

Here are a few daily reminders we’re good at protecting cash: 18-inch-thick steel reinforced concrete vaults, timed vault doors, elaborate alarm systems, cash counted and verified daily, teller drawers locked and stored in the vault overnight, robbery training.

Now ask, how are we reminded about information security?  Remember those loan files sitting out all day and night?

If your bank or credit union is held up at gunpoint and cash is stolen, you only have to tell your regulator and the FBI.  Sure, it’ll make the news, but anyone who hears about it feels bad for the staff and the bank.  The public assumes you did nothing wrong and that you were a victim. (The banks have locks, vaults and alarms after all…) 

However, if your information network is breached, you not only have to tell regulators and authorities, you may have to notify customers.  You’ll get a ton of press and your customers and the public won’t see you as a victim but rather as a business that didn’t do its job.  (Don’t they have a firewall and passwords?)

Now think about the impact on your customers.  When cash is stolen, your customers are fine.  They aren’t out anything.  But when their identity is stolen, they have to work hard to get it back and they never really know if they’re made whole.  (Am I finally through calling everyone and switching things?  Did I get everything? I’m so mad at that bank! )

Like cash security, information security is everyone’s responsibility.  And it’s a cultural shift that needs a champion in your organization.

The truth is, it’s harder to manage information than it is to manage money.  There’s no way to be 100 percent protected when it comes to enterprise risk management, but if you organize yourself, train, and use some better tools, you can limit your risks.  Make yourself better armed than you competitors and you won’t be the “low-hanging fruit.”


Pete Griffith is CEO of Supernal, makers of the Scout™ risk management dashboard.  Find him online at www.supernal.com and on Twitter @SeeScoutRun

Why Commercial Account Theft Is Your Problem

icon_important

Two out of five businesses switch banks due to fraud.  That’s a sobering takeaway from Guardian Analytics 2011 Business Banking Trust study.

For the most part, financial institutions provide online protections to businesses that are similar to what they provide for consumers.  However, it may only be a layered security approach when it should be an enhanced layered security approach, according the FFIEC’s latest authentication guidance.

With their large account balances and frequent transactions, commercial accounts are an attractive target for criminals. If fact, of roughly 500 small and medium-size businesses recently surveyed by Guardian Analytics, 32 percent said they had experienced online fraud in the last 12 months.

Financial institutions pay a real price for lax security, and commercial customer retention is no longer a given.   Fraud victims aren’t automatically giving their institution a second chance.  Yes, it’s an onerous process to move a business banking relationship.  But customers can and will switch to a competitor if they lose trust in their institution’s ability to protect their accounts.  Additionally, with the premium now on top-notch business accounts, your competition is assuredly doing everything to make this switch easier.

I’m not going too far out on a limb when I say financial institutions don’t just handle money anymore.  They handle information.   And that paradigm switch has made it infinitely easier to commit financial crimes.  Your customers’ financial information has been entered into a network countless times.  Do you have any idea where it resides and who is using and protecting it?

It’s time to step up and pay attention.  While 41 percent of the Guardian survey respondents said they didn’t believe their financial institution would cover losses if their company’s assets were stolen, a full 70 percent thought it should.

That’s the notion driving one lobbying organization, the Cyber Looting Awareness and Security Project.  (You’ll find them online at the ominous YourMoneyIsNotSafeInTheBank.org.) The group is urging lawmakers to require institutions to provide commercial customers the same sort of fraud reimbursement it provides to consumers accounts.

Meanwhile, businesses are failing to educate their employees on the dangers of cyber theft.   In one study, 81 Fortune 5000 companies were sent simulated phishing attempts.  Of the 79 businesses that successfully received the email, 43 percent had a least one employee who clicked the link, theoretically opening the network to keyloggers and paving the way for cyber thieves.

In fact, according to the Guardian Analytics study, only 12 percent of businesses are educating employees about not downloading dubious programs and just 10 percent are educating employees about not opening email attachments of unknown origin.  And only 25 percent say they have plans to enforce the use of strong passwords.

What does this mean for the financial community?  It means you have to watch your back.  It’s time to get serious about commercial account protection—that means everything from increasing your own risk assessment activity to offering training for customer employees.

The alternative is loss of reputation, loss of goodwill, and loss of revenue…whether the breach initiated inside your systems or not.

(Get the printer-friendly .pdf version of this article here: Why Commercial Account Theft is Your Problem.)


Pete Griffith is CEO of Supernal, makers of the Scout™ risk management dashboard.  Find him online at www.supernal.com and on Twitter @SeeScoutRun. 

Continuous Risk Management

icon_important

Our Compliance Department performs our annual risk assessment, now the examiners want us to incorporate our risk assessment process into our day to day operations. Why? This is a question we often are asked.  If you are like a lot of institutions, the risk assessment is performed prior to each examination by one or two individuals.  Once the exam is over, the risk assessment report sits on the shelf until next year.  The report, while shared with the Board of Directors, is unfamiliar to the majority of staff.

(Read the full .pdf article: Continuous Risk Management)

Let’s look at the one of the key regulatory requirements of a risk assessment: Manage and Control Risks.  The concept is that as institutions manage risk, they should be able to reduce information breaches and fraud losses while generally increasing information security.

Information security is every employee’s responsibility, not just the person or persons preparing the risk assessment.  The more that staff is involved in the information security process, the better they will be at protection valuable information.  Better information security leads to less fraud losses, and costs associated with information breaches; all of which makes for a better bottom line.

Scout takes your annual process, performed by a few and turns it into a corporate wide risk management tool.  It follows the old saying, “what gets measured, gets done.” Staff gets a convenient, easy to use and time saving tool to track their information security efforts, you get a dashboard that monitors and reports your risk status, enterprise wide.

 

Vendor Management Best Practices Brief

icon_scout

Using a third-party vendor naturally subjects an institution to risks outside its control. From a data breach to an unexpected shutdown, banks and credit unions are subject to a variety of vendor-related events that could lead to loss of revenue, loss of service or reputation damage. That’s why FFIEC standards for vendor management have become a significant part of regulatory examinations. Examiners are putting a stronger focus on the guidelines, pushing organizations to better prepare themselves for the unexpected.

(Read the full .pdf article: Vendor Management Best Practices Brief)

An educational brief:

Nine Simple Steps to Vendor Management

Using a third-party vendor naturally subjects an institution to risks outside its control. From a data breach to an unexpected shutdown, banks and credit unions are subject to a variety of vendor-related events that could lead to loss of revenue, loss of service or reputation damage.

That’s why FFIEC standards for vendor management have become a significant part of regulatory examinations. Examiners are putting a stronger focus on the guidelines, pushing organizations to better prepare themselves for the unexpected.

Notably, outsourcing does not remove an institution from liability should vendors fail to meet information security requirements. An effective vendor management program protects an institution by ensuring its vendors are making all necessary efforts to safeguard information.

Don’t Sweat the Small Stuff

Vendor management can seem like a tall order, especially when you consider that many banks and credit unions work with more than 100 outside vendors. But oftentimes, institutions make the process harder than it actually is by tackling too many vendor reviews and collecting too much information.

The regulations ask you to look at vendors who have access to customer information or processing systems and those that potentially pose critical risks. For most institutions, that’s usually no more than a dozen vendors. Focus your attention there. Examiners only expect you to concentrate on those relationships that pose critical risks.

Step-by-Step

We’ve analyzed the FFIEC vendor due diligence guidelines and consulted examiners to break the process down into nine simple steps. Here’s how to get started…

Step 1: Start with a list of your vendors.

List anyone you’re doing business with—anyone you outsource to in some function, whether it’s mowing the lawn, cleaning, credit card processing, public relations, or IT.

Step 2: Rate each vendor on criticality

Ask yourself, ‘If this vendor stops providing this service tomorrow, what will it do to my organization.’ If you’ll have to shut your doors or stop providing a service, the vendor is critical. If you might not even notice for a while (gosh that grass is getting long), then that’s a low criticality vendor.

Step 3: Rate each vendor on confidentiality

Identify what each vendor has access to in terms of customer information—account numbers, names, addresses, account info. As with criticality, rank this access high, medium or low.

Step 4: Sort the vendors by rank

Sort your list of vendors by both criticality and confidentiality. A high ranking in either category means you need to pay attention to that vendor. Naturally, 12 to 20 vendors will float to the top in either category. If you have more than two dozen in either group, you’ve scored them too heavily.

Step 5: Normalize your rankings

This is a cross check of sorts. Take a look at all your rankings collectively and make sure they make sense as a group. Is it logical that your high risk vendors are really more critical than the ones below? You’ll often find minor adjustments when you take a high level overview.

Step 6: Identify risks for high ranking vendors

According to the regulations, you need to rate all your vendors. But once that’s done, you only need to focus on the high criticality and high confidentiality providers. Remember these should be relatively short lists.

Identify what risk each of the vendors may pose and what controls they should have in place to temper those risks. For example:

  • This vendor is critical to my operations. What if there’s a fire, flood, or power outage? Do they have a disaster recovery plan? A business continuity plan?
  • What happens if they make an error? Do they have liability insurance?
  • They have access to customer information. What security measures are they taking? What is their response plan if a data breach occurs? Does it work with my response plan?
  • Identify the controls (i.e. risk mitigation efforts) they should have in place to a) secure information and b) minimize the impact on your organization.

Evaluating Specialist Providers

You may feel overwhelmed when it comes to evaluating an IT firm, credit card processor or other complex service provider. Don’t be intimidated. The examiners don’t expect Herculean review efforts. You don’t need to send in your own security testing team. What you do need is assurance the vendor is following industry best practices.

When an examiner asks why you feel comfortable with a certain vendor, provide a rational argument and documentation demonstrating you’ve done your due diligence.

You might request the following:

  • SAS 70 audit report (credit card processors)
  • PCI compliance (credit card processors)
  • Third party certifications
  • Staff experience & education
  • Customer recommendations

You don’t have to understand the intricacies of a vendor’s business. You can secure reasonable proof of quality by relying on third party certifications and other logical evaluation measures.

Scout includes recommended due diligence requests for standard financial institution vendors.

Step 7: Begin your due diligence

Start collecting evidence of those control and risk mitigation processes. Create a file. You want to verify the vendor has a plan in place. See if it meshes with your plan and sounds reasonable. Get a copy of their disaster recovery plan and liability policy. Ask for pertinent staff profiles to determine if they have qualified personnel. Check references and be sure other clients report satisfaction.

Step 8: Request improvements or switch vendors

If the vendor doesn’t have adequate controls in place, you need to have a dialogue and convince them to meet your standards. If you can’t find resolution, you may need to select a different vendor.

Step 9: Reevaluate

Annually, go through your list of vendors and decide if their risk rating needs to be changed. Also, reevaluate your high risk vendors to make sure their controls are appropriate for the current risk environment. Has your relationship changed in the last year? Have security threats evolved? Are their certifications up-to-date and contracts current? Continue to manage your risks and relationships.

Prepare for the Unexpected

The vendor management process helps your organization plan for the unexpected. As you identify the risks, you need to make sure controls and protocols are in place so that should something happen, neither you nor your vendor has a disastrous outcome.

Understand the relationship up front, and make plans to deal with any damaging events. The last thing you want to do in a crisis is spend time figuring out what to do next. And when it comes to public relations, any crisis is better contained when you can show that due diligence was both thorough and thoughtful. Simply put, you don’t want to fail because you forgot to plan.

Scout for Vendor Management

Scout manages the vendor environment in much the same way it tracks your organization’s risk assessment process. Use Scout to:

  • Rank vendor criticality, confidentially and performance.
  • Schedule and be reminded of due diligence reviews based on risks and FFIEC guidelines.
  • Attach supporting documents.

Right from initial use, Scout automates and simplifies vendor management. It guides users through the process, including prompts to request relevant information and conduct reviews.

Scout’s vendor management module was built using FFIEC guidance and includes the agency’s recommended due diligence considerations. Institutions can customize the application, adding their own due diligence criteria.

Users report that consistency and organization improve dramatically with Scout. It helps institutions set consistent review criteria and provides a central storage system for contracts, insurance policies and other essential documentation.

Scout is a risk assessment dashboard that also includes modules for GBLA, Red Flags, and BSA.

Risk Assessment Best Practices Brief

icon_scout

An educational brief:

Risk assessments are key to helping you comply with risk management and data security mandates. They help you identify and understand risks to the confidentiality, integrity and availability of your data and systems. However, many institutions still view risk assessments as tedious and time-consuming annual activities. These institutions fail to recognize that a proper risk assessment will do far more than see you through an examination. A risk assessment saves you both time and money by determining which areas of the company are most vulnerable and helping you prioritize information security spending.

(Read the full .pdf article: Risk Assessment Best Practices Brief)

Here are some best practices based on the collective experience of dozens of banks and credit unions that can help you get the most value from your institution’s investment in risk assessments.

Real-time Risk Management Dashboards.

Examiners today want to see a consistent and repeatable approach to risk management that’s integrated into daily operations. But processes that rely on spreadsheets are a poor choice because they are usually “owned” by part-time compliance officers who can’t easily pass the process on to others. The result: Risk assessments that are neither consistent nor repeatable.

All institutions, even those with the simplest risk management challenges, need to take a process-driven approach to risk assessment:

  • Document how and why you rate a risk, and if something changes, why you made that change. Examiners want to see evidence that you are reviewing and updating your risk assessments throughout the year, so you need an easy way to see change histories for any asset, risk and control.
  • Make the risk assessment process something others can access, understand and use. When a new compliance officer takes over your program, for example, it should instantly make sense and he or she should be able to start using it immediately.
  • Integrate risk management into daily operations. Many institutions still mistakenly assume that risk assessment is a one-time annual event done for examiners. The intent of the regulation, however, is to see evidence that risk assessment is a living and breathing process integrated into operations. You’ll need to show evidence that you work on it throughout the year, not just in the weeks before an exam.
  • Ensure appropriate branch personnel are trained and participate in the process. This is simply impossible if one employee has to travel from branch to branch, collecting and integrating data into a spreadsheet. That eliminates any chance of making risk management a consistent and repeatable process, and further isolates risk assessment from daily operations.

Make reports meaningful. Compliance officers are often unclear about the best way to report to management and boards. So they fall back on dumping raw data into spreadsheets to create dry, dull reports. For executives and board members, who don’t work in this arena, this can lead to confusion and impatience. They’ll fail to grasp the concepts, technicalities and complexities of risk assessment; your risk management priorities and objectives; and the need to invest in risk mitigation activities.

That’s why you should provide intuitive, easy-to-read, color-coded reports, both summary and detailed views. Illustrating risk assessment and risk mitigation concepts and activities graphically will make them easier to understand for your management and board.

Remember that risk is subjective. Financial institutions face dozens of data-related security risks. Some compliance officers believe that their risk management program should focus on reducing all risks to the lowest level. But as with anything in financial services, some risks are acceptable. If you’re unable to prioritize risk in terms of the assets’ criticality and impact on operations, you’ll end up spending far more money, time, and effort than you should. What’s more, you’ll never really achieve the basic objective of any risk assessment program: Identifying which risks are acceptable and which aren’t, and focusing your time and money on mitigating activities that have the highest impact.

Remember that risks are always changing. Don’t assume that the risks you identified two years ago are the same risks you face today. As part of integrating risk management into operations, institutions need to regularly review their assets, risks and controls to ensure they’re up-to-date and comprehensive. Asset lists expand and contract, and assets may assume greater or less importance over time. You need to be sure you’re focusing on the assets and controls that continue to be most critical to your institution. Risks are also always changing, especially when it comes to internet-based activities. Hackers are no longer just interested in being a nuisance. They are becoming increasingly ingenious in developing new ways to electronically commit fraud and siphon money from accounts. It’s essential to always scan the horizon for emerging risks to your IT infrastructure.

Periodically get an outside perspective.

Complacency is always a danger when risk assessment and management activities become mundane or routine. You do the same thing over and over again, and never really step back to look at whether your risk management activities are continuing to meet the changing needs of the institution. So it’s a good idea to periodically get an outside perspective on your program from a banking or compliance management specialist who is tied into the changing regulatory, industry and information security scene, such as an IT consulting firm with deep understanding of the financial services market.

Evaluate software systems carefully. Risk management software is a relatively new niche in the IT industry. Some vendors offer software you load and maintain on your own servers. Others offer web-based subscription services that require no investment in servers or other technology. A growing number of businesses, including many banks and credit unions, prefer the latter approach, since Software as a Service (SaaS) is often less expensive than purchasing software licenses, has little or no IT overhead, can be rolled out to anyone with internet access, and can be updated instantly by vendors with enhancements and new features.

Scout Risk Assessment Dashboard White Paper

icon_note

Scout™ Risk Assessment Software and the IT Audit

Understand the financial value of conducting a risk assessment. Learn how Scout, Supernal’s Risk Management Dashboard, guides institutions through the risk assessment process, providing a more accurate assessment in less time than ever before. Find out how Scout is helping institutions implement the appropriate technology and risk management procedures, allowing them to meet regulatory requirements, demonstrate compliance to examiners, and manage information security expenses.

(Read the full .pdf article: Scout Risk Assessment White Paper)

Risk Assessments: A Necessary First Step

A risk assessment is an internal evaluation to identify and understand risks to the confidentiality, integrity and availability of your data and data systems. It identifies information assets, the risks and vulnerabilities that those assets may be subject to and strategies to mitigate those risks. Risks should include both internal and external threats, natural disasters and even equipment failure.

While some businesses, notably health and financial institutions, are legally obligated to secure their data, the risk assessment process is valuable to any business, particularly those that store customer information.

For companies subject to regulatory audits, a risk assessment is necessary to demonstrate information security. A variety of state and federal regulations, including guidance issued by the Federal Financial Industry Examination Council (FFIEC), require that IT audit planning be based on results from a risk assessment. Companies must identify their critical information assets and develop appropriate information security plans.

The first step in any risk assessment is identifying information assets, including computers, flash drives, paper documents, physical and electronic storage, and more. The assessment evaluates where this information is stored, how it travels from one place to the next and who has access.

Next, the assessment identifies risks pertaining to these information assets. Examples include fires, floods, internal theft, external perpetrators, accidental loss, etc. The assessment illustrates anything that would prevent an organization from accessing its data and controlling its use.

As the final step in the information-gathering stage, an assessment identifies which controls are already in place and working well, those that need improvement, and controls that may be missing.

Once this information is gathered, risk ratings are assigned to the information assets based upon the severity of the risks and the effectiveness of the controls. This analysis may point to holes in an organization’s information security. A risk assessment helps identify which assets are at highest risk and which remediation activities will provide the best return.

What many organizations fail to realize is that a proper risk assessment will do more than see them through an examination. A risk assessment saves an organization both time and money by determining which areas of the company are most vulnerable so spending can be prioritized accordingly.

A Tale of Two Companies

Consider the risk management process at these two hypothetical companies: Company A uses a scattershot approach to risk mitigation, reacting to news reports and whatever concerns become top-of-mind in a given week. Without a plan, every new idea becomes priority, and IT staff are overworked with multiple, sometimes conflicting, directives.

At the end of the year, Company A struggles to report resources allocated and progress made on overall security. Security continues to be a nagging concern, creating stress and confusion for leadership. The regulatory compliance exam is a time-consuming process and results in several mandated improvements within a limited timeframe.

Company B goes through a risk assessment process and determines which areas of the company are most vulnerable. Management prioritizes mitigation activities based on cash available and anticipated return on investment. Staff focus their efforts on those activities.

At the end of the year, Company B has a baseline measurement and can demonstrate significant risk reduction. It has a record of mitigation activity, as well as a plan for next year’s spending. The examination process is smooth and pain-free.

Risk Management Dashboard

A risk management dashboard simplifies the risk assessment process, organizing the risk environment with a defined, consistent system that produces meaningful business intelligence. Scout is a web-based risk assessment application inspired by a former regulator and banking executive. This powerful, all-in-one tool tracks and interprets information assets, risks and controls. As a byproduct of performing the risk assessment in Scout, the scope of the controls audit is defined, prioritizing the most significant areas of review for your auditor. Vendor management and Red Flags risk assessment modules are also included with Scout.

With Scout, an organization can engage in useful, ongoing reviews rather than meaningless once-a-year cram sessions to prepare for the examiner. Backed by a robust 3D database, Scout is far superior to standalone spreadsheets and other tracking alternatives. Its intuitive user interface and advanced algorithms make compliance easier and more cost-effective. Here’s why:

Guided solution: Scout comes preloaded with standard risk assessment data and best practice information. These templates promote rapid deployment and enable financial institutions to quickly identify and monitor focus areas. All information is easily editable to fit an organization’s exact needs and situation.

Once the asset, risk, and control information is complete, Scout automatically defines the scope of the controls audit, telling you when and where to perform preventive reviews and system checks. No more relying on memory or paper files to trigger the necessary audit activities. Scout gives you the big picture so you can plan and budget for future events.

At a basic level, Scout standardizes the risk assessment process and reduces the staff time required to document and maintain assessments. But Scout also provides valuable business intelligence to mitigate future security costs

Web-based: As an online dashboard, Scout is accessible via any secure internet connection. Qualified staff can access the Scout database from home or the road, meaning risk control data is always accessible, even during disaster scenarios. Because Scout is web-based, it requires virtually no maintenance support, no costly hardware to install, and no updates to download. And as regulations change, your risk assessment program naturally evolves, with new releases available at no extra cost.

And, of course, data transmissions are secure and information is safe from loss with continuous backups in protected, redundant data centers. Information is never lost.

Understand at a glance: Scout was designed to provide easy, at-a-glance interpretation of risk information. Its advanced graphic reporting tools provide instant visual recognition of high-risk assets and information security weaknesses. Risk managers can evaluate the risk environment through a variety of dashboard presentations, including charts, color-coded tables and other visual displays.

For more in-depth information, users can navigate and drill down through clickable reports and graphs, using Scout’s full power to dig deeper into those areas that warrant further analysis.

3D database: The complex database behind Scout tracks multiple associations among organizational assets, risks and controls. Change one factor and all associated elements update automatically. Risk managers can quickly and easily extract reports required to meet examiner requests, demonstrate information security to the board of directors, and conduct information security reviews by branch or corporation. These multiple variable data layers provide accurate, usable business information.

Risk & ROI Scenarios

Understanding the current risk environment is valuable, but Scout goes a step further, allowing companies to evaluate hypothetical changes to the security environment. Scout also tracks planned security changes, so risk managers can capture both current and future mitigation activity. Companies can use this information to “test” new controls, demonstrating how changes would impact the risk environment.

This information gives institutions unparalleled opportunity to identify the best value security investments and prioritize projects with the biggest impact.

GLBA

In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA). A key component of this law requires financial institutions to protect their clients’ personal information. The FFIEC is charged with prescribing uniform principles, standards and report forms for the various federal financial institution regulatory agencies.

Scout was developed by a former financial institution examiner to meet all FFIEC information security guidelines and includes functions that:

• Identify internal and external threats;

• Assess the likelihood of threats;

• Assess the potential impact of threats;

• Update the program as business changes; and

• Provide easy-to-understand reports to the board.

With Scout, you can manage your organization’s risk by institution, branch and (coming soon) department. As required by the FFIEC, organizations must audit their information controls according to the extent of risk identified in the risk assessment. For example, a control that is mitigating a high risk will need to be reevaluated annually, while controls that impact low-risk threats could be audited only once every three years.

Scout generates this controls audit for you automatically, based on information from the risk assessment and FFIEC guidelines. Change a risk rating or an information asset and Scout immediately updates the audit schedule. You’ll always know which control audits your examiner should expect. Plus, Scout allows you to track audit activity, with notes about when controls were tested and by whom—creating wellorganized logs your examiner will appreciate.

Red Flags

The Identity Theft Red Flags Regulations are part of the Fair and Accurate Credit Transactions Act (FACTA), an amendment to the Fair Credit Reporting Act. These rules are jointly issued by the Federal Trade Commission and other regulatory agencies, and became active in 2008.

Each year, more than 8 million consumers fall victim to identity theft, accounting for nearly $50 billion in losses. And according to a study by Michigan State University, more than half of those cases can be traced back to the workplace, where lax business practices gave thieves the opportunity to steal customer information.

Red Flags rules were created to require businesses to take action to prevent identity theft. The rules are clearly applicable to all banks and lending institutions. However, recent interpretations have also found that health care organizations are also obligated, as creditors under the Red Flags rules, and additional applications are still being debated.

The Red Flags rules require organizations to do the following:

• Conduct a risk assessment to identify covered accounts;

• Identify issues that indicate a possible identity theft (the rules provide 26 options as a

starting guide);

• Develop a detection and response procedure for each;

• Create a written program that’s been approved by the board of directors;

• Train employees in implementation;

• Update the program as necessary; and

• Review effectiveness at least once annually.

With Scout, users will spot the warning signs of identity theft and meet federal compliance regulations for tracking and reporting.

Vendor Management

Today, vendor management has become a significant part of the IT examination. Although IT outsourcing is common in the financial services industry—to lower costs and/or improve the quality of IT services—using a third-party vendor naturally subjects an institution to risk outside its control.

Moreover, outsourcing IT services does not remove an institution from liability should vendors fail to meet information security requirements. An effective vendor management program protects an institution by ensuring its vendors are adhering to all applicable compliance requirements.

FFIEC guidance divides vendor management into several components, including vendor risk assessments, service provider selection, contract issues and ongoing monitoring. Once you’ve completed the necessary due diligence to enter into a vendor contract, that vendor relationship must still be managed with ongoing assessments to ensure it is meeting contractual obligations.

Vendor activity must be reviewed at least once a year to determine if the vendor is adhering to the service level agreement and whether or not corrective actions are required. Scout manages the vendor environment in much the same way it tracks internal risk activity.

The application allows users to rank vendor relationships on criticality and vendors’ access to confidential customer information, and then schedules ongoing due diligence activity based on identified risk and FFIEC guidelines. Scout also includes on online file center for storing supporting documents, such as contracts, correspondence and vendor reports.

Summary

Scout is a risk management dashboard that is constantly updated with the latest FFIEC/NIST standards. It is by far the most comprehensive tool available today. Scout includes risk assessments, Red Flags tracking, vendor management and GLBA—all fully integrated in one system, so organizations don’t need to replicate data in multiple places. And Scout makes it virtually effortless to pass exams, since activities and best practices demanded by examiners are built directly into Scout. Finally, because Scout’s fully integrated, real-time risk management dashboard replaces static spreadsheets and cumbersome paper documents, it reduces the time and cost needed to manage operating risks.

Spreadsheets Aren’t Free

(Read the full .pdf article: Spreadsheets Aren’t Free)

An educational brief:

Most financial institutions rely on a patchwork of spreadsheets and documents to catalogue compliance activity. This people-driven system adds untold hidden costs to the compliance process—costs in labor, time, and lost opportunity. Sometimes you have to spend to save, and compliance is one area ripe for dividends. It’s time to automate…for the sake of the bottom line.

More People

As reported in Deloitte’s 2007 Global Banking Industry Outlook, compliance is demanding an ever larger percentage of an institution’s operating budget. As regulations increase, most organizations are responding with additional human resources rather than technology.

In fact, 95% of the financial institutions surveyed said their executives were much more involved in compliance management than in the past, with 40% saying that the time devoted to compliance had increased by more than 25%.

More regulations mean more people—exponentially more people. As regulations increase and as the institution expands, the management task grows larger.

Already compliance costs are growing faster than net revenue. Unless organizations can find a way to automate, they can only expect to allocate increased time and energy to compliance, further eroding financial returns.

Spreadsheets Add Cost

Examiners want to see a consistent and repeatable approach to risk management that’s integrated into daily operations. But processes that rely on spreadsheets are a poor choice because they are usually “owned” by part-time compliance officers who can’t easily pass the system on to others. Spreadsheets aren’t easily managed by multiple parties, and as a result several versions often propagate throughout an organization.

What’s more, spreadsheets lack an audit trail—who changed what, when, and why—that could otherwise provide ready-proof that an organization has made risk management a thoughtful, year-round activity.

Spreadsheets become veritable data silos. Without automation, users must cut and paste information from one data source to another. Without integration, the organization lacks an enterprise-level view of risks, costs and opportunities. Either way, the process is limited and inefficient.

Organizations that automate, on the other hand, control these costs. They streamline processes, eliminate duplication of effort, and trim expense. With automation, organizations use technology—not additional staff—to accomplish risk assessments and track compliance activity.

Remember when email first came on the scene? Andy Grove, former chairman of the board for Intel, prognosticated, “There are two kinds of businesses: those that use email and those that will.” And so it goes with compliance automation; it’s just a matter of how much money you’ll burn on those spreadsheets before you get there.

Here are five hidden ways spreadsheets add costs:

1. Built from Scratch

It takes a good deal of time just to figure out what information to collect and how to best record it. Software systems eliminate that learning curve with built-in FFIEC guidance. Users can choose from ready-to-go templates or edit information to suit their needs.

2. Everything (and we mean everything) is Manual

Copy, cut, paste. Toggle back and forth between worksheets and narrative documents. Scroll, search, and search some more. The whole process is labor intensive and prone to errors in both data entry and analysis. Software systems automatically update associations between interrelated assets and controls, track user changes, send reminder notices, highlight high risk areas, and generate reports.

3. Extended Examinations

Spreadsheets = examiner headaches. The harder it is to pull information for the examiners, the more your costs go up. Lengthy exams are costly as valuable employees are pulled away from their regular jobs. Automated tools deliver commonly requested compliance reports, and users can choose to give examiners direct access to the system.

4. Duplication

Duplicate information means duplicate effort. GBLA, BSA, Red Flags, vendor management, your own institution best practices—they’re all interrelated. Now multiply that across all your locations and business divisions. Spreadsheets can’t integrate that information. Software creates a common framework to manage all those requirements in a consistent, connected format.

5. Mistakes & Lost Opportunities

With spreadsheets the responsibility for analysis lies solely with the individual. It’s a Herculean task to synthesize all that data. And while human analysis will always be critical, it cannot match software for efficiency, accuracy and depth. The right automation tool will demonstrate which assets are most vulnerable and where new security controls will provide the highest return on investment. Automation provides the institution transparency in both its strengths and weaknesses. Spreadsheets, on the other hand, add layers of confusion.

The attachment to spreadsheets is clear. Microsoft Excel is widely popular and most financial professionals have a strong working knowledge of the application. And yes, it has some powerful analysis capabilities. But it can’t support the depth and breadth of information an organization needs to manage compliance activity.

You don’t use a putter to get out of a sand trap. It’s simply not the right tool for the job.

Switch to an automated risk management tool, like Scout, and suddenly the institution gains. You get efficiency, actionable business intelligence, and better security. And much, much easier examination days.

The cost savings are near immediate. Scout users report drastic reductions in time spent on compliance management. That frees up valuable time to refocus on revenue building initiatives.

Don’t waste another dollar. Organizations that rely on spreadsheets will experience a continued escalation of costs, time consuming examinations and possible fines. Failure to automate will jeopardize your competitive position. And that, certainly, is the most costly risk of all.

Whitepaper: Flipping the Cost to Benefit Ratio

(Read the full .pdf article: Whitepaper: Flipping the Cost to Benefit Ratio)

Flipping the Cost to Benefit Ratio:

Leveraging Technology for Regulatory Compliance

Financial institutions are facing unprecedented scrutiny. Even a somewhat mundane compliance failure could lead to financial penalties, regulatory constraints, and reputation damage. How are financial organizations responding? By putting more staff on the job. Yet even as compliance spending outstrips revenue growth, few organizations are seeing real benefit in return.

More people aren’t the only path to compliance. New technology solutions streamline the process, shrinking costs while providing better, actionable business intelligence. Here, we compare the old and new ways to manage these mounting regulations:

Leveraging Technology for Regulatory Compliance

Regulatory requirements were designed to protect the public interest, preserving individual data security and the stability of the financial system. But the rules have mushroomed, creating a tedious and complicated regulatory envi-ronment. For financial institutions, compliance spending is increasing faster than net revenue. Much of these costs are driven by increases in staff, as organizations hire more people to administer complex compliance programs.

Unfortunately, many financial institutions report that compliance activity provides little concrete value. The cost to benefit ratio is drastically unbalanced. Too few institutions realize a worthwhile return in exchange for these grow-ing expenses.

But risk mitigation is not without value. And costs can be controlled through efficiencies and automation. This paper demonstrates how organizations would be better served by leveraging software to manage compliance activity. By automating what is currently a manual process, financial institutions can reduce spending and receive greater benefit from compliance activity.

New burden on smaller financial institutions - Large institutions, often the first focus of regulatory activity, have been able to develop compliance systems to meet the relatively measured pace of regulatory change.

Examiners are now applying the same standard of “zero tolerance” for non-compliance to all sizes of financial institu-tions. New to such intense regulatory oversight, smaller institutions are facing huge implementation and cost chal-lenges to put adequate compliance programs in place.

Financial implications - In return for the higher costs associated with meeting the additional compliance require-ments put in place over the last several years, financial institutions have achieved a more secure operating environ-ment. However, the increasing scope and complexity of these obligations mean compliance spending has grown rapidly and significantly faster than revenues and profits.

Yet the cost of non-compliance is even greater. The industry is seeing fines up to $80 million. Moreover executives and board members are being held personally liable for some security failures. Between crushing remediation costs and the lingering impact of reputation damage, many institutions are rethinking (and increasing) their compliance budgets.

The Technology Gap

As reported in the Deloitte’s 2007 Global Banking Industry Outlook, compliance is demanding an ever larger percent-age of an institution’s operating budget. However, most organizations are addressing the compliance challenge with additional human resources rather than technological innovation. From the report:

• Compliance costs grew faster than net income for institutions surveyed. While compliance spending as a percentage of net income was 2.83% in 2002, it grew to 3.69% by 2006.

• As requirements increased, financial institutions generally responded by applying people resources to monitor compliance rather than leveraging technology.

• Ninety-five percent of the financial institutions surveyed said their executives were much more involved in compliance management than in the past, with 40% saying that the time devoted to compliance had in-creased by more than 25%.

As such, compliance presents a significant area of opportunity to focus on costs controls. Without an alteration in current compliance procedures, organizations can only expect to allocate increased time and energy—proportionate to, or greater than, institution growth.

Inherent Limitations - Most financial institutions rely on a patchwork of spreadsheets and documents to catalogue compliance activity. This requires a people-driven system that is heavily reliant on human memory and personal initiative. Moreover this system increases the burden of analysis, exposing the institution to the natural limitations of human examina-tion.

This fragmented approach also makes it diffi-cult to develop a clear compliance strategy. In many cases, executives lack the informa-tion they need to prioritize key risks since reports are not sufficiently timely, lack com-plete detail, or can’t be readily interpreted.

Software Solutions - Financial institutions have an opportunity to mitigate rising costs and generate greater benefit by applying technology. New risk management applica-tions allow organizations to approach compli-ance comprehensively across all business lines and locations—increasing efficiency, eliminating unnecessary procedures, and providing actionable business reporting.

The ScoutAdvantage

Introducing Scout™, a risk assessment dashboard inspired by a former regulator and banking executive. Scout pro-vides a clear, unambiguous process for managing risk and compliance. As a web-based application, it provides a sin-gle, organization-wide point of reference, eliminating duplication of effort and redundancy. Scout addresses finan-cial institution needs at multiple levels:

Governance - Scout simplifies reporting for internal governance and annual examiner reviews. Reports are generated automatically upon request and include all required elements for board evaluation.

Risk Management - As a risk management solution, Scout enables organizations to identify, assess, quantify, and manage both enterprise and operational risk in accordance with industry standards. It brings together operational risk data in the form of risk assessments, automated alerts, risk libraries, risk analytics, key risk indicators, loss events, risk heat maps, trend charts and summary dashboards. This integrated data provides increased enterprise-wide transparency and highlights issues that need remedial actions.

Regulatory Compliance - As a compliance management solution, Scout provides a common framework and an inte-grated approach to manage multiple compliance requirements. It includes embedded best practices for meeting regulatory guidelines from the FFIEC in the areas of GLBA, BSA, Red Flags, vendor management and more.

ScoutVersus Manual Compliance

Examiners want to see a consistent and repeatable approach to risk management that’s integrated into daily opera-tions. But processes that rely on spreadsheets are a poor choice because they are usually “owned” by part-time compliance officers who can’t easily pass the system on to others. Such a people-reliant approach to compliance exposes the organization to mistakes, requires significant resources, and delivers little practical return.

Scout uses technology—not additional staff—to accomplish risk assessments and track compliance activity. The re-sult is a more reliable system that can be replicated across the organization and applied throughout the year. Infor-mation is complete and accurate, providing executives with timely, actionable information.

Among the most notable advantages:

Track Changes. Use Scout to document risks and changes in data security. When elements change, Scout records both the alteration and a rationale. Examiners want to see evidence that you are reviewing and updating your risk assessments throughout the year. Scout provides that proof with an ongoing forensic trail.

User Independent. Risk assessment tools should be something multiple users can access and understand—without interpretation. When a new compliance officer takes over your program, he or she will be able to understand Scout and start using it immediately.

Shared Access. Reduce the burden on any one compliance officer by sharing responsibility for risk assessment and compliance activity. User-specific login rules can limit access to certain sections or levels of the application. User changes are tracked, supporting transparency and responsibility across the organization.

Automated Reminders. Manual compliance processes rely on human memory and to-do lists. With Scout, users receive automated reminders when review activity is due. Schedules are generated automatically based on the or-ganization’s unique controls and risk scenarios. Scout recommends frequent reviews for high risk assets and occa-sional due diligence for lower risk areas—building greater efficiency into monitoring activity.

Built In Guidance. Scout provides structured guidance, built directly into the application, so organizations don’t have to spend time wading through and interpreting regulatory compliance manuals. Moreover, organizations have ac-cess to pre-populated (but editable) fields using best practice information, making the risk assessment process both faster and easier to understand.

Prioritization. When organizations are unable to pinpoint which assets are at greatest risk, they end up spending far more money, time, and effort than required. Scout analyses all risk information to identify areas of highest need, so organizations can focus their resources on mitigation activities with the highest return on investment.

Interpret At a Glance. Scout uses color coding, heat maps and other visual cues to help users interpret risk data at a glance. Information is available in multiple levels and formats. Clickable displays allow users to drill down for greater detail. Scout eliminates confusion and prevents users from being overwhelmed with an unfiltered ‘data dump.’

Risk Associations. Scout uses a 3D database to capture multiple asset/risk/control associations. Change one factor and all associated elements update automatically.

What If Scenarios. Understanding the current risk environment is valuable, but Scout goes a step further, allowing companies to evaluate hypothetical changes to the security environment. Companies can use this information for project planning and to test new controls, demonstrating how changes would impact the risk environment.

Better Business Intelligence through Cost Control

While the direct costs of regulatory compliance are significant, organizations are undoubtedly experiencing the additional impact of lost opportunities. Expansion and improvement efforts are stymied while investment is focused on compliance.

However, as we’ve outlined here, opportunities exist to control costs through improved process management. The challenge for many financial institutions is to devise the best approach to operationalize compliance across their businesses, given the divisions and sub-divisions that exist in different parts of the enterprise.

The optimum compliance management effort would eliminate duplicative activity, boost transparency, build effi-ciencies into the due diligence and reporting processes, and guide organizations to maximum return on invest-ment. This is where software presents a distinct advantage over manual compliance management efforts.

And while the human contribution to risk management is still paramount, software delivers exponential increases in efficiency and accuracy. It transforms the compliance management process from an un-measurable qualitative process to a quantitative system based on metrics and replicable methodology. The end result is reliable, usable risk management data that can be used to a) satisfy compliance requirements, b) improve institution security, and c) reduce compliance spending.

 

Board Reporting

icon_scout

(Read the full .pdf article: Board Reporting)

Overcome Analysis Paralysis. We tend to overcomplicate reporting.  Consider this your new motto: “Write to express, not to impress.” Your job is to convey to the board—in simple terms they can understand—what you’re doing about security and how it affects the organization.  Eliminate any “geek speak” and focus on making the information accessible.

Your examiner wants to see that the board can understand and actively respond to the information you provide.  No rubber stamps!

Here’s our advice for what to include in three required annual reports:

Information Security Program

  • GLBA Risk Assessment
  • IT Controls Audit & Testing
  • Vendor Management Risk Assessment & Due Diligence Report
  • Information Breaches/Violations
  • Social Engineering Assessment

ID Theft Prevention Program

  • Staff Training
  • Customer Education (newsletters, statement stuffers, website articles)
  • New Initiatives

Vendor Management Program

  • Changes to Service Provide Agreements
  • Vendor Due Diligence Status
  • Any Third-Party Security Breaches

In each summary including the following

1) date of assessment, major findings, and any remediation efforts; 2) updates and current status; and 3) information breaches or lack thereof

Don’t be afraid to toot your own horn.  If you didn’t have any security issues, tell them why.

The institution has not experienced a security breach in the past year.  We attribute security to the following controls: We updated 3000 patches and 4000 virus signatures.  We provided at least one hour of staff training every month. In 2010 we added a social engineering assessment to find out what happens when someone tries to trick or coerce employees into divulging confidential information. We learned ….

Above all, keep it simple. Use basic charts and tables when possible. Remember, you’re trying to pass useful information on to management. And they can’t use it if they can’t understand it.

 

St. Cloud FCU Case Study

icon_note

St. Cloud FCU Makes Compliance a Team Job

St. Cloud Federal Credit Union serves a tri-county area just northwest of Minneapolis.  The credit union offers a full range of financial services with offices in St. Cloud and Sartell, Minnesota.

The Credit Union’s Challenge:

St. Cloud FCU had several people handling compliance issues, but all using different formats.  This made it difficult to present to the board and each year NCUA wanted more and more documentation.

One of the institution’s 2010 goals was to shore up compliance activity.  That meant building a stronger security culture and better documentation, especially in the area of risk assessments.

St. Cloud FCU’s Scout Solution

St. Cloud FCU implemented Scout in June 2010.    With change tracking features, update alerts and delegation tools, Scout provided the platform St. Cloud FCU needed to manage compliance as an organizational endeavor.  Scout’s built-in templates helped guide users through data input, and the Scout dashboard became an easy-to-use resource the entire team could access and understand.

Here’s how the institution – and its members – benefited:

  • Team Compliance.  Thanks to Scout, St. Cloud FCU has a compliance team—in the real sense of the word.  Now everyone in the group understands what’s necessary for compliance and how to track that information. Overall, security awareness is improved.

“We have so much more knowledge,” said Alyce Justin, Executive Vice President and Compliance Officer for St. Cloud FCU.  “Any examiner could come in, and any one of us could explain what we did and why.”

  • Board Reporting.  Before Scout, staff would present the board with a variety of spreadsheets and try to explain the institution’s risk situation.  But with Scout, staff used the built-in tools to generate reports designed specifically for financial boards.  With graphs and color-coded matrices, trouble areas are easily identified and understood.

“We never had a visual to give them before,” said Justin.  “The board loved the Scout reports.”

  • Compliance Training. Whenever an institution implements new software, staff expect hours of training, learning how to import data and use special features.  And sure, there was some of that with Scout.  But for the compliance team at St. Cloud FCU, training was one of the best parts of the whole project.

“Tom didn’t just show us how to use the software, he ran us through risk scenarios at the same time,” said Rollie Trettel, St. Cloud FCU’s Network Administrator.  “We talked about internal security procedures and federal regulations, so the whole process became a really powerful learning experience for the team.”

  • NCUA.   NCUA was present just five months after implementing Scout which made the compliance side of the exam much smoother.  NCUA was familiar with Scout and was glad to see that St. Cloud FCU is now using the same risk assessment methodology throughout the various departments.