Protecting What’s Valuable

Tom, our head risk management advisor, walks around with a $100 bill in his pocket.  At training sessions, he’ll set that $100 bill in front of someone and put a stack of his personal bank records next to it.  Then he asks, “Which one should I be more afraid to turn my back on?”

Anyone who works in finance is quick to catch his point.  They know that his personal information is worth far more than $100.  It’s worth more to a crook, and it’s worth more to Tom who’d have to spend at least 10 times that clearing up a case of identity theft. (more…)

Enterprise Risk Management


Simplify risk management and regulatory compliance requirements with the most effective ERM dashboard.

Identify the real risks facing your bank or credit union and establish how to manage them more effectively.  With Scout software, every step of the risk management process – from accurately inventorying assets, risks and controls to building a comprehensive risk management plan – is tracked in one place, so risk, compliance and IT staff can work on assigned risk reduction tasks, be tracked for progress and prepare your institution for your examination.

With real-time reporting, and process tracking software, you can make better decisions and reduce time and costs.  Scout customers get automation and reporting for the following areas:

Request a software demo to see how Scout’s time saving dashboard format, artificial intelligence, reporting, task assignment capabilities and project management will reduce your risk, improve your decision making and save you money.

Why Commercial Account Theft Is Your Problem

Two out of five businesses switch banks due to fraud.  That’s a sobering takeaway from Guardian Analytics’ 2011 Business Banking Trust study.

For the most part, financial institutions provide online protections to businesses that are similar to what they provide for consumers.  However, it may only be a layered security approach when it should be an enhanced layered security approach, according to the FFIEC’s latest authentication guidance. (more…)

Vendor Management Best Practices Brief

Using a third-party vendor naturally subjects an institution to risks outside its control. From a data breach to an unexpected shutdown, banks and credit unions are subject to a variety of vendor-related events that could lead to loss of revenue, loss of service or reputation damage. That’s why FFIEC standards for vendor management have become a significant part of regulatory examinations. Examiners are putting a stronger focus on the guidelines, pushing organizations to better prepare themselves for the unexpected.

(Read the full .pdf article: Vendor Management Best Practices Brief) (more…)

St. Cloud FCU Case Study


St. Cloud FCU Makes Compliance a Team Job

St. Cloud Federal Credit Union serves a tri-county area just northwest of Minneapolis.  The credit union offers a full range of financial services with offices in St. Cloud and Sartell, Minnesota.

The Credit Union’s Challenge:

St. Cloud FCU had several people handling compliance issues, but all using different formats.  This made it difficult to present to the board and each year NCUA wanted more and more documentation.

One of the institution’s 2010 goals was to shore up compliance activity.  That meant building a stronger security culture and better documentation, especially in the area of risk assessments.

St. Cloud FCU’s Scout Solution

St. Cloud FCU implemented Scout in June 2010.  With change tracking features, update alerts and delegation tools, Scout provided the platform St. Cloud FCU needed to manage compliance as an organizational endeavor.  Scout’s built-in templates helped guide users through data input, and the Scout dashboard became an easy-to-use resource the entire team could access and understand.

Here’s how the institution – and its members – benefited:

  • Team Compliance.  Thanks to Scout, St. Cloud FCU has a compliance team—in the real sense of the word.  Now everyone in the group understands what’s necessary for compliance and how to track that information. Overall, security awareness is improved.

“We have so much more knowledge,” said Alyce Justin, Executive Vice President and Compliance Officer for St. Cloud FCU.  “Any examiner could come in, and any one of us could explain what we did and why.”

  • Board Reporting.  Before Scout, staff would present the board with a variety of spreadsheets and try to explain the institution’s risk situation.  But with Scout, staff used the built-in tools to generate reports designed specifically for financial boards.  With graphs and color-coded matrices, trouble areas are easily identified and understood.

“We never had a visual to give them before,” said Justin.  “The board loved the Scout reports.”

  • Compliance Training. Whenever an institution implements new software, staff expect hours of training, learning how to import data and use special features.  And sure, there was some of that with Scout.  But for the compliance team at St. Cloud FCU, training was one of the best parts of the whole project.

“Tom didn’t just show us how to use the software, he ran us through risk scenarios at the same time,” said Rollie Trettel, St. Cloud FCU’s Network Administrator.  “We talked about internal security procedures and federal regulations, so the whole process became a really powerful learning experience for the team.”

  • NCUA.  NCUA examiners were on site just five months after Scout was implemented, which made the compliance side of the exam much smoother.  NCUA was familiar with Scout and was glad to see that St. Cloud FCU is now using the same risk assessment methodology throughout the various departments.

Woodland Bank Case Study


Woodland Bank Secures New Loan Production Office

Woodland Bank is a family-owned institution with a 90-year history of service to the families and businesses of Minnesota. With six branch locations throughout the north central region of the state, the bank has established itself as a modern, forward-thinking organization. Woodland Bank opened a separate loan production office, supporting increased residential and commercial development in their area.

The Bank’s Challenge

Woodland Bank was planning to open a loan production office and needed to initiate proper security measures that would protect its customers and comply with regulatory requirements. Even though the office wouldn’t process cash, the bank still needed to secure customer information stored on the server and desktops. Chief Operations Officer, Jenn Spartz, understood the security challenges but needed to communicate this unique environment to her board. She turned to Scout to create a hypothetical risk scenario that would not only double-check her own risk expectations but then help the board decide whether or not to make a deeper investment.

Woodland Bank’s Scout Solution

Woodland Bank had already been using Scout for risk assessments across its six existing locations. That meant COO Jenn Spartz had a strong head start on evaluating the new office’s needs. Scout streamlined the process, enabling her to copy common asset features (such as network information) from existing branches to a risk assessment for the new office. After that it was a matter of simple edits to create a risk assessment consistent with the new facility’s intended design and purpose.

While management understood the loan production office would be different than a full service branch, going through the Scout risk assessment clarified the differences. Not only did Scout help document the risks that were atypical of a traditional branch, it allowed the risk team to test the impact of various security controls and refine facility design.

  • Highest ROI.  Using Scout as a ‘what if’ tool helped the team assess and evaluate additional security measures such as a stronger server room door and more locks. Because the risk assessment revealed vulnerabilities that meant the bank would have to allocate more money, the team wanted to find those security upgrades that would provide the highest return on investment.

  • Board Approval.  Once the risk assessment was complete and recommendations established, the COO used Scout’s graphical reporting tools to present her case to the board. Scout allowed her to illustrate the risk environment and security options in a visual format the board could readily understand.

“Scout has been a great tool for doing ‘what ifs’ and directing future plans. Because of Scout, our board understood the risk environment and decided to enhance the security system for our new loan production facility. And having just completed our annual exam, I’m happy to say our examiners had high praise for both Scout and our compliance process.”

Jenn Spartz – Woodland Bank


Upon review, the board agreed that additional controls were required. Scout gave them the information they needed to step back before build-out plans were complete and implement additional security controls that would address the uniqueness of the new loan production facility.

Scout also assisted the bank in meeting a basic regulatory requirement for board oversight. Once the board understood the risk environment, members opted to accept certain risk elements instead of mitigation. The risk environment was understood, communicated, and acknowledged—as required—giving the bank a strong foundation for future security planning.

After implementing Scout, Woodland Bank realized numerous benefits including the following:

  • Spent less administrative time compiling the risk assessment. Woodland Bank’s risk officer spent approximately eight hours on the entire risk mitigation process from initial risk assessment, to risk team meetings and board reporting. This is a fraction of what the process would have required under their old spreadsheet system.
  • Increased facility security by identifying vulnerabilities and presenting the board with a clear picture of the risk environment.
  • Minimized security spending by focusing on those controls that would provide the biggest impact for the dollars invested.
  • Earned examiner approval during an annual audit of the bank’s primary branch locations and established a strong foundation of risk assessment information for the new production office.


Protecting ACH Transfers


Protecting ACH Transfers

(Read the .pdf version: Protecting ACH Transfers.)

New regulations require financial institutions to monitor risk for ACH transactions. Even when a financial institution’s systems are secure, its customers’ systems may not be.  ACH rules take over where Red Flags rules left off by going beyond consumer protections to mitigating risk in business accounts.  Find out what’s behind the new rules and how your organization can prepare.

As of June 2010, federally insured financial institutions were required to start performing ACH risk assessments.  Regulators are asking organizations to look at ACH processes and wire transfers—however they move money electronically—and mitigate the risk.

Regulators are working with financial institutions to shore up weaknesses within the financial transaction system.  The objective, of course, is to intercept fraud, catch problems early, and make sure these transactions remain secure.

ACH transactions have been occurring for years, but they’re becoming more prevalent.  More consumers—and more businesses—are choosing this option.

And obviously, the crooks are paying attention.  They’re intercepting these connections and creating their own transactions to steal money directly out of customer accounts.

It’s not a bank’s network that’s being compromised.  It’s a customer’s network.  It’s a case of corporate identity theft, pure and simple.  The thieves can authenticate themselves to the bank, as if they were the customer, and transfer money.

The Back Story

In November 2008, the introduction of Red Flags regulation meant that financial institutions would have to start monitoring accounts for evidence of identity theft.  Organizations had to come up with early detection systems.

The thing is…that regulation specifically exempted most business accounts.  The primary obligation was to monitor personal, consumer accounts.

In the ideal scenario, financial institutions adapted the Red Flags guidelines and applied them to their business accounts.  (At least that’s what we advised our clients to do.)  But, many organizations opted to focus on consumer accounts only.  And that’s where the crooks stepped in.

As far as we can tell, the bad guys were paying attention.  They noted the gap and began targeting corporations.

In early 2009, we started seeing evidence that crooks were finding ways to steal corporate identities.  They found a way to get between corporations and their banks to steal money from corporate checking accounts.

The most infamous attack was dubbed the Zeus Banking Trojan.  The trojan was introduced into the corporate network.  From there, it allowed the bad guys to access corporate information as employees logged into an internet banking site.  The trojan captured login and other key identification information, so the crooks could later sign on and authenticate themselves as if they were legitimate users.  We call it a man-in-the-middle attack.

It was an attack like this that made Hillary Machinery national news—at least in financial circles.  On November 9, 2009, cyberthieves started transferring money out of Hillary Machinery’s bank account.  They took more than $800,000, over two days, before Hillary noticed the problem.  The company’s bank, PlainsCapital, was able to recover nearly $600,000, but said it shouldn’t be responsible for the rest.

From there, the two organizations entered a veritable war—fought on both legal and media fronts.  PlainsCapital sued Hillary Machinery and asked the court to rule that its security practices were reasonably sufficient.  The transfers, it alleged, were made by someone who accessed Hillary’s account information through Hillary’s own systems.

Hillary Machinery responded with a countersuit and a caustic PR campaign. The case generated all sorts of buzz and came to represent the increasing conflict between banks and business customers over responsibility for misappropriated account credentials.

An Everywhere Problem

Some people think that ACH fraud is something that happens in big cities.  Unfortunately, that’s simply not the case.

Consider the widely published account of Wisconsin’s Eau Claire County and how they successfully stopped just this kind of man-in-the-middle attack in January 2010.  In that case, the county’s bank became the hero of the story after it noticed some suspicious wire transfers.

The bank contacted the Eau Claire County treasurer’s office and determined the county had only approved one transfer.  In all, it stopped about $800,000 from being moved to an outside, dummy account.  According to news reports, the FBI suspected Russian hackers were behind the attack.

It takes constant vigilance to maintain security in electronic systems—even in small-city Wisconsin.

An ‘It’s Your Problem’ Problem

When the Hillary Machinery and PlainsCapital case settled out of court, we lost out on any kind of legal precedent that would assign liability in cases like these.  So right now, we still don’t know who would be ultimately responsible for these losses.

What we do know is that the ACH regulations will make it a lot harder for a financial institution to throw up its hands and say, “Not my problem.”  Having adequate security will mean more than protecting your own data systems.  It will mean watching out for possible breaches in your customers’ systems too.

The FFIEC published ACH risk assessment guidance in February 2010, and risk assessments were supposed to start as of June 2010. As financial institutions enter their 2011 annual exams, they can bet that regulators are going to be looking for compliance.

Here’s what needs to happen:  Institutions need to identify all the vendors or systems they’re using to process ACH or wire transfer payments.  They need to obtain as much information as possible on how the security systems work, what risks might be applicable, and how these risks might be mitigated.

The financial institution is responsible for coming up with controls on their end AND educating customers to catch and prevent risks from the other side of the process.

And here’s something else you might not have thought of: Examine your marketing materials.  Be sure you’re not positioning ACH as a tool to prevent theft.  Because it’s not…not anymore.  The risk environment is changing rapidly.  Review what you as an organization could be doing to help educate your customers.

Bottom line, the ACH regulation fills a hole left in the Red Flags rules.  Financial institutions need to work with their customers to prevent these kinds of thefts.  No more finger pointing.  This is an effort to get the two parties to work together.


Spreadsheets Aren’t Free

Most financial institutions rely on a patchwork of spreadsheets and documents to catalogue compliance activity. This people-driven system adds untold hidden costs to the compliance process—costs in labor, time, and lost opportunity.  Sometimes you have to spend to save, and compliance is one area ripe for dividends.  It’s time to automate…for the sake of the bottom line. (more…)

Vendor Management Best Practices

Nine Simple Steps to Vendor Management

Using a third-party vendor naturally subjects an institution to risks outside its control.  From a data breach to an unexpected shutdown, banks and credit unions are subject to a variety of vendor-related events that could lead to loss of revenue, loss of service or reputation damage. (more…)

Woodland Bank Case Study – Scout for ‘what-if’ analysis

“The board wasn’t thinking about all the information that’s housed on our networks. Scout helped me put it in perspective for them, and they allocated funds to put additional security in place.” – Jenn Spartz


Capture Your Risk with Scout

Scout is a web-based risk assessment dashboard that automates the risk assessment process, tracks security controls, and simplifies the compliance process.

Compliance requirements are increasing. Stop trying to piece together information from a collection of unconnected spreadsheets. Get best practice templates, create clear proof-of-compliance logs and receive automated review schedules.

Scout gives you these competitive advantages:

  • Reduce time spent on compliance
  • Eliminate costly duplication of effort
  • Spend less by identifying the highest ROI
  • Gain useful business information for meaningful security
  • Meet compliance requirements and enjoy smoother exams

The end result is better information security and business continuity—anything less can cost your institution untold amounts in reputational damage, fines and crisis response costs. Proactive mitigation is essential to long-term success.

Scout includes integrated modules for GLBA, controls audit, Red Flags, Vendor Management and BSA.

To learn more about Scout,

call 608.785.7101 or visit

www.supernal.com