
WBA’s Secur-I.T. & BSA/AML Conference returns in 2022

As cybersecurity and fraud continue to be rising topics of discussion throughout the banking industry, bankers are encouraged to stay informed on the latest trends experts are seeing and how regulations will continue to impact Wisconsin banks by attending WBA’s annual Secur-I.T. & BSA/AML Conference held in Wisconsin Dells.

The two-day conference — beginning September 20 and adjourning at noon on September 21 — draws over 125 BSA/AML, operations, security, and technology professionals from around the state for over seven hours of educational presentations and networking.

This year’s keynote session will feature Bryan Seely, a world-famous cyber security expert, ethical hacker, author, and former U.S. Marine. Seely became one of the most famous hackers in 2014 when he became the only person to ever wiretap the United States Secret Service and FBI. Before he was caught, he confessed to the two agencies that there was an issue that needed to be fixed.

Unlike many hackers, Seely is passionate about fighting for consumers rights, privacy, and educating the public about how to stay safe in a constantly changing technological landscape. In this keynote session, Seely will highlight the different ways in which hackers think and the new, creative ways professionals must approach security in order to protect the most critical information of the business and customers.

In addition to this captivating keynote speaker, the Secur-I.T. & BSA/AML Conference offers several breakout sessions and networking opportunities that will assist banking professionals from throughout Wisconsin in further developing their bank’s customer experiences, BSA/AML program, security, and technology capabilities as the banking and technology industries continue to evolve.

By Rob Foxx, CCBTO

I frequently get asked, “How do I or my other non-technical staff help keep my institution safe from electronic threats?” Ransomware is the topic of the day, and I don’t know that there will be changes to that any time soon. There are a few things that can make protecting yourself easier. Good security is done in multiple layers of defense and requires participation of all members of your team.

Involve Your Whole Team

Cybersecurity is the responsibility of all members of the business, not just IT. To that end, everyone needs to know what common tactics are used to compromise your security. Learning how to identify phishing emails as well as business email compromise and reporting these types of events could be the difference between fighting a breach or dodging one. This kind of mindset has been in physical security for a very long time, but it has been a lot slower to be adopted into data security. By educating your staff and yourself and reporting it to the right people in your organization, you can avoid a very common but costly pitfall.

Ensure System Maintenance is Up to Date

The next item is a task that IT performs but is something leadership should both understand the basics of and require accountability for. Keep your systems updated and patched. An alarming number of breaches over the years could have been prevented by simply keeping systems up to date. Microsoft pushes out Windows patches the second Tuesday of every month, which should be reviewed for issues with your environment and deployed as soon as possible. There are tools that make this very easy to perform should you invest in them. Less obvious patches to other software like Adobe Reader, Google Chrome, and even your remote connection software, are equally important. Keeping an inventory of your software assets and checking them regularly for updates and patches can reduce your attack surface. Updates should not only be done, but they should also be reported to management and/or the board of directors at a regular frequency.
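The inventory-and-patch review described above can be turned into a small recurring report. The following is an added example, not FIPCO's tool or anything the column provides; the inventory, product names, versions and dates are constructed, and the 30-day "stale" threshold is an assumption chosen for illustration:

```python
"""Patch-status review of a software inventory (added example, not from the column)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str                           # product as recorded in the bank's inventory
    installed: str                      # version currently deployed
    latest: str                         # newest version the vendor publishes
    last_patched: date                  # when the deployed build was last updated
    end_of_life: Optional[date] = None  # vendor support end date, if known


def parse_version(v: str) -> Tuple[int, ...]:
    """'19.12.3' -> (19, 12, 3); tuples compare element by element in Python."""
    return tuple(int(part) for part in v.split("."))


def review_inventory(assets: List[Asset], today: date,
                     max_patch_age_days: int = 30) -> List[Tuple[str, str, str]]:
    """Return (asset, status, detail) for every asset that needs attention.

    Precedence: END-OF-LIFE (no more vendor fixes at all) beats
    UPDATE-AVAILABLE beats STALE (current, but nothing has shipped for a
    long time, so confirm the vendor is still maintaining it).
    """
    findings = []
    for a in assets:
        age = (today - a.last_patched).days
        if a.end_of_life is not None and a.end_of_life <= today:
            findings.append((a.name, "END-OF-LIFE", f"support ended {a.end_of_life.isoformat()}"))
        elif parse_version(a.installed) < parse_version(a.latest):
            findings.append((a.name, "UPDATE-AVAILABLE", f"{a.installed} -> {a.latest}"))
        elif age > max_patch_age_days:
            findings.append((a.name, "STALE", f"last patched {age} days ago"))
    return findings


def summary_for_board(findings: List[Tuple[str, str, str]], total_assets: int) -> Dict[str, int]:
    """Counts per status: the figure to put in front of management each month."""
    counts = {"END-OF-LIFE": 0, "UPDATE-AVAILABLE": 0, "STALE": 0}
    for _, status, _ in findings:
        counts[status] += 1
    counts["CURRENT"] = total_assets - len(findings)
    return counts


# Constructed sample inventory; names, versions and dates are illustrative only.
SAMPLE_INVENTORY = [
    Asset("workstation-os", "10.0.19044", "10.0.19044", date(2022, 3, 8)),
    Asset("pdf-reader", "21.11.0", "22.1.0", date(2021, 11, 20)),
    Asset("web-browser", "99.0.4844", "99.0.4844", date(2022, 3, 15)),
    Asset("remote-access-tool", "7.3.1", "8.0.0", date(2021, 6, 2),
          end_of_life=date(2021, 12, 31)),
    Asset("branch-scanner-driver", "2.4.0", "2.4.0", date(2021, 9, 1)),
]
REVIEW_DATE = date(2022, 3, 20)  # constructed "today" so the run is reproducible

if __name__ == "__main__":
    findings = review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)
    for name, status, detail in findings:
        print(f"{status:<17} {name:<22} {detail}")
    print(summary_for_board(findings, len(SAMPLE_INVENTORY)))
```

The end-of-life check comes first on purpose: a product the vendor no longer fixes cannot be made safe by patching, which is the situation the article about Russian-linked attacks later describes for software that "no longer is receiving vendor patches".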

Secure Your Passwords

Use secure passwords or, if possible, multifactor authentication. Insurance companies offering cyber insurance policies are pushing for people to use tools such as authenticator apps on a phone for multifactor authentication. While this is ideal, it may not be in place in many institutions. The National Institute of Standards and Technology (NIST) security framework used by the U.S. Department of Defense recommends longer passwords (16+ characters) without complexity requirements and no expiration unless you have reason to believe the password was exposed. A password can be as simple as three random words, such as doorbluecomputer. This is easy to remember and difficult for a computer to guess. If you can’t use multifactor authentication, a password manager lets you use many long, complex passwords that you could never otherwise remember.
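The guidance above (length over complexity, no forced expiry, and a check against exposed passwords) can be expressed as a checker, together with the arithmetic behind "three random words". This is an added example, not the column's or NIST's code; the 16-character threshold follows the column, the breach list is a constructed stand-in for a real corpus, and the word-list size is that of the public EFF long word list (7776 entries):

```python
"""Password evaluation along the lines of the column's advice (added example)."""
import hashlib
import math
import secrets
from typing import List

MIN_LENGTH = 16                    # the column's threshold, taken as the policy here
EFF_LARGE_WORDLIST_SIZE = 7776     # 6^5 entries in the EFF long diceware list

# Constructed stand-in for a breached-password corpus, kept as SHA-1 hashes the way
# such lists are usually distributed. The column's own sample passphrase is in it
# on purpose: anything printed in a public article belongs on an attacker's list.
_BREACHED = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["Password123!", "Winter2022!", "doorbluecomputer"]
}


def is_breached(pw: str) -> bool:
    return hashlib.sha1(pw.encode()).hexdigest().upper() in _BREACHED


def passphrase_bits(num_words: int, wordlist_size: int = EFF_LARGE_WORDLIST_SIZE) -> float:
    """Entropy when the attacker knows the scheme: log2(N^k) = k * log2(N)."""
    return num_words * math.log2(wordlist_size)


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def evaluate_password(pw: str) -> List[str]:
    """Return the list of problems; an empty list means the password is acceptable.

    Deliberately no composition rules (upper/digit/symbol) and no expiry:
    length plus a breach-list check do the work, matching the column's advice.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(pw):
        problems.append("appears in a known-breach list")
    if len(set(pw)) <= 2:
        problems.append("too repetitive")
    return problems


def generate_passphrase(words: List[str], num_words: int = 4, sep: str = "") -> str:
    """Choose words with a CSPRNG; people picking 'random' words are not random."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    for candidate in ["Winter2022!", "doorbluecomputer", "lanternorbitcactusvelvet"]:
        print(f"{candidate!r}: {evaluate_password(candidate) or 'ok'}")
    print(f"3 words: {passphrase_bits(3):.1f} bits, 4 words: {passphrase_bits(4):.1f} bits, "
          f"8 random printable chars: {brute_force_bits(8, 94):.1f} bits")
```

The entropy functions show why the number of words matters: three words from a 7776-word list give about 39 bits if the attacker knows the scheme, four give about 52, comparable to eight fully random printable characters, and five exceed it; the words should be chosen by a random process rather than by the user.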

Give IT and Security a Seat at the Table

Bring IT and information security into your decision-making process. If this is something that is not being done currently, consider adding these people to the team that makes your highest-level decisions. They will have a perspective on additional costs as well as potential problems and conflicts that may occur. While they may not represent the majority of your staff or income, they speak for a considerable portion of your assets. There are few things as frustrating as going forward with a new project and not having considered how it will work with the rest of your environment or whether you have the hardware or software to support it without extra expenditure of assets. Additionally, there are many problems that exist within a business that your more technical staff could offer a solution to that the rest of the staff may not have known about.

Keep Up With Advancements in Technology

Don’t let technology outpace you. New technologies come out every day, and while you’re not expected to be on the leading edge, you should at least keep a healthy pace with it. For example, if you are using a conventional virus scanner, you are already behind the times. Zero-day exploits (bugs that are either unknown or unpatched) and fileless malware and viruses are not detected by traditional antivirus products. Fileless attacks are becoming more prevalent, and you can pick them up any number of ways. It could be as innocent as visiting a website: without clicking or downloading anything, and without your permission, you could have brought an unwanted problem to your institution. Though a bit on the pricier side compared to traditional antivirus, next-generation products in this field are far more capable than their older counterparts.

Most of the items presented are non-technical and should be part of making your staff work well with your information security team and vice versa. In our more modern work-from-home environments, it is more important than ever to make cybersecurity a part of everyone’s day-to-day.

Foxx is information security and audit advisor for FIPCO, a WBA Gold Member.

By Paul Gores

With cyberattacks on U.S. businesses a possibility as Russia’s war against Ukraine rages on, financial institutions need to make sure their cybersecurity measures are first-rate and up to date, experts say.

The White House has warned that Russia could try to disrupt digital operations and damage the U.S. economy in retaliation for sanctions against Russia after its invasion of Ukraine.

Ransomware attacks on U.S. businesses, some by groups based in Russia, already have been growing in recent years, and recently, the FBI said it discovered and secretly removed malware that hackers from Russia had placed in computer systems worldwide. Some American leaders think Russian President Vladimir Putin still has plans to try to inflict a major cyberattack.

If he does, banks that have been diligent and proactive about protecting their systems from hackers should be less vulnerable to the chaos a cyberattack could cause, experts say.

Banks need to make sure they’ve taken inventory of all of their technology assets and are doing what they can to keep them safe from attackers.

“Know what those assets are — all your software, hardware — and then from there follow your basic cyber hygiene,” said Scott Noles, assistant vice president and information security officer for Mukwonago-based Citizens Bank. “Are they up to date? Have you patched them? Do you have end-of-life software? Do you have anything that’s in your environment that shouldn’t be? Those I think are really mission critical.”

While many assume the Russian government would want to target the biggest banks and core processors to cause the most disruption to the financial system, infiltrating a bank of any size would be a win for attackers, experts say. That’s why it’s important for community banks to ensure techniques cyber crooks often use to bust into an institution’s system, including phishing emails that can be the gateway to a system takeover, will run into a tough defense. Training employees not to respond to infecting emails, whether in the office or working remotely, is one important step.

“Everyone’s digital life, whether it’s at work or at home, is intertwined now,” said Ian McShane, vice president of strategy for the cybersecurity firm Arctic Wolf Networks. “You can get compromised at home and have that lead into your work life as well. Just because you close the door on your laptop at work doesn’t mean you don’t need to remain vigilant. It can be a risk to businesses wherever you are.”

McShane and others stressed that multifactor authentication is crucial. With multifactor authentication, users must submit two or more pieces of evidence to verify their identity in order to gain access to a digital resource. An organization must at least make sure that all of its information technology workers are using multifactor authentication.

In addition, McShane said, a bank’s IT pros or security officers should take stock of which machines in the system are accessible from the internet.

“And make sure there is a good reason for those machines to be accessible from the internet as well, because they are going to be the first bastion of adversarial activity,” he said.

Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, said specialty insurance carriers considering coverage applications from banks are requiring multifactor authentication.

“What the carriers are looking for amongst other internal controls, the big key is multifactor authentication,” he said. “And that multifactor authentication expands to all users, but most important are privileged users which are those users that can access critical systems, install software, and change security settings.”

Otteson said insurers also need to know that critical patches and updates are implemented and deployed, and they want servers and back-ups to be encrypted. Without those measures, “They put themselves at risk,” he said.

Banks must always be diligent and vigilant — and that was expected even before the Russian threat in the wake of the Ukraine invasion.

“There is no institution that’s immune from a potential cyberattack,” Otteson said.

The security measures of vendors that have access to bank data also have to be airtight, said Jeff Kurek, vice president, information services and cyber security for Park Bank in Madison. He said vendors ranging from those managing IT all the way down to the bank’s HVAC company could put a bank at risk if they have access to the internal system.

“We are heavily regulated, we’ve always had information security programs in place, we’ve always been audited,” Kurek said. “But what about our third-party vendors — the vendors that we utilize to provide us our critical services?”

If Russia were to mount a large cyberattack on the U.S., major infrastructure could be key targets, many believe. But cyberattacks could produce side victims like smaller banks. McShane said most incidents are opportunistic.

“They happen because someone clicks on something that they weren’t aware was weaponized, or it was part of another kind of attack or breach or ransomware campaign, and someone has noticed, ‘Hey, we’ve got access to a bank here,’” he said.

While the main goal of a Russian cyberattack would be to disrupt and damage the U.S. and its economy, extortion could be another result. Ransomware thieves normally try to break into an organization that has the insurance coverage and wherewithal to pay a multi-million ransom — an organization like a bank.

Big banks have the money to beef up their defenses in ways that a community bank might not, perhaps leaving the smaller bank more at risk if, say, the bank has let its software age and it no longer is receiving vendor patches to fix vulnerabilities.

“I think the smaller regional banks or city-based institutions don’t have that same luxury of being able to throw money at it,” McShane said.

But experts said no matter what size the bank is, it has to make cyber security a priority and be willing to spend the money to do it. The downside of a breach or extortion is too brutal, they said.

“I believe that any nation states that they’ll (Russia) be attacking, they will go after the biggest targets possible, but they also realize the biggest targets are the ones that are hardest to get into,” said Noles. “So what they’ll be doing is looking at anybody they can get into.”

The No. 1 method of attack still is phishing.

“They are trying to send you a link to see if they can get somebody to click on it, because then they can get credentials, they can get inside environments, they can install malware,” Noles said.

The cost of cybersecurity is increasing, but that’s just reality in today’s increasingly tech-driven world, experts say.

Otteson cited a Financial Crimes Enforcement Network (FinCEN) report showing that during the first half of 2021, financial institutions reported 635 suspicious ransomware-related activities, or 30% more than all reported activity in 2020. FinCEN said more than $590 million in payments tied to ransomware attacks occurred in the first six months of 2021, up from $416 million in all of 2020.

“(Insurance) rates are going up on these lines because the claims have been going up,” Otteson said.

Noles said vendors also can drive up the cost of cybersecurity by pushing new products. Many banks would be better off making sure they are effectively using capabilities of tools they already have purchased, he said.

“What do vendors have to do? They have to sell a new product. They have to sell a new blinky box or a new tool,” Noles said. “So they’re using what I call FUD — fear, uncertainty, and doubt — to get you to spend more money on their products.”

There’s no question cybersecurity costs will continue to rise.

“Probably eight years ago I saw an article of some sort that said ‘bringing IT from the backroom to the board room.’ That sort of stuck with me,” Kurek said. “And what that really means is that cybersecurity should be a strategy to the organization. It’s not just a keep-the-lights-on thing anymore. Cybersecurity is huge. It’s an inherent risk at this point to any company, and it should really be part of your overall company strategy in my opinion.”

If an incident takes place, banks also need to have a solid communication plan for reacting to it, making sure their lawyers, regulators, law enforcement, and customers are informed as promptly as possible.

“They should have a business continuity plan, and they should have an incident response plan, and they should be updating those regularly and they should be testing them regularly,” Kurek said. “And what a better time to test than now.”

Said McShane: “Nothing is more important in security than understanding you’re going to have an incident at some point, and it’s better to be prepared to know what to do when it happens.”

Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

Midwest Bankers Insurance Services is a WBA Gold Associate Member.

Arctic Wolf Networks is a WBA Bronze Associate Member.

Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021, Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associate’s degree in data processing. Over the past two decades, he has also garnered a collection of training courses through vendors and trade schools as well as certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give more processing power and ability to manipulate data to users and as the data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but out at the desktops anywhere in the company.

As data collection and storage abilities improved, securing all of that information became not only more difficult but also more important. Regulations now exist to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our company’s DNA,” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message in appreciation of the last 13 years: “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”

By Kenneth D. Thompson, WBA Board chair, president and CEO of Capitol Bank, Madison

January marks the halfway point of my time as WBA chair and as we transition into a new year, there are undoubtedly new things to look forward to as an industry and as an association.

Our successes in 2021, many of which related to the ongoing uncertainty of the COVID-19 pandemic, taught us all valuable lessons I hope can be brought with us into the new year. From low levels of past-due loans throughout our industry to excess liquidity, it’s safe to say that stepping outside of our routine has resulted in spectacular results.

Looking onward to 2022, I encourage bankers to approach challenges with the same curiosity we have for the past two years. As our industry continues to grow, how will each of us lead the way in making Wisconsin banks efficient, diverse, and robust?

WBA has long known that banks are cornerstones in our communities and as such, should be leaders in embracing societal developments. Technology, for both our customers and employees, has been and should continue to be an aspect that sets our industry apart. In embracing these digital channels, banks have a unique ability to meet the expectations of customers while also supporting them with cybersecurity and best technological practices.

Our ability to advance diversity, equity, and inclusion (DEI) efforts, as well as offer flexibility to employees, has the potential to set our industry apart. This is especially important to consider as we navigate through a competitive hiring and retention landscape.

As we all envision a brighter 2022, it serves us to remember that innovative solutions, such as PPP and advances in online banking, have provided our communities with much-needed assistance in the past. We must not be held back by what we are familiar with. This pandemic has taught us all that some of the most effective answers may not be the ones that have been tried before.

It is essential for banks to approach these situations with caution instead of resistance and as always, WBA remains a valuable resource in education, advocacy, and community involvement for each of us as we look forward to what’s to come in 2022.

This year’s event centers around the theme “Rise”

The Wisconsin Bankers Association is thrilled to announce that the annual Bank Executives Conference will be back in person February 9–11, 2022 at the Kalahari Convention Center in Wisconsin Dells. This is the premier event for bank leaders in the state. The theme of this year’s event will be “Rise.” Wisconsin bankers have risen to the occasion over the course of the pandemic, and this conference will address what it will take to be resilient and relevant in 2022.

Networking

Being back in person opens the door for the kind of networking opportunities that bank leaders have been craving for nearly two years. The conference will kick off with a networking reception on Wednesday evening, but bankers are invited and encouraged to arrive earlier for optional afternoon “banker-only” peer group discussions starting at 2:30 p.m. Peer group discussions are geared toward the roles of CEOs, CFOs, credit and lending, operations, and organizational development. Opportunities to connect with fellow bankers, WBA Associate Members, and WBA staff will be plentiful throughout the conference, with an exhibitor Marketplace providing a dedicated space for making connections.

Executive-Level Education

The WBA Bank Executives Conference brings national experts to Wisconsin, while providing tailored programming specific to the needs of banking leaders in our state. Among the trending topics that will be covered at the conference are:

  • Changes that emerged during the pandemic that are now here to stay
  • Talent recruitment and retention
  • Technology, fintech, and digital transformation
  • Cryptocurrency
  • And more!

New Hybrid Option for 2022

A livestream will allow attendees at the bank to view the keynote sessions on February 10 and 11.

The opening keynote session is titled, “Business as Unusual: How to Future-Proof Your Business in Transformational Times.” In this engaging, provocative, and insightful keynote session, acclaimed global futurist and best-selling author Jack Uldrich will not only discuss how the Coronavirus is transforming the world of tomorrow, he will explain why it is accelerating many of the trends that were already at work prior to the epidemic. History reminds us that great crises produce great change — as well as great opportunities. To take advantage of these extraordinary opportunities, businesses must position themselves now to operate in a world where “business as unusual” is the new “usual.” This session will help leaders at every level of an organization leverage ten “unconventional” techniques to succeed in today’s — and tomorrow’s — transformational times.

Dr. Chris Kuehl, managing director of Armada Corporate Intelligence, will present a keynote session, “2022 – The Real Recovery Year?” That honor was supposed to go to 2021, but we all know what happened over the last several months — inflation, labor shortage, supply chain breakdowns, and the repeated resurgence of the virus. Now we have these lingering issues along with the reactions — higher interest rates, efforts to restore, continued engagement by the government. The bankers have been placed squarely in the middle of all this and expected to do most of the heavy lifting. Does that continue and what can we really expect as far as growth and recovery?

For more details on programming and to view the full agenda, please visit www.wisbank.com/bec.

Banking leaders are eager to rise to the challenges ahead of them, and the conference will provide actionable tools and knowledge attendees can bring back to their banks and communities.

Recognition

The 2021 Banker of the Year will be announced at the conference, recognizing a bank CEO or president (or an individual who has recently retired from these positions) who has made an outstanding effort throughout their career in service to their bank, to their community, and to the banking profession.

The Wisconsin Bankers Foundation Financial Education Innovation Award will be presented at a special luncheon on February 10. This prestigious award recognizes a bank’s unique efforts to enhance the financial capability of consumers in their community, whether it’s a new kind of educational game for students, curriculum developed for adult seminars, or some other new or innovative approach to financial education.

The 50- and 60-Year Clubs recognize bankers who have served in the banking industry for 50 and 60 years, respectively. These awards will be presented during the special luncheon at the conference to honor professionals who have dedicated their careers to the banking industry.

Entertainment

Ope! Charlie Berens, best known to Wisconsinites for his viral video series, “The Manitowoc Minute,” will perform at the Chairman’s Dinner Program on Thursday, February 10.

Comedian, Emmy award-winning journalist, and Wisconsin native Charlie Berens — who rose to fame from his video series, “The Manitowoc Minute” — will provide the entertainment for the Chairman’s Dinner Program on February 10. Attendees can expect lots of laughs from the author of the recently released book, “The Midwest Survival Guide: How We Talk, Love, Work, Drink, and Eat. . . Everything With Ranch.” Berens has been featured on Fox, CBS, Funny or Die, TBS Digital, Variety, MTV News, and more. In 2013, he won an Emmy for “The Cost of Water” while reporting for Texas news station KDAF. “The Manitowoc Minute” series has garnered millions of views and paved the way for a sold-out standup comedy tour. Geez, Louise, this is sure to be a hilarious show you won’t want to miss!

Register

To register for the conference, please visit www.wisbank.com/bec. We look forward to seeing you Wednesday, February 9–Friday, February 11 at the Kalahari Convention Center in Wisconsin Dells!

As bankers seek resources for how best to manage and mitigate risks associated with ransomware and other malicious code, don’t forget about the free resources offered by the Conference of State Bank Supervisors (CSBS) which include a ransomware self-assessment tool and resource guide.

The Ransomware Self-Assessment Tool (R-SAT) has 16 questions designed to help banks reduce the risks of ransomware. The Bankers Electronic Crimes Taskforce (BECTF), State Bank Regulators, and the United States Secret Service developed the tool. It was developed to help banks assess their efforts to mitigate risks associated with ransomware and identify gaps for increasing security. The tool provides executive management and the board of directors with an overview of the bank’s preparedness towards identifying, protecting, detecting, responding, and recovering from a ransomware attack.

The resource guide titled CSBS Executive Leadership of Cybersecurity (ELOC) Resource Guide, or “Cybersecurity 101,” is tailored to furnish executives with the necessary tools to better understand and prepare for the threats faced by their bank. The guide addresses challenges faced by both banks and nonbanks and is intended as an easily digestible, non-technical reference guide to help executives develop a comprehensive, responsive cybersecurity program in line with best practices. As each bank is different, the advice in the guide can be easily customized to meet each bank’s unique threats, priorities, and challenges. While the resource guide does not guarantee prevention, it attempts to identify various resources — people, processes, and tools and technologies — that, when properly leveraged, work to reduce a bank’s cybersecurity risk. 

Ransomware Self-Assessment Tool

The Resource Guide

Best Practices for Banks: Reducing the Risk of Ransomware (Developed by the Bankers Electronic Crimes Task Force)


By Cassandra Krause 

Ransomware attacks, a form of cyberattack that has seen a recent uptick in activity, have been prevalent in recent news — and for good reason. The effects can be detrimental in terms of monetary loss and reputational damage to the victim. Ransomware is a type of malicious software (a.k.a. malware) that usually encrypts a victim’s files, and the bad actors have upped their game to steal the data first, then threaten to also publish the data to the public. Criminals set their sights on businesses with the goal of extorting money, making community banks prime targets.

Organized crime networks are becoming increasingly sophisticated. In general, the risk of getting caught for cybercrimes is much lower than for traditional crimes like robbery, and the financial gains are far higher. Ransomware developers write and sell the software to other bad actors for a cut of the profits when they deploy it and collect ransom payment, usually in the form of cryptocurrency, which is hard to trace. Compromised data may also be used to open fraudulent lines of credit. 

“The U.S. is in a ransomware crisis right now,” said Jeff Otteson, vice president of sales at Midwest Bankers Insurance Services (MBIS), a subsidiary of the Wisconsin Bankers Association. He explained that it has created a hard insurance market with carriers tightening up on internal control requirements such as multifactor authentication (MFA) for privileged users (users with the ability to install software or change security settings on critical systems) and encryption of backups. 

In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020 to 2021. The per-record cost of personally identifiable information averaged $180.

Prevention 

With the incredibly high stakes in mind, banks are dedicating significant resources to preventing malicious cyberactivity, both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year. 

“There is an industry-standard framework for ransomware prevention and all cybersecurity,” explained FIPCO’s Director of InfoSec and Audit Ken Shaurette. FIPCO is also a WBA subsidiary. A good consultant will walk the bank through a comprehensive review of its network security, improving endpoint protection to replace traditional antivirus with endpoint detection solutions, adding authentication improvements such as MFA and improved password strength, and protecting backups. As more and more of the digital tools that bankers use require users to download and install software and updates, depending on signature-based solutions for malware detection is not acceptable — it has become critical to safeguard user, file, network, and device-level activities.

A bad actor gaining access to a bank’s data may encrypt the data and demand payment in exchange for granting access back to the bank. In this situation, having a data backup is essential.  

“The rule of thumb for data backups is 3-2-1,” said FIPCO Information Security and IT Audit Advisor Rob Foxx. “There should be three copies of all data stored on two different mediums. One of the copies should be stored off site.” 
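The 3-2-1 rule quoted above, together with the insurer expectation of encrypted backups mentioned earlier, can be turned into a repeatable inventory check. The following is an added example written for this page, not code from the article, FIPCO or MBIS; the data sets, sites and media in the sample inventory are constructed, and the interpretation that the live production copy counts as one of the three copies is an assumption stated in the code.

```python
# Added example (not from the article or FIPCO/MBIS): audit a constructed
# backup inventory against the 3-2-1 rule, plus the insurer expectation
# that backup copies are encrypted at rest.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BackupCopy:
    dataset: str      # which data set this copy holds
    medium: str       # storage medium/class: "disk", "tape", "object-storage", ...
    site: str         # where the copy physically resides
    primary: bool     # True for the live production copy (assumed to count as one of the three)
    offsite: bool     # True if the copy is held away from the primary site
    encrypted: bool   # True if the copy is encrypted at rest


def audit_321(copies: List[BackupCopy], require_encryption: bool = True) -> Dict[str, List[str]]:
    """Return {dataset: [findings]}; an empty findings list means the dataset is compliant.

    Checks, per dataset:
      3 - at least three copies (the primary counts as one of them)
      2 - copies span at least two different media
      1 - at least one copy is off site
      plus, optionally, every non-primary copy is encrypted at rest.
    """
    by_dataset: Dict[str, List[BackupCopy]] = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report: Dict[str, List[str]] = {}
    for dataset, cs in sorted(by_dataset.items()):
        findings: List[str] = []
        if len(cs) < 3:
            findings.append(f"only {len(cs)} copies (need 3)")
        media = sorted({c.medium for c in cs})
        if len(media) < 2:
            findings.append(f"all copies on a single medium {media} (need 2)")
        if not any(c.offsite for c in cs):
            findings.append("no off-site copy")
        if require_encryption:
            plain = sorted(f"{c.medium}@{c.site}" for c in cs if not c.primary and not c.encrypted)
            if plain:
                findings.append(f"unencrypted backup copies: {plain}")
        report[dataset] = findings
    return report


def compliant_datasets(report: Dict[str, List[str]]) -> List[str]:
    """Names of the data sets with no findings, sorted."""
    return sorted(ds for ds, findings in report.items() if not findings)


# Constructed sample inventory (hypothetical data sets, sites and media).
SAMPLE_INVENTORY = [
    BackupCopy("core-banking-db", "disk", "hq", primary=True, offsite=False, encrypted=False),
    BackupCopy("core-banking-db", "disk", "hq", primary=False, offsite=False, encrypted=True),
    BackupCopy("core-banking-db", "tape", "vault", primary=False, offsite=True, encrypted=True),
    BackupCopy("loan-docs", "disk", "hq", primary=True, offsite=False, encrypted=False),
    BackupCopy("loan-docs", "disk", "hq", primary=False, offsite=False, encrypted=True),
    BackupCopy("email-archive", "disk", "hq", primary=True, offsite=False, encrypted=False),
    BackupCopy("email-archive", "object-storage", "cloud-region-a", primary=False, offsite=True, encrypted=False),
    BackupCopy("email-archive", "tape", "vault", primary=False, offsite=True, encrypted=True),
]

if __name__ == "__main__":
    for ds, findings in audit_321(SAMPLE_INVENTORY).items():
        print(ds, "OK" if not findings else "; ".join(findings))
```

Run against the sample inventory, only `core-banking-db` passes; `loan-docs` fails all three parts of the rule, and `email-archive` meets 3-2-1 but carries an unencrypted off-site copy, which is exactly the gap an insurer questionnaire would ask about. Feeding the function a real inventory export is a matter of building the `BackupCopy` records from it.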

Ransomware prevention is only one part of a complete cybersecurity system. Experts agree that early detection of unusual activity within a system can help keep a minor incident from quickly escalating into a major incident like a ransomware threat. 

“Ransomware isn’t the first attack,” said Sean Goodwin, manager of the I.T. Assurance Group at Wolf & Company, P.C., who recently presented at WBA’s Secur-I.T. Conference. “Ultimately, it’s on I.T. to put controls in place because an employee will inevitably fall for a phishing email. It becomes a question of whether we can catch that quickly.”

Social engineering remains the greatest concern; it’s easier for bad actors to trick an employee rather than break through a firewall. Verizon’s 2021 Data Breach Investigations Report found that almost half of the breaches in the financial services industry involved internal actors committing various types of errors. The report stated that the financial sector frequently faces credential and ransomware attacks from external actors, 96% of which are financially motivated (followed by small percentages of motives of espionage, grudge, fun, and ideology). 

Goodwin emphasized that I.T. must be able to act quickly when there’s an indication that someone is accessing something they don’t normally access. “Prevention is ideal. If we can prevent it, that’s best-case scenario, but if not, early detection becomes critical,” he said. This class of solution, known as endpoint detection and response (EDR), is rapidly becoming a key point of protection against ransomware and other malicious events.

Establishing an incident response program within a bank is an important part of the overall cybersecurity program. 

Preparation 

Creating a culture of cybersecurity awareness throughout the bank is important, so that bank employees are prepared for an incident. Employee training on what to do in the event of an attack should be standard practice. Making security part of the organization’s DNA is a best practice. 

“Every bank needs an incident response plan, and that needs to be approved all the way up through the board. Part of this plan is notification of incidents to the insurance carrier,” said MBIS’s Otteson. 

FIPCO’s Foxx emphasized that the roles and responsibilities in the incident response plan must be clearly defined, and banks should revisit their plan regularly.  

“As the insurance agent, I’m the first call a bank makes when there’s an incident,” said Otteson. “It’s important that banks choose to work with an agency that understands cyber insurance.”  

MBIS insures about 220 banks and has access to a large number of carriers that provide the right coverage for its customers. Otteson recommends reporting all incidents: even a minor incident could result in a claim down the line, and having reported it when it occurred is key to a successful claim. He says to keep in mind that the owner of the data is liable for it whether the incident occurred in house or at a vendor with which the bank shared customer data.

Mitigation 

It’s important to work with the insurance carrier to ensure that all the bases are covered and that the vendors who participate in the response are approved. Not using the cyber insurance carrier’s approved vendors may result in expenses not being covered under the insurance policy. In the event of a ransomware attack, the insurance agent or bank will immediately notify the insurance carrier. Beazley, a carrier partner of MBIS, maintains a 24/7 helpline, which has become common with other carriers as well. Knowing how to report incidents, when to report, and what to expect is key. 

Holidays and weekends are prime times for ransomware attacks: employees who are in a rush to leave may be more likely to click on a bad link, and with employees away from work, it’s easier for the bad actors to get into the network. Even if a problem is detected, it’s more likely that staff who could help put a stop to the attack may be on vacation or unavailable, buying the criminals more time to take over. 

As soon as a cyber liability claim is made, the insurance carrier’s pre-approved vendors come into play.  

“Nobody has the resources in house to effectively manage ransomware attacks,” said Foxx, who has experience working both within a bank and as an external auditor and consultant. The specialization of skills and the number of people needed to perform adequate analysis and remediation are so significant that even large banks will not have all the players they need on staff.

If a bank’s data becomes encrypted and made inaccessible, a vendor such as Tetra Defense would be engaged on forensics. Managed endpoint detection and response vendors such as Cynet can help from detection and prevention to response, including providing digital evidence for a vendor performing forensics. Meanwhile, a vendor such as Coveware would handle ransom negotiations with the criminals. Wolf & Company, P.C.’s Goodwin said that you don’t really know who’s on the other side of the transaction — some criminals may be willing to negotiate and others not. He referred to ransomware as a “niche space in cybersecurity that is now getting more attention.” The criminal organizations involved in these types of attacks in some ways act like a legitimate business in that they rely on their reputation and may even have customer service departments — if they fail, it will hurt their chances of getting more business in the future.  

Typically, in the event of a ransomware attack, a legal firm will handle communications and PR for the bank — putting a statement on the bank’s website, assisting staff with customer phone calls, and determining whom to notify. Getting legal involved early protects all communications and discovery with attorney-client privilege. The requirements for notification vary from state to state, and a bank may have customers in multiple states or even other countries, making the expertise of a legal team invaluable. The language used in communications matters, as the term “breach,” for example, can have different legal implications and potentially create larger issues than terms like “incident,” “situation,” or “event.” Education of staff far in advance using regular testing of the plan is a key factor in mitigating an incident. Inappropriate statements made by employees on social media or even at informal social gatherings can have severe ramifications for the bank. 

Follow Up 

While anyone who experiences a ransomware attack may be eager to breathe a sigh of relief and move on when it is over, it is essential to review the incident and revise the bank’s incident response plan. Assessing what went well and what needs to be improved are critical steps.

Goodwin also warns that victims of ransomware are commonly re-targeted. A Cybereason study found that 80% of organizations that previously paid ransom demands confirmed they were exposed to a second attack. He said that once a company has paid a ransom it is known that (1) you were compromised, (2) you do not have proper backups of your files, and (3) you were willing to pay. 

Summary 

Cyberattacks are the biggest risk to a financial institution — even surpassing the risk of past-due loans. The cost of a ransomware attack can be astronomical, with many factors contributing to the price tag, including vendor fees and staff hours to resolve the issue; the cost to inform customers and offer identity or other protections; the loss of destroyed data; and the down time of the business. All of this, followed by the loss of customers’ trust (and subsequent loss of their business), has the potential to put a community bank out of business.

There are safeguards banks can put in place, including a sound incident response plan, improved monitoring with better endpoint detection and response, cyber liability coverage, and employee education. FIPCO, MBIS, and a wide range of WBA Associate Members are ready to support banks in keeping their data and that of their customers safe.

By Rose Oswald Poels

WBA’s Secur-I.T. and BSA/AML Conference was held this week in Wisconsin Dells, and the event draws renewed attention to one of the top issues that members relay to me: cybersecurity. While this issue has been a concern for years, the risk of cyber-related breaches and attacks has grown exponentially in the past 18 months, with more consumers transacting business digitally than ever before. The risk is also further heightened with more employees, including bank employees, working remotely.

Many bank presidents share their frustration with me that cybersecurity seems to be a cost and reputational risk that no one has enough resources to guard fully against. Unfortunately, it is true that for a bank to have an effective cybersecurity strategy, it will require sufficient resources both in terms of staff and money. Respondents to a 2020 Deloitte survey of financial institutions reported spending about 10.9% of their IT budget on cybersecurity on average, up from 10.1% in 2019. In terms of spending per employee, respondents spent about $2,700 on average per full-time employee (FTE) on cybersecurity in 2020, up from about $2,300 the prior year.

Sending your employees to WBA training events on the topic, like today’s conference, is one way to ensure your team stays current on the most recent trends in cybersecurity and incident response techniques. FIPCO also offers assistance to banks in the area of cybersecurity through the services offered by its Information Security and Audit team. FIPCO provides a consultative approach to the review of a bank’s administrative, technical, and physical controls over the computing environment, including protecting business systems. The FIPCO team provides consultation and advice to help institutions understand the who, what, where, and why of building an information security program to industry accepted practices that will meet today’s as well as future state, local, and federal regulations, and especially to deal with examiner comments. FIPCO can offer both solutions and expertise to help your bank. Finally, Midwest Bankers Insurance Services provides cyber insurance for your bank to help guard against losses. In their 2021 Cost of a Data Breach Report, IBM Security and the Ponemon Institute calculate that the average total cost of a data breach is $4.24 million, a 10% increase from 2020 to 2021. The per-record cost of personally identifiable information averaged $180. If (or more like when in today’s environment) your bank experiences a cyber-related incident, MBIS agents will work side by side with your bank staff and the carrier to work through the proper steps to respond to such incidents.

Cybersecurity will never be an issue that disappears as our world only grows in its reliance on technology. Protecting your bank’s reputation and preserving your customers’ trust are critical to the success of your bank, which means that a cybersecurity breach or more serious incident can be detrimental to these goals. WBA remains an active partner with all of its member banks in helping to ensure your bank and staff are in the best position possible to protect against these threats, as well as respond to them as quickly and efficiently as possible.

According to analyst firm Gartner, extended detection and response (XDR) is a “SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”

You’ll hear plenty of traditional antivirus vendors begin to proclaim themselves as an endpoint detection and response (EDR) or XDR solution, trying to keep up with this more advanced tool space. As they continue to either buy up other vendors with the tool sets (then try to bolt them on to their traditional solution) or simply try to remake themselves in the model of an XDR solution in other ways, their final offering often has limitations. Typically, they’ll cover some but not all of the areas of a complete XDR solution. They will address hosts and files but not network and users, or network and hosts but not files or users. They’ll miss some of that cohesive security operation defined by Gartner.

A recent article from HelpNetSecurity—a popular information security online publication—titled “XDR and MDR: What’s the Difference and Why Does It Matter?” made the following statement in closing: “An XDR solution without adequate human expertise/staffing behind it will only ever be a tool. With a managed services model in play, you’re getting both the comprehensive technology capabilities and the people required to make it work— which is why managed detection and response (MDR) may be the only acronym that your organization needs.”

This statement is very accurate for the less complete XDR offerings that do not include the managed and monitoring components in their solutions. They become like all the security information and event management (SIEM) and log management solutions that have been pushed at you for years: just another tool that no one has the expertise to manage or to leverage for the benefits you bought it for. So, what do you have to do? One option is to buy the “managed services” from these tool vendors, which can make banks dependent on them.

Another option is to research other solutions that are out there. In addition to Cynet, our Infosecurity consulting services suggest reviewing Gartner’s list of EDR solutions and offerings from WBA Associate Members when completing your due diligence. Complete solutions like Cynet360 include the backing of the Cynet CyOps team without needing to pay extra, bolt on more products, or go looking for the 24x7x365 expertise of another managed provider. This doesn’t mean that you can’t still depend on a managed services provider for another layer of monitoring and managing, but are they independent if they also are who you need to be monitoring? There’s nothing wrong with leveraging the additional layer you’ve come to depend on, but at what added cost to get the independence and expertise like that of a CyOps team that is already baked into the Cynet360 solution? You will still need to explain to your auditor and examiners that you’ve learned the tool adequately enough to understand and generate independent reporting of the activities of the managed third party.

At least when you are answering that questionnaire for your cyber insurance coverage, you’ll be able to check off ‘Yes’ on several questions because you implemented a powerful, more advanced endpoint protection solution.

Shaurette is FIPCO Director of InfoSecurity and Audit. Contact him at kshaurette@fipco.com or 608-441-1251.

By Alex Paniagua

Events

Every successful Information Security Program is built on 3 key elements. It requires decision-making risk management processes, clearly documented Information Security Policies, and an effective IT Audit Program. These elements work in conjunction with each other, each feeding the next component information that continually improves the Information Security Program. The IT Risk Assessment process identifies key systems and information and the threats against those systems, and helps management identify which controls are necessary to mitigate risk to an acceptable level. The controls selected in the risk assessment are captured and solidified in the Information Security Policies. These controls are then implemented by the institution to mitigate the actual risks. The IT Audit process comes in to validate that the identified controls are successfully implemented in the institution’s daily operations and to ensure they are adequate to address best practice and regulatory guidelines.

A well-developed IT Audit Program will govern this process and provide the Board of Directors with assurances that the Information Security Program is implemented and working. This session will examine in more detail how the IT Audit Program integrates with the Information Security Program and will discuss the following items:

  • Risk-based Audit Models
  • FFIEC IT Audit Requirements
  • FDIC InTREx Expectations
  • Internal/External Audit Processes
  • 6 Basic Audit Steps
  • Engagement Letters
  • Audit Workpapers
  • Reporting and Exception Tracking

Target Audience: Information security officer, IT manager, risk officer, internal auditor, CIO

Presenter: Ron Jupiter, SBS CyberSecurity, LLC

Registration Option: Live presentation $330

Recording available through December 23, 2023

The FFIEC Cybersecurity Assessment guidance has introduced a new term for our risk management practice: External Dependency Management. We will explore this new term in our guidance and better understand the requirements provided. This new term is a broader description of vendor management, service provider oversight, third party management, and new requirements around customer risk management.

This session will discuss the following topics:

  • Current regulatory Vendor Management landscape
  • Integrating vendor management into the Information Security Program
  • Risk assessing vendors
  • New vendor or product Selection
  • Ongoing vendor management
  • Creating a DYNAMIC vendor management program
  • Leveraging SOC reports for control understanding
  • Integration of customer relationships into risk management process

Target Audience: Information security officer, IT manager, risk officer, internal auditor, and executives looking to understand the risk of vendor relationships

Presenter: John Helland, SBS CyberSecurity, LLC

Registration Option: Live presentation $330

Recording available through February 4, 2023

How would you score if asked to name the top 10 IT frauds? How is fraud defined in this context anyway? Since cybersecurity threats will likely increase, now is the time to learn the biggest dangers and how to mitigate them.

After This Webinar You’ll Be Able To

  • Determine if any of the top 10 IT frauds apply to your institution
  • Define and describe key strategies and controls to prevent, monitor, and mitigate risks associated with cybercrime and payment fraud
  • Use technology to detect fraudsters in a way that causes the least irritation and rejection among users
  • Develop a plan to address fraud trends in digital payments

Webinar Details
Fraud is defined as wrongful or criminal deception intended to result in financial or personal gain. Another description of fraud is deceit, trickery, or breach of confidence perpetrated for profit or to gain some unfair or dishonest advantage. Financial institutions must always remain alert for fraud in all forms. IT-related fraud is a risk area where senior management and directors must deepen their understanding and appreciate the hazards and potential losses. Experts expect cybersecurity risk and risk related to illicit financial activity to remain elevated. Remote workers and expanded use of digital banking products present additional opportunities for illicit activity and IT fraud. Is your institution prepared?

Who Should Attend?
This session is designed for information security officers, senior management, directors, and anyone responsible for securing accountholder information.

Take-Away Toolkit

  • Payment fraud protection best practices
  • Checklist of 10 must-have defensive measures to address the top 10 IT frauds
  • List of FFIEC recommendations to address IT fraud
  • Employee training log
  • Interactive quiz
  • PDF of slides and speaker’s contact info for follow-up questions
  • Attendance certificate provided to self-report CE credits

NOTE: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your agency is prohibited. Print materials may be copied for eligible participants only.

Presenter Bio

John Moeller, CLA

John Moeller is a principal at CLA and their IT and cyber practice leader for financial institutions. For over 30 years, Moeller has served the security and technology needs of financial institutions across the country. His experience includes IT governance and compliance, regulatory guidance, implementation of cybersecurity frameworks, and risk assessments. He is passionate about explaining the why behind recommendations and educating boards and senior management on today’s cybersecurity risks.

Moeller is a frequent speaker on relevant cyber security topics to banking industry groups and associations. He holds several professional certifications, including Certified Information Systems Security Professional, Certified Ethical Hacker, and EC Council – Certified Security Analyst.

Registration Options

  • $245 – Live Webinar Access
  • $245 – OnDemand Access + Digital Download
  • $350 – Both Live & On-Demand Access + Digital Download

According to recent studies, the average user has approximately 100 passwords to remember. As if this isn’t challenging enough, password requirements differ among the myriad applications we use. With so many passwords to remember, coupled with the never-ending list of password requirements, users are partaking in a risky solution — reusing passwords.

Unfortunately, we’ve seen many organizations have their business email accounts compromised through credential reuse. Business Email Compromise (BEC) can lead to not only propagating further BEC attacks, but also a full-blown data breach and network compromise.

What You’ll Learn

  • The Scenario — What Happened?
  • Typical BEC Attack Scenario Walk-Through
  • How BEC Can Turn Into Full Network Compromise
  • What’s in Your Email?
  • Top Controls to Mitigate BEC Risk

Who Should Attend

Information Security Officer, IT Manager, Risk Officer, Internal Auditor, and Executives looking to understand the risk around Social Engineering and how to mitigate people risk.

Instructor Bio
Buzz Hillestad is a VP Information Security Consultant and heads the Incident Response team at SBS CyberSecurity in Madison, South Dakota. SBS is a premier cybersecurity consulting and audit firm dedicated to making a positive impact on the banking and financial services industry. Hillestad has a bachelor’s degree in Computer Information Systems for Business and has performed master’s work in Information Security at the SANS Institute — an internationally recognized source for cybersecurity education. Hillestad has been involved with Information Security practice in Healthcare, Banking, Government, and many other industry verticals since 2004 and has helped over 200 organizations improve their information security processes and programs. Hillestad additionally has numerous security publications in magazines such as 45 Magazine and MED Midwest Medical, and speaks nationally on various cybersecurity topics.

Registration Options

Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts $279

  • Available Upgrades:
    • 12 Months OnDemand Playback + $110
    • 12 Months OnDemand Playback + CD + $140
    • Additional Live Access + $75 per person

BACK AGAIN IN 2022: The 2022 Secur-I.T. Conference is now combined with the annual BSA/AML Conference!

The 2022 WBA Secur-I.T. & BSA/AML Conference will be held on September 20-21 at Glacier Canyon Lodge in Wisconsin Dells. The conference will kick off at 8:30 a.m. on Tuesday and adjourn at Noon on Wednesday.

This annual meeting brings together BSA/AML, Operations, Security and Technology banking professionals from all around the state of Wisconsin for education and networking. Attendees will benefit from over 7 hours of presentations from nationally recognized speakers and local professionals; network with more than 125 banking peers; and meet several exhibitors who offer products and services geared to better your bank’s customer experiences, BSA/AML program, security, and technology. You won’t want to miss this great event!

Registration Information

Banker Registration:

The registration fee of $350/attendee includes conference materials, Tuesday refreshments, lunch and reception; and Wednesday breakfast and refreshments. If your bank brings multiple attendees, each person after the first registrant is $300/attendee.

To receive the published discount, you must register everyone at the same time.

Associate Member Registration: 

The registration fee of $450/attendee includes conference materials, Tuesday refreshments, lunch and reception; and Wednesday breakfast and refreshments.

Refund Policy: A refund, less a $25 administrative fee, is provided for cancellations requested on or before Thursday, September 15, 2022.

Exhibitor Registration:

Exhibit Booths are available for $650 for Associate Members and $1,150 for non-Associate Members. Exhibit booth registrations include one attendee. Additional booth attendees can be registered for $250/attendee. Visit the Information for Exhibitors/Sponsors tab for more information.

From researching address discrepancies to identifying suspicious activity, there’s more to your credit reporting compliance program than just late payment disputes. Is your ID theft program up to date and ready to face today’s challenges?

After This Webinar You’ll be Able To:

  • Understand today’s threats from cyber security to synthetic ID theft
  • Appreciate the elements of a successful ID theft red flags program
  • Assess technological tools – from BSA software to AI
  • Create effective training solutions – from tellers to board chairs
  • Apply examination guidance
  • Update your red flags

Webinar Details

When was the last time your ID theft red flags program was fully assessed? One thing COVID exposed is continuing vulnerability to identity theft and cybersecurity threats. Identity theft continues as one of the top threats to consumers who look to their financial institutions to keep them safe in a dangerous industry.

The regulations identify numerous examples of identity theft warning signs and require every institution to have a written identity theft prevention program. But bad actors continue to evolve and so do their ID theft techniques. It has never been more important to ensure your security program is keeping up with today’s challenges. Join veteran financial services attorney and Certified Fraud Examiner David Reed to gain practical tips and technical guidance to strengthen your ID theft red flags program.

Who Should Attend?

Take-Away Toolkit

  • Updated list of ID theft red flags
  • ID theft program review checklist
  • Employee training log
  • Interactive quiz
  • PDF of slides and speaker’s contact info for follow-up questions
  • Attendance certificate provided to self-report CE credits

Note: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your institution is prohibited. Print materials may be copied for eligible participants only.

Presenter
David A. Reed, JD – Reed & Jolly, PLLC

Attorney, author, consultant, and nationally recognized trainer, David Reed is a partner in the law firm of Reed & Jolly, PLLC. He provides guidance to financial institutions on establishment and revision of policies and procedures, organizational compliance, collections, security, contractual agreements, regulatory matters, and corporate governance. His engaging speaking style has made him a nationwide lecturer on regulatory compliance, consumer lending, bankruptcy, and collections.

A former trial attorney and vice president and general counsel of a large regional financial institution, Reed is also a Certified Fraud Examiner. He is particularly known as an expert in the areas of operations, bankruptcy, and collections. He has trained state and federal examination staff on numerous issues, including BSA, ID theft red flags, SAFE Act, third-party contract management, and bankruptcy.

Registration Options

  • $245 – Live Webinar Access
  • $245 – OnDemand Access + Digital Download
  • $350 – Both Live & On-Demand Access + Digital Download

Fraud can (and does) lurk around every corner — and electronic payments are no exception. Since the legalities, liabilities, and recovery options vary depending on the situation, your team needs a firm understanding of the rules and ways to mitigate losses. This detailed common-sense webinar is just the ticket.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:

  • Distinguish between the liabilities of the ODFI and RDFI for ACH payment fraud
  • Explain your institution’s responsibilities when acting as the ODFI versus the RDFI
  • Define the return deadlines for consumer accounts and corporate accounts under the Nacha rules regarding ACH fraud
  • Understand how to bring a breach of warranty claim against the ODFI after the return deadlines
  • Identify when Reg E conflicts with the Nacha rules and when your institution must reimburse consumer accounts for ACH fraud
  • Discover ways to encourage the RDFI to return funds to your institution after the ACH fraud is identified

WEBINAR DETAILS

The tremendous increase in electronic payment fraud has caused staggering losses to financial institutions. Your institution’s liability for electronic payment fraud will vary depending on the type of fraud, how it occurred, and whether it was a consumer or commercial account.

The varying legalities are mindboggling. UCC Article 4A permits financial institutions to shift liability to commercial accountholders in certain situations, while Regulation E provides much more protection to consumers. The Nacha rules make the originating depository financial institution (ODFI) ultimately liable for an unauthorized ACH, but it is difficult to get the ODFI to pay after the return deadlines. In all situations, however, the law requires financial institutions to use commercially reasonable security procedures.

This webinar will explain which party is liable for the various types of electronic payment fraud and what can be done to protect your institution from liability in both commercial and consumer situations.

WHO SHOULD ATTEND?

This informative session will benefit all personnel involved on the deposit side, including deposit operations staff and officers, tellers, service representatives, compliance officers, auditors, attorneys, and managers.

TAKE-AWAY TOOLKIT

  • Nacha’s Warranty Claims Tool (to help determine whether your institution will be able to recover funds from the ODFI)
  • Nacha’s Indemnification Agreement (to assist with requesting the return of funds from the RDFI)
  • Employee training log
  • Interactive quiz
  • PDF of slides and speaker’s contact info for follow-up questions
  • Attendance certificate provided to self-report CE credits

Note: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your agency is prohibited. Print materials may be copied for eligible participants only.

MEET THE PRESENTER

Elizabeth Fast JD, CPA – Spencer Fane LLP

Elizabeth Fast is a partner with Spencer Fane Britt & Browne LLP where she specializes in the representation of financial institutions. Fast is the head of the firm’s training division. She received her law degree from the University of Kansas and her undergraduate degree from Pittsburg State University. In addition, she has a master of business administration degree and she is a Certified Public Accountant. Before joining Spencer Fane, she was General Counsel, Senior Vice President, and Corporate Secretary of a $9 billion bank with more than 130 branches, where she managed all legal, regulatory, and compliance functions.

REGISTRATION OPTIONS

  • $245 – Live Webinar Access
  • $245 – OnDemand Access + Digital Download
  • $350 – Both Live & On-Demand Access + Digital Download

It seems like fraudsters are always one step ahead. The battle against sophisticated social engineering attacks continues. Are you keeping up? Join us to learn the latest schemes and defenses.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
• Identify social engineering exploits that may be successful at your institution
• Understand how attackers are using multiple forms of social engineering to gather information throughout your institution
• Detect suspicious calls that may have been overlooked
• Determine areas that may be susceptible to onsite social engineering exploits
• Take steps to protect against complex threats

WEBINAR DETAILS
The previous year saw social engineering attacks increase in both volume and sophistication. The perpetrators of social engineering (SE) attacks are smart, motivated, and persistent. Phishing emails are by far the predominant SE security breach, but the last year also saw deepfakes (a type of artificial intelligence) being used to create convincing images, audio, and video hoaxes. By using artificial, enhanced voice simulation, fraudsters stole $35 million from a bank in the United Arab Emirates. COVID-19 has forced many institutions to close lobbies for extended periods of time and this has contributed to an uptick in successful onsite SE exploits. A combination of multiple types of SE attacks spread over time has contributed to an increase in SE-related losses. Join this insightful webinar to learn how to confront these threats.

WHO SHOULD ATTEND?
This session is designed for chief information security officers, senior management, call center personnel, operations staff, and anyone responsible for securing accountholder information.

TAKE-AWAY TOOLKIT
• List of the most common social engineering test failures
• Checklist of defensive measures to limit social-engineering attack effectiveness
• Questions to ask your IT auditor to scope effective social engineering testing
• PDF of slides and speaker’s contact info for follow-up questions
• Attendance certificate provided to self-report CE credits
• Employee training log
• Interactive quiz

NOTE: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your agency is prohibited. Print materials may be copied for eligible participants only.

MEET THE PRESENTER — John Moeller, CLA
John Moeller is a principal at CLA in the IT & Cyber Security Services Group. For over 30 years, Moeller has served the technology needs of financial institutions across the country. His experience includes strategic technology planning, technology and vulnerability/risk assessments, controls reviews, information security and business continuity program development, and board of director training.

Moeller is a frequent speaker on information security, IT assessments and strategy, CIO outsourcing, and managed IT services. He holds several professional certifications, including Certified Information Systems Security Professional, Certified Ethical Hacker, and EC Council – Certified Security Analyst. He received a bachelor’s in Information Technology from Capella University.

REGISTRATION OPTIONS

  • $245 – Live Webinar Access
  • $245 – OnDemand Access + Digital Download
  • $320 – Both Live & On-Demand Access + Digital Download

When it comes to a security event or breach, it isn’t a matter of “if” but “when.” No one is immune, and no one is 100% secure. Any breach, regardless of type or size, can be potentially devastating and the catalyst for further breaches that continue to emerge and intensify. 2021 is said to have been a breakout year for ransomware as the cybersecurity attack vector of choice, affecting all industries and even single individuals. We now have Ransomware as a Service (RaaS), a pay-for-use malware model. The third quarter of 2021 saw an unprecedented surge of unique phishing websites – an increase of over 400 thousand. And if all that isn’t enough, business email compromise (BEC), another damaging form of cybercrime, has exploded on the scene. The outcome of an attack can result in huge financial losses, but that isn’t the only concern: what about reputation risk?

Financial institutions are particularly vulnerable by the very nature of the business. You have information that thieves want, information they can parlay into cold hard cash, if not the cash itself. Your incident response plan should provide confidence that you have the right personnel and procedures in place to deal effectively and in a timely manner with a security breach. And if that isn’t enough, the financial services industry is mandated to implement security controls and a framework for identifying potential risks, monitoring for and detecting unauthorized access, mitigating the outcome, effectively responding to the event, and notifying customers, law enforcement, and regulators when it does happen. Be sure that examiners will be looking at your Plan.

The incident response plan shouldn’t be just a checklist. You need well-thought-out, detailed procedures and response steps that have been practiced and tested to ensure you are as prepared as you can be when a security breach happens.

Covered Topics

  • Is there a regulatory requirement for having a plan?
  • What guidance, alerts, bulletins are there surrounding incident response?
  • Roles and responsibilities: who is responsible?
  • What type of things would represent a breach or event?
  • What are the key elements of a Plan?
  • Do we really need a Plan if we outsource IT?
  • We have a disaster recovery plan, isn’t that the same thing?

Who Should Attend?

Senior management, Audit, Compliance, Risk Management, IT Committee, IT Officers, Information/Cyber Security Officers, Operations Officers, anyone interested in developing the IRP.

Presenter

Susan Orr is a leading financial services expert with vast regulatory, risk management, and security best practice knowledge and expertise.

As an auditor and consultant, Orr is dedicated to assisting financial institutions in implementing appropriate policies and controls to protect confidential information and comply with regulatory mandates and best practices. Her expertise as an auditor and former examiner provides her the knowledge and expertise to conduct comprehensive IT general control and data security reviews and assist de novo institutions in the vendor selection process, preparing policies and procedures, and instituting controls. She also consults for numerous security providers and vendors helping them align products and services to meet institution regulatory mandates. Susan is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified Risk Professional (CRP).

Registration Options

  • Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts – $279
  • Available Upgrades:
    • 12 Months OnDemand Playback + $110
    • 12 Months OnDemand Playback + CD + $140
    • Additional Live Access + $75 per person

What do 36 hours, May 1, 2022, and computer security have in common? They are all elements of the new reporting requirement for cyber security and ransomware incidents. Will you be ready for the May 1 deadline?

AFTER THIS WEBINAR YOU’LL BE ABLE TO:

  • Implement appropriate practices to discover computer-security occurrences and determine whether they rise to the level of a notification incident
  • Identify critical timing requirements
  • Explain when notification is required to a primary federal regulator and to the banking organization
  • Assess if contractual notification provisions are consistent and compliant with the new law
  • Define a computer-security incident
  • Meet the 36-hour notification requirement after a notification incident

WEBINAR DETAILS
Computer-security incidents targeting the financial services industry have increased in frequency and severity in recent years. In an effort to promote early awareness of emerging threats, banking organizations and bank service providers are now required to comply with mandatory reporting requirements effective May 1, 2022. Proper identification of a triggering incident and timely reporting are critical actions imposed by this final rule.

The reporting requirements expand beyond a cyberattack and include additional types of non-malicious failure of hardware and software, such as a widespread user outage for customers and bank employees. It’s critical that your financial institution understands the various types of incidents that may trigger the notification requirements and develops the appropriate policies and procedures to fulfill the new requirements of this recently issued mandatory rule. Don’t let the 36-hour clock expire without meeting the notification requirement. Join us to learn the details of the final rule and receive recommendations on policies and procedures to assist with mandatory compliance reporting requirements.

Attendance certificate provided to self-report CE credits.

WHO SHOULD ATTEND?
This informative session would best suit compliance officers, information security officers, senior management, business continuity officers, and those responsible for oversight of critical third-party servicers.

TAKE-AWAY TOOLKIT

  • Checklist to aid in making required notification decisions
  • Required notification record
  • Fact sheet explaining the critical components of the final rule
  • Employee training log
  • Interactive quiz

PRESENTER – Molly Stull, Brode Consulting Services, Inc.
Molly Stull began her career as a teller while working on her undergraduate degree and has continued working in the financial industry ever since. She has experienced the growth of a hometown bank, branch mergers, charter changes, name changes, etc. Stull has activated business resumption plans, performed secondary market quality control reviews, processed wires, filed SARs, and coordinated reviews with external auditors and examiners. Her favorite role has always been educating staff, and she strongly believes that if staff understand the reason for a process they will be more compelled to follow the procedures. Stull holds a bachelor’s from the University of Akron and an MBA from Ashland University.

REGISTRATION OPTIONS

  • $245 Live Webinar Access
  • $245 On-Demand Access + Digital Download
  • $320 Both Live & On-Demand Access + Digital Download