
Tag Archive for: Cybersecurity

Posts

News, Resources

Embracing a Culture of Cybersecurity

All staff needed to help mitigate risk

By Hannah Flanders

Cyberattacks are ranked as one of the top threats to banks across the country. As these threats continue to become increasingly sophisticated and prevalent throughout our communities, bankers are looking to mitigate the risk for the safety of both their institution and all customers served. As such, administrators — including members of the human resources (HR) department — have been tapped to take on a new role alongside the information technology (IT) department to protect the bank from falling victim.

Prioritizing Cybersecurity

According to Proofpoint’s State of the Phish survey, approximately 79% of U.S. organizations reported at least one successful phishing attack in 2021. As cybercrime continues to rise — costing over $1 trillion a year worldwide, as highlighted in a report by McAfee Center for Strategic and International Studies — it is critical for the success of banks across the country that they establish a culture of cybersecurity.

In the American Bankers Association’s (ABA) Banking Risk and Compliance Management Outlook for 2023, surveyed bankers identified cybersecurity and IT risk to be, overwhelmingly, the top risk priority for the 18 months ahead. The use of online banking and digital payments is skyrocketing, and employee negligence is cited as one of the top reasons banks are put at risk: Proofpoint’s survey highlights that around 27% of employees believe that their organization/IT department will take care of any mistakes. However, as the cost of cybercrime grows for impacted organizations each year, finding ways to educate both consumers and employees about the cyber risks they face will not only help protect information from being compromised, but save banks from contributing to the astounding losses reported by financial institutions each year.

The Federal Bureau of Investigation’s (FBI) Internet Crime Report highlights that in 2021, Wisconsin totaled over $51,800,000 in victim losses. By taking proactive steps in both their cybersecurity protocols and training, banks throughout the state will have the opportunity to save the organization, and their customers, from substantial loss.

While banks make strides to incorporate risk mitigation — such as integrating multifactor authentication (MFA), a bare minimum in preventing bad actors from gaining access to accounts with greater privileges, and following regularly updated guidance from the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) — into their procedures, those seeking to optimize their efforts are looking beyond their IT staff for assistance.

Team Effort

Establishing a culture that embraces cybersecurity begins from the top and requires uniting members throughout various departments. According to Marsh McLennan, a leading professional services firm in risk, strategy, and people, “a robust cybersecurity culture starts from the top of the organization and involves continuous communication and training for leaders across all key functions.” The firm highlights that, as of 2019, nearly 90% of all organizations only included InfoSec/IT, C-suite, risk management, legal, and finance professionals in the management of cyber risk.

“Cyber defense is a team endeavor, not just an IT or a management one,” emphasizes Rob Foxx, director – InfoSec and IT audit services at FIPCO. “Threats apply to all parts of an enterprise, as should defense.”

The Cybersecurity and Infrastructure Security Agency (CISA) highlights that HR professionals play an integral role in detecting, deterring, and mitigating threats by screening candidates prior to employment, managing secure information, and regularly communicating policies.

When HR professionals have a seat at the cyber risk management table, banks not only gain a risk-conscious ally, but also ensure that HR professionals throughout their organization have a strong understanding of the cyber risk policy they utilize in their own day-to-day operations. Additionally, ensuring that the HR team is abreast of the latest cyber risks and mitigation procedures is critical so that said information can be communicated with all staff members.

Playing a Part in Protection

As the U.S. financial sector continues to prioritize cybersecurity — regularly spending up to $3,000 per employee on ongoing cybersecurity education, according to the McAfee report — ensuring that every employee is making the most of their training, testing, or coaching and remains vigilant against all threats to the organization is critical for the safety and security of the institution and its customers.

  • The Employee Lifecycle

Of course, HR plays a substantial role in the onboarding and offboarding process to evaluate the quality of incoming employees and ensure that all former staff are no longer granted access to confidential company data upon their departure. Furthermore, given the close ties to all staff members, HR can play an important role in clarifying policy, providing resources, and working behind the scenes to recognize and anticipate the potential information security issues, highlights the Society for Human Resource Management (SHRM).

  • Training

Although cyberattacks continue to cause headaches for businesses across the country, only 64% utilize organization-wide training, according to Proofpoint’s 2022 survey. Training, which is usually administered by the IT department or virtually, has the potential to be strengthened by HR’s involvement. In taking a human-centric approach that emphasizes how all staff members — administrative through executive leadership — play a role in the security of the institution, employee morale is heightened.

Additionally, HR can emphasize and enforce the importance of practicing good cyber habits and encouraging training from the start because of the department’s close connection to all bank staff. HR staff will also notice if staff don’t attend training, regularly fail simulated tests, or display non-compliance with cyber protocols. From there, action can be elevated beyond coaching from IT staff or managers.

“A significant amount of malware is file-less and exists only in the active memory of a computer,” highlights Foxx. “While the next generation of antivirus has the ability to detect more activity than older versions, file-less attacks are just the beginning, and these tools can now detect abnormal user, host, and network activity. Ensuring your team is on the same page is a critical component in mitigating these attacks.”

  • Coordinating Cybersecurity Requirements

In partnership with the IT department, HR should ensure that there are well-documented policies, standards, and best practices for not only averting attacks or breaches, but also for reporting attempted or successful cybercrimes. Throughout their day-to-day tasks, HR professionals are expected to adhere to the organization’s procedures and guidelines as well as communicate this information with staff. Understanding the various protocols, exploits, tools, and resources fraudsters utilize can help members of HR in assisting their staff to build confidence in mitigating a cyber risk. At the very least, Foxx adds, bankers should adhere to cyber security frameworks such as the NIST Cybersecurity Framework or ISO 27001 certifications, which assist organizations in gaining direction and highlighting areas of need.

As more aspects of our daily lives digitalize, and cybercrime and attacks become a regular and unfortunate normality across the banking industry, the need to secure sensitive data has become a widespread effort. It is critical that leaders look throughout their staff for unique perspectives and opportunities to educate. Establishing a culture of cybersecurity could be the difference between a secure and a compromised institution.

Ready to take your cybersecurity to the next step? Visit fipco.com/solutions/it-audit-security to ensure your bank is secure!

FIPCO is a WBA subsidiary and Gold Associate Member.

March 16, 2023/by Hannah Flanders
Community, News, Resources

Identifying and Averting “Festive Fraud”

Bankers emphasize security measures this holiday season

By Rob Foxx, CCBTO

What should be a time of joy and celebration for all can quickly turn into a time of stress and panic. Scams come in many forms — from seemingly innocent to incredibly sophisticated. Knowing these scams and how they work will not only help you defend yourself and your loved ones but assist you in identifying threats to your customers this holiday season.

As technology continues to advance, so too do the number and intricacy of scams we encounter. During the holiday season, consumers are more likely to see a rise in “festive fraud” — or a spike in fraudulent activity associated with holiday shopping.

While porch pirating schemes and fake gift card offers rise during this time of year, bankers should be aware of bad actors attempting to put individuals, businesses, and financial institutions at risk.

Keeping Your Bank Secure

Cybercrime continues to be one of the greatest threats and most expensive forms of fraud to banks across the country. Unfortunately, common schemes can range from phishing or ransomware attacks to identity theft, and they are often disguised as seemingly innocent links or exciting holiday discounts.

Like consumers, banks too face a heightened risk for fraudulent activity at the end of each year. As the holidays quickly approach, bankers should beware that fraudsters not only take advantage of the generosity of the season, but target businesses and offices that may be understaffed. It is critical that individuals remain attentive and leery of unexpected solicitations.

Skepticism is often the first line of defense against bad actors and now’s a great time to ensure every member of your team is prepared for potential threats and that they know how to mitigate the risk. IT professionals and bank leaders should assist all staff members in understanding the various cybercrimes, what they may look like, and how they can impact the bank and its customers.

Make certain that your staff has secure passwords, is using multifactor authentication (MFA), is leery of unknown websites or email addresses, and knows how to report an incident.

In addition, banks should take a moment this holiday season to verify that the organization’s detection methods are properly operating and, in the event of a cyberattack, have a clear response plan. Cyberattacks are most often the result of technological vulnerabilities and human error — make sure your bank is prepared to mitigate this potential risk.

Identifying Consumer Fraud

As fraudulent activity becomes increasingly more difficult to identify, bankers have taken on an important role in educating their customers of, and protecting them from, various schemes.

This holiday season, bankers should advise their customers to be leery of “too good to be true” deals, gift cards from unreputable sellers, urgent or unexpected requests, and fake charities. Consumers and bankers alike should never give out personal information without verifying the legitimacy of the website or person requesting said details.

If a customer reports a fraudulent scam, bankers should not only ensure the individual impacted reports the incident to the local law enforcement, Federal Bureau of Investigation (FBI), and Federal Trade Commission (FTC), but remind them that falling victim to the increasing number of sophisticated fraudsters consumers encounter each day is nothing to be ashamed about.

Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.

December 9, 2022/by Hannah Flanders
Community, Education, News

Passwords: Ensuring Secure Data

How you can be your own best first line of defense against hackers

By Rob Foxx, CCBTO

Depending on how old you are, you will have a different perspective on passwords. The more seasoned professionals would have come in at a time when a minimum of six characters, with no capital letters, numbers, or symbols, was commonplace practice. In comparison, passwords today usually consist of eight characters — at least one being upper case — a number, and a symbol.

With a good computer and access to a vulnerable system, even now those passwords could be cracked by a common tool to brute force into the system in less than six hours. While our technology continues to evolve, unfortunately, so too do the bad actors and threats to our data security.

Digital Security Threats

While some threats are technology based, a consistent number of threats to our passwords are not. Saving a password to a browser is an invitation for trouble. Once you walk away from an unlocked computer, it would not take much effort to log in or even change your credential without your knowledge. There are many tools that can copy these passwords quickly and with very little expertise.

Additionally, reusing passwords or only slightly changing them is a direct invitation to bad actors. If your password was compromised on a common website and associated with your email, someone has that information, and there is a good chance they are going to try it elsewhere. For example, changing a password from Carl!123 to Carl@123 is also risky, as a list of passwords associated with users’ names fed into a computer could guess this in seconds rather than hours.

Many people write their passwords down and tape them to a monitor. The inside of a desk drawer, or under the keyboard or mousepad, is not a much safer hiding spot.

As many of us are aware, sharing passwords is a bad idea from an accountability point of view. Once someone else has it, you can no longer secure it from being written down or re-shared.

Be aware of whether your passwords or accounts have been breached in the past. The website haveibeenpwned.com is a staple for those in the information security field. It allows you to check whether both passwords and email accounts have been used or discovered in past breaches.

Additional Protective Steps

Like many threats, the best answer is in the hands of the people most at risk. With a little education and a few resources, you could be on your way to making yourself an unappealing target.

  • Multi-Factor Authentication

Multi-Factor Authentication (MFA) is the latest and greatest in terms of locking an account if available. It requires a token or application on your phone to give a random code that matches up to a login service. Using MFA makes unauthorized access very difficult.

  • “Real” Passwords

The NIST (National Institute of Standards and Technology) in their 800-63 publication points out that complexity does not matter to a computer. It only makes it harder for users to remember. Password length makes it exponentially more difficult for a computer to guess or break a password that has not been breached. A 15-character password with all lowercase letters would take a computer an estimated 12 million years to breach. Passwords can be as simple as three unrelated words or based on items found on your desk — coffeelampmouse is a good example. The internet is filled with random password generators, but they are only of limited use as the passwords they generate are impossible to remember.

  • Password Vaults

Password vaults are very reliable and inexpensive or free. They can make and save passwords for you requiring a single password to access all your other passwords. Additionally, they can generate passwords for you. This removes the requirement to come up with something new every time you make a password. Some vaults are cloud based, and for those who are looking for a business version or an entirely offline vault, these are also available.
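The reuse warning and the length-over-complexity guidance above, written out as a password screening check. This is an added example, not code from the article or from FIPCO; the 15-character minimum (borrowed from the article's 15-character example), the breach list, and the locally built "SUFFIX:COUNT" response in the style of a hash-range breach lookup are assumptions constructed for illustration.

```python
import hashlib
import math

MIN_LENGTH = 15  # assumption: borrowed from the article's 15-character example

# Constructed breach data (password -> times seen); not real breach records.
CONSTRUCTED_BREACHED = {"Carl!123": 12, "password1": 1000}


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of brute-force search space for a random string of this shape."""
    return length * math.log2(alphabet_size)


def skeleton(password: str) -> str:
    """Letters only, lower-cased: what survives a Carl!123 -> Carl@123 tweak."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str) -> bool:
    """True when the new password is the old one with only small edits."""
    if skeleton(old) and skeleton(old) == skeleton(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= 2


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_prefix(password: str) -> str:
    """In a hash-range lookup only these 5 hash characters leave the machine."""
    return sha1_hex(password)[:5]


def build_constructed_range(breached: dict, prefix: str) -> str:
    """Constructed stand-in for a range response: one SUFFIX:COUNT per line."""
    lines = []
    for password, count in breached.items():
        digest = sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def pwned_count(password: str, range_body: str) -> int:
    """Match the local hash suffix against the returned range, client side."""
    suffix = sha1_hex(password)[5:]
    for line in range_body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def screen_password(candidate: str, previous: list, breached: dict) -> list:
    """Return the reasons a candidate password should be rejected."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if any(is_minor_variation(old, candidate) for old in previous):
        problems.append("minor variation of a previous password")
    body = build_constructed_range(breached, range_prefix(candidate))
    if pwned_count(candidate, body) > 0:
        problems.append("found in breach data")
    return problems


if __name__ == "__main__":
    print(round(guess_space_bits(8, 94), 1), "bits: 8 chars, full keyboard")
    print(round(guess_space_bits(15, 26), 1), "bits: 15 chars, lowercase only")
    print(screen_password("Carl@123", ["Carl!123"], CONSTRUCTED_BREACHED))
    print(screen_password("coffeelampmouse", ["Carl!123"], CONSTRUCTED_BREACHED))
```

The bit counts describe randomly chosen characters, so they are an upper bound for a passphrase built from dictionary words.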

Armed with the knowledge of the problem and the tools presented you can use them to be your own best first line of defense against people trying to take over your digital life. You would not choose a lawyer, doctor, or bank officer who barely meets minimum requirements to do something important, so do not skimp on the passwords that secure your data with a minimum requirement either. If you have questions, feel free to ask your local IT or information security professional — they are generally very happy to help people safeguard themselves, as it makes their lives easier as well!

Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.

November 11, 2022/by Hannah Flanders
Compliance, News, Resources

The New Face of Identity Theft

The rapid growth of synthetic identity fraud

By Hannah Flanders

Like many aspects of our day-to-day lives, the expansion of technology has both enhanced and complicated the ways in which we operate. As more and more of our information lives online, identity theft — once more likely to occur because of a stolen wallet — has also assumed a digital appearance: synthetic identity theft.

What is Synthetic Identity Fraud?

Synthetic identity fraud is defined as the use of a combination of pieces of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.

This form of identity theft has allowed bad actors to combine a stolen Social Security Number (SSN) and other false information — such as a fake name, address, date of birth, or phone number — to create a counterfeit identity to steal funds, escape prosecution, or any other number of criminal and fraudulent activities.

An Alarming Trend

In 2020, the Federal Bureau of Investigation (FBI) named synthetic identity theft as the fastest growing financial crime in the United States. Fraud targets are often those who do not typically use credit or are less likely to monitor their credit activity — including children, homeless individuals, and the elderly. These victims may find themselves blindsided as fraudsters create a new identity, apply for credit, and after years of building good credit by making payments for a time, abandon the account without paying anything back to the financial institution.

While this type of fraud is already difficult to detect due to its elusive or “normal” nature, many bad actors go to incredible lengths to appear as such, states Forbes. In addition to establishing good credit by making payments quickly and on time, some create digital profiles or use P.O. boxes for addresses.

Not only has technology and access to the dark web made PII more accessible to fraudsters, in 2011 the Social Security Administration (SSA) began randomizing the nine-digit social security codes rather than assigning them to individuals based on their geographical location and group number. No longer do social security numbers raise red flags when enrolling or opening accounts “out of state.”

As online banking grows in popularity, so too do concerns for synthetic identity theft. Between prevalent phishing schemes and heightened risks for data breaches, accessing PII and conducting synthetic identity fraud has become much easier than in years prior.

How to be Proactive Against Bad Actors

Inconsistent categorization and reporting make it difficult to identify and mitigate this type of fraud — as far as banks and credit bureaus can tell, these individuals are just like anyone else. . . until they “bust out” or abandon the maxed-out account with no intention of repayment.

After abandoning the false identity’s account, a fragmented file is created. This additional file not only becomes associated with the original SSN but also holds the additional credit report information and other fabricated PII. Unfortunately, this information could negatively impact the credit rating of the real individual.

When working with customers, bankers should advise frequent credit report checks or freezing unused credit at credit bureaus throughout the U.S. so as to deter criminals or catch them early.

In addition, customers may take additional steps to protect themselves and their family against synthetic identity theft. One way parents can protect their children from fraudsters is by requesting their child be added to their credit profile. By adding a child to an adult’s credit profile, not only does the child’s own credit profile become established in his or her name and SSN, but the child is also able to begin building their credit.

The Cost of Synthetic Fraud

While victims of identity theft typically are not liable for fraudulent purchases or accounts, as long as they can prove they are the real SSN holder and not the thief, banks and other financial institutions are left to absorb the cost. This scheme is not only incredibly costly to banks across the country — with losses estimated at $20 billion in 2020, according to the Federal Reserve Bank of Boston — but gaps in the U.S. Fair Credit Reporting Act may have also increased the likelihood of repeat offenders.

The Federal Reserve has reported that bad actors are able to ‘flood the financial institution with an overwhelming number of claims’ on their fake accounts, and when creditors are unable to fulfill the investigation in the allotted timeframes, the disputed item is removed from the false credit report and time and time again, fraudsters get away with the act.

“Synthetic IDs are a struggle for community banks to identify,” states Lenore Breit, vice president – compliance manager at Wausau’s Prevail Bank. “Based on a recent presentation, [community banks] most likely have synthetic ID fraud in their deposit and loan accounts that remains undetected with traditional third-party ID verification programs that most community banks use.”

“There are other, more robust ID verification programs available to detect synthetic ID fraud,” adds Breit. “But they are costly and may not interface with legacy software.”

One such software program, the electronic Consent Based SSN Verification service, was created in part by the Economic Growth, Regulatory Relief, and Consumer Protection Act. The electronic service offered by the SSA was created in 2018 to aid financial institutions in combating synthetic identity fraud and verify an authorizing individual’s name, date of birth, and SSN against the SSA records. Services are based on the annual transaction volume and can cost thousands or even millions of dollars.

Common Signs of Synthetic Identification Theft

While difficult to trace, there are a few significant ways bankers can remain attentive to PII and other key indicators of synthetic identity fraud.

Most obvious is ensuring all SSNs match to the PII given. Do not assume a name change or relocation; ask questions or require verification for the sake of your bank and the security and privacy of all customers. This extra step could make all the difference in protecting the personal information of every customer.

If an account is already open, bankers should note applicants who have the same contact information or SSN as well as those with multiple authorized users.
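The signs listed above (an SSN that does not match the PII given, contact details shared across applicants, and multiple authorized users) can be turned into a review queue over existing account records. This is an added example, not a WBA or vendor tool; the record fields, the threshold of three authorized users and the sample accounts are assumptions constructed for illustration, and the SSNs use the never-issued 000 area number.

```python
import re
from collections import defaultdict

MAX_AUTHORIZED_USERS = 3  # assumption: review threshold, tune per institution

# Constructed sample records; field names are hypothetical.
ACCOUNTS = [
    {"id": "A1", "name": "Jane Doe", "dob": "1980-02-01", "ssn": "000-00-0001",
     "phone": "555-0100", "address": "12 Main St", "authorized_users": 0},
    {"id": "A2", "name": "John Roe", "dob": "1975-07-09", "ssn": "000-00-0001",
     "phone": "555-0101", "address": "PO Box 44", "authorized_users": 0},
    {"id": "A3", "name": "Mary Major", "dob": "1990-03-03", "ssn": "000-00-0002",
     "phone": "555-0102", "address": "P.O. Box 44", "authorized_users": 4},
    {"id": "A4", "name": "Sam Poe", "dob": "1988-11-30", "ssn": "000-00-0003",
     "phone": "(555) 0103", "address": "9 Oak Ave", "authorized_users": 1},
    {"id": "A5", "name": "JANE DOE", "dob": "1980-02-01", "ssn": "000000001",
     "phone": "555 0100", "address": "12 Main St.", "authorized_users": 0},
]


def norm(value: str) -> str:
    """Lower-case and drop punctuation and spaces so formatting cannot hide a match."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def ssn_identity_conflicts(accounts) -> set:
    """SSNs that appear with more than one distinct (name, date of birth)."""
    identities = defaultdict(set)
    for acct in accounts:
        identities[norm(acct["ssn"])].add((norm(acct["name"]), acct["dob"]))
    return {ssn for ssn, seen in identities.items() if len(seen) > 1}


def shared_contact_ids(accounts) -> set:
    """Accounts whose phone or address is also used under a different SSN."""
    holders = defaultdict(list)
    for acct in accounts:
        for field in ("phone", "address"):
            key = norm(acct[field])
            if key:  # empty fields must not group unrelated accounts together
                holders[(field, key)].append(acct)
    flagged = set()
    for group in holders.values():
        # One person holding two accounts shares an SSN and is not flagged here.
        if len({norm(a["ssn"]) for a in group}) > 1:
            flagged.update(a["id"] for a in group)
    return flagged


def review_queue(accounts) -> dict:
    """Map account id -> sorted reasons it deserves a manual identity check."""
    conflicts = ssn_identity_conflicts(accounts)
    shared = shared_contact_ids(accounts)
    queue = {}
    for acct in accounts:
        reasons = []
        if norm(acct["ssn"]) in conflicts:
            reasons.append("ssn_identity_conflict")
        if acct["id"] in shared:
            reasons.append("shared_contact")
        if acct["authorized_users"] > MAX_AUTHORIZED_USERS:
            reasons.append("many_authorized_users")
        if reasons:
            queue[acct["id"]] = sorted(reasons)
    return queue


if __name__ == "__main__":
    for account_id, reasons in review_queue(ACCOUNTS).items():
        print(account_id, ", ".join(reasons))
```

A flag here is a prompt to ask questions or require verification, not proof of fraud; the SSN check only compares the bank's own records with each other and does not verify anything against SSA records.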

As synthetic identity fraud becomes increasingly prevalent throughout the U.S., it is critical, for the safety of customers and security of all financial institutions, that Wisconsin bankers are prepared to combat this emerging fraudulent activity, caution community members against sharing unnecessary personal information with others, and assist individuals in regaining their rightful identity if necessary.

If you are interested in learning more about synthetic identity fraud, how these schemes can impact your bank or customers, or more ways you can take a stand against bad actors, please contact WBA’s Legal Team at wbalegal@wisbank.com or 608-441-1200.

November 11, 2022/by Hannah Flanders
Community, Education

Ensuring the Safety and Security of Wisconsin Communities

By Daniel J. Peterson

As technology continues to advance faster than ever before, the importance of staying up to date on the latest trends and best practices for the safety of both the bank and its customers is quickly becoming the number one concern for Wisconsin bankers.

As the last several years have shown, a growing number of consumers throughout the state rely on technology and online banking for their day-to-day needs. It is critical that, for continued success and relevance of our industry, bankers are aware of not only how best to serve our customers through offering modern banking amenities, but how to best protect our communities from increasingly more sophisticated — and prevalent — fraudsters.

For this purpose, in addition to ensuring that all Wisconsin banks remain a safe, secure place for finances and sensitive information, the Wisconsin Bankers Association (WBA) will once again host a combined Secur-I.T. & BSA/AML Conference. The conference specifically targets BSA/AML, operations, security, and technology banking professionals looking to remain educated on our ever-evolving industry.

This year’s annual conference will be held September 20 and 21 at Glacier Canyon Lodge in Wisconsin Dells and features a unique variety of speakers. From local professionals and WBA Associate Members to world-famous cyber security expert and ethical hacker Bryan Seely, WBA’s Secur-I.T. & BSA/AML Conference will assist banking teams in understanding how best to protect against hackers, what trends to watch for in money laundering, and so much more. This is an event you don’t want to miss!

By engaging in conferences such as WBA’s Secur-I.T. & BSA/AML Conference, bank leaders can ensure their staff is gaining the most relevant and up-to-date banking-related information from the most knowledgeable individuals in the industry. Along with over seven hours of presentations focused on the safety and security of our banks and customers, bankers will enjoy networking with professionals from across the state and meeting with exhibitors offering products and services that help community banks further advance their customer service capabilities.

Please visit wisbank.com/Secur-IT to register or for additional details.

Peterson is president and CEO of The Stephenson National Bank & Trust, Marinette, and the 2022–2023 WBA Chair.

September 7, 2022/by Hannah Flanders
Education, News

See Into the Mind of a Cybercriminal

WBA’s Secur-I.T. & BSA/AML Conference returns in 2022

As cybersecurity and fraud continue to be rising topics of discussion throughout the banking industry, bankers are encouraged to stay informed on the latest trends experts are seeing and how regulations will continue to impact Wisconsin banks by attending WBA’s annual Secur-I.T. & BSA/AML Conference held in Wisconsin Dells.

The two-day conference — beginning September 20 and adjourning at noon on September 21 — draws over 125 BSA/AML, operations, security, and technology professionals from around the state for over seven hours of educational presentations and networking.

This year’s keynote session will feature Bryan Seely, a world-famous cyber security expert, ethical hacker, author, and former U.S. Marine. Seely became one of the most famous hackers in 2014 when he became the only person to ever wiretap the United States Secret Service and FBI. Before he was caught, he confessed to the two agencies that there was an issue that needed to be fixed.

Unlike many hackers, Seely is passionate about fighting for consumers’ rights, privacy, and educating the public about how to stay safe in a constantly changing technological landscape. In this keynote session, Seely will highlight the different ways in which hackers think and the new, creative ways professionals must approach security in order to protect the most critical information of the business and customers.

In addition to this captivating keynote speaker, the Secur-I.T. & BSA/AML Conference offers several breakout sessions and networking opportunities that will assist banking professionals from throughout Wisconsin in further developing their bank’s customer experiences, BSA/AML program, security, and technology capabilities as the banking and technology industries continue to evolve.

August 17, 2022/by Hannah Flanders
News, Resources

How Do Business Leaders Protect Data?

By Rob Foxx, CCBTO

I frequently get asked, “How do I or my other non-technical staff help keep my institution safe from electronic threats?” Ransomware is the topic of the day, and I don’t know that there will be changes to that any time soon. There are a few things that can make protecting yourself easier. Good security is done in multiple layers of defense and requires participation of all members of your team.

Involve Your Whole Team

Cybersecurity is the responsibility of all members of the business, not just IT. To that end, everyone needs to know what common tactics are used to compromise your security. Learning how to identify phishing emails as well as business email compromise and reporting these types of events could be the difference between fighting a breach or dodging one. This kind of mindset has been in physical security for a very long time, but it has been a lot slower to be adopted into data security. By educating your staff and yourself and reporting it to the right people in your organization, you can avoid a very common but costly pitfall.

Ensure System Maintenance is Up to Date

The next item is a task that IT performs but is something leadership should both understand the basics of and require accountability for. Keep your systems updated and patched. An alarming number of breaches over the years could have been prevented by simply keeping systems up to date. Microsoft pushes out Windows patches the second Tuesday of every month, which should be reviewed for issues with your environment and deployed as soon as possible. There are tools that make this very easy to perform should you invest in them. Less obvious patches to other software like Adobe Reader, Google Chrome, and even your remote connection software, are equally important. Keeping an inventory of your software assets and checking them regularly for updates and patches can reduce your attack surface. Updates should not only be done, but they should also be reported to management and/or the board of directors at a regular frequency.

Secure Your Passwords

Get secured passwords or, if possible, multi-factor authentication. Insurance companies offering cyber insurance policies are pushing for people to utilize tools such as authenticators on your phone for multifactor authentication. While this is ideal, it may not be in place in many institutions. The National Institute of Standards and Technology (NIST) security framework used by the U.S. Department of Defense recommends longer passwords (16+ characters) without complexity and no expiration unless you have reason to believe it was exposed. Passwords can be as simple as picking out 3 random words such as doorbluecomputer. This is easy to remember and difficult for a computer to guess. If you can’t use multifactor authentication, using a password manager can enable you to use many complex and long passwords that you could never otherwise remember.

Give IT and Security a Seat at the Table

Bring IT and information security into your decision-making process. If this is something that is not being done currently, consider adding these people to the team that makes your highest-level decisions. They will have a perspective on additional costs as well as potential problems and conflicts that may occur. While they may not represent the majority of your staff or income, they speak for a considerable portion of your assets. There are few things as frustrating as going forward with a new project and not having considered how it will work with the rest of your environment or whether you have the hardware or software to support it without extra expenditure of assets. Additionally, there are many problems that exist within a business that your more technical staff could offer a solution to that the rest of the staff may not have known about.

Keep Up With Advancements in Technology

Don’t let technology outpace you. New technologies come out every day, and while you’re not expected to be on the leading edge, you should at least keep a healthy pace with it. For example, if you are using a conventional virus scanner, you are already behind the times. Zero-day exploits (bugs that are either unknown or unpatched) and fileless malware and viruses are also not detected by traditional antivirus products. Fileless attacks are becoming more prevalent, and you can get them any number of ways. It could be as innocent as going to a website: without any need to click or download anything, and without your permission, you could have brought an unwanted problem to your institution. Though a bit on the pricier side compared to traditional antivirus, next-generation products in this field are far more capable than their older counterparts.

Most of the items presented are of a non-technical nature and should be part of making your staff work well with your information security team and vice versa. In our more modern environments of work from home, it is more important than ever to make cybersecurity a part of everyone’s day to day.

Foxx is information security and audit advisor for FIPCO, a WBA Gold Member.

July 7, 2022/by Hannah Flanders
Community, News

Amid Russian Cyberattack Threat, Bankers Focus on Security Measures

By Paul Gores

With cyberattacks on U.S. businesses a possibility as Russia’s war against Ukraine rages on, financial institutions need to make sure their cybersecurity measures are first-rate and up to date, experts say.

The White House has warned that Russia could try to disrupt digital operations and damage the U.S. economy in retaliation for sanctions against Russia after its invasion of Ukraine.

Ransomware attacks on U.S. businesses, some based in Russia, already have been growing in recent years, and recently, the FBI said it discovered and secretly removed malware that hackers from Russia had placed in computer systems worldwide. Some American leaders think Russian President Vladimir Putin still has plans to try to inflict a major cyberattack.

If he does, banks that have been diligent and proactive about protecting their systems from hackers should be less vulnerable to the chaos a cyberattack could cause, experts say.

Banks need to make sure they’ve taken inventory of all of their technology assets and are doing what they can to keep them safe from attackers.

“Know what those assets are — all your software, hardware — and then from there follow your basic cyber hygiene,” said Scott Noles, assistant vice president and information security officer for Mukwonago-based Citizens Bank. “Are they up to date? Have you patched them? Do you have end-of-life software? Do you have anything that’s in your environment that shouldn’t be? Those I think are really mission critical.”

While many assume the Russian government would want to target the biggest banks and core processors to cause the most disruption to the financial system, infiltrating a bank of any size would be a win for attackers, experts say. That’s why it’s important for community banks to ensure techniques cyber crooks often use to bust into an institution’s system, including phishing emails that can be the gateway to a system takeover, will run into a tough defense. Training employees not to respond to infecting emails, whether in the office or working remotely, is one important step.

“Everyone’s digital life, whether it’s at work or at home, is intertwined now,” said Ian McShane, vice president of strategy for the cybersecurity firm Arctic Wolf Networks. “You can get compromised at home and have that lead into your work life as well. Just because you close the door on your laptop at work doesn’t mean you don’t need to remain vigilant. It can be a risk to businesses wherever you are.”

McShane and others stressed that multifactor authentication is crucial. With multifactor authentication, users must submit two or more pieces of evidence to verify their identity in order to gain access to a digital resource. An organization must at least make sure that all of its information technology workers are using multifactor authentication.

In addition, McShane said, a bank’s IT pros or security officers should take stock of which machines in the system are accessible from the internet.

“And make sure there is a good reason for those machines to be accessible from the internet as well, because they are going to be the first bastion of adversarial activity,” he said.

Jeff Otteson, vice president of sales for Midwest Bankers Insurance Services, said specialty insurance carriers considering coverage applications from banks are requiring multifactor authentication.

“What the carriers are looking for amongst other internal controls, the big key is multifactor authentication,” he said. “And that multifactor authentication expands to all users, but most important are privileged users which are those users that can access critical systems, install software, and change security settings.”

Otteson said insurers also need to know that critical patches and updates are implemented and deployed, and they want servers and back-ups to be encrypted. Without those measures, “They put themselves at risk,” he said.

Banks must always be diligent and vigilant — and that was expected even before the Russian threat in the wake of the Ukraine invasion.

“There is no institution that’s immune from a potential cyberattack,” Otteson said.

The security measures of vendors that have access to bank data also have to be airtight, said Jeff Kurek, vice president, information services and cyber security for Park Bank in Madison. He said vendors ranging from those managing IT all the way down to the bank’s HVAC company could put a bank at risk if they have access to the internal system.

“We are heavily regulated, we’ve always had information security programs in place, we’ve always been audited,” Kurek said. “But what about our third-party vendors — the vendors that we utilize to provide us our critical services?”

If Russia were to mount a large cyberattack on the U.S., major infrastructure could be key targets, many believe. But cyberattacks could produce side victims like smaller banks. McShane said most incidents are opportunistic.

“They happen because someone clicks on something that they weren’t aware was weaponized, or it was part of another kind of attack or breach or ransomware campaign, and someone has noticed, ‘Hey, we’ve got access to a bank here,’” he said.

While the main goal of a Russian cyberattack would be to disrupt and damage the U.S. and its economy, extortion could be another result. Ransomware thieves normally try to break into an organization that has the insurance coverage and wherewithal to pay a multi-million ransom — an organization like a bank.

Big banks have the money to beef up their defenses in ways that a community bank might not, perhaps leaving the smaller bank more at risk if, say, the bank has let its software age and it no longer is receiving vendor patches to fix vulnerabilities.

“I think the smaller regional banks or city-based institutions don’t have that same luxury of being able to throw money at it,” McShane said.

But experts said no matter what size the bank is, it has to make cyber security a priority and be willing to spend the money to do it. The downside of a breach or extortion is too brutal, they said.

“I believe that any nation states that they’ll (Russia) be attacking, they will go after the biggest targets possible, but they also realize the biggest targets are the ones that are hardest to get into,” said Noles. “So what they’ll be doing is looking at anybody they can get into.”

The No. 1 method of attack still is phishing.

“They are trying to send you a link to see if they can get somebody to click on it, because then they can get credentials, they can get inside environments, they can install malware,” Noles said.

The cost of cybersecurity is increasing, but that’s just reality in today’s increasingly tech-driven world, experts say.

Otteson cited a Financial Crimes Enforcement Network (FinCEN) report showing that during the first half of 2021, financial institutions reported 635 suspicious ransomware-related activities, or 30% more than all reported activity in 2020. FinCEN said more than $590 million in payments tied to ransomware attacks occurred in the first six months of 2021, up from $416 million in all of 2020.

“(Insurance) rates are going up on these lines because the claims have been going up,” Otteson said.

Noles said vendors also can drive up the cost of cybersecurity by pushing new products. Many banks would be better off making sure they are effectively using capabilities of tools they already have purchased, he said.

“What do vendors have to do? They have to sell a new product. They have to sell a new blinky box or a new tool,” Noles said. “So they’re using what I call FUD — fear, uncertainty, and doubt — to get you to spend more money on their products.”

There’s no question cybersecurity costs will continue to rise.

“Probably eight years ago I saw an article of some sort that said ‘bringing IT from the backroom to the board room.’ That sort of stuck with me,” Kurek said. “And what that really means is that cybersecurity should be a strategy to the organization. It’s not just a keep-the-lights-on thing anymore. Cybersecurity is huge. It’s an inherent risk at this point to any company, and it should really be part of your overall company strategy in my opinion.”

If an incident takes place, banks also need to have a solid communication plan for reacting to it, making sure their lawyers, regulators, law enforcement, and customers are informed as promptly as possible.

“They should have a business continuity plan, and they should have an instant response plan, and they should be updating those regularly and they should be testing them regularly,” Kurek said. “And what a better time to test than now.”

Said McShane: “Nothing is more important in security than understanding you’re going to have an incident at some point, and it’s better to be prepared to know what to do when it happens.”

Paul Gores is a journalist who covered business news for the Milwaukee Journal Sentinel for 20 years.

Midwest Bankers Insurance Services is a WBA Gold Associate Member.

Arctic Wolf Networks is a WBA Bronze Associate Member.

May 4, 2022/by Hannah Flanders
News

The Evolution of Information Technology

Thank You, Ken Shaurette, for 13 Years at FIPCO!

By Hannah Flanders

On December 31, 2021, Ken Shaurette retired from FIPCO’s Information Security and Audit Services after 13 years with the company. Shaurette launched his IT career in 1976 after completing his associate degree in data processing. Over the past two decades, he has also garnered a collection of training courses through vendors and trade schools as well as certifications by the National Security Agency (NSA) in Information Assessment Methodology. In 2008, Shaurette was hired at FIPCO to build the Information Security and Audit Service from the ground up as its director.

Shaurette shared reflections on how the industry has changed over his decades of experience. When his career began, data was stored centrally in large computer data centers. Slowly, the industry began to give more processing power and ability to manipulate data to users and as the data became increasingly decentralized, security professionals had to establish improved policies and information security programs that addressed data no longer being stored in a big computer center, but out at the desktops anywhere in the company.

As data collection and storage abilities improved, not only did it become more difficult for all the information to be properly secured, it became increasingly important. Regulations have been created today in order to meet the expectation that customer data is equally protected no matter the size of the bank. “Information security [must continue to be] part of our individual and our companies’ DNA,” says Shaurette. “Without security controls, your business can’t grow quickly.”

Shaurette’s perspective has allowed him to help banks throughout Wisconsin protect themselves against serious attacks that could in turn affect growth, reliability, and profits. Shaurette notes that “when it comes to information security 80% is the same regardless of [the] industry when securing the data, 15% is unique to the [banking] industry, and probably 5% is the social atmosphere of [each bank].”

“Over the course of the years, his expertise and service have been greatly appreciated and well-respected by our customers and members,” says Pam Kelly, president of FIPCO. “His passion and unfailing dedication to information security and our members has helped hundreds of bankers keep critical data secure, avoid attackers, and meet the needs of their own communities. Thank you, Ken, for 13 years!”

In his retirement, Shaurette looks forward to spending time with his grandchildren, volunteering, and — he jokes — not writing audit reports. However, he leaves FIPCO customers with one last message in appreciation over the last 13 years, “I may be boating off into the sunset, but the sunrise of a new generation is transitioning behind me, and you will be left in very good hands with Rob Foxx. I’ll be waiting for you to show up for an information security peer group meeting or networking round table on the pontoon boat someday soon. Those that know me, the refreshments are always ready.”

January 4, 2022/by Hannah Flanders
News, Resources

It’s Time to Take Action in 2022

By Kenneth D. Thompson, WBA Board chair, president and CEO of Capitol Bank, Madison

January marks the halfway point of my time as WBA chair and as we transition into a new year, there are undoubtedly new things to look forward to as an industry and as an association.

Our successes in 2021, many of which related to the ongoing uncertainty of the COVID-19 pandemic, taught us all valuable lessons I hope can be brought with us into the new year. From low levels of past-due loans throughout our industry to excess liquidity, it’s safe to say that stepping outside of our routine has resulted in spectacular results.

Looking onward to 2022, I encourage bankers to approach challenges with the same curiosity we have had for the past two years. As our industry continues to grow, how will each of us lead the way in making Wisconsin banks efficient, diverse, and robust?

WBA has long known that banks are cornerstones in our communities and as such, should be leaders in embracing societal developments. Technology, for both our customers and employees, has been and should continue to be an aspect that sets our industry apart. In embracing these digital channels, banks have a unique ability to meet the expectations of customers while also supporting them with cybersecurity and best technological practices.

Our ability to advance diversity, equity, and inclusion (DEI) efforts, as well as offer flexibility to employees, has the potential to set our industry apart. This is especially important to consider as we navigate through a competitive hiring and retention landscape.

As we all envision a brighter 2022, it serves us to remember that innovative solutions, such as PPP and advances in online banking, have provided our communities with much-needed assistance in the past. We must not be held back by what we are familiar with. This pandemic has taught us all that some of the most effective answers may not be the ones that have been tried before.

It is essential for banks to approach these situations with caution instead of resistance and as always, WBA remains a valuable resource in education, advocacy, and community involvement for each of us as we look forward to what’s to come in 2022.

January 3, 2022/by Hannah Flanders

Events

Compliance, Internal Audit, Risk Management, Webinar

Building an IT Strategic Plan that Helps You Make Decisions

Does your IT Strategic Plan work for you, or is it just a document that you review once a year? Traditional FFIEC regulatory guidance calls for an IT Strategic Plan that identifies medium-to-long-term goals and allocations of IT resources over a three-to-five-year timeframe.

But how does your IT Strategic Plan help you to make decisions about which types of technology you WANT to deploy and WHO your institution wants to be when it comes to deploying technology?

What You’ll Learn

  • FFIEC Guidance on IT Strategic Planning
  • The Law of Diffusion of Innovation
  • What Kind of Bank Are You?
  • What’s Your Acceptable Level(s) of Risk?
  • Lining Up Risk with Strategy
  • Creating an IT Strategic Plan that can be your “North Star”

Who Should Attend
Information Security Officer, IT Manager, Risk Officer, Internal Auditor, and Executives looking to improve their Information Security Program.

Instructor Bio
John Helland is an Information Security Consultant at SBS CyberSecurity (SBS), a company dedicated to helping organizations identify and understand cybersecurity risks to make more informed and proactive decisions.

Helland maintains Certified Information Security Manager (CISM), Certified Banking Security Manager (CBSM), Certified Banking Vendor Manager (CBVM), and Certified Banking Business Continuity Professional (CBBCP) certifications. He received a degree in Network Security and Administration from Dakota State University.

Helland joined the SBS team in 2021, bringing over 20 years of experience in the IT industry. He specializes in information security management and bridging the gap between information technology and information security.

Helland is passionate about making a difference for his clients and co-workers by providing valuable contributions, making well-informed decisions, and advocating for the best path forward for the project they are collaborating on.

Registration Option

  • Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts – $279
  • Available Upgrades:
    • 12 Months OnDemand Playback + $110
    • 12 Months OnDemand Playback + CD  + $140
    • Additional Live Access + $75 per person
January 20, 2023/by Katie Reiser
All-Staff Training, Bank Directors, Bank Management, Branch Manager, Business Bankers, CEO, Commercial Lending, Compliance, Consumer / Retail, CRE Lending, Credit Management, Lending, Marketing / Sales, Mortgage Lending, New to Banking, Operations, Personal Banker, Risk Management, Supervisor, Technology, Training and Development, Webinar

GSB – Digital Banking School

Banking continues to evolve — and as consumer preferences have moved from lobby service to multi-channel, multi-touch interactions, the demand for digital banking services has grown exponentially.

This shift — plus pressure from new and non-traditional competitors for all types of financial services — has led to an entirely new banking landscape. To remain competitive today — and viable tomorrow — community banks need to devote attention, staffing and financial resources to innovation, digital product mix, online customer engagement, technological advances, vendor partnerships and more.

GSB’s Digital Banking School is the first school of its kind — focused exclusively on demystifying these sometimes-intimidating topics — to help community banks move into and/or grow in the digital banking space.

This immersive experience will showcase the key elements of a bank’s effective digital strategy and will be led by industry thought leaders who are experts in digital banking and innovation.

What You’ll Gain

  • Defining the Game
  • Get off the Sidelines — Why Digital Banking?
  • Which Version Do You Want to Play?
  • Create Your Team — The People Factor in Digital Banking
  • What Equipment Do You Need?
  • Building the Foundation to Help You Achieve Digital Banking Success
  • Promoting Your Digital Bank and Building Your Brand
  • Technology & Risk: Cybersecurity Challenges

Who Should Attend

Given the scope of all that’s involved in digital banking, we encourage broad participation across all various areas of the bank — and that’s why we’ve priced this school with a single, affordable per-bank fee. We encourage community bank CEOs to attend, along with leadership teams from operations, retail strategy, lending, business development, marketing, technology, project management, cybersecurity and compliance. All will benefit from the program and be better positioned to make the important shifts that drive digital banking success.

When: April 3–27, 2023

Program Fee: $3,300/bank

January 13, 2023/by Anna Lorang
Operations, Security

Security Officer Workshop

The 2023 WBA Security Officer Workshop will be offered in a hybrid format this year. You have the option to attend in person at Glacier Canyon Lodge in Wisconsin Dells or attend virtually via livestream.

Bank Security Officers are responsible for supervising the security program which must address five broad areas: physical security, personnel security, information security, crime prevention and detection, and investigations. This is changing!

Banking has evolved into using more technology for customer interaction which is changing the interpretation of the Security Officer role as well as their focus on bank security.

New questions are constantly cropping up: How are new machines affecting your branch layout and the overall safety of your people? How are personal devices affecting your front line staff’s interactions with customers? Although security is the main focus, what other duties should a security officer be familiar with?

Join us for this full day session that delves into the Security Officer role in modern banking.

Who Should Attend:
This full day workshop is for anyone that is responsible for or interested in Bank Security, including but not limited to Security Officers, Cashiers, Training Officers, Branch Managers, HR Managers, Compliance Officers or anyone that is face to face with customers on a daily basis.

Registration:
The registration fee of $175 includes program registration, instruction and materials, refreshment breaks and lunch for those on-site. A recording will also be available once this session has officially ended.

Refund Policy:
A refund, less a $25 administrative fee, is provided for cancellations requested on or before March 17th.

October 19, 2022/by Miranda Gustafson
BSA/AML, Featured Event, Operations, Security, Technology

WBA Secur-I.T. & BSA/AML Conference

BACK AGAIN IN 2022: The 2022 Secur-I.T. Conference is now combined with the annual BSA/AML Conference!

The 2022 WBA Secur-I.T. & BSA/AML Conference will be held on September 20-21 at Glacier Canyon Lodge in Wisconsin Dells. The conference will kick off at 8:30 a.m. on Tuesday and adjourn at Noon on Wednesday.

This annual meeting brings together BSA/AML, Operations, Security and Technology banking professionals from all around the state of Wisconsin for education and networking. Attendees will benefit from over 7 hours of presentations from nationally recognized speakers and local professionals; network with more than 125 banking peers; and meet several exhibitors who offer products and services geared to better your bank’s customer experiences, BSA/AML program, security, and technology. You won’t want to miss this great event!

Registration Information

Banker Registration:

The registration fee of $350/attendee includes conference materials, Tuesday refreshments, lunch and reception; and Wednesday breakfast and refreshments. If your bank brings multiple attendees, each person after the first registrant is $300/attendee.

To receive the published discount, you must register everyone at the same time.

Associate Member Registration: 

The registration fee of $450/attendee includes conference materials, Tuesday refreshments, lunch and reception; and Wednesday breakfast and refreshments.

Refund Policy: A refund, less a $25 administrative fee, is provided for cancellations requested on or before Thursday, September 15, 2022.

Exhibitor Registration:

Exhibit Booths are available for $650 for Associate Members and $1,150 for non-Associate Members. Exhibit booth registrations include one attendee. Additional booth attendees can be registered for $250/attendee. Visit the Information for Exhibitors/Sponsors tab for more information.

June 24, 2022/by Miranda Gustafson
Security, Senior Management, Technology, Webinar

The Latest in Social Engineering Attacks – How to Protect Against Complex Threats

It seems like fraudsters are always one step ahead. The battle against sophisticated social engineering attacks continues. Are you keeping up? Join us to learn the latest schemes and defenses.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
• Identify social engineering exploits that may be successful at your institution
• Understand how attackers are using multiple forms of social engineering to gather information throughout your institution
• Detect suspicious calls that may have been overlooked
• Determine areas that may be susceptible to onsite social engineering exploits
• Take steps to protect against complex threats

WEBINAR DETAILS
The previous year saw social engineering attacks increase in both volume and sophistication. The perpetrators of social engineering (SE) attacks are smart, motivated, and persistent. Phishing emails are by far the predominant SE security breach, but the last year also saw deepfakes (a type of artificial intelligence) being used to create convincing images, audio, and video hoaxes. By using artificial, enhanced voice simulation, fraudsters stole $35 million from a bank in the United Arab Emirates. COVID-19 has forced many institutions to close lobbies for extended periods of time and this has contributed to an uptick in successful onsite SE exploits. A combination of multiple types of SE attacks spread over time has contributed to an increase in SE-related losses. Join this insightful webinar to learn how to confront these threats.

WHO SHOULD ATTEND?
This session is designed for chief information security officers, senior management, call center personnel, operations staff, and anyone responsible for securing accountholder information.

TAKE-AWAY TOOLKIT
• List of the most common social engineering test failures
• Checklist of defensive measures to limit social-engineering attack effectiveness
• Questions to ask your IT auditor to scope effective social engineering testing
• PDF of slides and speaker’s contact info for follow-up questions
• Attendance certificate provided to self-report CE credits
• Employee training log
• Interactive quiz

NOTE: All materials are subject to copyright. Transmission, retransmission, or republishing of any webinar to other institutions or those not employed by your agency is prohibited. Print materials may be copied for eligible participants only.

MEET THE PRESENTER — John Moeller, CLA
John Moeller is a principal at CLA in the IT & Cyber Security Services Group. For over 30 years, Moeller has served the technology needs of financial institutions across the country. His experience includes strategic technology planning, technology and vulnerability/risk assessments, controls reviews, information security and business continuity program development, and board of director training.

Moeller is a frequent speaker on information security, IT assessments and strategy, CIO outsourcing, and managed IT services. He holds several professional certifications, including Certified Information Systems Security Professional, Certified Ethical Hacker, and EC Council – Certified Security Analyst. He received a bachelor’s in Information Technology from Capella University.

REGISTRATION OPTIONS

  • $245 – Live Webinar Access
  • $245 – OnDemand Access + Digital Download
  • $320 – Both Live & On-Demand Access + Digital Download
March 4, 2022/by Katie Reiser
Compliance, Security, Technology, Webinar

New 36-Hour Deadline for Reporting Cyber Security & Ransomware Incidents

What do 36 hours, May 1, 2022, and computer security have in common? They are all elements of the new reporting requirement for cyber security and ransomware incidents. Will you be ready for the May 1 deadline?

AFTER THIS WEBINAR YOU’LL BE ABLE TO:

  • Implement appropriate practices to discover computer-security occurrences and determine whether they rise to the level of a notification incident
  • Identify critical timing requirements
  • Explain when notification is required to a primary federal regulator and to the banking organization
  • Assess if contractual notification provisions are consistent and compliant with the new law
  • Define a computer-security incident
  • Meet the 36-hour notification requirement after a notification incident

WEBINAR DETAILS
Computer-security incidents targeting the financial services industry have increased in frequency and severity in recent years. In an effort to promote early awareness of emerging threats, banking organizations and bank service providers are now required to comply with mandatory reporting requirements effective May 1, 2022. Proper identification of a triggering incident and timely reporting are critical actions imposed by this final rule.

The reporting requirements expand beyond a cyberattack and include additional types of non-malicious failure of hardware and software, such as a widespread user outage for customers and bank employees. It’s critical that your financial institution understands the various types of incidents that may trigger the notification requirements and develops the appropriate policies and procedures to fulfill the new requirements of this recently issued mandatory rule. Don’t let the 36-hour clock expire without meeting the notification requirement. Join us to learn the details of the final rule and receive recommendations on policies and procedures to assist with mandatory compliance reporting requirements.

Attendance certificate provided to self-report CE credits.

WHO SHOULD ATTEND?
This informative session would best suit compliance officers, information security officers, senior management, business continuity officers, and those responsible for oversight of critical third-party servicers.

TAKE-AWAY TOOLKIT

  • Checklist to aid in making required notification decisions
  • Required notification record
  • Fact sheet explaining the critical components of the final rule
  • Employee training log
  • Interactive quiz

PRESENTER – Molly Stull, Brode Consulting Services, Inc.
Molly Stull began her career as a teller while working on her undergraduate degree and has continued working in the financial industry ever since. She has experienced the growth of a hometown bank, branch mergers, charter changes, name changes, etc. Stull has activated business resumption plans, performed secondary market quality control reviews, processed wires, filed SARs, and coordinated reviews with external auditors and examiners. Her favorite role has always been educating staff, and she strongly believes that if staff understand the reason for a process, they will be more compelled to follow the procedures. Stull holds a bachelor’s from the University of Akron and an MBA from Ashland University.

REGISTRATION OPTIONS

  • $245 Live Webinar Access
  • $245 On-Demand Access + Digital Download
  • $320 Both Live & On-Demand Access + Digital Download
January 7, 2022/by Katie Reiser
Bank Directors, Compliance, Internal Audit, Risk Management, Security, Senior Management, Webinar

Responsibilities of the Information Security Officer

Being an information security officer for a financial institution is a big responsibility in today’s world of cyber threats and data breaches. This presentation is for those who are new to the role or have been the ISO for some time but want to review what is expected and how to be successful. As the ISO, part of your responsibility is building and maintaining the Information Security Program.

While an ISP has many important elements, there are really 3 basic components: Risk Assessment, ISP Policies and Procedures, and Audit. The Risk Assessment will help you make decisions, the Policies and Procedures document the decisions for your institution to implement, and audit verifies that they have been completed and are adequate controls to protect your institution.

What You Will Learn

  • FFIEC Roles and Responsibilities of the ISP
  • Building a Strong Cybersecurity Culture
  • Board Reporting
  • Educational and Certification Paths
  • Strong Risk Assessment Methodology
  • Creating your ISP with Policies and Procedures

Who Should Attend?

Information Security Officer, IT Manager, Risk Officer, Internal Auditor, and Executives looking to improve their Information Security Program.

Presenter
Lynda Hartup is a Senior Information Security Consultant at SBS CyberSecurity (SBS), a company dedicated to helping organizations identify and understand cybersecurity risks to make more informed and proactive decisions.

Hartup maintains her Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Banking Security Manager (CBSM) certifications. She received her Bachelor of Interdisciplinary Studies from the University of Southern Mississippi and completed the Graduate School of Banking at Louisiana State University.

Hartup has 20 years of financial institution experience in various positions, including Information Security Officer and dedicated IT Examiner. She also served for seven years as a Bank Examiner-IT Specialist for the Mississippi Department of Banking. Her specialties lie in IT governance, risk management, and regulatory compliance.

Hartup is passionate about helping her clients maintain the safety and security of their information and assets.

Registration Options

  • Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts – $279
  • Available Upgrades:
    • 12 Months OnDemand Playback + $110
    • 12 Months OnDemand Playback + CD  + $140
    • Additional Live Access + $85 per person
December 30, 2021/by Katie Reiser
Bank Directors, Internal Audit, Risk Management, Security, Senior Management, Technology, Webinar

New Cybersecurity Incident Notification Rule – What Do You Need to Know?

On November 18th, 2021, the FDIC, Federal Reserve, and OCC jointly published a final rule that imposes a new 36-hour notification requirement on banking organizations and bank service providers following significant cybersecurity incidents. While this new requirement is certainly a big deal, the rule comes with some caveats and more clearly defined standards for reporting.

What You Will Learn:

  • The definitive requirements of the new Incident Notification Rule
  • Definitions of “Incident” and “Notification Incident” specified in the Rule
  • Actions to take immediately
  • How this new Rule affects the rest of your Incident Response Program
  • Components of an IRP that help achieve the new Rule requirements

Who Should Attend?
Information security officers, IT Managers, risk officers, internal auditors, Board members, or other management team members looking to understand risks from ransomware.

Presenter
Jon Waldman is a co-founder and Senior Information Security Consultant for SBS CyberSecurity, a premier cybersecurity consulting and audit firm dedicated to making a positive impact on the banking and financial services industry. He maintains his CISA and CRISC certifications and received his bachelor of science in computer information systems and his master of science in information assurance with an emphasis in banking and finance security from Dakota State University. Over the last ten years Waldman has helped hundreds of financial institutions across the country create and implement comprehensive, valuable, and manageable Information Security Programs. He also conducts webinars and certification programs for the SBS Institute.

Registration Options

  • Live Plus Five (days) – $265
  • OnDemand Recording – $295
  • CD-ROM – $345
  • Live Plus Six (months) – $365
  • Premier Package – $395
December 30, 2021/by Katie Reiser
Bank Directors, Risk Management, Security, Webinar

Security Officer Reports to the Board: Timing, Contents & Requirements

The implementing regulations of the Bank Protection Act require the security officer to report annually to the board on the “implementation, administration, and effectiveness of the security program.” As banks downsize or right-size, danger in the security area increases. Learn how to educate your board on these issues with skill and diplomacy.

This webinar will review best practices relating to training, inspections, and foreseeable events that should be reported to the board. Learn how the annual written report should be prepared, presented, and reported. Security officers and board members will garner valuable resources that can provide statistics, facts, and information to reduce liability.

Many financial institutions are satisfied if regulators don’t take issue with the board report or the security program. However, don’t wait for a lawsuit against the security officer, management, and the board (both jointly and individually) to discover your report was missing key items. Information that could help during litigation is very different than what regulators examine for compliance. Be aware that the report is not just for the board – a much larger audience will review it if something goes wrong.

Attendance certificate provided to self-report CE credits.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:

  • Report foreseeable events that could bring liability against the board
  • Identify information that should be reported to the board annually
  • Present major problems to the board with limited time
  • Explain why the security officer/risk management department should report to the board in person
  • Understand what is included in the security function
  • Keep records that will make board reporting easier

WHO SHOULD ATTEND?
This informative session was designed for auditors, security officers, risk management staff, senior management, and board members responsible for the security function.

TAKE-AWAY TOOLKIT

  • Sample annual board report
  • Sample top sheet for board reporting
  • Special report form
  • Incident report form
  • Security tips
  • Employee training log
  • Interactive quiz

ABOUT THE PRESENTER – Barry Thompson, CRCM Thompson Consulting Group, LLC
Barry Thompson is an international speaker, trainer, consultant, and writer. He is a security and compliance “guru” for a leading national training organization and regularly presents security conferences for trade groups – he has trained over 51,000 financial professionals.

Barry is recognized worldwide, presenting in Brussels, Belgium to European bankers on internal fraud; at the United Nations on identity theft; and to Japanese bankers on bank security. Barry has worked in the financial services industry for over four decades, and has held the positions of security officer, compliance officer, treasurer, senior vice president, and executive vice president. He has handled over 900 security cases and has been involved with investigations and prosecutions at the federal, state, and local levels. Barry is the author of 101 Security Tips for the Beginning Security Officer and has been interviewed by Newsweek, Computer World, USA Today, and other national publications.

REGISTRATION OPTIONS

  • Live Webinar Access – $245
  • On-Demand Access + Digital Download – $245
  • Both Live & On-Demand Access + Digital Download – $320

October 26, 2021/by Katie Reiser
Branch Manager, BSA/AML, Commercial Lending, Compliance, Consumer / Retail, Mortgage Lending, Risk Management, Security, Webinar

E-Sign for Lending – Challenges and Solutions

A global information security organization reported that 85 of 100 financial institutions experienced fraud in the digital account opening process. It’s crucial that financial institutions use multilayered methods for fraud screening. Yet, consumers expect more digital access at a time when cybersecurity has become a significant threat. What steps should be taken to verify the customer’s identity in view of an increased risk of identity theft?

Covered Topics

  • What are the rules? Learn about Federal regulations for E-Sign and the Uniform Electronic Transactions Act (UETA).
  • Which lending regulations are related to E-Sign and have specific provisions for compliance?
  • What are “digital signatures”?
  • Common questions, resources, exam procedures
  • Learn the Six-Step Process for Consumer Consent
  • Basic Steps for E-Sign Implementation
  • Tips for cybersecurity and fraud detection of identity theft

Who Should Attend?
This session is beneficial for lenders, loan administration, compliance officers, IT staff, auditors, customer service, and security officers.

Presenter
Susan Costonis is a compliance consultant and trainer. She specializes in compliance management along with deposit and lending regulatory training.

Costonis has successfully managed compliance programs and exams for institutions that ranged from a community bank to large multi-state bank holding companies. She has been a compliance officer for institutions supervised by the OCC, FDIC, and Federal Reserve. Costonis has been a Certified Regulatory Compliance Manager since 1998, completed the ABA Graduate Compliance School, and graduated from the University of Akron and the Graduate Banking School of the University of Colorado. She regularly presents to financial institution audiences in several states and “translates” complex regulations into simple concepts by using humor and real-life examples.

Registration Options

  • Live Access, 30 Days OnDemand Playback, Presenter Materials and Handouts – $279
  • Available Upgrades:
    • 12 Months OnDemand Playback + $110
    • 12 Months OnDemand Playback + CD  + $140
    • Additional Live Access + $75 per person
October 20, 2021/by Katie Reiser