Posts

The Wisconsin Bankers Association offers for your use the following consumer education column. Your bank is free to use this as a community column in your local newspaper, a letter to the editor, a press release or in any other way you see fit. The purpose is to give our members an easy-to-use tool for promoting the banking industry to Wisconsin's communities.

Identity theft is on the top of many consumers' minds these days, with new data breaches announced seemingly weekly. As masses of Americans turn to credit monitoring, fraud alerts, and other solutions to prevent their identities from being stolen, one group sometimes slips through the cracks: children. Parents: don't forget that your child has a Social Security number, so their identity could be stolen and used to take out fraudulent loans that could damage their ability to buy a car, get student loans, rent an apartment, or even get a job in the future. Below are some steps to consider to help protect your children from ID theft:

Watch for red flags.
First, keep an eye out for common signs that your child's identity has been used to obtain credit. These include an influx of mailed credit card and/or loan offers addressed to your child, a notice from the IRS that your child didn't pay income tax or was claimed as a dependent, and collections calls for bills addressed to your child. When your child gets older, being denied a bank account, driver's license, or government benefits (such as Medicaid) are also indications that their identity may have been stolen. 

Check your child's credit report.
The next step to take is similar to what you would do to protect your own identity: check their credit report. It's a bit more complex when the credit report you're requesting is your child's (versus your own), but it is an important step. Contact the major credit bureaus (Equifax, Experian, and TransUnion) to find out the specific documentation they require. You'll likely need to mail in copies of your child's birth certificate and/or their Social Security card, as well as a copy of your own ID. Keep in mind that your child may not have a credit report, and that's a good thing! It means your child's identity has not been used by criminals to obtain credit in their name.

Consider a credit freeze.
If you find that your child has a credit report, consider placing a freeze on it. This is especially important to consider if your child's identity has been stolen, since it will help prevent future instances of their information being used to obtain credit. Wisconsin's Child Credit Protection Act allows parents and legal guardians to place a freeze on their child's credit record. By freezing their credit with each of the major credit bureaus, you will prevent criminals from taking out credit using your child's identity. Each credit bureau has a different process for freezing credit, so contact them to find out the steps if you are interested in a credit freeze for your child(ren). Keep in mind, the bureaus charge a fee to freeze and unfreeze credit, so you'll want to consider how close your child is to legitimate credit requests (such as student loans or a first credit card) before taking this step.

If you suspect your child's identity has been stolen, visit www.identitytheft.gov for step-by-step guidance on what to do next. 

An archive of Consumer Columns is available online at www.wisbank.com/ConsumerColumns.

By, Amber Seitz

Security considerations for modern branch technology

As branch networks evolve from brick-and-mortar transaction centers into technology-friendly customer interaction spaces, banks must also be diligent in their work to update their security strategy. A 20th-century security plan won't protect a 21st-century branch network. Unfortunately, there's no universal approach that will work for every institution. "Any time you're adding new technology or moving to something new, there's no easy answer," said Randy Phillips, vice president of security management at Thompson Consulting Group, LLC. "It's really a case-by-case basis because it depends on how much technology you're adding." Instead, bank security officers should align their current strategy to their branch network with a close look at their vulnerabilities from a holistic perspective. 

Adopt a Holistic Perspective

Modern branch networks are less a collection of separate buildings and more a true network, a group of interconnected pieces working in tandem. Therefore, updating the security strategy to accommodate modern networks requires a perspective shift. "It doesn't require changes so much as it requires looking at security concerns from the past in a different way, as an ecosystem rather than as separate pieces," said Jim Stanger, FI solutions team leader at Edge One, Inc. "You need to look at your security more holistically." Protecting innovative branch networks that rely on more automation than past models requires reviewing security in a new way, according to Barry Thompson, managing partner at Thompson Consulting Group, LLC. 

That holistic view necessitates an understanding of how each piece of the network interacts with the others, whether it's an ATM at a remote location, a complimentary Wi-Fi connection, or a new mobile app. "Any time you're looking at new technology, you need to look at the interoperability, how all the parts will work together," said Phillips. "Research it and spend the time to choose wisely, because the last thing you want is to make a purchase and then discover that it's not as efficient as you'd anticipated or it opens you up to new vulnerabilities you hadn't expected." Bank security officers must identify and defend against new and transforming vulnerabilities related to both physical security and information security, and the best way to do so is to evaluate current security from the perspective of a criminal. "Everybody's probably heard it before, but any situation where you're the security officer you have to think like the bad guy," Phillips said. "What are they doing and how are they trying to do it?"

Information Security

With today's rapidly evolving technology landscape, keeping up with the industry is vital for information security, which is one of the most common security concerns today, according to Dawn Staples, president/CEO of Superior Savings Bank. "These concerns evolve as quickly as the previous vulnerability has been addressed. Maintaining an effective information security policy that is frequently updated and followed, along with a vigilant eye on emerging trends is essential." An ongoing system for monitoring and improving security is especially critical as the machines banks use to deliver services to their customers become more complex, such as video ATMs and interactive teller machines. "Protect the terminals today but also have a system for protecting them on an ongoing basis," Stanger advised. Having a system in place to regularly install security updates is vital, as modern machines are far more complex than their past counterparts. "These solutions are just as much software as they are hardware, today," said Stanger, referring to ATMs. 

Even entirely digital system components such as Wi-Fi and electronic banking products should be reviewed and monitored as part of the overall branch network, since they can become gateways for criminals to access other areas of the network. "Layered security is a primary focus with all of our electronic banking products," said Staples. "Multifactor authentication, firewalls, and VPNs are just a few of the strategies that are commonly used." When it comes to offering internet access to customers, the best protection is to separate it from the connection used by branch network components and internal processes. "If you're providing free Wi-Fi for visitors and customers, you must ensure that the connection is completely separate from the connection used by the bank's internal computers and systems," Thompson stressed. "Otherwise someone in the parking lot can start using your internet." The good news is, safer and more secure technology is developed as rapidly as criminals find ways to exploit current technology. "As technology advances, additional protections are available for personal transactions, whether it's banking or any other cloud-based activity," said Staples. 

Physical Security

When it comes to physical security, a holistic perspective requires banks to consider how the new devices impact customer safety, even as they provide additional convenience. "The biggest change is to give more consideration to the fact that we're moving some of our security exposure to the customer," Phillips said. He explained that self-service machines such as interactive ATMs place the responsibility for cash handling on the customer, and many people still don't trust machines to dispense the correct amount. "They're still going to stand there and count the money," he said. "So, look at the surroundings."

This customer-centric view also applies when considering the physical layout of the branch, including the placement of teller pods (if they are being installed). "The size of the teller pod and how you position it within the branch creates issues for physical security," said Thompson. For example, he cautioned banks against positioning pods in such a way that would allow customers to view the computer screens on nearby pods, potentially revealing other customers' account information. "It's crime prevention through environmental design," he explained. Fortunately, as with many information security components, improvements are constantly being made to the physical elements of branch networks. "Many of these new technologies have self-monitoring capabilities, detecting skimming devices on ATMs, for example," Phillips said. 

One thing that hasn't changed, and isn't likely to: prevention and preparation are critical elements in an effective bank security strategy. "Vigilance for what's happening today, with an eye for what's happening tomorrow," said Stanger. "It's best to buy umbrellas before it starts raining."

Edge One, Inc is a WBA Associate Member

By, Amber Seitz

Events

Cybersecurity threats continue to rapidly evolve in sophistication and are occurring with increased frequency. Daily, we hear news about new data breaches, dangerous strains of malware, innovative hacking schemes, and targeted efforts of organized crime groups. In fact, cybersecurity news has become so pervasive that it’s not even shocking news to most people anymore. This session will provide detailed information on how to prevent the latest information security threats or ways to mitigate the latest vulnerabilities.

The discussion will include:

  • Network compromises and data breaches
  • ATM Jackpotting and unlimited operations
  • New internet-based vulnerabilities
  • Commercial account takeover
  • Business email compromise
  • Standards for protecting information systems (NIST, SANS, ISO)
  • Advanced controls to mitigate risk (DLP, SIEM, App Whitelisting, Next Gen Firewalls, Network Segregation, Incident Response, Continual Monitoring, Forensics)
  • How to tie standards and controls to the IT Risk Assessment and IT Audit Program

Target Audience: Information security officer, IT manager, risk officer, internal auditor, CIO, and executives looking to better understand cybersecurity risks.

Presenter
SBS CyberSecurity, LLC

Registration Option
Live presentation $330

Recording available through July 22, 2022

The thing about Incident Response, just like Business Continuity (and insurance), is that we all hope the scenarios we know can happen never actually occur. However, the point of planning is to anticipate the bad things happening and have a plan to deal with those incidents, should they occur.

While it can be difficult to document a response for Incident Response scenarios that have never occurred, building out step-by-step scenarios into an Incident Response Playbook might just save your organization time, money, resources, or even the business itself if something bad does happen. How do you create your own Incident Response Playbook?

This presentation will cover the following areas/topics:

  • Regulatory requirements of an Incident Response Plan (IRP)
  • Components of a valuable IRP
  • Threat Assessments
  • What is an Incident Response Playbook?
  • Testing Your Incident Response Playbook
  • Using Your Playbook to improve your IRP

Target Audience: Information security officer, IT manager, risk officer, internal auditor, CIO.

Presenter
SBS CyberSecurity, LLC

Registration Options
Live presentation $330

Recording available through September 3, 2022

It’s time to shift our thinking when it comes to security awareness training. Yearly education and testing just doesn’t cut it in today’s cyber world. Security awareness is a topic we should have in front of our people on a much more consistent basis.

However, as we all know, creating a culture in any environment involves more than words or flipping a switch — it involves thoughtful and deliberate action across the organization, as well as accountability for that culture. Culture also has to start at the TOP of the organization, or it will be meaningless downstream. Overall, the goal of a Culture of Cybersecurity is to make security the first thing we think about, as opposed to the last.

Join us for this session, which will include:

  • Cyber Threat’s New Normal
  • People, Process, and Technology — which is the weakest link?
  • Compliance-based security awareness training
  • Proactive Security Awareness Training
  • Building an Effective Security Awareness Training Program
    • Directors/Executive Management
    • Employees
    • Customers
  • Topical training ideas
  • Why accountability matters most

Target Audience: Incident response team, information security officer, IT manager, risk officer, internal auditor, and IT focused staff.

Presenter
SBS CyberSecurity, LLC

Registration Options
Live presentation $330

Recording available through August 13, 2022

This webinar covers common versions of global cash flow (GCF) analysis being used by bankers, with a focus on GCF as part of the underwriting process in most medium- to smaller-sized businesses and self-employed lending situations. A major issue is how to adjust or reduce the personal cash flow for income taxes and living expenses. Because of differences in how a personal debt-to-income (DTI) is derived versus a business debt service coverage (DSC), some type of adjustment must be made before combining personal and business data. This leads to a discussion of the advantages and disadvantages of adjusting for income taxes and living expenses, versus adjusting the required coverage factor. Another major issue is capital gains and other items within the broader recurring/non-recurring decision category. A case study is used to illustrate key points.

Topics to be covered include:

  • Personal DTI versus business DSC
  • Approaches to imputing a personal living expense factor
  • Regulatory discussion of living expenses and capital gains (losses)
  • Analytical and conceptual issues:
    • Mixing two approaches to debt coverage
    • Using averages for debt coverage ratios
    • Recurring vs. non-recurring items
    • Where is the cash flow (if any) when a capital gain is listed?

Target Audience: Branch managers, consumer lenders, mortgage bankers, private bankers, small business lenders, commercial lenders, credit analysts, loan review specialists, special assets officers, lending managers, and credit officers

Presenter
Richard Hamm, Advantage Consulting & Training

Registration Options
Live presentation $330

Recording available through January 18, 2023

Explore the fundamental building blocks of a repeatable framework for cybersecurity and information security issues. Your information security program can be more than a document created for compliance. We will help develop a program that provides your institution with clear direction and guidance that meets and exceeds regulatory expectations while addressing real-world risks.

Some bank programs implemented today are a collection of documents pulled together over the years that exist primarily to satisfy regulatory requirements. The Information Security Program should be a coordinated set of policies that work together to implement a unified set of controls across the organization. It should be a daily playbook used by employees to fight cybercrime, not a collection of documents to satisfy auditors and examiners.

Discussion Topics

  • Regulatory Requirements
  • Purpose of repeatable cybersecurity frameworks
  • Program Basics for a solid framework
  • Detailed explanation of framework components
  • Next steps for a comprehensive, valuable, repeatable framework
  • Making decisions with the framework
  • See new issues and technologies automatically handled by a solid framework

Target Audience
Incident response team, information security officer, IT manager, risk officer, internal auditor, and IT focused staff members

Presenter
SBS CyberSecurity, LLC

Registration Option
Live presentation $330

Recording available through April 28, 2022

The implementing regulations of the Bank Protection Act require the security officer to report annually to the board on the “implementation, administration, and effectiveness of the security program.” As banks downsize or right-size, danger in the security area increases. Learn how to educate your board on these issues with skill and diplomacy.

This webinar will review best practices relating to training, inspections, and foreseeable events that should be reported to the board. Learn how the annual written report should be prepared, presented, and reported. Security officers and board members will garner valuable resources that can provide statistics, facts, and information to reduce liability.

Many financial institutions are satisfied if regulators don’t take issue with the board report or the security program. However, don’t wait for a lawsuit against the security officer, management, and the board (both jointly and individually) to discover your report was missing key items. Information that could help during litigation is very different than what regulators examine for compliance. Be aware that the report is not just for the board – a much larger audience will review it if something goes wrong.

Attendance certificate provided to self-report CE credits.

AFTER THIS WEBINAR YOU’LL BE ABLE TO:
Report foreseeable events that could bring liability against the board
Identify information that should be reported to the board annually
Present major problems to the board with limited time
Explain why the security officer/risk management department should report to the board in person
Understand what is included in the security function
Keep records that will make board reporting easier

WHO SHOULD ATTEND?
This informative session was designed for auditors, security officers, risk management staff, senior management, and board members responsible for the security function.

TAKE-AWAY TOOLKIT
Sample annual board report
Sample top sheet for board reporting
Special report form
Incident report form
Security tips
Employee training log
Interactive quiz

ABOUT THE PRESENTER – Barry Thompson, CRCM, Thompson Consulting Group, LLC
Barry Thompson is an international speaker, trainer, consultant, and writer. He is a security and compliance “guru” for a leading national training organization and regularly presents security conferences for trade groups – he has trained over 51,000 financial professionals.

Barry is recognized worldwide, presenting in Brussels, Belgium to European bankers on internal fraud; at the United Nations on identity theft; and to Japanese bankers on bank security. Barry has worked in the financial services industry for over four decades, and has held the positions of security officer, compliance officer, treasurer, senior vice president, and executive vice president. He has handled over 900 security cases and has been involved with investigations and prosecutions at the federal, state, and local levels. Barry is the author of 101 Security Tips for the Beginning Security Officer and has been interviewed by Newsweek, Computer World, USA Today, and other national publications.

REGISTRATION OPTIONS
Live Webinar Access – $245
On-Demand Access + Digital Download – $245
Both Live & On-Demand Access + Digital Download – $320

October 3-7, 2022
Fluno Center for Executive Education
Madison, Wisconsin
Enrollment Deadline: September 6

KEY INFORMATION SECURITY STRATEGIES

Online bank fraud has been described as epidemic, with numbers that are staggering — it’s estimated that U.S. banks lose $1.5 billion to phishing attacks annually. Consider also that mobile devices are now ubiquitous and hackers are getting ever-more sophisticated in their ability to gain access to sensitive data and it’s clear that there is a need for proactive IT security offense and defense to stop attacks including phishing, malware, coordinated denial of service attacks, hacktivist breaches and more. The threats to the banking sector are multiple and significant — both financially and reputationally. Today’s bank customer is rightfully concerned about online banking fraud and studies show that the majority of customers would change banks if they became a victim of fraud at their current institution. Security breaches not only cost significant dollars, but they also erode consumer trust. Being proactive is key.

Don’t miss this innovative school that’s designed by, and especially for, information security officers in the financial industry. This state-of-the-art program will broaden your understanding of the business of banking including key drivers of bank profitability, along with an in depth, interactive and hands-on study of the latest IT security techniques and strategies.

The school uses a mix of lecture, small group discussions and interactive computer labs. The hands-on, computer-based simulation labs will allow you to explore penetration and vulnerability testing, security attacks, early detection of data breaches and more. You’ll spend class time diving deep with IT security experts and knowledgeable colleagues who will become a network to call upon for years to come. Apply today to take advantage of this opportunity to learn from experts in the banking industry about today’s key issues in information assurance.

WHO SHOULD ATTEND

Whether you’re a veteran Information Security Officer or new to the IT security field, this powerful program will give you the skills and knowledge to effectively secure your bank’s and your customers’ most sensitive information.

Click More Information to view the full school details on gsb.org.

There are three phases to creating an Information Security Program for financial institutions: 1) planning and preparation, 2) implementation, and 3) testing and verification. When it comes to testing your ISP, one of the big questions you should ask – both of yourself and your auditor(s) – is “where does our risk really lie?” Are you testing your ISP because you have to, or are you testing your ISP because you really want to protect your institution and your customers’ data from a cyber attack?

Covered Topics

People, Process, and Technology
Minimum Requirements for Testing Your ISP
Best Practices for Testing Your ISP
Reactive Testing vs. Proactive Testing
Additional Security Testing to Consider

Who Should Attend?
Information Security Officer, IT Manager, Risk Officer, Internal Auditor, CIO, and Executives looking to understand the Cybersecurity Assessment process, common weaknesses in controls, and how to address them.

Presenter
Cody Delzer, CISA, CDPSE, is a SVP Information Security Consultant for SBS CyberSecurity, LLC of Madison, SD who has a Bachelor of Science Degree in Computer and Network Security from Dakota State University and 13 years’ experience in IT and IT Security; 3 years in Systems Operations and 10 years in Information Assurance. Cody has worked with over 300 Financial Institutions and other private industry organizations across the United States.

Registration Options

“Live” Web connection – $265
6-month “OnDemand” website link only – $295
CD-ROM and e-materials only – $345
Live plus OnDemand website link – $365
Premier Package: Live, OnDemand link, and CD-ROM plus – $395