Usernames and passwords are not enough: multi-factor authentication is a must.
99% of Account Compromise attacks can be stopped according to a recent study. Use of Multi-Factor Authentication (MFA) across all access points is one of the single best tools available to protect against ransomware, corporate account takeover (CATO) and business email compromise (BEC).
Regulators recently released guidance relating to access and authentication. The new guidance reinforces the need for financial institutions to better authenticate users (customers, employees and third parties) to protect information systems, accounts, and data.
The release also references the importance of multi-factor authentication in supporting compliance with consumer financial protection laws, laws that address Customer Identification Program (CIP), Customer Due Diligence (CDD) requirements, identity theft prevention, and the enforceability of electronic agreements.
Multi-Factor Authentication: More Than a Password
Multi-factor authentication is using more than just a password, from separate sources, to verify authenticity of access. For example, using a password together with a code sent to your smartphone when logging into online banking. Implementation of multi-factor authentication should be considered at every access point including for online banking customers; employees working from home for VPN access; and requiring multi-factor for desktop access within the financial institution’s offices.
Last Revised in 2004, FFIEC Updates IT Operations Handbook
The FFIEC released a new booklet in the IT Examination Handbook which provides expanded guidance to help financial institution examiners assess the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations. The new booklet replaces the “Operations” booklet issued in July 2004. Technology has changed substantially since 2004 and institutions should review the updated booklet to ensure they are appropriately identifying risks and are prepared for their next exam.
Vendor Management - 3rd, 4th and 5th Party Risk
The FDIC, OCC and FRB issued a request for comment relating to management of third-party vendors. Of specific interest is the risk created by your vendors when they in turn outsource to other vendors. Regulators are expecting bankers to have knowledge of and perform risk assessments on every vendor in the supply chain for critical activities.
Pro-Tip: If you are currently in the vendor selection process, consider items in the proposed guidance during your selection process. It will put you ahead of the game with vendor due diligence and at your next exam.
Conducting Due Diligence on FinTechs
Some FinTech firms, especially those in an early or expansion stage, do not have the Information security, experience, financial strength, or audit and internal control maturity of traditional, established firms that work with financial institutions. The FDIC, FRB and OCC released Conducting Due Diligence on Financial Technology Companies – A Guide for Community Banks as a resource for institutions considering a FinTech business relationship.
FDIC - Conducting Due Diligence on Financial Technology Companies
FRB - Agencies Issue Guide to Help Community Banks Evaluate Fintech Relationships
OCC - Third-Party Relationships: Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks
Cyber Insurance. Higher Premiums, Less Coverage
The increased volume of cyber threats and increased clams has resulted in unfavorable loss ratios for insurance underwriters. As a result, many institutions are seeing large increases in premiums and changes that reduce policy coverages.
The FFIEC issued the Joint Statement Cyber Insurance and Its Potential Role in Risk Management Programs in April 2018. The release states “Purchasing cyber insurance does not remove the need for a sound control environment. Rather, cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure. An effective system of controls remains the primary defense against cyber threats.” The release provides sound guidance for institutions considering the purchase of cyber coverage – should it continue to be available at a price and with coverages that are desirable.
Claim Denied - Triggering OFAC, FinCEN and Bank Secrecy Act Violations
We wrote last year about the US Treasury stating that ransomware payments – either directly or with the financial institution as a conduit – were likely violations of AML laws. Insurers are now scanning OFAC lists to determine if payment is legal prior to determining if they will pay a claim.
FBI Warns of Increased Ransomware Threat on Holiday Weekends
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published an alert warning of increased threat risk in the days leading up to 3-day weekends based upon observance of past attacks that occurred in 2021. Threat actors use 3-day weekends to reduce the chance of being discovered quickly. Employees should be made aware of theheightened risk of ransomware, wire transfer, corporate account takeover (CATO) and other frauds in the days leading up to holiday weekends.
The Cybersecurity and Infrastructure Security Agency (CISA) (an operational component under Department of Homeland Security) recently released a fact sheet for protecting information from ransomware breaches. The guide includes well known security suggestions such as use of strong SPAM filters, ensuring devices are properly configured, having a robust patch management system for software updates, conducting regular vulnerability assessments, use of anti-virus software and implementing a cybersecurity user awareness and training program. The guide twice recommends use of multi-factor authentication.
Cyber Criminals Targeting Employees to Deploy Ransomware
Cyber criminals are now offering employees at targeted firms a percentage of the take if they are able to successfully install ransomware on their employer’s computer networks. While a number of institutions use simulated phishing attacks to test employees, simulating a potential bribe likely opens legal risk and creates challenges with trust and corporate culture within organizations.
New Anti Anti-Money Laundering Tools for Criminals
Designed for cyber-criminals, a new software allows criminals to input data and see how their transaction might be flagged by AML software or linked to known criminal activity by providing a percentage of probability as to the risk of their criminal activities. No word yet on the due diligence cyber-criminals are doing on their vendors...
The Great Attrition
More than 15 million US workers have quit their jobs since April 2021, a record pace disrupting businesses. The trend is impacting bank IT departments as well with stronger compensation packages and opportunities outside of the banking industry. The pandemic has played a part, having changed perspectives on work life balance. Has your institution’s IT department been impacted by attrition? Reach out to us at Solutions@BankOnITUSA.com, we’d love to share how others are approaching backfilling in creative new ways.
Delays in PC Shipments
Two major PC makers, HP Inc. and Dell Technologies Inc., said that demand for computers outpaced their ability to satisfy customer orders. The semiconductor shortage, COVID-19 pandemic, port backlogs and weather have all had an adverse impact on the supply chains relied upon to produce everything from PCs to pickup trucks.