Last month, the Risk Advisory Services Team attended the Community Banking Technology Forum hosted by the Federal Reserve in Richmond. Bryan and I divided up the conference, so he attended Day 1, and I attended Day 2. He previously talked about the ideas that stuck with him from that forum, and this is my take on what I heard at the forum. If you didn’t get the chance to read his article yet, fear not, you can always check it out on our website.

bank-audit

Business Continuity Planning

  • The presenter mentioned that his bank has started incorporating a self-assessment (based on the FFIEC’s Business Continuity Planning Examination Procedures) in their Business Continuity risk management process. They’re trying to being proactive about responding to business continuity and risk management concerns by getting a jump on asking themselves the same questions the examiners will be asking. It reminded me of the intent of the FFIEC Cybersecurity Assessment Tool, and I think it’s a great idea to help identify areas you may not think of.
  • This bank also developed a systematic process to walk through for each component of the bank to identify realistic RTOs, RPOs, and Maximum Allowable downtimes for each. This included factoring in interdependent ties within the organization. That sounds like a simple thing, but it’s easy for bank components to build their recovery plans in an isolated way that can overlook reliance and can affect their ability to come up with realistic recovery time frames.

Financial Crimes Panel Insights

  • There were some interesting insights that the panelist from the Secret Service field office in Richmond had to offer, but some of the most interesting were the scams they’re actually seeing in the wild:
    • Gas Pump/ATM Skimmers: Fraudsters are looking for ATMs or gas pumps that aren’t checked often and are out of the line of sight of and employee or cameras and may not be well lit. He recommended, if it’s not already occurring, to set up a periodic check of those machines and the employee could tug on the card scanner itself to do a cursory check on if it’s been tampered with or not.
    • Instagram Scams: This one is a variation on the old-school check kiting scams where someone on Instagram will post about the opportunity to use an empty debit card account for a potential accomplice on Instagram to use for check kiting purposes. However, the potential accomplice ends up being the actual victim of this particular scam.
    • Wire Fraud w/ Real Estate Companies: This can be done in several ways, but ultimately the fraudster will redirect the wired money to a different account than it was originally intended to go to during a real estate purchase.
  • The two recommendations the panelist gave that struck me most were:
    • Educate your customers on how to go about protecting themselves against known scams. This benefits them and your organization.
    • Patch your hardware and software as soon as possible after a patch has been released. It could mean the difference in a serious information breach and avoiding it altogether.

Role of IT in Cybersecurity

  • It was hard to narrow down everything that I caught during this part of the forum into just a few notes that stuck with me, but I would say the main thing that caught my attention here was that cyber incidents are not solely defined as IT incidents. A fraudster can use IT in some way to carry out their attack, but the majority of the attack may occur outside of the cyber realm such as misappropriation of resources, physical compromise of an organization, and social engineering via fake news.
  • I also found it interesting that she stressed keeping an eye on geo-political events to possibly predict where and what type of attacks may be unleashed based on what’s happening in the news. The example used was for nation state attacks, but it could just as easily be domestic attacks from a disgruntled group within your own country.

Cybersecurity Risk Management

  • The last part of the day focused on managing your cybersecurity risk. There was a lot to take in from this presentation too, but there were a couple of big highlights for me. Focus your cybersecurity protection program on those areas with the highest return on investment for your organization. That will be different for different organizations in different industries.
  • Protect your core asset (which includes data) and build your controls out from that core. These will include access privilege controls, good monitoring practices to detect potential breaches, and an effective vendor management program to identify possible areas of concern with the people you pay to support your organization in some way.

It was really great to get to hear from the presenters that were able to make it that day and to get a chance to talk to everyone I ran into on breaks. I have to reiterate Bryan’s comments from few weeks ago in that we really appreciated the opportunity to attend the Community Banking Technology Forum this year!


laura-combsLaura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.

Learn more about Laura