Colorado Banker Magazine, May/June 2014

Regulatory agencies have been busy this year! This seems to be the year of FILs, OCC Bulletins, and FFIEC documents. Some that came out earlier than that are also seeing an increase in attention. Make sure these areas of information security are addressed in your program (or are at least on your radar) before your next exam:

  • Social Media – The FFIEC released final guidance on social media risk management expectations in December 2013. To be clear, banks with more social media presence will obviously have more work to do, but even if you're not using social media sites, you still have a few new requirements. The purpose of the guidance is to let you know you need a social media risk management program. The first step is to assess your risk level surrounding social media and then determine what your institution should do regarding the other risk management components listed in the FFIEC's guidance. Those include things like employee training, social media monitoring, policies/procedures for social media use, board reporting, etc.
  • Account Takeover (ATO/CATO) – Since the release of the FFIEC's Supplement to Authentication in an Internet Banking Environment, several state banking agencies have ramped up their CATO best practice standards. It looks like most are using the standards put out by the Texas Electronic Crimes Taskforce. We expect to see those Protect, Detect, Respond CATO standards implemented in more and more states in the future. The sooner you incorporate ATO/CATO security controls and expand incident response procedures to specifically address account takeover, the better.
  • Vendor Management – For the last several years, security and compliance consultants have enjoyed following the lone guidance surrounding vendor management program expectations, put out by the FDIC. In the last six months, though, the OCC and Federal Reserve have issued their own guidance standards for your vendor management program. All three have different requirements, so you just need to read through the guidance published by your regulatory agency and ensure you're meeting their expectations. You may need to beef up your contract review and initial vendor significance assessments depending on what you are currently doing. Another difference in the OCC guidance that I've seen get some attention in the last few months is whether the bank needs or has a "contingency plan" for the vendor relationship, that is, whether you are prepared for what would happen if the relationship ended.
  • Distributed Denial of Service (DDoS) – DDoS attacks are on the rise, and so is examiner focus. From what we've seen, there aren't any specific items they're looking for, just that you address DDoS attacks in your Information Security Program. I think the best thing you can do here is to look into DDoS protection services offered by your Internet Service Provider (or website/Internet banking vendor if you outsource Internet banking and your website) and also to prepare for how best to respond to a DDoS attack. Most DDoS attacks are meant to serve as a distraction while someone attempts to commit fraud (usually through ACH and wire services), so implementing or lowering a call-back threshold for cash management services while you're experiencing a DDoS attack could save your bank some trouble. Just like with all things, though, the best place to start is by assessing the risk.

Of course, you'll have other security controls and documentation to answer for on your next exam, but I wanted to let you know some of the new things we've noticed examiners wanting to see this year. Be prepared to answer for them, and good luck!