Nebraska Banker September/October 2016

I was recently invited to celebrate the birthday of a friend and was a bit confused when I arrived at the party. My friend is in a "seasoned" phase of life and there were bright pink decorations everywhere. As it turns out, my friend was sharing this birthday party with a very special person: a little girl who turned one year old. So much attention goes into this moment of newness. Every attendee needs several photos on their smartphone to show their friends later. My friend took a few minutes to open some cards, then it was back to the baby for the ever popular "baby destroys a cake" act.

As humans, we are fascinated by new things. We gush over new babies, drool over new technology, and while some may disagree, we anxiously anticipate new regulation.

Each day, I arrive at the office to support an information security and compliance software suite. On some of those days, a new guidance is released by the FFIEC or one of the Agencies. Within hours of one of these releases, our team responds to countless people who contact us inquiring about our awareness of the new guidance and our intentions to help banks address it. Last year, when the FFIEC released the Cybersecurity Assessment Tool, you would have thought Moses was descending from the mountain with a new set of commandments. Hundreds of people began to reach out to us for assistance.

After all the anxiety about the Cybersecurity Assessment last year, few people have inquired about how to keep the assessment up to date. Perhaps there are no questions because they understand the tool now or maybe this is a case of new guidance versus "seasoned" guidance.

Are you mindful of the "seasoned" aspects of your Information Security Program? Ask yourself a few self-assessment questions to find out. Here are a few to help you get started:


  • Do I need to update my cybersecurity assessment?
    Have you had changes in your business since the last time you looked at this assessment? If so, you should reevaluate your cybersecurity risk and maturity. Assessing cybersecurity preparedness is a must regardless of whether you're using the FFIEC's tool or not.

  •       Do I need to update my social media risk management program?
    The "Social Media: Consumer Compliance Risk Management Guidance" was on track to be one of the hottest topics of 2013, but was quickly overshadowed by the hype of potential new cybersecurity guidance.  It is important  to remember that the social media guidance was created to help banks address risks related to social media, which do still exist today.

  •       Do I need to update my customer security awareness materials?
    Have there been changes since 2011 in how your customers can access their funds and what protections are available? Maybe you now offer a mobile app you didn't have when the "FFIEC Supplement to Authentication in an Internet Banking Environment" was released. These kinds of changes definitely warrant updates to your educational materials.


These are just a few supervisory expectations we see overlooked from time-to-time. Whether we are talking about new guidance, relationships with close friends, or even upgrading to "the next big thing" in smartphone technology, take some time to evaluate where you are, appreciate the things which brought you here, and remember: age does not lessen importance.

Alyssa Pugh is a Security+ certified Tandem Software Support specialist for CoNetrix. Tandem is a security and compliance software suite designed to help financial institutions develop and maintain their Cybersecurity Assessments, Social Media Risk Management Programs, Internet Banking Security Programs, and Information Security Programs. To learn about how CoNetrix can help you, visit our website at or email