Cyberattacks no longer just impact the targeted organization but often have a ripple effect that harms partners, service providers, customers, and others. As data breaches trend up, organizations will be forced to spend more money to recover and ensure they have the appropriate solutions in place to prevent attacks without disrupting normal business. The role of the information security officer (ISO) is more important than ever when it comes to ensuring organizations are taking every precaution to avoid becoming victims.

The following topics should be considered by all financial institutions as part of reviewing the Information Security Program and implemented as deemed necessary.

Bank Protection Act of 1968

With the transition to remote audits and exams, an emphasis on the Bank Protection Act of 1968 has been incorporated into IT audits to ensure the organization is adequately managing and monitoring physical security in alignment with regulation and risk. Physical in-person security checks can be a struggle with the trend of remote audits by external auditors and examiners. Typically, videos or photos are used to examine physical security as part of the audit. As an additional step, a security officer should be officially named to ensure all requirements of a thorough physical security program are implemented, including an annual report to the board of directors.

FFIEC Updated Guidance

The FFIEC released updated guidance in August 2021 regarding authentication and access measures, which included bullet points of emphasis on customer awareness and education programs. Institutions should be making improvements and adjustments accordingly. An emphasis on specific policies will be incorporated into audits as well. A customer awareness program should include any cash management customers, specifically ACH originators and merchant remote deposit customers, and the ability to ensure they are aware of security protocols and abide by the expectations set forth in the respective agreements.

New/Updated Policies

The following policies should be documented within an Information Security Program, and some have become formal recommendations by examiners and regulators within the last 12 months.

• Imaging Policy: Address the storage of critical documents to ensure readability and accuracy, responsibility, procedure, and disposal of original documents.
• ATM/Debit Card Management Policy: Include policy and procedures to address the following: application process, employees authorized to order/issue cards, card activation procedures, PIN change procedures, receipt of returned PIN mailers, receipt of returned debit cards, logging documentation, contacting the customer for pick up/address changes, length of time to hold cards prior to being logged and destroyed.
• Instant Issue Policy: Describe the instant issue environment, authorized access, security controls (both physical and logical), dual control, inventory, monitoring, internal audits, and related procedures.
• Internet Banking Policy: Designate responsibility of the program, summarize all Internet banking services, describe the risk assessment process, define transaction processes, determine appropriate training, and ensure all aspects of the Internet banking program are adequately addressed. Also, reference FFIEC Authentication and Access to Financial Institution Services and Systems (Aug. 2021) as appropriate.
• Multi-Factor Authentication: Enhancing network security with MFA solutions helps increase data-center security, boosts cloud security for a safer remote working environment, and minimizes cybersecurity threats. Additional controls surrounding administrative access to directory services, network backup environments, network infrastructure, organization’s endpoints/servers, remote access (employees and vendors), and firewall management are recommended.

Many cybersecurity insurance vendors are now requiring organizations to complete a self-attestation to renew policies. Included within the attestation is the verification of multi-factor authentication for remote access users and administrative users.

Contract Review Procedures

The vendor management program continues to evolve and requires diligent monitoring and research, especially for those vendors deemed critical to operations. Furthermore, the FFIEC has outlined contract review guidelines within the Information Security Booklet which should be used as a guide in evaluating new contracts and renewals for risk.

Formal contract review procedures should be developed and include, but not be limited to, the following: scope of service, performance standards, security and confidentiality, controls, audit requirements, reports available for review, business resumption or contingency plans, subcontracting, ownership and license of data, dispute resolution, termination, assignment, regulatory compliance, and breach notification procedures.

Microsoft365 Controls Assessment

To mitigate multiple cyber threats, an independent assessment of the Microsoft365 environment should be performed after implementation and occasionally thereafter. The independent assessment should evaluate the environment and ensure the organization has implemented appropriate controls to mitigate risks including malware, third-party app access, data loss prevention, external sharing, advanced threat protection, and permissions.

Backup Best Practices

It is critical to maintain offline, encrypted data backups and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important to implement a range of disaster recovery measures to prevent and mitigate ransomware attacks, including keeping multiple backups on and off site, replicating critical data, encrypting data, and air-gapped backup.

An additional step is immutable backups. An immutable backup is a backup file that cannot be altered in any way. It should be unchangeable and able to deploy to production servers immediately in case of ransomware attacks or other data loss. By keeping an archive of immutable backups, you can guarantee recovery from a ransomware attack by finding and recovering the last clean backup you have on record.

If a third party or managed service provider is responsible for maintaining and securing your organization’s backups, ensure they are following the applicable best practices. Using contract language to formalize your security requirements is also a best practice.