By Toni Lapp October 1 – The EMV liability shift is upon us, and as of Oct. 1, retailers are liable for fraudulent transactions when an EMV chip card is presented but the point-of-sale equipment has not been upgraded to accept it. Yet by many accounts, most Americans do not even know what an EMV chip card is or how it provides stronger security than a magnetic stripe card. Of those who are aware of the new cards, one survey reported that the majority (53 percent) had not yet received replacement cards.
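The security difference the article says most cardholders cannot explain comes down to one thing: a magnetic stripe carries the same static data on every swipe, so a skimmed copy can be replayed, whereas a chip card computes a fresh cryptogram for each transaction under a key that never leaves the card. The simulation below, added here as an illustration and not code from the article or from any EMV specification, shows an issuer accepting a cloned stripe while declining a replayed, re-used or amount-altered chip cryptogram. It is a simplification: the MAC is HMAC-SHA256 instead of EMV's 3DES/AES CBC-MAC, the data fields are reduced to amount, transaction counter and terminal nonce, and the issuer key, PAN and track data are constructed values.

```python
import hmac
import hashlib

# Constructed values for the example; not real keys or card numbers.
ISSUER_MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")
PAN = "4111111111111111"  # well-known test PAN


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Card-unique key from the issuer master key and PAN.
    Stand-in for EMV's unique-key derivation (which uses 3DES/AES)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def cryptogram(card_key: bytes, amount_cents: int, atc: int, un: bytes) -> bytes:
    """8-byte MAC over amount, application transaction counter (ATC) and the
    terminal's unpredictable number (UN). Plays the role of an EMV ARQC;
    real EMV uses a 3DES/AES CBC-MAC over a longer, specified data list."""
    data = amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big") + un
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """The card side: holds the key, never exports it, bumps the ATC."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_ac(self, amount_cents: int, un: bytes):
        self.atc += 1  # counter moves on every transaction
        return self.atc, cryptogram(self._key, amount_cents, self.atc, un)


class Issuer:
    """The issuer host: recomputes the cryptogram and enforces ATC order."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._last_atc = {}      # PAN -> highest ATC accepted so far
        self._stripes = set()    # static track data on file for stripe cards

    def enroll_stripe(self, track2: str):
        self._stripes.add(track2)

    def authorize_stripe(self, track2: str) -> bool:
        # Nothing on the stripe changes per transaction, so a copy is as
        # good as the original for as long as the card stays active.
        return track2 in self._stripes

    def authorize_chip(self, pan, amount_cents, atc, un, ac) -> bool:
        key = derive_card_key(self._master_key, pan)
        expected = cryptogram(key, amount_cents, atc, un)
        if not hmac.compare_digest(expected, ac):
            return False             # wrong key, altered amount, or wrong UN
        if atc <= self._last_atc.get(pan, 0):
            return False             # replay or out-of-order counter
        self._last_atc[pan] = atc
        return True


def run_scenarios() -> dict:
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = ChipCard(PAN, derive_card_key(ISSUER_MASTER_KEY, PAN))

    # Magstripe: attacker skims Track 2 once and replays the copy later.
    track2 = PAN + "=2012101"          # constructed, simplified Track 2
    issuer.enroll_stripe(track2)
    stripe_clone_ok = issuer.authorize_stripe(track2)

    # Chip: genuine purchase at terminal A.
    un_a = bytes.fromhex("1a2b3c4d")   # terminal A's unpredictable number
    atc, ac = card.generate_ac(1999, un_a)
    first_ok = issuer.authorize_chip(PAN, 1999, atc, un_a, ac)

    # Attacker captured (atc, un_a, ac) from the wire and replays it as-is.
    replay_ok = issuer.authorize_chip(PAN, 1999, atc, un_a, ac)

    # Attacker presents the captured cryptogram at terminal B (different UN).
    un_b = bytes.fromhex("9f8e7d6c")
    other_terminal_ok = issuer.authorize_chip(PAN, 1999, atc + 1, un_b, ac)

    # Attacker keeps the captured cryptogram but changes the amount.
    forged_amount_ok = issuer.authorize_chip(PAN, 100, atc + 1, un_a, ac)

    # The real card's next transaction still authorizes normally.
    atc2, ac2 = card.generate_ac(500, un_b)
    second_ok = issuer.authorize_chip(PAN, 500, atc2, un_b, ac2)

    return {
        "stripe_clone_accepted": stripe_clone_ok,
        "chip_first_txn_accepted": first_ok,
        "chip_replay_accepted": replay_ok,
        "chip_cryptogram_at_other_terminal_accepted": other_terminal_ok,
        "chip_forged_amount_accepted": forged_amount_ok,
        "chip_second_genuine_txn_accepted": second_ok,
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'DECLINED'}")
```

Two checks do the work on the issuer side: recomputing the MAC catches any change to the amount, terminal nonce or counter, and requiring the ATC to increase catches a byte-for-byte replay whose MAC is still valid. Neither check is available for a magnetic stripe, which is why a stripe dump can be written onto a counterfeit card and used until the account is closed.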
September 28 – The SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued a risk alert as it ramps up the second phase of its examinations designed to bolster cybersecurity in the financial industry. The first phase kicked off in April 2014, when OCIE published its initial announcement of the program as part of its vision for improving cybersecurity in the securities and financial markets.
September 17 – As retailers push new credit card and payment technologies to secure consumer data, a Parks Associates industry report finds consumer concerns of data vulnerabilities are widespread across the Internet of Things, including 40% of U.S. broadband households who are worried about the security of smartphones.
September 11 – Vantiv, Inc., a provider of payment processing services and related technology solutions for merchants and financial institutions of all sizes, has launched OmniShield Assure, a security bundle designed to help protect consumer card data, reduce the chance of counterfeit fraud and enhance payment processing security, helping merchants with PCI DSS 3.1 compliance requirements.
August 21 – The Payments Security Task Force and the EMV Migration Forum have announced the launch of the industry-wide CHIP IN Education Initiative.
“After only one successful transaction, consumers understand how to use their new chip cards. We want to make their first impression with chip technology a positive one, and make paying with chip the ‘new normal’ this year,” said Randy Vanderhoof, director of the EMV Migration Forum. “To meet this goal, the EMV Migration Forum and the Payments Security Task Force are asking the industry to expand education efforts by participating in the new CHIP IN Education Initiative.”
GoChipCard.com is a comprehensive site providing instructions for successful chip card transactions along with information about what chip cards are, the security they deliver and reference materials for consumers, issuers and merchants.
What Is the CHIP IN Education Initiative?
The same cross-industry organizations that delivered the GoChipCard.com educational website are now asking industry stakeholders to chip in and help expand efforts to educate consumers and small businesses about the new cards appearing in their wallets and their stores.
How Can Industry Participants Help?
The initiative provides issuers, merchants, acquirers and others with educational messages and materials that can be shared through social media and other channels.
Those who sign up to join the initiative will receive a weekly email that includes:
Pre-drafted social media posts and hashtags
Free educational downloads including useful visual aids, training guides, FAQs, infographics and more
Ways to use resources to maximize educational value
Media interview tips
Methods to encourage visits to GoChipCard.com
“Awareness and these resources help make that first chip card transaction a positive experience, whether you’re shopping or helping your customer,” said Carolyn Balfany, senior vice president, MasterCard. “This is the latest in a series of steps that we’re taking to help all U.S. customers and cardholders to understand the many benefits of the upgrade to chip.”
“The CHIP IN Education Initiative is another tool we can use to support the transition to chip technology in the U.S. All of those in the payments ecosystem have demonstrated a shared commitment to easing the transition to chip technology, and, through continued collaboration on initiatives like CHIP IN, we can help educate consumers and small businesses as to how chip technology can help reduce fraud and increase payment security,” said Stephanie Ericksen, vice president of Risk Products at Visa, Inc.
Join the CHIP IN Education Initiative here: www.emv-connection.com/chip-in.
The first weekly email will be sent during the week of August 24th, so industry participants are encouraged to join before then.
“We look forward to seeing everyone chip in to make the U.S. EMV chip migration a success,” added Vanderhoof.
August 19 – The Payments Security Task Force and the EMV Migration Forum have announced the launch of the industry-wide CHIP IN Education Initiative.
On June 30, 2015, the FFIEC released a Cybersecurity Assessment Tool to help financial institutions identify their risks and assess their cybersecurity preparedness. The assessment tool is designed to provide a repeatable and measurable process for banks and credit unions to measure their cybersecurity preparedness over time.
tandem Cybersecurity Assessment provides a quick, easy, electronic way to complete the FFIEC cybersecurity self-assessment. Users log in to tandem and complete a questionnaire to generate their institution’s inherent risk profile and maturity level. Results live in tandem for tracking and reporting on a regular basis.
The tandem Cybersecurity Assessment tool is launching in phases and will be available as a free or professional version. Some of the key features provided by the tool will include the ability to compare results with similar financial institutions, a variety of graphs and reports for analyzing data and improving cybersecurity, including a report template for the board of directors, and a plan of action template to improve maturity levels if applicable.
The tool is an integrated module in tandem, an online software suite for managing information security and compliance. Other modules include: Risk Assessment, Vendor Management, Business Continuity Planning, Identity Theft Prevention Program, Audit Management, Social Media Management, Compliance Management, and more.
tandem Cybersecurity Assessment by CoNetrix warrants an Innovative Solutions Award because:
- The tool is an electronic way to complete the FFIEC cybersecurity assessment.
- The streamlined process will help financial institutions save time, avoid gaps or simple errors, and easily see where to improve.
- The solution will provide a variety of reports and graphs to assist institutions in analyzing and understanding their data and making informed decisions to improve their cybersecurity.
- The tool is free to financial institutions with pro features coming soon.
- tandem subscribers can access the tool in the same interface as other modules for efficient security and compliance management.
Following recent cyberattacks and system compromises, as well as regulatory updates, financial institutions have found they need to improve their ability to combat cybercrime. CSI’s Cybersecurity Risk Assessment is designed to help an organization gauge the level of risk associated with its cyber presence, identify and evaluate existing cybersecurity controls, and evaluate the need for additional security measures.
As part of the Cybersecurity Risk Assessment, CSI Regulatory Compliance experts will perform a thorough top-to-bottom review, which includes:
- Identification and classification of applicable systems
- Calculation of inherent and residual risk
- Evaluation of controls
Following the full assessment, the institution receives a cybersecurity risk assessment report, which contains all values and scores from each step of the assessment process, including inherent and residual risk scores for each applicable system. As a result, institutions will gain a clearer picture of where they may need additional controls, and can then make the necessary adjustments to further reduce risk to an acceptable level.
Key reasons CSI’s Cybersecurity Risk Assessment deserves an Innovative Solution Award:
- CSI’s team of experts provides decades of industry knowledge and experience in compliance, IT security and risk management to ensure that existing risk is quickly identified and mitigated.
- Based on CSI’s CISSP, CISM, CISA certifications and many more, the Cybersecurity Risk Assessment team is able to provide financial institutions with a comprehensive report containing all values and scores from each step of the cybersecurity risk assessment process.
- CSI’s reporting capabilities show inherent and residual risk scores for each applicable system, providing financial institutions with a clear picture of where they may need additional controls to reduce risks.
- As new threats emerge, CSI keeps pace with the latest cybersecurity risk factors, enabling banks to stay secure and compliant without spending added time and energy tracking them.
Computer Services, Inc. (CSI)
July 6 – Recent high-profile cyber attacks demonstrate that these incidents can significantly affect capital and earnings. In light of this, the Federal Financial Institutions Examination Council has released a cybersecurity assessment tool to help its member institutions identify their risks and assess their cybersecurity preparedness.
Financial institutions can expect even more regulatory guidance this year in response to the growing threat of cybercrime. Thieves have gotten smarter, and technology has gotten more complex. We have evolved from worms, viruses, spyware, and botnets to more targeted cyber espionage involving advanced persistent threats, dynamic trojans, and stealth botnets. Attacks have become blended, involving combinations of physical, technical, and social engineering techniques. Many industry experts believe that there are even more sophisticated scams to come.
Here are some key items to improve your cybersecurity awareness strategy:
Cyber Risk Management and Oversight
The tone should be a top-down approach for building a security culture. Your financial institution should develop a strategy at the board and executive levels for ongoing awareness and understanding of cybersecurity threats. The Federal Financial Institutions Examination Council (FFIEC) has provided a clear message that it expects senior management and the board of directors to understand that cybersecurity is part of everyday business. Banking executives should be getting more directly involved with security and risk assessments. Consider making cybersecurity a standing topic for every IT committee and board meeting.
There should be timely reports to senior management that include meaningful information addressing your institution’s vulnerability to cyber risks and ability to mitigate those risks. The information should allow senior management to prioritize resource allocations and inform the board of directors.
Threat Intelligence and Collaboration
To understand and stay current on cybersecurity issues for your financial institution and industry sector, you should take advantage of resources for threat intelligence and collaboration. This may include subscribing to bulletins, alerts, and guidance from the FFIEC, the Department of Homeland Security, CERT, industry data breach reports, and other relevant sources.
A resource that many regulatory examiners are expecting financial institutions to use is the Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is an industry forum for collaborating on critical security threats facing the financial service industry. It can be found by going to www.fsisac.com.
For combating cyber threats and developing effective risk mitigation tactics, financial institutions are recognizing the need for cooperation among their peers. Information sharing should not be seen as a competitive issue but as an essential strategy. Peer groups and relevant banking association conferences are a great way to network.
Your business strategy should be aligned with your cybersecurity strategy. Operational risk issues must be viewed in terms of their impact on the entire enterprise, not just IT. You should account for how risk will be managed now and in the future.
Your financial institution should continue to identify, measure, mitigate, and monitor risks. The risk assessment should adequately address all reasonable internal and external threats. The controls in your policies and procedures should be driven by the risk assessment. Stronger emphasis should be put on monitoring so that attacks can be detected in the early stages to mitigate the impact. Independent testing of these key controls can determine whether they adequately mitigate cybersecurity threats.
External Dependency Management
Even if you outsource your IT operations, your financial institution is still responsible for protecting customer information. With increasing reliance on third parties, you need to do proper due diligence when selecting service providers and performing ongoing monitoring of existing service providers. Both the Federal Reserve Board of Governors and the Office of the Comptroller of the Currency released guidance in late 2013 pertaining to risks of outsourcing and working with third-party relationships.
Incident Management and Resilience
Prepare your incident response program for potential cyber attacks. Then, test it against a common event such as a malware infection or a spear phishing email, so that staff exercise the plan before a real incident.
Very few financial institutions have staff qualified to respond to incidents involving sophisticated cybercrime. In haste, you may inadvertently destroy evidence that could reveal the attacker’s methodology or help identify the criminals. Make sure you have contact information and standing arrangements with certified and experienced professionals for fraud and forensics services. Companies offering these services often guarantee response times to help investigate the attack or compromise, mitigate exposure, and limit reputational damage. Their job is to help you recover to normal operations.
In conclusion, cyber threats are not a fad, but the new normal. Financial institutions will have to decide where they will spend their dollars for stronger detection and monitoring of sophisticated malware. We must realize that this is not an IT problem, but an enterprise problem involving senior management and the board of directors.
Mark Scholl, CISA, CISSP, MCSE, CEH, is a partner at Wipfli LLP.