BankNews April 2015

BankNews.com

Search Results: Security

2015 ISA ENTRY – CoNetrix: tandem Cybersecurity Assessment

On June 30, 2015, the FFIEC released a Cybersecurity Assessment Tool to help financial institutions identify their risks and assess their cybersecurity preparedness. The assessment tool is designed to provide a repeatable and measurable process for banks and credit unions to measure their cybersecurity preparedness over time.

tandem Cybersecurity Assessment provides a quick, easy, electronic way to complete the FFIEC cybersecurity self-assessment. Users log in to tandem and complete a questionnaire to generate their institution’s inherent risk profile and maturity level. Results live in tandem for tracking and reporting on a regular basis.

The tandem Cybersecurity Assessment tool is launching in phases and will be available as a free or professional version. Some of the key features provided by the tool will include the ability to compare results with similar financial institutions, a variety of graphs and reports for analyzing data and improving cybersecurity, including a report template for the board of directors, and a plan of action template to improve maturity levels if applicable.

The tool is an integrated module in tandem, an online software suite for managing information security and compliance. Other modules include: Risk Assessment, Vendor Management, Business Continuity Planning, Identity Theft Prevention Program, Audit Management, Social Media Management, Compliance Management, and more.

tandem Cybersecurity Assessment by CoNetrix warrants an Innovative Solutions Award because:

  • The tool is an electronic way to complete the FFIEC cybersecurity assessment.
  • The streamlined process will help financial institutions save time, avoid gaps or simple errors, and easily see where to improve.
  • The solution will provide a variety of reports and graphs to assist institutions in analyzing and understanding their data and making informed decisions to improve their cybersecurity.
  • The tool is free to financial institutions with pro features coming soon.
  • tandem subscribers can access the tool in the same interface as other modules for efficient security and compliance management.

CoNetrix
www.conetrix.com/cybersecurity

2015 ISA ENTRY – CSI’s Cybersecurity Risk Assessment

Following recent cyberattacks and system compromises — as well as regulatory updates — financial institutions have experienced the need to improve their ability to combat cybercrime. CSI’s Cybersecurity Risk Assessment is designed to help an organization gauge the level of risk associated with its cyber presence, identify and evaluate existing cybersecurity controls and evaluate the need for additional security measures.

As part of the Cybersecurity Risk Assessment, CSI Regulatory Compliance experts will perform a thorough top-to-bottom review, which includes:

  • Identification and classification of applicable systems
  • Calculation of inherent and residual risk
  • Evaluation of controls

Following the full assessment, the institution receives a cybersecurity risk assessment report, which contains all values and scores from each step of the assessment process, including inherent and residual risk scores for each applicable system. As a result, institutions will gain a clearer picture of where they may need additional controls, and can then make the necessary adjustments to further reduce risk to an acceptable level.

Key reasons CSI’s Cybersecurity Risk Assessment deserves an Innovative Solution Award:

  1. CSI’s team of experts provides decades of industry knowledge and experience in compliance, IT security and risk management to ensure that existing risk is quickly identified and eliminated.
  2. Based on CSI’s CISSP, CISM, CISA certifications and many more, the Cybersecurity Risk Assessment team is able to provide financial institutions with a comprehensive report containing all values and scores from each step of the cybersecurity risk assessment process.
  3. CSI’s reporting capabilities show inherent and residual risk scores for each applicable system, providing financial institutions with a clear picture of where they may need additional controls to reduce risks.
  4. As new threats emerge, CSI keeps pace with the latest cybersecurity risk factors, enabling banks to stay secure and compliant without focusing added time and energy on prevention.

Computer Services, Inc. (CSI)
www.csiweb.com

FFIEC Rolls Out Cybersecurity Assessment Tool

July 6 – Recent high-profile cyber attacks demonstrate that these incidents can significantly affect capital and earnings. In light of this, a cybersecurity assessment tool has been released by the Federal Financial Institutions Examination Council to help its member institutions identify their risks and assess their cybersecurity preparedness.

Does Your Cybersecurity Awareness Program Meet Expectations?

By Mark Scholl

Answer:

Financial institutions can expect even more regulatory guidance this year in response to the growing threat vector for cybercrime. Thieves have gotten smarter, and technology has gotten more complex. We have evolved from worms, viruses, spyware, and botnets to more targeted cyber espionage involving advanced, persistent threats, dynamic trojans, and stealth botnets. Attacks have become blended, involving combinations of physical, technical, and social engineering techniques. Many industry experts believe that there are even more sophisticated scams to come.

Here are some key items to improve your cybersecurity awareness strategy:

Cyber Risk Management and Oversight

The tone should be a top-down approach for building a security culture. Your financial institution should develop a strategy at the board and executive levels for ongoing awareness and understanding of cybersecurity threats. The Federal Financial Institutions Examination Council (FFIEC) has provided a clear message that it expects senior management and the board of directors to understand that cybersecurity is part of everyday business. Banking executives should be getting more directly involved with security and risk assessments. Consider making cybersecurity a standing topic for every IT committee and board meeting.

There should be timely reports to senior management that include meaningful information addressing your institution’s vulnerability to cyber risks and ability to mitigate those risks. The information should allow senior management to prioritize resource allocations and inform the board of directors.

Threat Intelligence and Collaboration

To understand and stay current on cybersecurity issues for your financial institution and industry sector, you should take advantage of resources for threat intelligence and collaboration. This may include subscribing to bulletins, alerts, and guidance from the FFIEC, the Department of Homeland Security, CERT, industry data breach reports, and other relevant sources.

A resource that many regulatory examiners are expecting financial institutions to use is the Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC is an industry forum for collaborating on critical security threats facing the financial service industry. It can be found by going to www.fsisac.com.

For combating cyber threats and developing effective risk mitigation tactics, financial institutions are recognizing the need for cooperation among their peers. Information sharing should not be seen as a competitive issue but as an essential strategy. Peer groups and relevant banking association conferences are a great way to network.

Cybersecurity Controls

Your business strategy should be aligned with your cybersecurity strategy. Operational risk issues must be viewed in terms of their impact on the entire enterprise, not just IT. You should account for how risk will be managed now and in the future.

Your financial institution should continue to identify, measure, mitigate, and monitor risks. The risk assessment should adequately address all reasonable internal and external threats. The controls in your policies and procedures should be driven by the risk assessment. Stronger emphasis should be put on monitoring so that attacks can be detected in the early stages to mitigate the impact. Independent testing of these key controls can determine whether they adequately mitigate cybersecurity threats.

External Dependency Management

Even if you outsource your IT operations, your financial institution is still responsible for protecting customer information. With increasing reliance on third parties, you need to do proper due diligence when selecting service providers and performing ongoing monitoring of existing service providers. Both the Federal Reserve Board of Governors and the Office of the Comptroller of the Currency released guidance in late 2013 pertaining to risks of outsourcing and working with third-party relationships.

Incident Management and Resilience

Prepare your incident response program for potential cyber attacks. Then, test it using a common event such as malware or spear phishing.

Very few financial institutions have qualified staff for incident response involving sophisticated cybercrime. In haste, you may inadvertently destroy evidence that could identify the methodology of the attack or help you to identify the cyber criminals. Make sure you have contact information and arrangements with certified and experienced professionals for fraud and forensics services. Companies offering these services often have guaranteed response times to help investigate the attack or compromise, mitigate exposure, and limit reputational damage. Their job is to help you recover to normal operations.

In conclusion, cyber threats are not a fad, but the new normal. Financial institutions will have to decide where they will spend their dollars for stronger detection and monitoring of sophisticated malware. We must realize that this is not an IT problem, but an enterprise problem involving senior management and the board of directors.


Upcoming Event:

Cybersecurity Threats – Principles for Understanding, Managing, and Monitoring Your Information Systems

On-Site Training offered in three locations for your convenience:
August 25 – Minneapolis, Minnesota
August 27 – Madison, Wisconsin
November 18 – Johnston, Iowa

Recorded Webinar:
IT Examination Hot Topics


Mark Scholl, CISA, CISSP, MCSE, CEH, is a partner at Wipfli LLP.

70 Percent of Consumers Are Losing Faith in Passwords, Want Additional Account Security

June 5 – Against a backdrop of hundreds of millions of personal records being stolen through account hacks and data breaches, TeleSign has released its new Consumer Account Security Report, revealing that 70 percent of consumers lack a high degree of confidence that their passwords can adequately protect their online accounts. Additionally, about the same amount (72 percent) are in search of additional help to secure accounts.


Information Security

Managing risks requires a proactive approach

By Charles Cheatham

 A bank’s information security risks include not just regulatory risk, but also financial risk (from unauthorized transactions arising from data breaches), reputation risk (loss of customers’ trust and loss of business), and business continuity risk (system failure, destruction or corruption of data, or unavailability of electronic information because of hackers, disaster, or other business interruptions).


Payment Method Security and the Expanding Role of Chip & Pin

April 21 – With the increased awareness of major data breaches and the ever-expanding prevalence of credit card fraud, payment transaction security has become an important discussion in this country. A significant portion of this discussion has revolved around the role of EMV or “Chip & Pin” technology for credit cards as a more secure payment method.


The Evolving Issue of Data Security

By Toni Lapp

With EMV being phased in this year in the United States, 2015 could go down as a pivotal year in data security. Or not. EMV in and of itself is only part of the fraud-fighting solution, and is certainly not a magic bullet against all fraud. Its security features are intended to prevent in-person fraud at point-of-purchase. Unfortunately, there are myriad other ways to penetrate the security of financial institutions.


Security First Bank Agrees to Merge with SunPac Financial

February 20 – Security First Bank has announced the execution of a definitive agreement for the merger of Security First Bank into Los Angeles-based SunPac Financial. Under the terms of the definitive agreement for the merger, shareholders of Security First Bank will have the right to receive $10.50 in cash for each share of stock. The agreement has been approved by the boards of both companies. The transaction will close following the receipt of regulatory and shareholder approval, which is expected to occur by the end of the second quarter of 2015.

“We are so pleased to join forces with Security First Bank, which will serve as our initial platform providing the necessary infrastructure to expand banking activities in Fresno and into the Los Angeles market,” said V. Charles “Charlie” Jackson, CEO of SunPac Financial. “Our plan is to allocate capital to expand Security First’s presence, lending activities and commitment to the Fresno market. In addition, we plan to establish a commercial and private banking presence in the Los Angeles market.”

The combined expertise will provide a strong platform allowing an affinity of successful partnerships between Fresno and Los Angeles business communities. The headquarters of SunPac Financial will be in downtown Los Angeles; however, the Security First office location will remain and conduct business as usual.

“This merger will bring together exceptional talent, technology and the potential of growth through expanded and new business relationships and additional capital,” commented Security First CEO Robert Hemsath. “The value-added capital and products will truly benefit our business community.”

Advisors

SunPac Financial is advised by Keefe, Bruyette & Woods as its financial advisor and Manatt, Phelps & Phillips, LLP as its legal counsel. Security First Bank was advised by MJ Capital Partners, LLC as its financial advisor and Grady and Associates as its legal counsel.

About SunPac Financial

In July, 2014, SunPac, LLC, was formed as an investment vehicle to explore developing a commercial and private bank serving the Southern California marketplace. The management team is comprised of seasoned banking executives who have had experience in leading and operating other California based community banks. SunPac Financial, Inc. is a subsidiary that was set up to facilitate the bank merger.

About Security First Bank

Founded in 2007 by local investors, Security First Bank is devoted to providing superior banking products and services at competitive rates while maintaining personal banking relationships. Security First Bank’s primary goal is to help businesses be more successful, productive and efficient by providing personal one on one service, financial expertise and the latest banking technology. Security First Bank is a solid and secure financial institution that puts the customer first and works hard to deliver exceptional results. Additional information can be found at www.securityfirstfresno.com.

Forward-Looking Statements

This press release may contain forward-looking statements regarding SunPac Financial, Security First Bank and the proposed merger. These statements involve certain risks and uncertainties that could cause actual results to differ materially from those in the forward-looking statements. Such risks and uncertainties include, but are not limited to, the following factors: regulatory approvals of the merger may not be obtained or adverse regulatory conditions may be imposed in connection with such regulatory approvals and conditions to the closing of the merger may not be satisfied. There is no obligation to revise or publicly release any revision or update to reflect events or circumstances that occur after the date on which such statements were made.

Canadians Prioritize Security Over Convenience, Speed When Making Payments

February 19 – Ahead of Fraud Prevention Month, a new study commissioned by Visa Canada showed Canadian consumers still prioritize payment security above all else. Two thirds (66 per cent) of credit cardholders ranked security as the most important element of a credit card transaction, surpassing convenience (14 per cent) and speed (10 per cent). Additionally, nearly half (48 per cent) of credit cardholders report they worry about fraud when shopping online.

