November 17, 2002
FYI - The Bank of Butterfield is assuring its customers that
their accounts are safe after the bank's corporate website was
hacked over the weekend. http://www.bermudasun.bm/cgi-local/edpull.pl?cat=01News&ord=03&ed=2002-11-06
FYI - Computer Break-Ins: Your Right to Know -
California law now demands that the public be
informed when government or corporate databases are breached. http://www.businessweek.com/technology/content/nov2002/tc20021111_2402.htm
FYI - Last week we covered the "Electronic Delivery of
Federally Mandated Disclosures" from the FFIEC Internet
guidelines. A reader reminded us that the Federal Reserve
rescinded the mandatory compliance with the interim final rules for
electronic disclosure on 8/3/01. http://www.federalreserve.gov/boarddocs/press/boardacts/2001/20010803/default.htm
FYI - A last-minute addition to a proposal for a Department of
Homeland Security would punish malicious computer hackers with life
in prison. http://news.com.com/2100-1001-965750.html?tag=cd_mh
FYI - Canadian Imperial Bank of Commerce confirmed on Thursday it
was closing its no-frills U.S. electronic banking operations that
were dragging down profits. http://biz.yahoo.com/rc/021114/financial_cibc_1.html
INTERNET COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in
person" applications. Accordingly, information about these
applicants' race or national origin and sex must be collected. An
institution that accepts applications through electronic media
without a video component, for example, the Internet or facsimile,
may treat the applications as received by mail.
INTERNET SECURITY - We continue our review of the
FDIC paper "Risk Assessment Tools and Practices for Information
System Security."
RISK ASSESSMENT/MANAGEMENT
A thorough and proactive risk assessment is the first step in
establishing a sound security program. This is the ongoing process
of evaluating threats and vulnerabilities, and establishing an
appropriate risk management program to mitigate potential monetary
losses and harm to an institution's reputation. Threats have the
potential to harm an institution, while vulnerabilities are
weaknesses that can be exploited.
The extent of the information security program should be
commensurate with the degree of risk associated with the
institution's systems, networks, and information assets. For
example, compared to an information-only Web site, institutions
offering transactional Internet banking activities are exposed to
greater risks. Further, real-time funds transfers generally pose
greater risks than delayed or batch-processed transactions because
the items are processed immediately. The extent to which an
institution contracts with third-party vendors will also affect the
nature of the risk assessment program.
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
42. Does the institution provide the consumer with a
reasonable opportunity to opt out such as by:
a. mailing the notices required by §10 and allowing the
consumer to respond by toll-free telephone number, return mail, or
other reasonable means (see question 22) within 30 days from the
date mailed; [§10(a)(3)(i)]
b. where the consumer opens an on-line account with the
institution and agrees to receive the notices required by §10
electronically, allowing the consumer to opt out by any reasonable
means (see question 22) within 30 days from consumer acknowledgement
of receipt of the notice in conjunction with opening the account; [§10(a)(3)(ii)]
or
c. for isolated transactions, providing the notices required
by §10 at the time of the transaction and requesting that the
consumer decide, as a necessary part of the transaction, whether to
opt out before the completion of the transaction? [§10(a)(3)(iii)]
IN CLOSING - The Gramm-Leach-Bliley Act, best practices, and
examiners recommend a penetration study of your Internet connection.
The Vulnerability Internet Security Test Audit (VISTA) is an
independent penetration study of {custom4}'s network connection to
the Internet that meets the regulatory requirements. As professional
IT auditors, we provide an independent review of the vulnerability
test results and an audit letter to your Board of Directors
certifying the test results. For answers to your questions about
vulnerability testing go to https://internetbankingaudits.com/frequently_asked_questions.htm.