Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). Our penetration audit and Internet security testing form an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - FDIC Bracing for Bank Failures - From the WSJ - The Federal Deposit Insurance Corp. is taking steps to brace for an increase in failed financial institutions as the nation's housing and credit markets continue to worsen.
http://calculatedrisk.blogspot.com/2008/02/fdic-bracing-for-bank-failures.html
FYI - Banks: Losses From Computer Intrusions Up in 2007 - U.S. financial institutions reported a sizable increase last year in the number of computer intrusions that led to online bank account takeovers and stolen funds, according to data obtained by Security Fix. The data also suggest such incidents are becoming far more costly for banks, businesses and consumers alike.
http://blog.washingtonpost.com/securityfix/2008/02/banks_losses_from_computer_int.html
FYI - Lawsuit targets Lifeblood - A lawsuit has been filed against Lifeblood, Mid-South Regional Blood Center, after laptop computers with personal information of roughly 321,000 blood donors came up missing and are presumed stolen.
http://www.commercialappeal.com/news/2008/feb/19/lawsuit-targets-lifeblood/
FYI - Poor IT Security Blamed for Bank Fraud - Société Générale could have prevented fraud that cost billions by imposing tighter controls on traders, a report concluded. Inadequate IT security allowed a trader at French bank Société Générale to make a series of unauthorized transactions that ultimately cost the bank €4.9 billion (US$7.2 billion), an internal investigation has found.
http://www.pcworld.com/article/id,142756/article.html?tk=nl_dnxnws
FYI - Missouri AG sues Texas data broker over ID theft claims - The Missouri Attorney General's Office has filed a lawsuit against a Texas-based data broker that contends the company sold the Social Security numbers of some Missouri residents.
http://www.scmagazineus.com/Missouri-AG-sues-Texas-data-broker-over-ID-theft-claims/article/107152/
FYI - OKC woman charged with violating health privacy law - Federal prosecutors have accused an Oklahoma City woman of violating a federal health privacy law as part of an identity theft scheme.
http://www.kten.com/global/story.asp?s=7914206
FYI - Patients' medical histories stored on stolen laptop - The computer held "extensive" data on the psychiatric and personal histories of participants in a medical study, as well as information on whether they had suffered physical or sexual abuse.
http://news.scotsman.com/scotland/Patients39-medical--histories-stored.3811245.jp
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Laptop theft breaks data protection law, but financial firm faced no punishment - Skipton Financial Services (SFS) has been found to have been in breach of the Data Protection Act by the Information Commissioner's Office (ICO), but has escaped without any punishment.
http://www.silicon.com/financialservices/0,3800010322,39170125,00.htm?r=1
http://www.itpro.co.uk/internet/news/170154/skipton-financial-lose-unencrypted-laptop.html
WEB SITE COMPLIANCE - "Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
practices:
1) Multidisciplinary and Knowledge-based Approach - A consensus evaluation of the risks and risk mitigation practices followed by the institution requires the involvement of a broad range of users, with a range of expertise and business knowledge. Not all users may have the same opinion of the severity of various attacks, the importance of various controls, and the importance of various data elements and information system components. Management should apply a sufficient level of expertise to the assessment.
2) Systematic and Central Control - Defined procedures and central control and coordination help to ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and performance. Central control and coordination will also facilitate an organizational view of risks and lessons learned from the risk assessment process.
3) Integrated Process - A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results, in turn, provide evidence to the risk assessment process that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis for accepting risks.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
6. Determine if unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately monitored, reported and followed up.
Attacks on shared secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords, or multiple usernames and the same password.
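The two attack shapes the question describes are what a monitoring control has to tell apart: many passwords against one username (a brute-force attack, seen as repeated failures for one account from one source) and one password against many usernames (a password spray, seen as one source failing against many distinct accounts in a short window). The following is an added example, not code from the newsletter or the FFIEC booklet, of detection logic run over constructed login-failure log lines. The log format, field names, thresholds and the ten-minute window are assumptions; because a login log normally does not record the password that was tried, spraying is inferred from the spread of usernames rather than from the password itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). They contain one brute-force
# burst against "alice" from 10.0.0.5, one password spray from 10.0.0.9 across
# five accounts, and ordinary noise (a mistyped password) that must not alert.
SAMPLE_LOG = """\
2008-02-20T10:00:01 auth fail user=alice src=10.0.0.5
2008-02-20T10:00:02 auth fail user=alice src=10.0.0.5
2008-02-20T10:00:03 auth fail user=alice src=10.0.0.5
2008-02-20T10:00:04 auth fail user=alice src=10.0.0.5
2008-02-20T10:00:05 auth fail user=alice src=10.0.0.5
2008-02-20T10:00:06 auth fail user=alice src=10.0.0.5
2008-02-20T10:01:00 auth fail user=bob src=10.0.0.9
2008-02-20T10:01:05 auth fail user=carol src=10.0.0.9
2008-02-20T10:01:10 auth fail user=dave src=10.0.0.9
2008-02-20T10:01:15 auth fail user=erin src=10.0.0.9
2008-02-20T10:01:20 auth fail user=frank src=10.0.0.9
2008-02-20T10:02:00 auth fail user=grace src=10.0.0.7
2008-02-20T10:02:03 auth ok user=grace src=10.0.0.7
2008-02-20T11:30:00 auth fail user=alice src=10.0.0.5
"""

# Assumed log format: "<iso-timestamp> auth <ok|fail> user=<name> src=<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log text into (timestamp, result, user, src) tuples; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=10), brute_threshold=5, spray_threshold=4):
    """Return alerts in the order they fire.

    ("brute_force", src, user)       -> >= brute_threshold failures for one (src, user)
                                        inside the sliding window
    ("password_spray", src, n_users) -> one src failing against >= spray_threshold
                                        distinct users inside the sliding window
    Each alert fires once per key so a long attack does not flood the reader.
    """
    alerts = []
    fired = set()
    per_pair = defaultdict(list)  # (src, user) -> failure timestamps in window
    per_src = defaultdict(list)   # src -> (timestamp, user) failures in window
    for ts, result, user, src in sorted(events):
        if result != "fail":
            continue  # successes are not counted; only failed attempts matter here

        # Brute force: same username, many passwords (many failures for one account).
        recent = [t for t in per_pair[(src, user)] if ts - t <= window] + [ts]
        per_pair[(src, user)] = recent
        if len(recent) >= brute_threshold and ("brute_force", src, user) not in fired:
            fired.add(("brute_force", src, user))
            alerts.append(("brute_force", src, user))

        # Password spray: many usernames, same password (one source, many accounts).
        recent_src = [(t, u) for t, u in per_src[src] if ts - t <= window] + [(ts, user)]
        per_src[src] = recent_src
        distinct = {u for _, u in recent_src}
        if len(distinct) >= spray_threshold and ("password_spray", src) not in fired:
            fired.add(("password_spray", src))
            alerts.append(("password_spray", src, len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The sliding window matters for the follow-up part of the question: the lone failure for alice at 11:30 falls outside the window and is not joined to the earlier burst, so an analyst sees one brute-force alert for the burst, one spray alert for 10.0.0.9, and nothing for grace's single mistyped password. Thresholds should be tuned to the institution's own baseline of failed logins before the alerts are routed for reporting.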
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
applicable, the:
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]