Does Your Financial Institution need an affordable Internet security
audit? Yennik, Inc. has clients in 42 states that rely on our
penetration testing audits to ensure proper Internet security
settings and to meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet
security testing is an affordable, sophisticated process that goes
far beyond the simple scanning of ports. The audit focuses on a
hacker's perspective, which will help you identify real-world
weaknesses. For more information, give R. Kinney Williams a call
today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Community Bank Technology Conference -
If you have nothing on your plate, plan to attend the Independent
Community Bankers of America’s Community Bank Technology Conference,
September 12-14, 2012 in Las Vegas. I will be speaking Thursday on
auditing community banks. For more information please visit
http://www.icba.org/events/eventdetail.cfm?EventID=199421.
FYI
- Federal appeals court raps bank over shoddy online security - The
case marks another sign that banks are being taken to task for
inadequate wire transfer systems - A construction company in Maine
may stand a greater chance of recovering some of the $345,000 it
lost in fraudulent wire transfers that it blames on poor online
banking practices of its bank.
http://www.computerworld.com/s/article/9228796/Federal_appeals_court_raps_bank_over_shoddy_online_security?taxonomyId=17
FYI
- Appellate ruling leaves bank security responsibilities unclear - A
federal appeals court has reversed a lower court's decision, ruling
that the security measures implemented by a Maine bank were
"commercially unreasonable" to protect its business customers.
http://www.scmagazine.com/appellate-ruling-leaves-bank-security-responsibilities-unclear/article/249523/?DCMP=EMC-SCUS_Newswire
FYI
- Cyber security market to reach $120B by 2017 - The value of the
global cyber security market is expected to reach $120 billion by
2017, driven by changing threats and technologies, according to a
recent report.
http://www.scmagazine.com/cyber-security-market-to-reach-120b-by-2017/article/249084/?DCMP=EMC-SCUS_Newswire
FYI
- ‘The Analyzer’ Gets Time Served for Million-Dollar Bank Heist -
“The Analyzer” was quietly sentenced in New York this week to time
served for a single count of bank-card fraud for his role in a
sophisticated computer-hacking scheme that federal officials say
scored $10 million from U.S. banks.
http://www.wired.com/threatlevel/2012/07/tenenbaum-sentenced/
FYI
- EU court rules resale of used software licenses is legal -- even
online - Europe's highest court ruled on Tuesday that the trading of
"used" software licenses is legal and that the author of such
software cannot oppose any resale.
http://www.computerworld.com/s/article/9228762/EU_court_rules_resale_of_used_software_licenses_is_legal_even_online?taxonomyId=17
FYI
- U.S. Cyber Challenge and Delaware Universities to Host 3rd Annual
Cyber Security Summer Camp & Competition - Top Cyber Security Talent
will Convene for Training & Competition as Nation Strives to Fill
Need for Network Security Professionals.
http://www.prnewswire.com/news-releases/us-cyber-challenge-and-delaware-universities-to-host-3rd-annual-cyber-security-summer-camp--competition-161795705.html
FYI
- GAO - Information Technology Reform: Progress Made but Future
Cloud Computing Efforts Should be Better Planned.
http://www.gao.gov/products/GAO-12-756
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Server breached at a Vancouver-area school - A computer server
housing personal medical data on nearly 13,000 students and staff at
Canada's British Columbia Institute of Technology (BCIT) was
breached.
http://www.scmagazine.com/server-breached-at-a-vancouver-area-school/article/249193/?DCMP=EMC-SCUS_Newswire
FYI
- Phisher Faces Up To 50 Years For Role In $1.5 Million Scam - An
Atlanta man faces a stiff sentence this week following his
conviction for the role he played in a phishing scam that defrauded
customers of several major financial institutions out of some $1.5
million.
http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/240003111/phisher-faces-up-to-50-years-for-role-in-1-5-million-scam.html
FYI
- AT&T won't pursue hacker phone bill - AT&T Monday decided not to
pursue a phone bill for nearly $900,000 run up on a Massachusetts
company's phone system by hackers.
http://www.upi.com/Odd_News/2012/07/09/Company-owes-14M-for-hackers-calls/UPI-60611341865435/?spt=hs&or=on
FYI
- Yahoo confirms breach, passwords appear not encrypted - Yahoo on Thursday
confirmed that its database was hacked to steal about 400,000
usernames and passwords of members who belong to the company's
Contributor Network, which formerly was known as Associated Content.
http://www.scmagazine.com/yahoo-confirms-breach-passwords-appear-not-encrypted/article/250002/?DCMP=EMC-SCUS_Newswire
FYI
- Formspring disables user accounts after password leak - The social networking
Q&A site Formspring has been hacked, and hundreds of thousands of
password hashes were leaked.
http://www.scmagazine.com/formspring-disables-user-accounts-after-password-leak/article/249852/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - We continue covering some of the issues
discussed in the "Risk Management Principles for Electronic Banking"
published by the Basel Committee on Bank Supervision.
Principle 8: Banks should ensure that adequate information is
provided on their websites to allow potential customers to make an
informed conclusion about the bank's identity and regulatory status
of the bank prior to entering into e-banking transactions.
To minimize legal and reputational risk associated with e-banking
activities conducted both domestically and cross-border, banks
should ensure that adequate information is provided on their
websites to allow customers to make informed conclusions about the
identity and regulatory status of the bank before they enter into
e-banking transactions.
Examples of such information that a bank could provide on its own
website include:
1) The name of the bank and the location of its head office (and
local offices if applicable).
2) The identity of the primary bank supervisory authority(ies)
responsible for the supervision of the bank's head office.
3) How customers can contact the bank's customer service center
regarding service problems, complaints, suspected misuse of
accounts, etc.
4) How customers can access and use applicable Ombudsman or
consumer complaint schemes.
5) How customers can obtain access to information on applicable
national compensation or deposit insurance coverage and the level of
protection that they afford (or links to websites that provide such
information).
6) Other information that may be appropriate or required by
specific jurisdictions.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Financial institutions have used insurance coverage as an effective
method to transfer risks from themselves to insurance carriers.
Insurance coverage is increasingly available to cover risks from
security breaches or denial of service attacks. For example, several
insurance companies offer e-commerce insurance packages that can
reimburse financial institutions for losses from fraud, privacy
breaches, system downtime, or incident response. When evaluating the
need for insurance to cover information security threats, financial
institutions should understand the following points:
- Insurance is not a substitute for an effective security program.
- Traditional fidelity bond coverage may not protect from losses
related to security intrusions.
- Availability, cost, and covered risks vary by insurance company.
- Availability of new insurance products creates a more dynamic
environment for these factors.
- Insurance cannot adequately cover the reputation and compliance
risk related to customer relationships and privacy.
- Insurance companies typically require companies to certify that
certain security practices are in place.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
23. If the institution delivers the opt out notice after the initial
notice, does the institution provide the initial notice once again
with the opt out notice? [§7(c)]
24. Does the institution provide an opt out notice, explaining how
the institution will treat opt out directions by the joint
consumers, to at least one party in a joint consumer relationship?
[§7(d)(1)]