Yennik, Inc. has clients in 43 states that
rely on our cybersecurity audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The penetration test also complies
with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.
The cybersecurity penetration audit and Internet
security testing is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit
focuses on
a hacker's perspective, which will help
you identify real-world cybersecurity weaknesses.
For more information, give R. Kinney Williams a call today at Office/Cell
806-535-8300 or visit
http://www.internetbankingaudits.com/.
FFIEC information technology audits -
As a former bank examiner
with over 40 years IT audit experience, I will bring an examiner's
perspective to the FFIEC information technology audit for bankers in
Texas, New Mexico, Colorado, and Oklahoma.
July 31, 2019 - Midwest Economy Index Points to Slower Growth in June - The
Midwest Economy Index decreased to –0.31 in June from –0.22 in May.
Contributions to the June MEI from three of the four broad sectors of nonfarm
business activity and three of the five Seventh Federal Reserve District states
decreased from May.
www.chicagofed.org/~/media/publications/mei/2019/mei-june2019-pdf.pdf
July 31, 2019 - NCUA Offering Grants to Mentor Minority Depository Institutions
- The National Credit Union Administration is offering grants of up to $25,000
for a new pilot mentoring program for small low-income credit unions that are
also designated as minority depository institutions.
www.ncua.gov/newsroom/press-release/2019/ncua-offering-grants-mentor-minority-depository-institutions
July 31, 2019 - NCUA Issues Prohibition Notices - The National Credit Union
Administration issued two prohibition orders and five prohibition notices in
July. These individuals are prohibited from participating in the affairs of any
federally insured financial institution.
www.ncua.gov/newsroom/press-release/2019/ncua-issues-prohibition-notices-3
July 31, 2019 - Community Reinvestment Act: Guidelines for Requesting
Designation as a Wholesale, Limited Purpose, or Special Purpose Bank - The
Office of the Comptroller of the Currency is issuing this bulletin to inform
national banks, federal savings associations, and federal branches of foreign
banking organizations subject to the Community Reinvestment Act about guidelines
for requesting a designation as a wholesale or limited purpose bank for CRA
purposes or requesting confirmation of its exemption as a special purpose bank
under CRA regulations.
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-40.html
July 31, 2019 - Community Reinvestment Act: Guidelines for Requesting Approval of
a Strategic Plan - The Office of the Comptroller of the Currency is issuing this
bulletin to inform national banks, federal savings associations, and federal
branches of foreign banking organizations about current guidelines for
requesting approval to be evaluated under the Community Reinvestment Act using
the strategic plan option or to request approval to amend an approved CRA
strategic plan.
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-39.html
July 31, 2019 - OCC Consolidates Supervision Support Functions, Announces New
Units - The Office of the Comptroller of the Currency today announced
realignment of approximately 150 staff members to create two new units,
consolidating bank supervision support, risk analysis, and oversight of national
trust banks and significant service providers.
www.occ.gov/news-issuances/news-releases/2019/nr-occ-2019-84.html
July 31, 2019 - New Federal Reserve Bank of Kansas City report to help bridge
digital divide - The Federal Reserve Bank of Kansas City announced today a new
report, Disconnected: Seven Lessons on Fixing the Digital Divide, focused on
broadband access, economic impact and solutions for communities to narrow the
digital divide.
www.kansascityfed.org/~/media/files/publicat/newsroom/2019/digitalinclusion_reportrelease_final.pdf
July 31, 2019 - Notice of a Meeting under Expedited Procedures - A closed
meeting of the Board of Governors of the Federal Reserve System was held at on
July 30, 2019 and continued at 9:00 a.m. on July 31, 2019. Matter(s) considered:
Discussion of Monetary Policy Issues.
www.federalreserve.gov/aboutthefed/boardmeetings/20190730closed.htm
July 31, 2019 - Federal Reserve issues FOMC statement - Information received
since the Federal Open Market Committee met in June indicates that the labor
market remains strong and that economic activity has been rising at a moderate
rate. Job gains have been solid, on average, in recent months, and the
unemployment rate has remained low.
www.federalreserve.gov/newsevents/pressreleases/monetary20190731a.htm
July 30, 2019 - NCUA - Registration Now Open for NCUA Liquidity and Interest-Rate
Risk Webinar - The webinar is scheduled to begin at 2 p.m. Eastern and run
approximately one hour. Participants will be able to log into the webinar and
view it on their computers or mobile devices using the registration link.
www.ncua.gov/newsroom/press-release/2019/registration-now-open-ncua-liquidity-and-interest-rate-risk-webinar
July 30, 2019 - FDIC Annual Publication Examines Potential Credit and Market
Risks - The Federal Deposit Insurance Corporation today published its 2019 Risk
Review, an annual publication highlighting emerging risks and exposures in the
banking system.
www.fdic.gov/news/news/press/2019/pr19070.html
July 30, 2019 - Statistical Release - Seasonal Factors for Motor Vehicle Sales -
G.17 - The Federal Reserve Board has re-estimated seasonal factors for new motor
vehicle sales, using data through April 2019. These factors are estimated once
per year using X13-ARIMA. The factors will be revised again in the summer of
2020.
www.federalreserve.gov/releases/g17/mv_sales_sf.htm
July 26, 2019 - Regulatory Relief: Guidance to Help Financial Institutions and
Facilitate Recovery in Areas of Texas Affected by Severe Storms and Flooding.
www.fdic.gov/news/news/financial/2019/fil19045.html
July 26, 2019 - Regulatory Relief: Guidance to Help Financial Institutions and
Facilitate Recovery in Areas of Missouri Affected by Severe Storms, Tornadoes,
and Flooding.
www.fdic.gov/news/news/financial/2019/fil19044.html
July 26, 2019 - FDIC Makes Public June Enforcement Actions - The FDIC issued a
total of 14 orders in June 2019, and is publishing one issued in May 2019.
www.fdic.gov/news/news/press/2019/pr19068.html
July 26, 2019 - Report to the Congress on the Profitability of Credit Card
Operations of Depository Institutions, July 2019 - Analyzes the profitability
over time of depository institutions' credit card activities by examining the
performance of larger institutions that specialize in such activities and of a
sample of smaller commercial banks that offer a range of credit services. Also
reviews trends in credit card pricing, including changes in interest rates.
www.federalreserve.gov/publications/credit-card-profitability.htm
July 26, 2019 - Advanced Notice of a Meeting under Expedited Procedures - A
closed meeting of the Board of Governors of the Federal Reserve System will be
held under expedited procedures at 10:00 a.m. on July 30, 2019. Matter(s)
considered: Discussion of Monetary Policy Issues.
www.federalreserve.gov/aboutthefed/boardmeetings/20190730closed.htm
July 26, 2019 - Credit and Liquidity Programs and the Balance Sheet - Recent
balance sheet trends, weekly chart update.
www.federalreserve.gov/monetarypolicy/bst_recenttrends.htm
July 26, 2019 - Agencies complete resolution plan evaluations and extend
deadline for certain firms - The Federal Reserve Board and the Federal Deposit
Insurance Corporation today announced several resolution plan actions, including
completing their evaluations of the 2018 resolution plans for 82 foreign banks
and extending the deadline for the next resolution plans from those firms, as
well as 15 domestic banks.
Press Release:
www.federalreserve.gov/newsevents/pressreleases/bcreg20190726a.htm
Press Release:
www.fdic.gov/news/news/press/2019/pr19069.html
_________________________________
July 25, 2019 - Comptroller's Handbook: Revised and Updated Booklets
and Rescissions - The Office of the Comptroller of the Currency
today issued a fully revised "Corporate and Risk Governance" booklet
of the Comptroller's Handbook. In addition, the OCC is issuing an
updated "Internal and External Audits" booklet of the Comptroller's
Handbook with changes that are more limited in scope.
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-38.html
July 25, 2019 - Federal Reserve Board announces termination of
enforcement actions with Mesaba Bancshares, Inc. and First National
Financial Services, Inc.
www.federalreserve.gov/newsevents/pressreleases/enforcement20190725a.htm
July 24, 2019 - Operational Risk: Fraud Risk Management Principles -
The Office of the Comptroller of the Currency is issuing this
bulletin to inform national banks, federal savings associations, and
federal branches and agencies of sound fraud risk management
principles.
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-37.html
July 24, 2019 - OCC Announces Executive Assignments - The Office of
the Comptroller of the Currency today announced Beverly Cole would
become the Deputy Comptroller of the Northeastern District and Beth
Dugan and Mark Richardson would become Deputy Comptrollers for Large
Bank Supervision.
www.occ.gov/news-issuances/news-releases/2019/nr-occ-2019-83.html
July 24, 2019 - Federal Reserve Bank of Kansas City Announces First
Quarter Small Business Lending Survey Results - The quarterly survey
of U.S. banks provides data on lending activity and terms for small
businesses, a critical source of employment and economic growth for
the country.
www.kansascityfed.org/~/media/files/publicat/newsroom/2019/smallbusinesslendingsurvey-1stqtr2019.pdf
July 24, 2019 - Kansas City Fed publishes new book on the history of
America's black banks - The Federal Reserve Bank of Kansas City
today announced the publication of its latest history book, Let Us
Put Our Money Together: The Founding of America's First Black Banks.
www.kansascityfed.org/newsroom/newsreleases/2019/letusputourmoneytogether
July 24, 2019 - FDIC Announces Meeting of Advisory Committee on
Community Banking - The Federal Deposit Insurance Corporation today
announced that it will hold a meeting of the Advisory Committee on
Community Banking on Tuesday, July 30.
www.fdic.gov/news/news/press/2019/pr19067.html
July 23, 2019 - Mortgage Lending: Lending Standards for Asset
Dissipation Underwriting - The Office of the Comptroller of the
Currency encourages banks to offer responsible residential mortgage
loans to help meet consumers' credit needs.
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-36.html
July 23, 2019 - High Volatility Commercial Real Estate: Notice of
Proposed Rulemaking - The Office of the Comptroller of the Currency,
the Board of Governors of the Federal Reserve System, and the
Federal Deposit Insurance Corporation are issuing a notice of
proposed rulemaking to seek comment on the treatment of land
development loans for purposes of the one- to four-family
residential properties exclusion in the definition of high
volatility commercial real estate exposure in the agencies'
regulatory capital rule.
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-35.html
July 23, 2019 - OCC Issues Consent Order of Prohibition and $50,000
Civil Money Penalty Against Former General Counsel of Rabobank N.A.
- The consent order prohibits Mr. Weiss from participating in the
affairs of any federally insured depository institution and assesses
a $50,000 civil money penalty for violations of law and unsafe or
unsound practices alleged in the notice of charges issued on March
25, 2019.
https://occ.gov/news-issuances/news-releases/2019/nr-occ-2019-82.html
July 23, 2019 - Statement Regarding Insurance Policies for Directors
and Officers - The purpose of this letter is to make state member
banks, bank holding companies, and savings and loan holding
companies and Reserve Bank staff aware that insurance policies
offering indemnification for directors and officers may include
exclusionary provisions that potentially limit coverage and leave
institution affiliated parties of covered financial institutions
liable for excluded claims.
www.federalreserve.gov/supervisionreg/srletters/SR1912.htm
July 23, 2019 - Statistical Release - Finance Companies - G.20.
www.federalreserve.gov/releases/g20/current/g20.htm
July 23, 2019 - Agencies release public sections of resolution plans
for eight large banks - The Federal Reserve Board and the Federal
Deposit Insurance Corporation today released the public sections of
eight large domestic firms' resolution plans, which are required by
the Dodd-Frank Act and commonly known as living wills.
Press Release -
www.federalreserve.gov/newsevents/pressreleases/bcreg20190723a.htm
Press Release -
www.fdic.gov/news/news/press/2019/pr19066.html
July 22, 2019 - Chicago Fed National Activity Index - Index points
to economic growth near historical trend in June - The Chicago Fed
National Activity Index ticked up to –0.02 in June from –0.03 in
May.
www.chicagofed.org/~/media/publications/cfnai/2019/cfnai-july2019-pdf.pdf
July 22, 2019 - The Macroeconomic Effects of the 2018 Bipartisan
Budget Act - By Jeffrey R. Campbell , Filippo Ferroni , Jonas D. M.
Fisher , Leonardo Melosi - In the first quarter of 2018, the
Bipartisan Budget Act became law.
www.chicagofed.org/publications/economic-perspectives/2019/2
July 22, 2019 - Volcker Rule: Final Rule - On July 22, 2019, the
Office of the Comptroller of the Currency, the Board of Governors of
the Federal Reserve System, the U.S. Commodity Futures Trading
Commission, the Federal Deposit Insurance Corporation, and the U.S.
Securities and Exchange Commission published a final rule
implementing amendments to section 13 of the Bank Holding Company
Act, commonly known as the Volcker rule.
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-32.html
July 22, 2019 - St. Louis Fed Connects CRA-Eligible Projects and
Potential Funders - The Federal Reserve Bank of St. Louis is hosting
a live Investment Connection event on Wednesday, July 24, to bring
together nonprofit organizations and financial institutions
interested in lending to and investing in projects within the Little
Rock area that meet Community Reinvestment Act requirements.
www.stlouisfed.org/news-releases/2019/07/22/st-louis-fed-connects-cra-eligible-projects-with-potential-funders
July 22, 2019 - Interagency Webinar - Revisions to the Framework for
Margin Requirements for Non-Centrally Cleared Derivatives - The
FDIC, the Board of Governors of the Federal Reserve System, and the
Office of the Comptroller of the Currency are jointly hosting a
webinar on revisions to the framework for margin requirements for
non-centrally cleared derivatives that have been adopted by the
Basel Committee on Banking Supervision and the International
Organization of Securities Commissions.
www.fdic.gov/news/news/financial/2019/fil19042.html
July 22, 2019 - Advanced Notice of a Meeting under Expedited
Procedures - A closed meeting of the Board of Governors of the
Federal Reserve System will be held under expedited procedures at
10:00 a.m. on July 24, 2019. Matter(s) considered: Periodic Briefing
and Discussion on Financial Markets, Institutions, and
Infrastructure
www.federalreserve.gov/aboutthefed/boardmeetings/20190724closed.htm
July 22, 2019 - Federal bank regulatory agencies and FinCEN improve
transparency of risk-focused BSA/AML supervision - As a result of a
working group established by the U.S. Department of the Treasury's
Office of Terrorism and Financial Intelligence, the federal bank
regulatory agencies and the U.S. Department of the Treasury's
Financial Crimes Enforcement Network today issued a joint statement
as part of continuing efforts to improve transparency into their
risk-focused approach to Bank Secrecy Act/anti-money laundering
supervision.
Press Release:
www.federalreserve.gov/newsevents/pressreleases/bcreg20190722a.htm
Press Release:
www.fdic.gov/news/news/press/2019/pr19065.html
Press Release:
www.occ.gov/news-issuances/news-releases/2019/nr-ia-2019-81.html
Press Release:
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-33.html
Press Release:
www.ncua.gov/newsroom/press-release/2019/federal-bank-regulatory-agencies-and-fincen-improve-transparency-risk-focused-bsaaml-supervision
July 19, 2019 - Flooding and Finances: Hurricane Harvey's Impact on
Consumer Credit By Daniel Hartley , Eleni Packis , Ben Weintraut -
This article examines consumers' borrowing behavior and debt levels
in the wake of Hurricane Harvey.
www.chicagofed.org/publications/chicago-fed-letter/2019/415
July 19, 2019 - St. Louis Fed's Bullard Discusses "Public and
Private Currency Competition" - Federal Reserve Bank of St. Louis
President James Bullard discussed "Public and Private Currency
Competition" on Friday at the Central Bank Research Association's
2019 Annual Meeting.
www.stlouisfed.org/news-releases/2019/07/19/bullard-discusses-public-and-private-currency-competition
July 19, 2019 - FEDS Notes - Who Owns U.S. CLO Securities? - Emily
Liu and Tim Schmidt-Eisenlohr - The U.S. leveraged loan market has
grown substantially in recent years with more and more loans bought
by collateralized loan obligations.
www.federalreserve.gov/econres/notes/feds-notes/who-owns-us-clo-securities-20190719.htm
July 19, 2019 - Credit and Liquidity Programs and the Balance Sheet -
Recent balance sheet trends, weekly chart update.
www.federalreserve.gov/monetarypolicy/bst_recenttrends.htm
July 19, 2019 - FEDS Notes - Substitutability of Monetary Policy
Instruments - Cynthia Doniger, James Hebden, Luke Pettit, and
Arsenios Skaperdas - In response to the 2007-2009 global financial
crisis, the Federal Reserve and other major central banks turned to
unconventional policy measures such as asset purchase programs to
provide further accommodation after short-term policy rates reached
their effective lower bounds.
www.federalreserve.gov/econres/notes/feds-notes/substitutability-of-monetary-policy-instruments-20190719.htm
July 18, 2019 - NCUA - "It's a Story about Expanding Opportunity" -
NCUA Board Chairman Hood Talks about Financial Literacy, Community
Service at Destinations Credit Union Event - Destinations Credit
Union, a federally insured, state-chartered credit union
headquartered in Baltimore, has been designated a low-income credit
union by the National Credit Union Administration and the Maryland
Commissioner of Financial Regulation.
www.ncua.gov/newsroom/press-release/2019/its-story-about-expanding-opportunity
July 18, 2019 - NCUA - Appraisal Rule Will Help Boost Economic
Activity, Job Creation in Communities.
www.ncua.gov/newsroom/press-release/2019/appraisal-rule-will-help-boost-economic-activity-job-creation-communities
July 18, 2019 - NCUA Chairman Rodney E. Hood Remarks - Grand Opening
of HOPE Inside Office at Destinations Credit Union, Parkville, MD.
www.ncua.gov/newsroom/speech/2019/ncua-chairman-rodney-e-hood-remarks-grand-opening-hope-inside-office-destinations-credit-union
July 18, 2019 - Measuring the Liquidity Profile of Mutual Funds -
Sirio Aramonte, Chiara Scotti, and Ilknur Zer - We measure the
liquidity profile of open-end mutual funds using the sensitivity of
their daily returns to aggregate liquidity.
www.federalreserve.gov/econres/feds/files/2019055pap.pdf
____________________________
U.S. mayors resolve to no longer pay ransomware attackers - The
United States Conference of Mayors issued a resolution at its 87th
annual meeting to stand united against paying ransoms when their
municipality is hit with a ransomware attack.
https://www.scmagazine.com/home/security-news/ransomware/u-s-mayors-resolve-to-no-longer-pay-ransomware-attackers/
FEC: Campaigns Can Use Discounted Cybersecurity Services - The U.S.
Federal Election Commission (FEC) said today political campaigns can
accept discounted cybersecurity services from companies without
running afoul of existing campaign finance laws, provided those
companies already do the same for other non-political entities.
https://krebsonsecurity.com/2019/07/fec-campaigns-can-use-discounted-cybersecurity-services/
Facebook to pony up $5 billion in FTC settlement - Facebook said in
the spring it expected to pay a $5 billion fine to the Federal Trade
Commission (FTC) in the wake of the Cambridge Analytica scandal and
it now looks like the company will do just that after the
commission approved a settlement with the social media giant for
violating a 2011 consent decree.
https://www.scmagazine.com/home/security-news/privacy-compliance/facebook-to-pony-up-5-billion-in-ftc-settlement/
Premera Blue Cross to cough up $10 million to 30 states over data
breach - Premera Blue Cross has consented to pay $10 million as
compensation for a nearly year-long data breach that impacted more
than 10.4 million health patients, the Washington state's Attorney
General Bob Ferguson announced yesterday.
https://www.scmagazine.com/home/security-news/legal-security-news/premera-blue-cross-to-cough-up-10-million-to-30-states-over-data-breach/
How to operationalize threat intelligence - Security practitioners
face so many trials and tribulations as they protect and defend
their organizations. In order to seek the best possible protection,
they need to have an understanding of the threats which pose the
greatest risk and how to address them proactively.
https://www.scmagazine.com/home/opinion/executive-insight/how-to-operationalize-threat-intelligence/
CISOs vs. the board - For Fortune 1000 CISOs and CSOs, reporting to
their boards of directors is, at best, a complicated and disquieting
situation. CISOs must be specific and technical, but not too
specific nor technical. They must be honest and comprehensive, but
they also need to know which truths are best left unsaid.
https://www.scmagazine.com/home/security-news/cisos-vs-the-board/
Computer password inventor Fernando Corbató dies at 93 - Pioneering
computer scientist Fernando "Corby" Corbató, regarded as the
inventor of the computer password and a key contributor in the
development of time-sharing computer systems, died last Friday, July
12, in Newburyport, Massachusetts at the age of 93.
https://www.scmagazine.com/home/network-security/computer-password-inventor-fernando-corbato-dies-at-93/
Lucky break: Cracked windshield helps hacker find bug in Tesla -
Hackers typically crack software, but web application security
researcher Sam Curry quite literally cracked his Tesla Model 3 and
discovered a vulnerability that earned him a hefty reward from the
car maker's bug bounty program.
https://www.scmagazine.com/home/network-security/tktkttktktktktk-lucky-break-cracked-windshield-helps-hacker-find-bug-in-tesla/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Magecart group compromises 17,000 domains by overwriting Amazon S3
buckets - One of the "Magecart" cybercriminal groups has infected
more than 17,000 web domains with JavaScript-based payment
card-skimming code by developing an automated process for finding
and compromising misconfigured Amazon S3 buckets, researchers have
reported.
https://www.scmagazine.com/home/security-news/magecart-group-compromises-17000-domains-by-overwriting-amazon-s3-buckets/
Agent Smith Android malware infiltrates 25 million devices - A new
variant of mobile malware dubbed "Agent Smith" has already infected
25 million devices, 15 million of which are in India.
https://www.scmagazine.com/home/security-news/malware/a-new-variant-of-mobile-malware-dubbed-agent-smith-has-already-infected-25-million-devices-15-million-of-which-are-in-india/
L.A. County Health Services Department contractor breach leaks
patient data - A data breach at a Los Angeles County Department of
Health Services contractor resulted in the compromise of data from
14,591 patients.
http://www.scmagazine.com/home/security-news/data-breach/a-data-breach-at-a-l-a-county-department-of-health-services-contractor-resulted-in-the-compromise-of-data-from-several-thousand-patients/
Triple cyberattacks hit New Bedford, Gila and Syracuse schools - The
cyber onslaught against municipalities continued last week with New
Bedford, Mass., Gila County, Ariz., and the Syracuse, N.Y., school
district all being subjected to attacks.
https://www.scmagazine.com/home/security-news/ransomware/triple-cyberattacks-hit-new-bedford-gila-and-syracuse-schools/
A City Paid a Hefty Ransom to Hackers. But Its Pains Are Far From
Over. - Audrey Sikes, city clerk of Lake City, Fla., has a thing for
documents: She does not like losing them.
https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html
Malware attack on county computers - LP County website, government
email servers out of operation - All La Porte County government
emails, and the county website, remained out of commission late
Tuesday following a malware virus attack that affected the system on
Saturday morning.
https://www.thenewsdispatch.com/news/article_d9809e48-7e8d-52d5-9d08-5d6c1adab2a2.html
Sprint customer data breached via Samsung website flaw - Threat
actors gained unauthorized access to an undisclosed number of Sprint
customer accounts via a compromised Samsung website.
https://www.scmagazine.com/home/security-news/data-breach/sprint-is-notifying-customers-that-threat-actors-gained-unauthorized-access-to-an-undisclosed-number-of-customer-accounts-via-a-compromised-samsung-website/
2.2 million Clinical Pathology Laboratories patients exposed in AMCA
breach - The list of companies impacted by the American Medical
Collection Agency (AMCA) data breach has grown, with Clinical
Pathology Laboratories (CPL) now reporting that the PHI of about 2.2
million customers may have been affected.
https://www.scmagazine.com/home/security-news/data-breach/2-2-million-clinical-pathology-laboratories-patients-exposed-in-amca-breach/
Data dump suggests that Evite data breach affected 100M accounts - A
new addition to the data breach reference website "Have I Been Pwned?"
seemingly reveals that more than 100 million accounts were
compromised in this year's data breach of the event-planning service
Evite.
https://www.scmagazine.com/home/security-news/data-breach/data-dump-suggests-that-evite-data-breach-affected-100m-accounts/
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight
- Principle 14:
Banks should develop appropriate incident response plans to manage,
contain and minimize problems arising from unexpected events,
including internal and external attacks, that may hamper the
provision of e-banking systems and services.
Effective incident response mechanisms are critical to minimize
operational, legal and reputational risks arising from unexpected
events such as internal and external attacks that may affect the
provision of e-banking systems and services. The current and
future capacity of critical e-banking delivery systems should be
assessed on an ongoing basis. Banks should develop appropriate incident
response plans, including communication strategies, that ensure
business continuity, control reputation risk and limit liability
associated with disruptions in their e-banking services, including
those originating from outsourced systems and operations.
To ensure effective response to unforeseen incidents, banks
should develop:
1) Incident response plans to address recovery of e-banking
systems and services under various scenarios, businesses and
geographic locations. Scenario analysis should include consideration
of the likelihood of the risk occurring and its impact on the bank.
E-banking systems that are outsourced to third-party service
providers should be an integral part of these plans.
2) Mechanisms to identify an incident or crisis as soon as
it occurs, assess its materiality, and control the reputation risk
associated with any disruption in service.
3) A communication strategy to adequately address external
market and media concerns that may arise in the event of security
breaches, online attacks and/or failures of e-banking systems.
4) A clear process for alerting the appropriate regulatory
authorities in the event that material security breaches or disruptive
incidents occur.
5) Incident response teams with the authority to act in an
emergency and sufficiently trained in analyzing incident
detection/response systems and interpreting the significance of
related output.
6) A clear chain of command, encompassing both internal as
well as outsourced operations, to ensure that prompt action is taken
appropriate for the significance of the incident. In addition,
escalation and internal communication procedures should be developed
and include notification of the Board where appropriate.
7) A process to ensure all relevant external parties,
including bank customers, counterparties and the media, are informed
in a timely and appropriate manner of material e-banking disruptions
and business resumption developments.
8) A process for collecting and preserving forensic
evidence to facilitate appropriate post-mortem reviews of any
e-banking incidents as well as to assist in the prosecution of
attackers.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - PHYSICAL SECURITY
The confidentiality, integrity, and availability of information
can be impaired through physical access and damage or destruction to
physical components. Conceptually, those physical security risks are
mitigated through zone-oriented implementations. Zones are physical
areas with differing physical security requirements. The security
requirements of each zone are a function of the sensitivity of the
data contained or accessible through the zone and the information
technology components in the zone. For instance, data centers may be
in the highest security zone, and branches may be in a much lower
security zone. Different security zones can exist within the same
structure. Routers and servers in a branch, for instance, may be
protected to a greater degree than customer service terminals.
Computers and telecommunications equipment within an operations
center will have a higher security zone than I/O operations, with
the media used in that equipment stored at yet a higher zone.
The requirements for each zone should be determined through the
risk assessment. The risk assessment should include, but is not
limited to, the following threats:
- Aircraft crashes
- Chemical effects
- Dust
- Electrical supply interference
- Electromagnetic radiation
- Explosives
- Fire
- Smoke
- Theft/Destruction
- Vibration/Earthquake
- Water
- Wireless emissions
- Any other threats applicable based on the entity's unique
geographical location, building configuration, neighboring entities,
etc.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 20 -
ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM
(HGA)
20.4.3 Protection Against Interruption of Operations (1 of 2)
HGA's policies
regarding continuity of operations are derived from requirements
stated in OMB Circular A-130. HGA requires various organizations
within it to develop contingency plans, test them annually, and
establish appropriate administrative and operational procedures for
supporting them. The plans must identify the facilities, equipment,
supplies, procedures, and personnel needed to ensure reasonable
continuity of operations under a broad range of adverse
circumstances.
COG Contingency Planning
COG (Computer
Operations Group) is responsible for developing and maintaining a
contingency plan that sets forth the procedures and facilities to be
used when physical plant failures, natural disasters, or major
equipment malfunctions occur sufficient to disrupt the normal use of
HGA's PCs, LAN, server, router, printers, and other associated
equipment.
The plan prioritizes
applications that rely on these resources, indicating those that
should be suspended if available automated functions or capacities
are temporarily degraded. COG personnel have identified system
software and hardware components that are compatible with those used
by two nearby agencies. HGA has signed an agreement with those
agencies, whereby they have committed to reserving spare
computational and storage capacities sufficient to support HGA's
system-based operations for a few days during an emergency.
No communication
devices or network interfaces may be connected to HGA's systems
without written approval of the COG Manager. The COG staff is
responsible for installing all known security-related software
patches in a timely manner and for maintaining spare or redundant
PCs, servers, storage devices, and LAN interfaces to ensure that at
least 100 people can simultaneously perform word processing tasks at
all times.
To protect against
accidental corruption or loss of data, COG personnel back up the LAN
server's disks onto magnetic tape every night and transport the
tapes weekly to a sister agency for storage. HGA's policies also
stipulate that all PC users are responsible for backing up weekly
any significant data stored on their PC's local hard disks. For the
past several years, COG has issued a yearly memorandum reminding PC
users of this responsibility. COG also strongly encourages them to
store significant data on the LAN server instead of on their PC's
hard disk so that such data will be backed up automatically during
COG's LAN server backups.
To prevent more limited
computer equipment malfunctions from interrupting routine business
operations, COG maintains an inventory of approximately ten fully
equipped spare PCs, a spare LAN server, and several spare disk
drives for the server. COG also keeps thousands of feet of LAN cable
on hand. If a segment of the LAN cable that runs through the
ceilings and walls of HGA's buildings fails or is accidentally
severed, COG technicians will run temporary LAN cabling along the
floors of hallways and offices, typically restoring service within a
few hours for as long as needed until the cable failure is located
and repaired.
To protect against PC
virus contamination, HGA authorizes only System Administrators
approved by the COG Manager to install licensed, copyrighted PC
software packages that appear on the COG-approved list. PC software
applications are generally installed only on the server. (These
stipulations are part of an HGA assurance strategy that relies on
the quality of the engineering practices of vendors to provide
software that is adequately robust and trustworthy.) Only the COG
Manager is authorized to add packages to the approved list. COG
procedures also stipulate that every month System Administrators
should run virus-detection and other security-configuration
validation utilities on the server and, on a spot-check basis, on a
number of PCs. If they find a virus, they must immediately notify
the agency team that handles computer security incidents.
COG is also responsible
for reviewing audit logs generated by the server, identifying audit
records indicative of security violations, and reporting such
indications to the Incident-Handling Team. The COG Manager assigns
these duties to specific members of the staff and ensures that they
are implemented as intended.
The COG Manager is
responsible for assessing adverse circumstances and for providing
recommendations to HGA's Director. Based on these and other sources
of input, the Director will determine whether the circumstances are
dire enough to merit activating various sets of procedures called
for in the contingency plan.
________________________
July 11, 2019 - GAO - Agricultural Lending: Information on Credit and
Outreach to Socially Disadvantaged Farmers and Ranchers Is Limited.
https://www.gao.gov/products/GAO-19-539?utm_campaign=usgao_email&utm_content=topic_markets&utm_medium=email&utm_source=govdelivery
July 10, 2019 - FDIC Releases Initial Sections of its Applications
Procedures Manual - The manual provides direction for professional staff
assigned to review and process applications, notices, and other requests
submitted to the FDIC.
www.fdic.gov/news/news/financial/2019/fil19038.html
July 10, 2019 - Testimony by Chair Jerome H. Powell - Semiannual
Monetary Policy Report to the Congress - Before the Committee on
Financial Services, U.S. House of Representatives, Washington, D.C.
www.federalreserve.gov/newsevents/testimony/powell20190710a.htm
July 10, 2019 - Minutes of the Federal Open Market Committee, June
18-19, 2019 - A summary of economic projections made by Federal Reserve
Board members and Reserve Bank presidents for the meeting is also
included as an addendum to these minutes.
www.federalreserve.gov/newsevents/pressreleases/monetary20190710a.htm
July 9, 2019 - Simplifications to the Capital Rule Pursuant to the
Economic Growth and Regulatory Paperwork Reduction Act of 1996 - The
federal banking agencies are adopting a final rule that simplifies for
non-advanced approaches banking organizations the generally applicable
capital rules and makes a number of technical corrections.
www.fdic.gov/news/news/financial/2019/fil19037.html
July 9, 2019 - Speech by Vice Chair for Supervision Quarles on stress
testing: a decade of continuity and change - Vice Chair for Supervision
Randal K. Quarles At "Stress Testing: A Discussion and Review," a
research conference sponsored by the Federal Reserve Bank of Boston,
Boston, Massachusetts.
www.federalreserve.gov/newsevents/speech/quarles20190709a.htm
July 9, 2019 - Welcoming remarks by Chair Powell - Chair Jerome H. Powell
At "Stress Testing: A Discussion and Review," a research conference at
the Federal Reserve Bank of Boston, Boston, Massachusetts.
www.federalreserve.gov/newsevents/speech/powell20190709a.htm
July 9, 2019 - Agencies adopt final rule to exclude community banks from
the Volcker Rule - Five federal financial regulatory agencies announced
on Tuesday that they adopted a final rule to exclude community banks
from the Volcker Rule, consistent with the Economic Growth, Regulatory
Relief, and Consumer Protection Act.
Press Release:
www.federalreserve.gov/newsevents/pressreleases/bcreg20190709b.htm
Press Release:
www.fdic.gov/news/news/press/2019/pr19061.html
Press Release:
www.occ.gov/news-issuances/news-releases/2019/nr-ia-2019-76.html
July 9, 2019 - Agencies simplify regulatory capital rules - The federal
bank regulatory agencies today issued a final rule that reduces
regulatory burden by simplifying several requirements in the agencies'
regulatory capital rules.
Press Release:
www.federalreserve.gov/newsevents/pressreleases/bcreg20190709a.htm
Press Release:
www.fdic.gov/news/news/press/2019/pr19060.html
Press Release:
www.occ.gov/news-issuances/news-releases/2019/nr-ia-2019-75.html
July 9, 2019 - Federal Reserve System white paper examines the effects
of synthetic identity payments fraud - Synthetic identity payments fraud
is a fast-growing but little-understood problem that affects
individuals, financial institutions, government agencies, and private
industry.
www.federalreserve.gov/newsevents/pressreleases/other20190709a.htm
July 8, 2019 - Statistical Release - Consumer Credit - G.19 - In May,
consumer credit increased at a seasonally adjusted annual rate of 5
percent. Revolving credit increased at an annual rate of 8-1/4 percent,
while nonrevolving credit increased at an annual rate of 4 percent.
www.federalreserve.gov/releases/g19/current/default.htm
July 8, 2019 - Credit and Liquidity Programs and the Balance Sheet -
Recent balance sheet trends, weekly chart update.
www.federalreserve.gov/monetarypolicy/bst_recenttrends.htm
July 8, 2019 - Legal Developments - Section 19 letters, October 26, 2018
(2 letters), March 19, 2019 (4 letters), April 10, 11, 12 (3 letters),
18, and 30.
www.federalreserve.gov/supervisionreg/ordersother2019.htm
July 5, 2019 - Reduced Reporting in Call Reports for Covered Depository
Institutions - The federal banking agencies have adopted the attached
final rule to implement Section 205 of the Economic Growth, Regulatory
Relief, and Consumer Protection Act.
www.fdic.gov/news/news/financial/2019/fil19036.html
July 5, 2019 - Reduced Reporting in Call Reports for Covered Depository
Institutions - On June 21, 2019, the Office of the Comptroller of the
Currency, the Board of Governors of the Federal Reserve System, and the
Federal Deposit Insurance Corporation published the attached final rule
to implement Section 205 of the Economic Growth, Regulatory Relief, and
Consumer Protection Act.
www.fdic.gov/news/news/financial/2019/fil19035.html
July 5, 2019 - FOIA - Chair Powell's calendar, May 2019.
www.federalreserve.gov/foia/chairman-powell-calendar-052019.htm
July 5, 2019 - Report to the Congress - Monetary Policy Report - The
Federal Reserve Act requires the Federal Reserve Board to submit written
reports to Congress containing discussions of "the conduct of monetary
policy and economic developments and prospects for the future."
www.federalreserve.gov/monetarypolicy/mpr_default.htm
July 2, 2019 - Statement from St. Louis Fed on Possible Appointment of
Christopher Waller to Board of Governors:
www.stlouisfed.org/news-releases/2019/07/02/statement-from-st-louis-fed-on-possible-appointment-of-waller
_______________________________
July 3, 2019 - FDIC Issues List of Banks Examined for CRA Compliance -
The list covers evaluation ratings that the FDIC assigned to
institutions in April 2019.
www.fdic.gov/news/news/press/2019/pr19059.html
July 3, 2019 - Final Rule Revising the Board's Delegation Rules for
Certain Types of Applications, Notices, and Requests - The purpose of
this letter is to inform financial institutions and other members of the
public that the Board has expanded the types of applications, notices,
and requests for which the Federal Reserve Banks have delegated
authority to act.
www.federalreserve.gov/supervisionreg/srletters/SR1910.htm
July 3, 2019 - Federal Reserve Board announces it is seeking individuals
to serve on its Insurance Policy Advisory Committee - The Federal
Reserve Board on Wednesday announced that it is seeking individuals to
serve on its Insurance Policy Advisory Committee on International
Capital Standards and Other Insurance Issues.
www.federalreserve.gov/newsevents/pressreleases/other20190703a.htm
July 2, 2019 - OCC Releases CRA Evaluations for 23 National Banks and
Federal Savings Associations - The Office of the Comptroller of the
Currency today released a list of Community Reinvestment Act performance
evaluations that became public during the period of June 1, 2019 through
June 30, 2019.
www.occ.gov/news-issuances/news-releases/2019/nr-occ-2019-74.html
July 2, 2019 - OCC Hosts South Dakota Workshop for Board Directors and
Bank Management - The Office of the Comptroller of the Currency will
host a workshop in Sioux Falls, South Dakota, at the Holiday Inn Sioux
Falls - City Centre, August 6-7, for directors, senior management team
members, and other key executives of national community banks and
federal savings associations supervised by the OCC.
www.occ.gov/news-issuances/news-releases/2019/nr-occ-2019-73.html
July 1, 2019 - Covered Savings Associations Implementation: Covered
Savings Associations - On May 24, 2019, the Office of the Comptroller of
the Currency issued a final rule to allow federal savings associations
with total consolidated assets of $20 billion or less, as reported by
the association to the Comptroller on its call report as of December 31,
2017, to elect to operate as covered savings associations.
www.occ.treas.gov/news-issuances/bulletins/2019/bulletin-2019-31.html
July 1, 2019 - Statistical Release - Foreign Exchange Rates - G.5 - The
table below shows the average rates of exchange in JUNE 2019 together
with comparable figures for other months. Averages are based on daily
noon buying rates for cable transfers in New York City certified for
customs purposes by the Federal Reserve Bank of New York.
www.federalreserve.gov/releases/g5/current/default.htm
July 1, 2019 - When do low-frequency measures really measure transaction
costs? - Mohammad R. Jahan-Parvar and Filip Zikes - We compare popular
measures of transaction costs based on daily data with their
high-frequency data-based counterparts.
www.federalreserve.gov/econres/feds/files/2019051pap.pdf
July 1, 2019 - The Effects of Bank Capital Buffers on Bank Lending and
Firm Activity: What Can We Learn from Five Years of Stress-Test Results?
- Jose M. Berrospide and Rochelle M. Edge - Abstract: We use bank-firm
matched data from regulatory filings to study how the capital buffers
that large U.S. banks must satisfy to "pass" the quantitative component
of the Federal Reserve's CCAR stress tests impact banks' C&I lending and
firms' C&I loan volumes, overall debt, investment spending, and
employment.
www.federalreserve.gov/econres/feds/files/2019050pap.pdf
July 1, 2019 - Speech by Vice Chair Clarida on the Federal Reserve's
review of its monetary policy strategy, tools, and communication
practices - Vice Chair Richard H. Clarida At "The Bank of Finland
Conference on Monetary Policy and Future of EMU [Economic and Monetary
Union]," Helsinki, Finland.
www.federalreserve.gov/newsevents/speech/clarida20190701a.htm