Financial Institutions Insights
July/August 2015
A timely information and idea statement

In this issue:
• 4 steps to effective stress testing for community bank loan portfolios: You don’t have to stress over stress tests
• Protecting your financial institution from social engineering attacks: Not all cyberattacks come through cyberspace
• 4 steps to help evaluate a cloud computing provider
• Successfully vetting forensics firms: Key considerations when selecting a forensics provider
• Incident Response Guide

4 steps to effective stress testing for community bank loan portfolios
You don’t have to stress over stress tests
By: Nick Hahn, Justin Freeman, Dan Shumovich, and Shalene Jacobson

Regulators are pushing community banks to improve stress testing of their commercial real estate and subprime loan portfolios. The good news is that community banks don’t have to follow the stricter stress testing processes mapped out for larger banks in section 165 of the Dodd-Frank law. The bad news? That leaves them without a specific regulatory road map to follow.

4 steps to effective stress testing for community bank loan portfolios offers a common-sense, four-step process for developing a stress testing regime that will both satisfy regulators and help banks better manage their credit risk:
• Understand your portfolio and its risk factors
• Ensure you have sufficient, up-to-date data
• Test for risk
• Take appropriate actions to control your risk going forward

This step-by-step guide will help community banks better understand and effectively respond to mounting stress testing pressure from regulators. It will also help position them to better understand and control their credit risks. Read 4 steps to effective stress testing for community bank loan portfolios today, and stop stressing over stress testing.

Protecting your financial institution from social engineering attacks
Not all cyberattacks come through cyberspace
By: Loras Even

When you think of cyberattacks, your first thought may be of high-tech hacking attempts, but some threats are far simpler. Social engineering attacks are designed to trick your employees into granting access to systems or divulging information that helps attackers gain that access through low- or often no-tech means.

Consider this example: A hacker drops a USB drive in your bank’s lobby, maybe with a note taped to it that says “grandma’s birthday pictures.” A well-meaning employee picks it up, assuming it belongs to one of your customers, and plugs it into one of your computers, hoping to find information that will help them return it. Maybe it really has pictures of a birthday party on it. But it also has malicious code that has now opened your system to attack.

Social engineering attacks can come in many forms—by phone, email, snail mail, in person or through social media. So it’s important that you train your employees to be wary. Following are some effective strategies for combating social engineering.

• Telephone attacks. Social engineering phone calls often involve an attacker pretending to be a member of your own organization, a customer or another party, such as a vendor, presenting what seems to be a valid request for information. For example, a common scam is a call that purports to be from your information technology (IT) vendor, claiming that there is an issue with an employee’s computer or security credentials. The number on the employee’s caller ID may even match your IT vendor’s number—attackers can use spoofing devices to hide the number they are actually calling from. The employee is then duped into giving the fraudster information that grants them access to the system. But not all threats are that direct. Attackers often make a series of calls, gradually gathering the information they need to appear more credible to the next caller. The call alleging to be from your IT department could simply ask the employee to “confirm” that they are running a specific program, which gives the attacker one more piece of information they need about your systems. So what can employees do? Train them to understand that every phone call could be an attack. They should be on guard when they get a call from anyone they don’t personally recognize, especially if that person starts asking for information or if the call deals with an area with high exposure, such as a wire transfer. One effective defense? Simply ask to call them back at the number the bank has on file for that contact. Whether the caller purports to be a co-worker, a customer or a vendor, your institution should have a contact number for them. By calling them back at that number, employees can ensure they are talking to the right party. Also, there is certain information employees should never give out over the phone, such as account numbers and passwords.

• Email attacks. Attackers can pose a variety of questions via email to either trick employees into granting direct access to your systems or to gain information about your personnel, technology or operations that they can then use for further attacks. Hackers also use emails to trick employees into clicking on links that can launch attacks on your system. Again, the key is vigilance. Train employees to realize that every email could be an attack and to be particularly suspicious of emails asking for information, even if the email seems to be coming from a trusted contact. Unlike a phone call, where the employee would recognize the voice of that contact, an email shows only an address. That address can be spoofed, or that party’s account could have been hacked. Just as with phone calls, an easy and effective defense is to write back, but not by replying to the email. Instead, write a new message directly to the address for that contact confirming that the request is from them. In the case of a suspicious message from a trusted contact, for instance, a request from a co-worker for information that you know that co-worker already has, call them or talk to them directly.

• Social media attacks. Attackers can use social media to gather a wealth of information about an individual or target that they can then use to lend legitimacy to other social engineering attacks. As employees increasingly use platforms like LinkedIn for networking, the amount of information they can inadvertently reveal increases. For example, an employee in your IT department might list the specific applications he has experience with at your bank, which could provide valuable insights into your IT security to an attacker. Train employees not to reveal information that could damage your security on their social media profiles. Attackers also can use social media to slowly build trust with a targeted contact. Remember, that stranger you’ve been exchanging messages with on LinkedIn for the last six months is still a stranger. Finally, attackers can use social media to gain a wealth of information about someone that they can then use to lend credence to their other social engineering attacks. Employees should realize that just because a caller says he went to school with Bill and played on the lacrosse team with him doesn’t mean that caller actually knows him.

• In-person attacks. Attackers can actually walk into your bank in person looking to breach your security—the USB drive example earlier is just one example. Attackers can pose as customers claiming to have lost their wallets and try to gain access to account information. They have posed as utility workers claiming they need access to utility areas due to an emergency or to perform regular maintenance. Having specific procedures in place at your branches for dealing not only with customers but utility workers, vendors and others will prepare your employees to deal with these attacks.

Social engineering attacks are a real threat, but with some basic training, they are a threat that can be controlled. For too many banks, though, training is a once-a-year activity that employees come to see as a formality. Periodic training refreshers throughout the year, along with bulletins that share known attack methods, will help keep employees on their toes. Also, when it comes to training, don’t forget your executives. They aren’t immune. In fact, when it comes to social engineering, they are often in the position to do the most damage.

©2015 McGladrey LLP. All Rights Reserved. Used with Permission.

4 steps to help evaluate a cloud computing provider
By: Ryan Elmer

While the banking industry has been relatively slow to embrace cloud computing, experts say the industry’s need to drive down IT costs may finally prompt more institutions to consider the move. Despite potential benefits to the bottom line, bank executives need to understand that the cloud computing option is not without risk. Bank leaders still need to be highly vigilant about IT risk management, particularly since data-rich cloud sites are becoming a much more attractive target for global hackers.

According to a recent survey by cloud provider Netskope, up to 15 percent of business cloud users have had their credentials compromised through subpar password practices, and 8 percent of corporate cloud storage files were found to be in violation of data leak prevention policies.1 Additionally, hackers successfully exploited a “Heartbleed” vulnerability in OpenSSL encryption software used by a large number of companies, including Community Health Systems, Inc., which reported that 4.5 million patient records had been stolen last year.2

Is your bank considering the cloud as a processing or storage location for business-critical data? If so, remember that you are still responsible for assessing, supervising and enforcing provider performance, managing provider risks and maintaining reliable data access security. To help achieve these goals, consider the following steps:

Do a cost-benefit analysis. Most banks have a surprisingly high amount of data, images, processes and files that are candidates for migration to the cloud. But a study by Vision Solutions reported that 60 percent of IT leaders did not conduct a migration cost analysis before choosing to move ahead with a cloud computing initiative.3 For that reason, it’s smart to do an assessment that includes potential savings in hardware, software and backup investments, expenses for possible system downtime and IT staff time during a migration, and the ongoing cost of network administration support. Remember, an ill-considered cloud migration can result in extended system downtime, business interruptions and unhappy customers.

Choose the hosting environment that best meets your needs. In general terms, the cloud is a virtual computing platform, in which a bank’s actual data may be stored or processed in connected servers anywhere in the world. On the other hand, a cloud subset known as a hosted environment still works as an offsite computing resource, but with data stored in a defined location. In a hosted environment, a bank has direct access to a shared or dedicated server, making it easier for IT staff to align security protocols with that system. In a classic cloud environment, providers host data on multiple connected servers. While this does enhance reliability, it can make it harder for a bank’s IT team to choose cybersecurity controls that compensate for data spread across multiple servers.

Classify and segregate your data. This begins with a basic data review process, separating publicly available material (such as staff lists, locations, marketing materials or other nonproprietary items) and nonpublic personal information (such as customer names, addresses, account numbers or financial information). If the bank opts to migrate nonproprietary public data to a shared server or multiple connected servers, that choice poses little risk. While the best option for storing customer-sensitive information may be on a single in-house or dedicated hosting server, this data can also reside in a shared cloud environment that has strong encryption features.

1 Netskope cloud report, Jan. 2015
2 Heartbleed hack still a threat six months after discovery
3 Put your money where your cloud is

To read more, go to: http://mcgladrey.com/content/mcgladrey/en_US/our-insights/newsletters/financial-institutions-insights/four-steps-to-help-evaluate-a-cloud-computing-provider.html

Successfully vetting forensics firms
Key considerations when selecting a forensics provider
By: Andy Obuchowski

Data security is a growing concern for organizations, and the need for qualified forensics resources in investigations or legal proceedings has never been more critical. Finding the right fit for your organization is difficult as the market becomes crowded with providers rushing to address a developing need. Many are reputable, qualified resources, but others are new to forensics and might not provide the necessary skills and experience you require.

A case can be severely damaged due to improper vetting of a forensics firm or individual expert, and there is no going back to square one. This is a key process up front, and cutting corners can cost you more in the end. For example, an unqualified firm may underestimate the scope of the work or perform it inadequately, and the actual costs can be much higher and the timeframe for delivering results can be stretched beyond your deadlines. An experienced, qualified firm can set realistic expectations and timelines at the onset, and dramatically reduce the potential for errors, unexpected costs or increased timelines. You must know how to choose the right resources for your needs, and your approach can be the determining factor in winning a court case.

Incident Response Guide
By: Andy Obuchowski and Daimon Geopfert

In today’s environment, it is likely that all companies will eventually experience an information security incident. Timing is critical when diagnosing the nature and origin of the incident, and outlining the appropriate reaction. The speed and accuracy of response are important factors in addressing issues and protecting networks and systems.

To help organizations identify and respond to information security incidents, McGladrey has developed a comprehensive Incident Response Guide. The guide includes data privacy incident checklists, as well as key steps to take to respond to a potential breach. It also details examples, assessment questions, containment processes and where to look for evidence for a number of common incidents, including:
• Malware intrusion
• Internal or external unauthorized network access
• Social engineering attacks
• Lost or stolen computers, devices or media

The guide also includes common security and privacy assessment areas, detailing processes that organizations may fail to address when developing a data security platform. In addition, the document provides an appendix of potential evidence sources and how they can help you to identify and investigate a suspected incident. With an increasing number of threats, organizations must be prepared to respond quickly and thoroughly to minimize damage to critical systems and sensitive data.

315 N. Cedar Bluff Road
Knoxville, TN 37923

Information provided in this publication has been obtained by Pugh CPAs from sources believed to be reliable. However, Pugh CPAs guarantees neither the accuracy nor completeness of any information and is not responsible for any errors or omissions or for results obtained by others as a result of reliance upon such information. This publication does not, and is not intended to, provide legal, tax or accounting advice.

McGladrey Alliance is a premier affiliation of independent accounting and consulting firms. McGladrey Alliance member firms maintain their name, autonomy and independence and are responsible for their own client fee arrangements, delivery of services and maintenance of client relationships. McGladrey Alliance is a business of McGladrey LLP, a leading professional services firm providing tax and consulting services. McGladrey is the brand under which McGladrey LLP serves clients’ business needs. McGladrey, the McGladrey logo and the McGladrey Alliance signatures are used under license by McGladrey LLP.

For additional copies or change of address, contact Pugh CPAs. For more information, contact Daniel C. Franklin, CPA, CBA, CITP, CGMA, CGFM, at (865) 769-0660, or e-mail him at dfranklin@pughcpas.com. Visit our website at www.pughcpas.com

Financial Institutions Insights, July/August 2015. Printed in the USA.