Financial Institutions Insights
July/August 2015
A timely information and idea statement
4 steps to effective stress testing for community bank loan portfolios
You don’t have to stress over stress tests
By: Nick Hahn, Justin Freeman, Dan Shumovich, and Shalene Jacobson
Regulators are pushing community banks to improve stress
testing of their commercial real estate and subprime loan
portfolios. The good news is that community banks don’t have to
follow the stricter stress testing processes mapped out for larger
banks in section 165 of the Dodd-Frank law. The bad news? That
leaves them without a specific regulatory road map to follow.
4 steps to effective stress testing for community bank loan
portfolios offers a common-sense, four-step process for
developing a stress testing regime that will both satisfy
regulators and help banks better manage their credit risk:
• Understand your portfolio and its risk factors
• Ensure you have sufficient, up-to-date data
• Test for risk
• Take appropriate actions to control your risk going forward
This step-by-step guide will help community banks better
understand and effectively respond to mounting stress testing
pressure from regulators. It will also help position them to
better understand and control their credit risks.
Read 4 steps to effective stress testing for community bank
loan portfolios today, and stop stressing over stress testing.
Protecting your financial institution from social engineering attacks
Not all cyberattacks come through cyberspace
By: Loras Even
When you think of cyberattacks, your first thought may be
of high-tech hacking attempts, but some threats are far
simpler. Social engineering attacks are designed to trick
your employees into granting access to systems or divulging
information that helps attackers gain that access through low- or
often no-tech means.
Consider this example: A hacker drops a USB drive in
your bank’s lobby, maybe with a note taped to it that says
“grandma’s birthday pictures.” A well-meaning employee picks
it up, assuming it belongs to one of your customers, and plugs
it into one of your computers, hoping to find information
that will help them return it. Maybe it really has pictures of a
birthday party on it. But it also has malicious code that has
now opened your system to attack.
Social engineering attacks can come in many forms—by phone,
email, snail mail, in person or through social media. So it’s
important that you train your employees to be wary. Following
are some effective strategies for combating social engineering.
• Telephone attacks. Social engineering phone calls often
involve an attacker pretending to be a member of your
own organization, a customer or another party, such as a
vendor, presenting what seems to be a valid request for
information. For example, a common scam is a call that
purports to be from your information technology (IT)
vendor, claiming that there is an issue with an employee’s
computer or security credentials. The number on the
employee’s caller ID may even match your IT vendor’s
number—attackers can use spoofing devices to hide the
number they are actually calling from. The employee is then
duped into giving the fraudster information that grants
them access to the system. But not all threats are that direct.
Attackers often make a series of calls, gradually gathering
the information they need to appear more credible to the
next caller. The call alleging to be from your IT department
could simply ask the employee to “confirm” that they are
running a specific program, which gives the attacker one
more piece of information they need about your systems.
So what can employees do? Train them to understand that
every phone call could be an attack. They should be on guard
when they get a call from anyone they don’t personally
recognize, especially if that person starts asking for information
Protecting your financial institution, continued on page 3
©2015 McGladrey LLP. All Rights Reserved. Used with Permission.
4 steps to help evaluate a cloud computing provider
By: Ryan Elmer
While the banking industry has been relatively slow to embrace
cloud computing, experts say the industry’s need to drive
down IT costs may finally prompt more institutions to consider
the move. Despite potential benefits to the bottom line, bank
executives need to understand that the cloud computing option
is not without risk. Bank leaders still need to be highly vigilant
about IT risk management, particularly since data-rich cloud sites
are becoming a much more attractive target for global hackers.
According to a recent survey by cloud provider Netskope, up to
15 percent of business cloud users have had their credentials
compromised through subpar password practices, and 8
percent of corporate cloud storage files were found to be in
violation of data leak prevention policies.1 Additionally, hackers
successfully exploited a “Heartbleed” vulnerability in OpenSSL
encryption software used by a large number of companies,
including Community Health Systems, Inc., which reported that
4.5 million patient records had been stolen last year.2
Is your bank considering the cloud as a processing or
storage location for business-critical data? If so, remember
that you are still responsible for assessing, supervising and
enforcing provider performance, managing provider risks and
maintaining reliable data access security. To help achieve these
goals, consider the following steps:
Do a cost-benefit analysis. Most banks have a surprisingly
high amount of data, images, processes and files that are
candidates for migration to the cloud. But a study by Vision
Solutions reported that 60 percent of IT leaders did not
conduct a migration cost analysis before choosing to move
ahead with a cloud computing initiative.3 For that reason, it’s
smart to do an assessment that includes potential savings
in hardware, software and backup investments, expenses
for possible system downtime and IT staff time during a
migration, and the ongoing cost of network administration
support. Remember, an ill-considered cloud migration can
result in extended system downtime, business interruptions
and unhappy customers.
Choose the hosting environment that best meets your
needs. In general terms, the cloud is a virtual computing
platform, in which a bank’s actual data may be stored or
processed in connected servers anywhere in the world. On the
other hand, a cloud subset known as a hosted environment still
works as an offsite computing resource, but with data stored in
a defined location. In a hosted environment, a bank has direct
access to a shared or dedicated server, making it easier for IT
staff to align security protocols with that system. In a classic
cloud environment, providers host data on multiple connected
servers. While this does enhance reliability, it can make it harder
for a bank’s IT team to choose cybersecurity controls that
compensate for data spread across multiple servers.
Classify and segregate your data. This begins with a basic data
review process, separating publicly available material (such as
staff lists, locations, marketing materials or other nonproprietary
items) and nonpublic personal information (such as customer
names, addresses, account numbers or financial information). If
the bank opts to migrate nonproprietary public data to a shared
server or multiple connected servers, that choice poses little risk.
While the best option for storing customer-sensitive information
may be on a single in-house or dedicated hosting server, this
data can also reside in a shared cloud environment that has
strong encryption features.
1. Netskope cloud report, Jan. 2015
2. Heartbleed hack still a threat six months after discovery
3. Put your money where your cloud is
To read more, go to: http://mcgladrey.com/content/mcgladrey/en_US/our-insights/newsletters/financial-institutions-insights/four-steps-to-help-evaluate-a-cloud-computing-provider.html
Successfully vetting forensics firms
Key considerations when selecting a forensics provider
By: Andy Obuchowski
Data security is a growing concern for organizations, and the
need for qualified forensics resources in investigations or legal
proceedings has never been more critical. Finding the right
fit for your organization is difficult as the market becomes
crowded with providers rushing to address a developing need.
Many are reputable, qualified resources, but others are new
to forensics and might not provide the necessary skills and
experience you require.
A case can be severely damaged due to improper vetting
of a forensics firm or individual expert, and there is no
going back to square one. This is a key process up front, and
cutting corners can cost you more in the end. For example,
an unqualified firm may underestimate the scope of the
work or perform it inadequately, and the actual costs can be
much higher and the timeframe for delivering results can be
stretched beyond your deadlines. An experienced, qualified
firm can set realistic expectations and timelines at the outset,
and dramatically reduce the potential for errors, unexpected
costs or extended timelines.
You must know how to choose the right resources for your
needs, and your approach can be the determining factor in
winning a court case.
Incident Response Guide
By: Andy Obuchowski and Daimon Geopfert
In today’s environment, it is likely that all companies will
eventually experience an information security incident.
Timing is critical when diagnosing the nature and origin of the
incident, and outlining the appropriate reaction. The speed
and accuracy of response are important factors in addressing
issues and protecting networks and systems.
To help organizations identify and respond to information
security incidents, McGladrey has developed a comprehensive
Incident Response Guide. The guide includes data privacy
incident checklists, as well as key steps to take to respond
to a potential breach. It also details examples, assessment
questions, containment processes and where to look for
evidence for a number of common incidents, including:
• Malware intrusion
• Internal or external unauthorized network access
• Social engineering attacks
• Lost or stolen computers, devices or media
The guide also includes common security and privacy
assessment areas, detailing processes that organizations may
fail to address when developing a data security platform. In
addition, the document provides an appendix of potential
evidence sources and how they can help you to identify and
investigate a suspected incident. With an increasing number
of threats, organizations must be prepared to respond quickly
and thoroughly to minimize damage to critical systems and
sensitive data.
Protecting your financial institution, continued from page 1
or if the call deals with an area with high exposure, such as a
wire transfer. One effective defense? Simply ask to call them
back at the number the bank has on file for that contact.
Whether the caller purports to be a co-worker, a customer or
a vendor, your institution should have a contact number for
them. By calling them back at that number, employees can
ensure they are talking to the right party. Also, there is certain
information employees should never give out over the phone,
such as account numbers and passwords.
• Email attacks. Attackers can pose a variety of questions via
email to either trick employees into granting direct access to
your systems or to gain information about your personnel,
technology or operations that they can then use for further
attacks. Hackers also use emails to trick employees into
clicking on links that can launch attacks on your system.
Again, the key is vigilance. Train employees to realize
that every email could be an attack and to be particularly
suspicious of emails asking for information, even if the email
seems to be coming from a trusted contact. Unlike a phone
call, where the employee would recognize the voice of that
contact, an email shows only an address. That address can
be spoofed or that party’s account could have been hacked.
Just as with phone calls, an easy and effective defense is to
write back, but not by replying to the email. Instead, write
a new message directly to the address for that contact
confirming that the request is from them. In the case of a
suspicious message from a trusted contact, for instance, a
request from a co-worker for information that you know that
co-worker already has, call them or talk to them directly.
• Social media attacks. Attackers can use social media to
gather a wealth of information about an individual or target
that they can then use to lend legitimacy to other social
engineering attacks. As employees increasingly use platforms
like LinkedIn for networking, the amount of information they
can inadvertently reveal increases. For example, an employee
in your IT department might list the specific applications
he has experience with at your bank, which could provide
valuable insights into your IT security to an attacker. Train
employees not to reveal information that could damage
your security on their social media profiles. Attackers also
can use social media to slowly build trust with a targeted
contact. Remember, that stranger you’ve been exchanging
messages with on LinkedIn for the last six months is still a
stranger. Finally, attackers can use social media to gain a
wealth of information about someone that they can then use
to lend credence to their other social engineering attacks.
Employees should realize that just because a caller says he
went to school with Bill and played on the lacrosse team with
him doesn’t mean that caller actually knows him.
• In-person attacks. Attackers can actually walk into your
bank in person looking to breach your security—the USB
drive scenario described earlier is just one example. Attackers can
pose as customers claiming to have lost their wallets and try
to gain access to account information. They have posed as
utility workers claiming they need access to utility areas due
to an emergency or to perform regular maintenance. Having
specific procedures in place at your branches for dealing not
only with customers but utility workers, vendors and others
will prepare your employees to deal with these attacks.
Social engineering attacks are a real threat, but with some basic
training, they are a threat that can be controlled. For too many
banks, though, training is a once-a-year activity that employees
come to see as a formality. Periodic training refreshers
throughout the year, along with bulletins that share known
attack methods, will help keep employees on their toes. Also,
when it comes to training, don’t forget your executives. They
aren’t immune. In fact, when it comes to social engineering,
they are often in the position to do the most damage.
Information provided in this publication has been obtained by Pugh CPAs from sources believed to be
reliable. However, Pugh CPAs guarantees neither the accuracy nor completeness of any information
and is not responsible for any errors or omissions or for results obtained by others as a result of reliance
upon such information. This publication does not, and is not intended to, provide legal, tax or
accounting advice.
McGladrey Alliance is a premier affiliation of independent accounting and consulting firms. McGladrey
Alliance member firms maintain their name, autonomy and independence and are responsible for their
own client fee arrangements, delivery of services and maintenance of client relationships. McGladrey
Alliance is a business of McGladrey LLP, a leading professional services firm providing tax and consulting
services. McGladrey is the brand under which McGladrey LLP serves clients’ business needs. McGladrey,
the McGladrey logo and the McGladrey Alliance signatures are used under license by McGladrey LLP.
For additional copies or change of address, contact Pugh CPAs.
For more information, contact Daniel C. Franklin, CPA, CBA, CITP, CGMA, CGFM, at (865) 769-0660, or
e-mail him at dfranklin@pughcpas.com.
Visit our website at www.pughcpas.com