The Coalfire Blog
Cyber Security Fraud in the Banking Industry: Lessons Learned in OCC Examiner Training
January 03, 2012, Rick Dakin, CEO, Co-founder and Chief Security Strategist
In late October 2011, Coalfire participated in a day of IT audit training with about 35 bank examiners. As you would expect, we covered a lot of previously hot topics. The conversation changed as we started talking about the amount of fraud being realized by community banks and credit unions.
The real discussion started when one of the examiners relayed a heartbreaking story about a family-owned bank that incurred losses from fraud that hit at the exact same time as some escalating loan loss reserves were recognized. The situation at the bank went from bad to worse, with their very survival at risk.
The examiners agreed that some of the loan loss situations could not have been anticipated, but the fraud, as a form of cyber crime, essentially could have been prevented. The mood in the audience was that the focus on cyber security and compliance with the FFIEC guidelines would be reviewed in much more depth in 2012 than was the case in 2011. I made a note to get with our friends in the banking sector and help prepare for a much more active and demanding series of IT compliance audit activities in 2012. The actual losses resulting from preventable cyber fraud are driving the forward momentum.
The new FFIEC Authentication Guidelines have already caused some confusion. What does each bank or credit union have to do to be in compliance with the new guidelines? They must prevent the increasing fraud, but the guidelines are still not clear.
Each institution has to conduct a security risk assessment and select justified controls. It sounds much easier than the process turns out to be. In many cases, the control adjustments impact not only the remote access and online access but the entire infrastructure of the bank’s IT systems, IT policy changes, user training, administrative oversight, authentication mechanisms, network segmentation, placement and strength of the encryption and so on. The IT audit group enthusiastically discussed a full range of risks and justified controls and the potential implications.
I have already seen that one $280 million bank has been asked to provide a risk assessment and control rationalization plan. The bar is getting higher. We simply have to take the time to get ready for 2012. The threat is real … the wave of new audits is near, and the readiness is questionable.
- Rick Dakin