The FFIEC proposes guidance on social media - can you stay two steps ahead?

Dirk Anderson, Managing Director, Professional Services

On January 22, 2013, the FFIEC put out a press release called “Financial Regulators Propose Guidance on Social Media”.  We should begin by saying that even without a social media presence, every company should address social media risks in their annual risk assessment. In this day and age where the average person has a smartphone, laptop, and a tablet, everyone is aware of social media. But what exactly is social media?

Social media can be defined in several ways, but we refer to it as web-based and mobile-based technology used to facilitate interactive communication between organizations, communities and individuals. With 1.06 billion active users on Facebook, 800 million unique visitors a day to YouTube, 400 million tweets a day on Twitter, and 200 million registered users on LinkedIn, it’s no wonder that the average company has a social media presence. This is why the FFIEC is seeking feedback on the rules it will set forth. In particular, it is seeking input on:

  1. Ways in which social media is used
  2. Impact on financial institutions
  3. Risk management related to social media presence

So what is the GOOD, the BAD, and the UGLY of social media? It’s a good thing because it’s a cost-effective mechanism for reaching a broad audience in a short period of time. The majority of customers, especially the younger generation, partake in some form of social media. More importantly, banks and credit unions often focus on community building, and social media is a great way to foster that connection. In addition, customer service can be provided via postings and message forums. The benefits are endless, but at the same time social media generates a new list of problems.

Obviously social media increases your public footprint, but with more exposure comes increased risk. What types of risks are we referring to? There are four basic types of risk that affect social media: Compliance, Legal, Reputational, and Operational. These risks can be introduced in a variety of ways:

  • Compliance – Employee or customer data is posted to a social media site
  • Legal – Posted information contains copyrighted material used without proper permission
  • Reputational – An employee, or a member of the public, posts negative feedback
  • Operational – Information submitted to a social media site is submitted without the institution retaining ownership or control of it

What should you do to mitigate these risks?

  • Update your risk assessment to reflect social media concerns
  • Develop a social media policy
  • Educate employees on what they (and the public) can and cannot do on social media
  • Appoint a Social Media Officer to identify and monitor the institution’s social media presence

A financial institution should weigh the risks of a social media presence, keeping in mind that the success of social media exposure requires consistent vigilance.

Dirk Anderson
