Information Technology Archives - Young & Associates

Credit Unions: Prepare for increased cybersecurity exam scrutiny in 2025

Written by admin on February 24, 2025. Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation, Management & Planning.

By Mike Detrow, CISSP; Director of IT & IT Audit, Young & Associates

Is your credit union ready for stricter NCUA cybersecurity examinations?

There have been some signals over the past few years that the NCUA is focusing more attention on cybersecurity and may be increasing scrutiny in this area during upcoming exams. In this article, I will identify these signals and also provide steps that credit unions can take to prepare for this potential in their next exam.

Looking back at the NCUA’s Letters to Credit Unions from January 2022 through present, we see the following regarding cybersecurity:

January 2022: The NCUA continues to develop updated information security examination procedures
January 2023: The NCUA will continue to have cybersecurity as an examination priority
January 2024: The NCUA will continue to prioritize cybersecurity as a key examination focus
October 2024: The NCUA provided the following reporting statistics regarding the cyber incident response notification rule: “From September 1, 2023, the effective date of the NCUA’s cyber incident notification rule, through August 31, 2024, federally insured credit unions reported 1,072 cyber incidents. Seven out of ten of these cyber incident reports were related to the use or involvement of a third-party vendor.”
- This letter also identifies the following four key focus areas for boards of directors:
  - Ongoing cybersecurity education for the board of directors and credit union employees
  - Approval of a comprehensive information security program that includes risk assessments, security controls and incident response plans and is reviewed and updated at least annually
  - Oversight of operational management
  - Ensuring that an effective incident response plan is in place and includes specific requirements
January 2025: Cybersecurity remains a top supervisory priority and the NCUA urges each credit union’s board of directors to prioritize cybersecurity as a top oversight and governance responsibility

What do these cybersecurity trends mean for credit unions?

While the NCUA has identified cybersecurity as an examination focus area or priority in their supervisory priority statements for 2023, 2024, and yet again for 2025, the key information that identifies the potential for a more significant regulatory change is identified in the October 2024 letter. This letter states that 1,072 cyber incidents were reported over a one-year period and that seven out of ten of these incidents were related to the use or involvement of a third-party vendor.

While the information provided does not include any details about the severity of these incidents or how many may be attributed to a single vendor or single credit union, it would be hard for this number of reported cyber incidents not to get the attention of examiners and credit union management when it averages out to nearly three incidents per day. At a minimum, these statistics identify the need for better oversight of vendors by credit unions and potentially regulators. It also indicates that approximately 320 of the reported cyber incidents were not specifically attributable to the use or involvement of a vendor, which points to potential deficiencies in cybersecurity controls at the affected credit unions.

How credit unions can prepare for 2025 cybersecurity exams

The identification of key focus areas for boards of directors in the October 2024 letter is also noteworthy. This spells out specific recommendations for a credit union’s training program, information security program, oversight of operational management, and the incident response plan.

The recommendations for the oversight of operational management are very specific and include the following:

Set clear expectations regarding the due diligence of third-party vendors with respect to information security.
Ensure that cybersecurity is a core value within the credit union and influences decision-making.
Provide access to cybersecurity expertise and an adequate budget for the appropriate cybersecurity technologies and tools.
Place an emphasis on vulnerability management, patch management, application and website whitelisting and blacklisting and threat intelligence.
Engage external parties with appropriate expertise to conduct audits of the cybersecurity program.
Establish a framework for ongoing reporting of the status of the cybersecurity program including risk assessments, risk management and control decisions, service provider arrangements, results of testing and any recommended changes to the program.
Protection of data backups including secure storage and other controls to protect from ransomware as well as periodic testing to verify the recoverability of data.
Ongoing training for members to promote sound cybersecurity practices.

This is a potential indication that there will be more regulatory focus on evaluating the effectiveness of the board’s cybersecurity oversight and additional efforts to hold the board accountable if it does not take steps to promote cybersecurity as a core value within the credit union to mitigate potential cybersecurity threats.

How should credit union leaders prepare?

The board of directors and senior management should ensure that the credit union puts each of the recommendations identified in the October 2024 Board of Director Engagement in Cybersecurity Oversight (24-CU-02) letter into practice. While some credit unions may have internal resources to help with this process, many credit unions will benefit from having an independent consultant review their information security program, policies and procedures, incident response plan, vendor management practices, and technical security controls to identify areas for improvement to comply with the NCUA’s recommendations. The consultant can provide templates and other resources for management to use to implement the recommended improvements. The consultant can also be engaged to assist the credit union with the implementation of the recommended improvements.

How can Young & Associates help?

Young & Associates offers the following services to both evaluate and improve your cybersecurity program and security controls by identifying weaknesses and assisting with corrective actions to help you better protect your credit union from current cybersecurity threats.

IT Audits
Internal and External Vulnerability Assessments
Internal and External Network Penetration Testing
Social Engineering Tests
Policy templates, including an Incident Response Plan designed specifically for credit unions
Cybersecurity Program Development

For more information about our cybersecurity consulting services, contact us today.

The rising need for virtual chief information security officers

Written by admin on July 31, 2024. Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation, Management & Planning.

By Mike Detrow, CISSP, Director of IT & IT Audit, and Noah Lennon, CISA, Consultant, Young & Associates

Emerging trends in technologies, such as cloud computing and artificial intelligence, have significantly increased the complexity of the IT environments at community financial institutions. This has led to heightened regulatory requirements and demands for increased compliance efforts from an already stressed internal staff. Even the most skilled internal staff may find it challenging to manage the increased workload of managing the information security program, IT audits, and regulatory risk, which can lead to repercussions from regulators or security incidents.

For many, the need for dedicated information security management is abundantly clear, but affording and finding dedicated professionals in their communities is not an easy task. While you may already be using the services of a managed services provider (MSP) that may provide some support in this area, most MSPs are focused on IT infrastructure rather than information security programs. Virtual Chief Information Security Officers (vCISOs) are growing in popularity as a solution to this problem as they offer numerous benefits over a dedicated ISO, which are not only limited to cost savings.

Key benefits of virtual chief information security officers services for financial institutions

Some of the benefits that a vCISO can provide include:

Document templates

vCISOs maintain templates for documents such as policies, incident response plans, business continuity and disaster recovery plans, or can simply provide recommendations for enhancements of existing documents. Additionally, vCISOs have exposure to a breadth of policies across the many clients using their services, which allows constant improvements to the financial institution’s own policies and documentation.

Audit/exam preparation

vCISOs can help financial institutions prepare for an audit or exam by making sure that documentation is kept up to date and can help with the documentation gathering process to make sure it is well organized when it is provided to the regulator or auditor. vCISOs are also aware of recent audit/exam findings received by other clients and can help prevent your financial institution from receiving these same findings by addressing the identified issues prior to your next audit/exam.

Routine tasks

vCISOs know the activities that need to be completed each year and can skillfully lead them. These activities include vendor reviews, user access reviews, employee and board training, policy revisions and approvals, strategic planning, end of life monitoring, IT steering committee meetings, and more.

Security monitoring

vCISOs can help to verify that appropriate security controls are implemented for the financial institution’s information systems, ensure that appropriate logging is configured, and help to monitor logs and alerts to detect and investigate security events.

Vendor contacts

vCISOs work with a variety of vendors in the financial industry and can attest to their quality of work, which can assist the financial institution in choosing quality service providers. Leveraging existing rapport between the vCISO and service providers enables smoother transitions between vendors and clarity in the expectations for the relationship.

Plan testing exercises

vCISOs routinely help their clients perform business continuity and incident response tests, so they already develop testing scripts to make the testing process more efficient and productive. vCISOs can also help to ensure that teams appropriately document these tests for regulatory compliance and board reporting.

Incident response

vCISOs may have experience in responding to incidents that their other clients have experienced. You can use this knowledge to implement controls that help prevent an incident at your financial institution or allow you to respond more efficiently if you experience one.

Selecting the right virtual chief information security officers

So now that you are considering the idea of hiring a vCISO, how do you know what to look for? To help with this process, we have identified some of the criteria that you should consider when selecting a vCISO.

Industry expertise and regulatory understanding

One of the first characteristics to look for is a partner that focuses exclusively on financial institutions, or at a minimum has a division with this focus and understands the specific regulatory requirements from the FFIEC and your specific regulatory agency. While some firms may claim to cover all industries, there are differences in the regulatory requirements for various industries and you need a partner that truly understands the requirements that you must meet. In addition, while many financial institutions may share similarities, they also differ in available local providers, customer demands, regulators, technology, and complexity, so you need to make sure your partner customizes their processes and deliverables with flexibility to meet your specific needs.

Proactive approach and value addition

A vCISO should also provide value by regularly introducing new ideas to enhance the information security program, strengthen the security culture, and improve efficiency in routine processes. You should not need to continuously ask your partner for recommendations for improvements.

Integrated documentation systems

Another consideration is how the vCISO maintains documentation. While some smaller and less complex institutions may do okay with multiple standalone documents and spreadsheets, you can save time and ultimately money, and limit the potential for errors as you update data, by using an integrated system to share data for various purposes such as the information security risk assessment, vendor risk assessment and business continuity plan.

Maintaining service quality

One potential concern with using a vCISO is that unlike an CISO employed by the financial institution, vCISOs have multiple clients and may be less loyal to your financial institution than a full-time employee. To avoid potential issues associated with this type of relationship, just like any other vendor, you must perform appropriate due diligence and continuously monitor your vCISO to ensure that they are providing an acceptable level of service for your institution.

The strategic value of virtual chief information security officers services

In closing, not only can vCISOs help financial institutions meet regulatory and technological goals without the costs associated with a full-time employee, they also bring a broad range of prior experience from working with multiple financial institutions. If you are struggling to stay on top of increasing technologies and related regulations, a vCISO can be an invaluable resource in ensuring your financial institution is successful.

Your trusted IT consulting partner

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services tailor solutions to help you navigate the complexities of technology while ensuring regulatory compliance and information security.. Contact us today to learn more about how we can support your institution’s IT needs.

Internal audit: Your third line of defense in third-party risk management

Written by admin on July 31, 2024. Posted in Advice, Blog, Compliance & Regulations, Consultation, Cybersecurity & Information Security, Information Technology, Internal Audit, Management & Planning, Risk Management.

By Jeanette McKeever, CCBIA, director of internal audit, Young & Associates

In today’s financial landscape, banks and credit unions increasingly rely on third-party vendors to meet regulatory demands, leverage technological advancements and maintain competitive edges. However, these relationships introduce various types of risks in internal audit, from compliance and operational risks to reputational and strategic risks. Amidst economic uncertainty, increased digitalization and growing supervisory attention, many financial institutions are reviewing their third-party risk management (TPRM) frameworks to ensure they are robust and comprehensive.

Here, the role of internal audit becomes indispensable. Internal audit’s role in TPRM goes beyond mere compliance. By leveraging their unique skills and perspectives, internal auditors can help institutions identify, monitor and control risks while achieving strategic goals.

Understanding third-party risk in banking

Third-party relationships and their associated risks require careful management. Ineffective oversight of the complex operational, financial, technological, and legal agreements governing these extended business relationships can lead to brand or reputation damage, data security breaches, and significant financial losses. Additionally, such oversight failures can result in errors in financial reporting, compounding the challenges and potential impacts on the institution.

Financial institutions are entrusting an increasing percentage of their operations to third parties, prompting regulators to scrutinize these relationships more closely. The updated interagency guidance from the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB) and the Office of the Comptroller of the Currency (OCC) outlines the regulatory expectations for managing third-party risks throughout the relationship lifecycle: planning, due diligence, selection, contract negotiation, ongoing monitoring and termination.

Monitoring vendor performance is also a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) specifies the criteria for assessing vendor performance in their 2007 supervisory letter SL No. 07-01, “Evaluating Third-Party Relationships.” This guidance emphasizes key areas for third-party relationship management, including risk assessment and planning, due diligence, risk management, monitoring, and control.

The role of internal audit in third-party risk management

Though Chief Risk Officers are typically responsible for managing third-party risks, internal audit plays a crucial role as the third line of defense. Internal auditors bring essential skills, capabilities, and perspectives to thoroughly examine TPRM programs, identifying gaps or areas for improvement that might have been missed by the second line of defense. The board relies on internal auditors as an extra layer of security to ensure that third-party risks are properly identified and assessed, appropriate internal controls are in place, and timely risk intelligence is generated to inform decision-making.

Leveraging internal audit to improve third-party risk controls

Internal audit can contribute significantly to managing third-party risks through various areas:

Pinpointing critical contracts: Internal auditors can assist in identifying high-risk third parties and ensure they receive more frequent scrutiny. This can help with prioritizing risk management efforts.
Assessing risk management programs: They can evaluate the effectiveness of third-party due diligence processes and controls, conducting research to gauge the risk level and reputation of third parties.
Reviewing compliance with governance standards: Internal auditors can verify if the financial institution’s processes for selecting and managing third parties adhere to governance requirements and include necessary risk and compliance clauses in contracts.
Evaluating and improving risk controls: They can assess the effectiveness of risk management controls, ensure regulatory compliance, and check for “right to audit” clauses in third-party agreements.
Facilitating informed decision-making: Auditors offer valuable insights into third-party risks. They also evaluate decision-making and contract management processes. This ensures that these processes align with the bank or credit union’s strategic objectives. Additionally, auditors verify that the processes provide sufficient risk protection.
Assessing performance and identifying opportunities: They review global third-party performance, detect inconsistencies, and recommend best practices for effective risk and performance management.

Integrating internal audit into third-party risk management strategies

1. Independent vendor risk assessment and identification

Conducting a risk assessment is essential for the initial decision-making process regarding whether to establish a third-party relationship. Internal auditors bring an independent perspective to the assessment and identification of third-party risks. They can perform thorough risk assessments to identify all third-party relationships and associated risks. This independent evaluation helps ensure no significant risk is overlooked, and it provides a holistic view of the financial institution’s third-party risk landscape.

2. Vendor due diligence and selection oversight

The due diligence process equips management with the necessary information to evaluate both the qualitative and quantitative aspects of potential third parties, determining whether a relationship will support the financial institution’s strategic and financial goals while mitigating identified risks.

If your financial institution has its own internal audit team, involving them in the due diligence process for vetting potential third-party relationships can be highly beneficial. Though not prevalent practice in community banks and credit unions yet, leveraging your institution’s third line of defense can enhance third-party risk management processes and provide an extra layer of protection.

Internal audit teams can provide oversight during the due diligence and selection phases of third-party relationships. They can assess the processes used for selecting third parties to confirm that the institution has effective policies and procedures in place. By ensuring thorough due diligence, internal auditors help identify potential risks early on. Their oversight includes evaluating the third party’s operational quality, compliance capabilities, risk profile, and long-term viability.

3. Contract management and compliance

Financial institution management should ensure that the specific expectations and obligations of both the financial institution and the third party are clearly defined in a written contract before finalizing the arrangement. Board or committee approval is required for many material third-party relationships, and significant contracts should be reviewed by appropriate legal counsel before finalization. The level of detail in contract provisions will depend on the scope and risks associated with the third-party relationship. Effective contract management is crucial for mitigating third-party risks. This involves not just due diligence but also thorough processes in agreement formation, publication, activation, compliance with service delivery, analysis, optimization, and offboarding.

The internal audit function can engage in contract management in two key areas:

Auditing the overall contract management process.
Reviewing active contracts with critical vendors.

Auditing the contract management process

An effective contract management process is crucial for maintaining strong performance across your institution. Even minor inefficiencies can lead to significant issues, particularly when your financial institution aims to grow and scale. A robust contract management system contributes to a thriving institution.

Regular audits of your contract management lifecycle can reveal hidden costs and growth opportunities. These audits should assess process deficiencies, compliance issues, and historical management practices. Start by identifying key stages in your process and setting benchmarks for measurement. Key stages often include planning, due diligence, selection, contract negotiation, ongoing monitoring, and termination, as outlined in regulatory guidance.

Evaluate your management practices within each stage. Is the contract management process clearly defined? Are roles and responsibilities assigned? Who ensures compliance with service-level agreements (SLAs)? Addressing these questions through a contract management audit can help identify risks and gaps, ensuring a more effective and efficient process.

Reviewing active contracts with critical vendors

Begin by inventorying and segmenting critical vendors based on risk levels to identify those most critical to audit. Incorporate audits of high-risk and important service provider contracts into your annual audit plan. Gain an understanding of the key risks associated with each service provider and thoroughly review their contracts.

Internal auditors can review critical third-party contracts to ensure they include comprehensive risk and compliance clauses. This includes verifying that contracts have “right to audit” provisions, which allow the institution to monitor third-party compliance continuously. Once you’ve established your audit rights, you can start the contract audit by assessing key legal and business risks. Look for deficiencies and compliance issues in the contract, and consider conducting on-site reviews if your audit rights permit. An efficiency audit may also be warranted to ensure services are delivered as per the contract and service level agreements.

After completing the audit, validate the results, identify root causes, and propose solutions. Finally, communicate the results to the contract owner and key stakeholders, ensuring they are informed of the findings and recommended actions.

4. Ongoing monitoring and reporting

Once a third-party relationship is established, continuous monitoring is essential to manage evolving risks. Internal audit can play a vital role in developing and implementing monitoring frameworks that track third-party performance, compliance and risk exposure. Regular audits and reviews can provide senior management with timely risk intelligence. This enables informed decision-making and ensures that effective internal controls are in place.

5. Internal audit collaboration with risk management functions

Internal audit of third-party risk management becomes more effective when auditors and risk managers collaborate and share information. This allows both to leverage each other’s abilities and tools. By working closely with risk, compliance and other departments, internal auditors can ensure that third-party governance policies and procedures are consistently applied across the bank or credit union.

By integrating third-party risk assessments with audit plans, both auditors and risk management teams can eliminate redundancies in the risk evaluation processes. This approach also helps standardize the risk language used. It offers management teams and boards a comprehensive view of the financial institution’s third-party risk profile. This collaboration integrates TPRM into the overall risk management strategy, enhancing the institution’s ability to manage third-party risks.

Building a robust third-party risk management framework

To effectively manage third-party risks, financial institutions should establish a comprehensive TPRM framework. TPRM necessitates a framework that holds the board of directors and senior management accountable. It requires them to adjust the principles based on the size, scope and criticality of the products or services provided by third parties. This framework should be consistently applied across the institution and integrated into its operational, risk, and compliance management activities. As discussed, key components of a robust TPRM framework include:

Defining and Inventorying Third-Party Vendors: Internal audit can assist in identifying and inventorying all third-party relationships, categorizing them by risk level and criticality.
Risk Appetite Assessment: Assessing the bank or credit union’s risk appetite concerning third-party relationships, particularly those in high-risk locations or industries.
Enhanced Vendor Due Diligence: Conducting enhanced due diligence for critical third-party relationships, ensuring alignment with the institution’s risk profile and regulatory requirements.
Ongoing Monitoring and Performance Standards: Establishing and maintaining rigorous monitoring and performance standards for third-party relationships, ensuring continuous compliance and risk management.
Training and Awareness: Providing training for stakeholders on TPRM processes and the importance of effective third-party risk management.

Risk-based internal audit for financial institutions

With regulatory bodies calling for enhanced third-party oversight, the imperative for thorough risk and assurance functions has never been greater. These functions must delve deeply into the third-party network. This helps to ensure that critical risks and compliance requirements are diligently managed and monitored. Internal auditors are pivotal in this endeavor and should seek to broaden their role in fortifying third-party risk management.

At Young & Associates, we understand the critical importance of robust TPRM processes. We offer expert consulting services to help banks and credit unions strengthen their internal audit functions, risk management, and more. By leveraging our expertise, financial institutions can enhance their third-party risk management frameworks, ensuring compliance, mitigating risks and achieving strategic objectives. Ultimately, effective TPRM is not just about regulatory compliance; it’s about creating a resilient and thriving financial institution.

For more information on how Young & Associates can support your internal audit needs, click here.

Qualities of a good managed services provider (MSP)

Written by admin on April 29, 2024. Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation.

By: Mike Detrow, CISSP, Director of IT & IT Audit at Young & Associates

Due to the challenges of finding qualified employees to fill internal IT positions and the increased complexity of technology solutions, many community financial institutions have either outsourced the management of their information systems to a managed services provider (MSP), or they are considering this move.

But how do you know that you currently have, or you are choosing the right partner? In this article, we will discuss the qualities you should look for in an MSP to help you evaluate your current MSP and select the right partner if you want to outsource the management of your information systems.

Understanding financial institution needs

First, it is important to understand that financial institutions are unique from other industries, and a local MSP that primarily works with manufacturing companies may not understand the security requirements of a financial institution. Financial institutions are highly regulated and undergo routine IT audits/assessments due to the significant amount of sensitive and personally identifiable information that they maintain, alongside the substantial financial assets under their protection.

Many MSPs may not be familiar with the regulatory and security requirements associated with banking and therefore may not be prepared to work with examiners/auditors or respond effectively to exam/audit recommendations.

The drawbacks of national managed services providers

A national MSP may not be appropriate for a small community financial institution either as you may end up being a little fish in a big pond and may not get the attention that you need. Financial institutions that we work with have already experienced this with some of the large core processing vendors where it is difficult to get good support as a small institution. Additionally, obtaining managed IT services from your core processing vendor may make converting to a different core processor more challenging.

The value of local and regional managed services providers

So, how do you find a good partner? Based on our experience working with numerous MSPs through the IT Audit process, we typically see that community financial institutions get the most value from working with local or regional MSPs that have existing experience working with numerous financial institutions.

These MSPs already understand the regulatory and security requirements that financial institutions face, and they have experience with the appropriate tools and configuration practices to secure the institution’s information systems.

5 key qualities of good managed services providers

Some of the good qualities that we see from these MSPs include:

Proactively identifying and presenting new tools to enhance the institution’s information security posture.
Working as a partner by learning about the institution and customizing solutions to its unique needs.
Maintaining detailed and accurate documentation for the institution’s system configurations and ongoing monitoring.
Being responsive to initial and follow up exam/audit documentation requests.
Being responsive to exam/audit recommendations by implementing remediation measures in a timely manner.

Managed services provider red flags to watch out for

Some of the red flags that we see from other MSPs include:

Providing security status reports that contain errors or are hard to understand.
Lack of detailed and accurate documentation for the institution’s system configurations and ongoing monitoring.
Failing to notify the institution prior to making changes that may compromise security or impact system availability.
Slow response to documentation requests for exams/audits or charging additional fees to provide this information.
Refusing to implement exam/audit recommendations due to lack of technical knowledge or in cases where the recommendations do not fit into the MSP’s “standard configuration.”

Ensuring the right partnership

It is important to remember that you are ultimately responsible for any problems that occur from selecting the wrong MSP. Whether this decision leads to an insecure environment or just makes your job more difficult as the liaison between the institution and the MSP.

Just like any other vendor, you must continuously monitor your MSP to ensure that they are providing acceptable service levels. You should consider replacing the MSP if they are not meeting your expectations. While it may seem like a big task to replace your MSP, having the right partner will not only help to ensure that appropriate security controls are implemented, but it should also make your job easier as the liaison.

Your trusted IT consulting partner

At Young & Associates, we understand the unique needs and challenges faced by financial institutions. Our IT consulting services help you navigate the complexities of technology solutions while ensuring regulatory compliance and information security. Contact us today to learn more about how we can support your institution’s IT needs.

NCUA cybersecurity priority: What credit unions need to know

Written by admin on February 16, 2024. Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation, Network Penetration Testing, Social Engineering, Vulnerability Assessment.

In the ever-changing landscape of financial services, cybersecurity emerges as a paramount concern for credit unions and their members. As regulatory scrutiny on information security intensifies each year, it’s essential for credit unions to stay vigilant and adaptable. This involves drawing insights from incident response exercises, threat intelligence, and industry benchmarks to bolster resilience and agility while ensuring compliance amidst evolving threats.

Understanding the NCUA supervisory priority of information Sscurity

In 2024, the National Credit Union Administration (NCUA) emphasizes the critical importance of cybersecurity as part of its regulatory oversight. This highlights the urgent need for credit unions to strengthen their cyber defenses and resilience. In the face of an increasingly complex threat landscape, credit unions must prioritize cyber security measures to protect member data and maintain seamless operations. From rigorous information security examinations to strict compliance with NCUA’s information security requirements, credit unions must uphold stringent standards to ensure operational continuity and safeguard sensitive information. In today’s digitally interconnected and rapidly advancing technological landscape, it’s vital to adopt a proactive approach to detecting and responding to cyber risks with utmost precision.

Six key considerations for credit union cyber security compliance

1. Holistic risk assessment and management

Credit unions must adopt a proactive stance towards risk management by conducting thorough assessments of cyber threats, vulnerabilities, and potential impact scenarios. At the core of effective cybersecurity governance lies the comprehensive risk assessment process. By identifying and prioritizing potential threats, vulnerabilities, and impact scenarios, credit unions lay the groundwork for developing targeted risk mitigation strategies.

2. Vendor risk management

Ensuring effective cybersecurity compliance for credit unions demands vigilant vendor risk management. The NCUA underscores the criticality of reviewing third-party contracts to discern incident reporting obligations. This comprehension of responsibilities and liabilities outlined in vendor contracts fosters seamless collaboration, prompt response to cyber incidents, and adherence to reporting requirements.

3. Incident monitoring and documentation protocols

Credit unions must implement robust incident monitoring and documentation protocols to strengthen cyber resilience. Swift detection and containment of cyber threats are facilitated by effective incident monitoring, while comprehensive documentation enables timely reporting and compliance with regulatory mandates. By maintaining detailed records of cyber incidents, credit unions enhance transparency and accountability in their cybersecurity practices.

4. Robust incident response plans

Establishing robust incident response plans is pivotal for credit union cybersecurity compliance. It is imperative to update these plans to align with reporting requirements. By ensuring that response protocols are synchronized with regulatory mandates, credit unions can streamline incident resolution and minimize potential damages effectively. Simplify compliance with NCUA cybersecurity standards and cyber incident reporting requirements using Y&A’s customizable Incident Response Plan for Credit Unions. With a detailed incident response policy, guidance for specific incidents, a sample membership notification letter, and an incident response form, ensure your credit union is well-prepared for any security event. Read more about the plan here.

5. Adherence to NCUA regulatory standards

Compliance with regulatory standards, including the NCUA’s Cyber Incident Notification Reporting Rule, is non-negotiable. Credit unions must ensure timely and accurate reporting of cyber incidents, enhancing transparency, accountability, and regulatory compliance.

6. Continuous monitoring and improvement

Cybersecurity is not a static endeavor; it demands continuous monitoring, evaluation, and improvement. Credit unions should embrace a culture of vigilance and adaptation, empowering stakeholders to remain abreast of emerging threats and evolving best practices. This commitment to continuous improvement ensures that credit unions remain resilient in the face of evolving cybersecurity challenges.

Empowering credit unions: Tailored cybersecurity solutions from Young & Associates

As the NCUA places increased emphasis on information security, credit unions must prioritize compliance, resilience, and proactive risk management strategies. At Young & Associates, we understand the nuanced challenges and opportunities inherent in cybersecurity governance. Our dedicated team of professionals stands ready to support credit unions in navigating the complexities of cybersecurity risk management, compliance, and strategic planning.

We offer tailored solutions to address your specific needs and concerns. Our customizable Incident Response Plan provides a structured framework for swift and effective response to cyber incidents, ensuring the protection of member data and the integrity of your institution.

Additionally, our full suite of IT consulting services offers comprehensive support to credit unions. Our IT audits provide an independent assessment of your environment, helping you implement controls to manage your risk effectively. Furthermore, our vulnerability assessments and penetration tests identify any weaknesses in your network, enabling proactive threat mitigation.

You’re not alone on your cybersecurity journey. With Young & Associates by your side, you can navigate the complexities of cybersecurity with confidence and peace of mind. Together, we can strengthen your cyber defenses, uphold regulatory compliance, and safeguard the interests of your members and institution.

Contact us today to learn more about how we can support your credit union’s cybersecurity goals. Let’s embark on this journey together towards a more secure and resilient future.

Helpful links:

Notable changes in the new ransomware self-assessment tool

Written by admin on January 22, 2024. Posted in Advice, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit.

By: Mike Detrow, CISSP

The Bankers Electronic Crimes Taskforce, state bank regulators, and the United States Secret Service first released the Ransomware Self-Assessment Tool (R-SAT) in October 2020. The tool for banks is used to evaluate their preparedness for a ransomware attack and to help identify additional controls that should be implemented to increase a bank’s security.

A number of state banking departments worked together to evaluate banks that suffered a ransomware attack between January 1, 2019 and December 31, 2022, and the Conference of State Bank Supervisors used this information to publish a report in October 2023 that identifies the lessons learned by these banks¹.

Key findings from the ransomware lessons report

This report identifies the following significant findings:

Lack of completion and proper use of the R-SAT to identify gaps in a bank’s security controls to prevent or mitigate the effects of a ransomware attack
Lack of multi-factor authentication or improperly configured multi-factor authentication
Lack of proper understanding of social media and methods for monitoring social media platforms to address the potential dissemination of misinformation that may affect a bank’s reputation

A new version of the R-SAT, released in October 2023, identifies additional security considerations that banks will need to evaluate regarding their preparedness for a ransomware attack.

Notable additions to R-SAT

Notable additions to the new version of the R-SAT include:

Specific questions added in item 3 regarding the services provided by the cyber insurance carrier to respond to a ransomware attack
A column was added in item 4 to identify services that are based in a cloud environment
Item 5 is a new question asking if any data is housed in a location outside of the United States
Item 10 now asks about the frequency of employee security awareness training
Item 11 is a new question asking if the institution performs phishing test exercises at least quarterly
Item 12 identifies additional questions regarding backup data validation and recovery capabilities
Item 13 includes additional questions regarding the implementation of multi-factor authentication
Item 14 includes several new additional preventative controls that should be considered
Item 18 includes additional ransomware response procedures that should be included in the incident response plan

Security control enhancements recommended by Young & Associates

Through the IT Audits and consulting work that Young & Associates performs, we also see value in:

Proper understanding of the use of cloud-based services and appropriate policies governing their use
Providing cybersecurity training to employees throughout the year that identifies current threats rather than just one annual training session
Performing employee phishing tests at least quarterly rather than just once a year
Performing an authentication assessment and implementing multi-factor authentication for all critical systems and applications

To help prevent or mitigate the potential effects of a ransomware attack and to prepare for their next IT examination, banks should review the report regarding the ransomware lessons learned by banks that suffered an attack. Complete the updated R-SAT by using the following link to access these resources: https://www.csbs.org/ransomware-self-assessment-tool

Strengthening bank security against ransomware

As cyber risks become more prevalent, managing your technology infrastructure and security is paramount. Young & Associates provides financial institution IT consulting to help protect community banks and credit unions from internal and external threats.

Credit union cybersecurity: Actionable cyber threat defense

Written by admin on November 7, 2023. Posted in Advice, Blog, Consultation, Cybersecurity & Information Security, Information Technology, IT Audit, IT Program Design & Implementation, Network Penetration Testing, Social Engineering, Vulnerability Assessment.

In an era dominated by technology, the financial sector faces a growing menace in the form of cyberattacks. Credit unions, along with their members’ sensitive data, have become prime targets for cybercriminals. To safeguard against these evolving threats, credit unions must proactively fortify their cybersecurity defenses.

As the financial industry changes, cybercriminals adapt, so credit unions must prioritize cybersecurity planning. This article discusses steps and measures credit unions can take to protect their operations and member data from cyber threats.

Understanding the cyber threat landscape

The increase in cyberattacks on credit unions, as well as their affiliated CUSOs and vendors, has brought cybersecurity vulnerabilities into sharp focus. It’s essential to recognize that cyber threats are no longer a distant possibility, but a tangible reality that demands immediate attention. Cybercriminals employ a range of tactics, including ransomware, phishing, and Distributed Denial-of-Service (DDoS) attacks, all with the potential to disrupt operations, compromise data, and tarnish the reputation of credit unions.

Taking action: Security controls for credit unions

In a realm where financial innovation and digital transformation reign, protecting sensitive data and ensuring uninterrupted services takes precedence. However, this progress is accompanied by the challenge of cyber threats, demanding a proactive approach to security.

To counter the evolving threat landscape, credit unions must adopt specific actions and security controls that reinforce their defenses. These measures not only safeguard their operations but also uphold the confidence and trust of their members. Let’s explore the steps credit unions can take to strengthen their cybersecurity and defend against cyber threats.

1. Implement strong access controls

Effective access controls form the first line of defense against unauthorized access. Credit unions should enforce stringent access policies, ensuring that only authorized personnel have access to critical systems and sensitive data. Implement role-based access controls (RBAC) to limit privileges based on job roles, and regularly review and update permissions to maintain a least-privilege approach.

2. Fortify with multi-factor authentication (MFA)

Incorporate MFA for all critical systems, applications, and accounts in your credit union. This extra layer of security forms a significant hurdle for unauthorized access attempts and provides protection against phishing attacks. MFA necessitates users to offer additional confirmation apart from a password, thereby boosting security.

3. Prioritize patching and updating systems

Addressing vulnerabilities promptly is critical to preventing potential breaches. Outdated software and unpatched systems are prime targets for cyber attackers. Regularly update and patch operating systems, software applications, and security solutions to address known vulnerabilities and reduce the risk of exploitation. Stay informed about security advisories and updates from the software provider and relevant cybersecurity agencies.

4. Enhance member and employee cybersecurity awareness

Cyber threats evolve continuously, and so should employee knowledge. Educating your employees about cyber threats is one of the most effective ways to mitigate risks. Provide ongoing training to employees to help them recognize and respond to social engineering, the latest cyber threats, other common attack techniques, and best practices to keep them vigilant and informed. Awareness empowers your team to become a crucial line of defense. Equally important is educating members about safe online practices to prevent them from falling victim to scams or attacks.

5. Reinforce email security and anti-phishing measures

Email remains a primary vector for cyberattacks. Implement sophisticated email security systems that inherently possess phishing identification and prevention features. Use SPF, DKIM, and DMARC to stop email spoofing and make emails more authentic, lowering the chance of successful phishing.

6. Conduct regular penetration testing and vulnerability assessments

Proactively identify vulnerabilities by conducting regular penetration testing and vulnerability assessments. This allows credit unions to uncover weaknesses in their systems, applications, and infrastructure before cybercriminals can exploit them.

7. Craft a robust incident response plan

Prepare for the worst by developing a comprehensive incident response plan. Regularly test this plan to ensure your credit union is ready to respond swiftly and efficiently to a cyberattack. This plan should outline steps to take in case of a cyber incident, clearly define roles, responsibilities, communication protocols, and procedures, and rehearse different attack scenarios to minimize downtime and mitigate damages.

8. Manage vendor risk strategically

Your credit union’s security isn’t solely dependent on your internal measures—it extends to third-party vendors as well. Review and assess the cybersecurity practices of vendors providing services to your credit union. Ensure they adhere to robust security standards and regularly evaluate their security posture to safeguard your ecosystem. Learn more about effective vendor due diligence evaluations in this blog.

9. Network segmentation and DDoS protection

Network segmentation involves dividing the network into smaller segments to limit lateral movement in the event of a breach. Execute network partitioning to confine possible security breaches and reduce their effects. This approach restricts attackers’ ability to move freely within the network, containing the impact and reducing the potential damage. Protect against DDoS attacks by filtering and limiting traffic to prevent disruptions to your services.

10. Safeguard through regular data backups, testing and recovery planning

Ransomware attacks can paralyze credit unions by encrypting critical data. Regularly back up your data and test the recovery process to ensure quick and effective restoration in case of an attack. Backups reduce the likelihood of data loss and minimize the temptation to pay ransoms.

11. Encourage sharing of threat intelligence

Get involved in communities that share threat intelligence in order to keep updated on new cyber threats and trends. Collaborating with industry peers enhances your understanding of evolving attack tactics, enabling you to adapt and protect your credit union effectively.

12. Sustain vigilance with continuous monitoring and updates

Cyber threats are ever-evolving, making continuous monitoring and prompt patch application essential. Monitor network traffic, logs, and systems for any unusual activities that could indicate a breach. Timely identification of suspicious activities enables credit unions to respond promptly and mitigate potential damage. Stay up to date with the latest security updates and promptly implement patches to close potential vulnerabilities.

13. Engage with cybersecurity experts

Consider seeking guidance from cybersecurity experts or firms specializing in the financial sector, like Young & Associates. Our industry-specific insights can provide credit unions with tailored solutions to address the unique challenges posed by cyber and information security threats.

Credit unions can strengthen their security and protect their operations, member data, and reputation by taking proactive cybersecurity measures. To protect against cyberattacks, credit unions must stay alert and take necessary actions as threats change and become more advanced. Remember, protecting against cyber threats is not just a responsibility—it’s a necessity for the digital age.

Partnering with Young & Associates: Expert cybersecurity solutions

In the face of escalating cyber threats, credit unions are seeking expert guidance and support to bolster their security measures. At Young & Associates, we understand the dynamic challenges that credit unions face in the realm of cybersecurity. We offer IT consulting, audit, and technical testing services to help strengthen your credit union’s defenses.

Our experienced experts provide valuable knowledge to help protect your institution from cyber threats with effective strategies and solutions. Y&A offers cybersecurity solutions ranging from comprehensive security audits to technical testing that uncovers vulnerabilities. We tailor our services to suit the unique needs of credit unions in this digital age. We will help your credit union understand and navigate cybersecurity. Contact us to learn more.

Considerations for AI adoption at community financial institutions

Written by admin on October 24, 2023. Posted in Advice, Consultation, Information Technology.

By: Mike Detrow, CISSP

You have probably seen the headlines claiming that artificial intelligence (AI) models such as ChatGPT will soon replace many human jobs. Marketing campaigns are also touting its use by vendors to improve the effectiveness of their data analysis tools. If you haven’t thought about the application of AI for banking operations, you will likely be evaluating it soon. Just as with any other risk management practice, it is best to evaluate new technologies proactively. As opposed to waiting until your vendors force you or your employees begin using them without your knowledge.

The purpose of this article is to identify the risks associated with machine learning and generative AI that you should consider as you are evaluating use cases for it at your financial institution. Machine learning is the use of training data and algorithms that allow computers to imitate intelligent human behavior more realistically. Generative AI uses machine learning to allow a computer to generate new content such as text, images, video, or sounds.

The role of AI in financial institutions: A look at practical applications

First, let’s explore potential use cases for artificial intelligence in community financial institutions. Some of the applications that we have seen so far include:

Fraud prevention and detection
Automation of loan origination, underwriting, and deposit account opening
Network security management and monitoring
Risk management and business decision making
Document development, such as job descriptions, policies, and marketing materials

Risk factors for implementation in community financial institutions

Next, let’s examine some potential risks associated with the use of artificial intelligence in community banks and credit unions. One of the biggest concerns with the use of AI is the security of non-public information. Entering such data into an AI model that is not under the complete control of the financial institution or one of the institution’s vendors introduces the risk of this information being disclosed, resulting in the potential misuse of this sensitive data.

In addition to security concerns, there are other risks that should be considered. Results provided by AI-driven decision-making models could be biased based on the data that was used to train the model. Also, the information provided by AI models may be inaccurate or misleading.

Building a strong foundation for AI risk management

Now that you are aware of the risks associated with artificial intelligence, what should you do to evaluate its potential within your bank or credit union? To safeguard your financial institution in the era of rapid AI adoption, it’s imperative to set guidelines early. The first step is to establish a group within your institution that will provide oversight for AI. If you already have an IT Steering Committee, this role will likely be assigned to this committee as it should already include the appropriate employees for this task. If you do not have an IT Steering Committee, you should consider establishing a cross-functional group of employees drawn from various areas of the institution to handle AI oversight.

The first initiative for your AI oversight group should include a discovery process to identify any existing use of AI at the financial institution. It is possible that employees are already using ChatGPT to help develop marketing materials, for writing scripts or macros, or they may be using web browser plugins to improve productivity. Some of your vendors may also be using AI for various tasks associated with delivering services to your financial institution or customers, such as AML models, loan underwriting, and website virtual assistants or chatbots.

This group should develop a plan to identify any employee use of AI, whether it be through engaging in conversations with employees or potentially through employing the use of web traffic analysis. Keep in mind that your IT staff may not be the only employees that are potentially using AI within your financial institution.

Additionally, your oversight group should review vendor documentation and, if deemed necessary, reach out to vendors to determine how they may be using AI. The discovery process can determine whether current or prior employee or vendor use of AI has put any non-public data at risk. You can then take appropriate actions to address potential data misuse and prevent further inappropriate AI usage.

Once the oversight group has identified existing utilization of AI by employees and vendors and addressed any potential security concerns, the next step is to formally establish the institution’s risk appetite related to AI. This is achieved by documenting it within a policy that will be approved by the board and provided to employees for their acknowledgement. You should consider the following criteria within your policy:

Definition of AI and the associated risks
Authorization Process: Clearly defined IT Steering Committee approval requirements for new use cases.
Vendor Risk Management: Due diligence practices for new vendors and ongoing monitoring of existing vendors to understand their AI usage and the potential risks involved.
Acceptable Use: Employee guidelines for the usage of AI models such as ChatGPT and browser plugins, data security, output verification process, etc.
Ethical and Legal Requirements: Guidelines for nondiscrimination, regulatory compliance, and adherence to other institution policies.
Intellectual Property Protection: Measures to safeguard intellectual property rights and copyrighted material.
Incident Response: Procedures to detect and report any suspected security incidents.

Note: It is likely not feasible to implement an outright ban of AI at the financial institution within your policy. Especially as some of your vendors are likely already using AI or will be using it in the near future.

The use of AI expected to increase very rapidly over the next few years. It is imperative to establish guidelines for its use as early to limit the potential for its misuse.

Y&A’s solution for secure AI adoption and risk preparedness

In the rapidly evolving landscape of artificial intelligence integration within the financial sector, striking a balance between reaping the potential benefits of this technology and practicing effective risk management can be challenging. It’s crucial to adopt a risk-ready approach to scaling AI integration in order to safeguard the future of your institution. The proliferation of AI applications shows no signs of slowing. This makes it wise to proactively address risks before regulatory measures come into effect.

To streamline the process of addressing risk, we offer a customizable AI policy for your financial institution’s specific needs. Click here to learn more about this product.

For any questions, reach out to Mike Detrow, Director of Information Technology, at mdetrow@younginc.com or contact us on our website.

Penetration tests and vulnerability scans: What’s the difference?

Written by admin on March 28, 2023. Posted in Information Technology.

By: Brian Kienzle, CISSP, OSCP and Mike Detrow, CISSP

As we discuss technical testing techniques with financial institutions, we still see a lot of confusion about the difference between a vulnerability scan and a penetration test (pen test). In the past, and even nowadays, these two terms are sometimes used interchangeably. However, a true pen test is quite different from a simple vulnerability scan.

A vulnerability scan is an assessment performed by running a scanning application like Nessus or Qualys. With these applications, the assessor inputs the target IP address ranges or DNS names, clicks scan, and then waits for the results. Scans are important tools for detecting and mitigating several types of vulnerabilities; however, they are limited, since they generally rely on fingerprints of known vulnerabilities.

A pen test, on the other hand, can be thought of as a highly technical audit. A pen tester will use a wide variety of techniques and tools, often including vulnerability scanners, to discover and exploit vulnerabilities. The tools that are used will be different depending on what network services and device types are encountered.

One of the biggest differences between a scan and a pen test is that a pen test will exploit vulnerabilities. This minimizes false positives and lets you know exactly what a vulnerability’s real impact is in your unique environment.

Are vulnerability scans worthless? No, but it is important to understand their strengths and weaknesses. Scanning software cannot think; it can only discover what it has been programmed to discover. It is valuable for finding low-hanging fruit, but its inherent design limitations prevent it from detecting certain vulnerabilities, such as vulnerabilities requiring custom exploitation, fuzzing, or guided brute-force attacks. Discovery and exploitation of these vulnerabilities requires investigation by an experienced security professional.

How do you tell which one you’re getting?

It takes a hacker to know how a hacker will try to exploit the devices on your network. Unlike vulnerability scans, pen tests require a lot of time and expertise. These are not perfect indicators, but can be helpful in determining what type of service is being performed:

The proposal should give some detail about the overall penetration testing. True penetration testing by its nature is somewhat open-ended but should always involve manual investigation and exploitation of any discovered vulnerabilities.
Engagement price can be an indicator. If the cost of your penetration test is very low, that could mean the pen test is simply a vulnerability scan. It would not make business sense to sell such a skill and time-intensive engagement so cheaply.
If the findings do not include step-by-step instructions to exploit the specific vulnerability, that could be an indicator that the findings are automatically generated.
Hackers and penetration testers are often self-taught, so certifications may not be strictly necessary. However, if this is an area of consideration, more weight should be given to certifications whose exam processes are practical exploitation tests, rather than multiple-choice exams. Certifications like this include Offensive Security Certified Professional (OSCP) and Licensed Penetration Tester (LPT).

When should you get penetration tests or vulnerability scans?

Vulnerability scans and pen tests are different types of tools and therefore should be applied in different situations. Because of the lower cost and time restraints of vulnerability scans, they should be conducted more frequently. Regular vulnerability scans help to identify vulnerabilities in a timely manner, which allows IT staff to limit the time that these vulnerabilities remain exploitable on the network by remediating the vulnerabilities soon after they are discovered.

Vulnerability scans can even be performed by financial institution staff or by the financial institution’s Managed Service Provider (MSP). This is typically more cost-effective than hiring an independent party to perform frequent scans. However, it is still important to have an independent party perform an annual vulnerability scan to verify that the financial institution’s vulnerability management processes are effective.

Pen test frequency will typically vary based on a financial institution’s network infrastructure and vulnerability management practices. External pen tests may commonly be performed annually. However, a financial institution may choose to perform internal pen tests annually, biennially, or even less frequently. Management should use a risk-based approach to determine the frequency of pen tests by considering the following factors:

Significance of data stored on internal systems
Frequency of network infrastructure changes
Complexity of network infrastructure or network operating system
Any network services or applications developed in-house, such as intranet sites
Demand from examiners

If you have any questions about the differences between vulnerability scans and pen tests, or you would like to get more information about the testing services that Young & Associates has to offer, please contact Mike Detrow, Director of IT, at mdetrow@younginc.com or 330.422.3447. We look forward to helping you maximize the return on your technology investments.

The importance of documentation to support your information security program

Written by admin on December 5, 2022. Posted in Cybersecurity & Information Security, Information Technology.

By: Mike Detrow, CISSP, and Brian Kienzle, CISSP, OSCP

Written records are generally more trustworthy than human memory. Examiners and auditors typically take the following stance: if it isn’t formally documented, it didn’t happen. It is usually not possible to accurately recall all the details from an activity that we performed six months to a year ago. That is why it is important to formally document your monitoring activities to ensure that the specific details about any work performed is available for your reference and for examiners and auditors to review.

Common documentation gaps

Proper documentation has generally improved in recent years; however, there are still some areas where we commonly see documentation gaps. Some of these areas where we continue to note weaknesses in documentation during our IT Audit engagements include:

User access reviews

We commonly see a checklist or spreadsheet that identifies various systems/applications and the date(s) that the user access was reviewed. While this format can help to provide a summary of the dates when system/application user access was reviewed, it does not allow an examiner/auditor to understand what was reviewed, any exceptions that were found, nor any changes that were made because of the review. A better approach is to document the review on the actual system reports or screenshots, or to document the review process in a write-up that identifies the review process and any noted exceptions or changes made as a result of the review.

Vendor monitoring

We still see some instances where ongoing vendor reviews are not formally documented using a checklist or a formal write-up of the details associated with the review and any exceptions that were noted. In these cases, the institution may only have a spreadsheet where they indicate that various vendor documents were reviewed on a specific date. However, this does not allow an examiner/auditor to understand the details about the review, nor does it identify any exceptions that were noted. This same issue occurs with the review of the complementary user entity controls that are identified in vendor SOC reports. Institutions should ensure that they formally document their implementation of each complementary user entity control.

Firewall audits

Often we see a simple statement in minutes or in an email chain that indicates that a firewall audit was performed. However, this isn’t enough information to know if the firewall audit was comprehensive enough to know if the firewall is properly configured. At a bare minimum, a firewall audit should include a review of all firewall access rules for appropriateness and a review of security services, such as intrusion prevention, and web content filtering. Documentation of this review, showing all areas of the firewall configuration that were reviewed is an essential piece of documentation.

E911 testing

Voice over IP (VoIP) telephone systems communicate with emergency services differently than traditional phone lines. If an IP phone is moved to a different physical location, but the corresponding address information is not updated, then incorrect address information could be seen by emergency responders when that phone is used to dial 911. E911 testing ensures that proper address information is seen by emergency responders. We check that this testing is occurring during our IT audits, and documentation of this testing is the primary method we use to verify this.

While it can sometimes seem like the time spent to formally document your activities is unproductive, especially when some institutions are working with limited staffing, it is critical to maintain this documentation to allow examiners/auditors and the board to have confidence that the institution’s information systems are being managed and monitored appropriately.

Young & Associates offers a variety of IT consulting services to help your financial institution comply with regulations, protect against vulnerabilities, and provide seamless IT service to your customers For more information on this article, or to learn more about how Young & Associates can assist you with your IT needs, visit our website at www.younginc.com or contact us at mgerbick@younginc.com.

Embracing new technology ̶ “Lead, follow, or get out of the way”

Written by admin on July 27, 2022. Posted in Information Technology, Management & Planning.

By Bill Elliott, CRCM; director of compliance education, Young & Associates

I have been teaching for Young and Associates for over 20 years. Twenty years ago, when I asked about “the percentage of customers that enter your lobby in any given month,” the answers I got from attendees were usually around 80 percent. Twenty years later, the answers are almost always under 25 percent. Just recently a banker in a seminar told me that they have a branch that has almost no foot traffic.

The reason for this change is obvious ̶ why go to the bank or credit union when you can do it electronically? And the generations of customers coming up are more than willing to figure out how to do it on their smartphone. Since banking via your smartphone is readily available to anyone who has a decent cell signal, it is hard to argue with that position.

The problem for financial institutions is the constant struggle with technology and finding ways to leverage it better and faster. And the last two years of COVID have exacerbated the problem greatly, as customers were either reluctant to leave their homes, or institutions were unable to service customers except through perhaps the drive-through window. The result of all this is that some financial institutions have lost customers due to the lack of technology, while others have done very well because they had the technology available and could enable it to serve their customers.

Another question I ask in seminars is, “How many of you believe that you will get to retirement before your institution is opening accounts online?” If I have a 60-something person in the crowd, maybe I will get a hand raised. For everyone else, they can see it is either here or coming soon.

Embracing change

Management sometimes is reluctant to embrace change, which is understandable, as few enjoy it. But not changing may come at a cost that your organization is not willing to pay. To remain independent, financial institutions must step out of the comfort zone of, “We have always done it this way” and embrace the technology necessary for their survival and for their consumers’ needs. Pretending that it simply isn’t going to happen will not work ̶ it has already happened.

One of our clients is situated in an area where cows outnumber people three to one. Around 90 percent of their mortgage applications come in electronically and the bank encourages applicants to do it electronically, as that speeds the process up. A loan that closes faster means that the organization makes more money earlier, certainly a worthwhile goal.

On the deposit side, watch any football game, and major financial institutions tout the abilities that are available to the customer using their smartphone. One bank indicates that you can open a checking account online in five minutes. I’ve never tried it, but since the average customer takes more than five minutes to choose their check style, I’m not sure it is 100% accurate. But it is the wave of the future, or perhaps I should say the wave of the present.

After you decide why your organization wants to invest and leverage new technology (gain more customer insight, improve customer experience, penetrate new markets, etc.), here are some basics that you need to consider:

First, what systems are available that interface easily with your core processing system? If you cannot interface, you probably ought not be interested. The goal is to make everything flow from space to space to space with a minimum of human intervention, with high-quality information at each step to support why you are making this investment. While admittedly that means your staff must pay attention to get everything correct early in the process, once you do that, completing the transaction should be fairly simple. If your core processing system supports very little that would be useful to you in this new electronic banking world, it is possible that you may need to consider replacing it with something a little more flexible.
Second, you need to have the ability internally to manage the new processes and technologies. And you need to ensure that you have the training available to your staff so that they understand their role and responsibilities necessary to support your customer base.

More to consider

There is no question that all this costs money ̶ but not doing anything also carries costs. Some of the cost of new technology may be offset by closing branches that are not necessary as these new delivery systems grow and mature. Closing a branch has its own real dollar costs, and management must assure that the closure will not impact the organization’s Community Reinvestment Act or fair lending positions. All this needs to be considered – and maybe discussed with regulators – before closing a branch. And even if you do not close a branch, some savings is possible with a reduction in your overall staffing levels.

I personally have a checking account that I really don’t need anymore, but I have several bills paid out of that checking account directly. Since the account is free, I’ve never bothered to do anything other than adequately fund the account, because moving all those transactions to my “main” checking account seems just too cumbersome. So, the technology keeps me a customer.

Once customers begin to intertwine bill pay, budget models and other products, they may think long and hard before unpacking all these services to move the account and business somewhere else. The digital experience is just as impactful to the overall customer experience as face-to-face contacts. And an integrated digital platform may help retain customers that may not be thrilled with your organization; however, the digital experience becomes so difficult to “unpack” that they accept their pain points and continue to remain customers. This retention provides you the time to address their pain points and transform them into advocate customers speaking highly of your quality of services to others.

“Lead, follow, or get out of the way”

Years ago, I heard the phrase, “Lead, follow, or get out of the way.” That certainly is our world today. Your best possible position is to be a leader. If you choose to follow, you may do just fine. But if you try to simply get out of the way, you may find yourself in a difficult position. So, you must consider your options here, and frankly do it very quickly.

Many in the industry are talking about Banking as a Platform (BaaP), Digital Transformation, and Banking as a Service (BaaS). These are all different concepts, yet all very relevant and available. It is our hope you make the choice to “lead” or “follow” closely and have your customers or new markets choose you for banking services. Please do not “get out of the way,” as it will be more challenging for you and your organization in the long run. Given how quickly technology and related issues advance, the “long run” is now measured in shorter and shorter time frames.

For more information on this article and how Young & Associates can assist your organization to position your organization to leverage technology to better serve your customers, contact us at mgerbick@younginc.com or 330.422.3482.

Considering anti-money laundering software for your institution

Written by admin on July 27, 2022. Posted in Compliance & Regulations, Information Technology.

By: Edward Pugh, CAMS, consultant

For many financial institutions, one of the most impactful purposes of the Anti-Money Laundering Act of 2020 is the encouragement of technological innovation and the adoption of new technology by financial institutions to more effectively counter money laundering and the financing of terrorism. While a requirement to adopt technology in the AML space is not spelled out, the encouragement is being meted out in regulatory exams. Industry professionals have noted that the asset-size thresholds for scrutiny of the adoption of technology (or lack thereof) is decreasing.

AML advantages

Aside from regulatory expectations, there are many advantages in adopting AML technology solutions, which include better detection capability, more efficient workflows, better information flow, and many others. There is a plethora of providers in the marketplace offering a wide range of products and capabilities. However, the aim of this article is to lay out some considerations once the decision to adopt new technologies has been made.

Here are some things to consider:

Risk Assessment. Your institution’s BSA/AML risk assessment should drive the technology selection process. It is important to be able to demonstrate that the technology does in fact mitigate the risks that were assessed. The risk assessment can also serve as a guide in determining the sophistication of the software needed; a lot of products in the market may offer many features and options that may not be necessary.
Data. Data quality is the most important aspect of implementing AML software technology. Any implementation will require time to be devoted to data cleansing and mapping. Most vendors offer varying levels of assistance depending on your needs. Whether this part of the process is handled in-house or through a vendor, there will be costs associated with data preparation.
Future-proof. While no technology can be “future-proof,” it is important to have a platform that is robust and can handle upgrades or changes in your institution’s core software and any ancillary systems that may be feeding data into the AML software. There should also be a clear process for updates as regulations, laws, and criminal typologies change or are discovered.
Maintenance. BSA/AML evolves constantly. Financial institutions and their customers continually change. Over time, fine-tuning scenarios and thresholds is an important periodic activity. Some software allows the institution to conduct changes to the model while others require more vendor involvement. It’s an important area to consider when choosing between the numerous options.
Efficiency. Properly implemented, quality AML platforms will reduce the compliance burden in your institution. However, it is important to note that there will be “growing pains” in the beginning. One of the most common surprises is the often-dramatic increase in alerts generated. This is usually due to new scenarios being monitored, and much more transaction data being monitored. It can also be due to data quality issues that can arise during implementation. This surge in alerts is temporary. The efficiency comes as the system is fine-tuned and staff becomes more acquainted with the platform and its capabilities.

More on AML

One final thought: Think big, start small. AML platforms can be customized and upgraded. For many institutions, the choices are overwhelming. Of course, there are many other factors that must be taken into account, especially cost. Having a clear understanding of the above-mentioned considerations will help weigh the cost considerations in choosing between the many options available in the marketplace.

For more information on the selection of AML software, contact us at mgerbick@younginc.com or 330.422.3482. And if your institution has AML software in place, please read the following article, AML Validation & Review, to learn more about how we can assist your financial institution in the validation and review of your existing AML software. Our BSA team is uniquely qualified to guide you through this often complicated and technical process, and we look forward to working with you to achieve your goals.