Originally proposed back in January 2013, and following a comment period in which they received and evaluated 81 official comments, the FFIEC has at last released their final guidance for financial institutions engaging in social media activities. I expect all the regulatory agencies to adopt it soon (the FDIC has already, and pretty much verbatim). […]
FFIEC Issues Proposed Social Media Guidance
(UPDATED – Added link to public comments) Just out, this document is really a request for comments on the proposed guidance, but final guidance is likely to follow this very closely…and very quickly. As many financial institutions are probably getting their social media policies together now (or updating existing policies), this is a must read. […]
Technology Service Providers and the new SOC reports
What do all of the 2012 changes to the IT Examination Handbooks have in common? They are all, directly or indirectly, related to vendor management. I had previously identified vendor management as a leading candidate for increased regulatory scrutiny in 2012, and boy was it. (Not all of my 2012 predictions fared as well, I’ll […]
Managing Social Media Risk – LinkedIn Edition
By now everyone has heard about the breach at LinkedIn, where 6.5 million email password hashes were leaked (over half of which have been cracked, or converted into plain text). Those who read this blog regularly know how I feel about social media in general: “So managing social media risk boils down to this: You […]
5 Keys to Understanding a SOC 2 Report
Although I have written about these relatively new reports frequently, and for some time now, it still remains a topic of great interest to financial institutions. Fully 20% of all searches on this site over the past 6 months include the terms “SOC”, “SOC 2”, or “SAS 70”. Some of this increased interest comes […]
SOC 2 vs. SAS 70 – 5 reasons to embrace the change
The SOC 2 and SOC 3 audit guides have recently been released by the AICPA, and the SAS 70 phase-out becomes effective tomorrow. The more I learn about these new reports the more I like them. First of all, as a service provider to financial institutions we will have to prepare for this engagement (just […]
SOC Report Selection & Evaluation Aids
With the SAS 70 phasing out on 6/15, financial institutions have a dual challenge: determining the best report to request, and evaluating the report they are provided. To assist with this challenge, I’ve created two documents. The first, or Step 1, is a SOC Selection Flowchart, which is available here. This will assist in determining […]
Risk Managing Social Media – 4 Challenges
Twitter, LinkedIn, Facebook, Google+…the decision to establish an on-line presence is a very popular topic these days, and it is extremely easy to do, but effectively managing social media risk can be frustratingly complicated. In many ways, it just doesn’t lend itself to traditional risk management techniques, so the standard pre-entry justification process is much […]
UPDATE – New Proposed Cyber Incident Notification Rules Finalized
Last updated March 30, 2022. Currently, financial institutions are required to report a cyber event to their primary federal regulator under very specific circumstances. This requirement dates back to GLBA, Appendix B to Part 364, and states that FI incident response plans (IRPs) should contain procedures for: “Notifying its primary Federal regulator as soon as […]
Hot Topic: Ransomware on the Radar (Updated)
Both the State banking regulators and the Treasury Department have issued recent advisories to financial institutions regarding the ransomware threat. Ransomware is defined as a form of malicious software (“malware”) designed to block access to a computer system or data, often by encrypting data or programs, in order to extort ransom payments from victims in […]
FFIEC Issues Statement on Pandemic Planning
Background: Similar to the Joint Statement on Destructive Malware issued in January in response to heightened geopolitical cyber risks from foreign actors, the FFIEC just released an Interagency Statement on Pandemic Planning in response to the current COVID-19 epidemic. Similar to the Destructive Malware statement, this statement does not impose any additional regulatory expectations on […]