April 14, 2002
FYI - Summary of “Lessons Learned” and Implications for Business Continuity, February 13, 2002 - Discussion note prepared by staffs of the Federal Reserve, the New York State Banking Department, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission, for discussion at a meeting on February 26, 2002 at the Federal Reserve Bank of New York.
www.occ.treas.gov/netbank/discussionnote.pdf
FYI - Two months after the Sept. 11 terrorist attacks, the lack of corporate disaster recovery and business continuity planning was still widespread, according to a newly released survey.
http://www.computerworld.com/storyba/0,4125,NAV47_STO69705,00.html
FYI - Most large corporations and government agencies have been attacked by computer hackers, but they frequently do not inform authorities of the breaches, an FBI survey finds.
http://www.usatoday.com/life/cyber/tech/2002/04/08/fbi-survey.htm
INTERNET COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)

Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers would supplement electronic disclosures with paper disclosures.
INTERNET SECURITY - We begin a new series from the FDIC “Security Risks Associated with the Internet.” While this Financial Institution Letter was published in December 1997, the issues are still relevant.

This FDIC paper alerts financial institutions to the fundamental technological risks presented by use of the Internet. Regardless of whether systems are maintained in-house or services are outsourced, bank management is responsible for protecting systems and data from compromise.
Security Risks

The Internet is inherently insecure. By design, it is an open network that facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise. Five areas of concern relating to both transactional and system security issues, as discussed below, are: Data Privacy and Confidentiality, Data Integrity, Authentication, Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality

Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs such as “sniffer” programs can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected by such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords.

Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken.
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

8) Do the initial, annual, and revised privacy notices include each of the following, as applicable: (Part 2 of 2)

e) if the institution discloses nonpublic personal information to a nonaffiliated third party under §13, and no exception under §14 or §15 applies, a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution has contracted; [§6(a)(5)]

f) an explanation of the opt out right, including the method(s) of opt out that the consumer can use at the time of the notice; [§6(a)(6)]

g) any disclosures that the institution makes under §603(d)(2)(A)(iii) of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]

h) the institution's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; [§6(a)(8)] and

i) a general statement--with no specific reference to the exceptions or to the third parties--that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(a)(9), (b)]