REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.
FYI
- Report to the Congress - Report to the Congress on the Use of
the ACH System and Other Payment Mechanisms for Remittance Transfers
to Foreign Countries.
www.federalreserve.gov/publications/other-reports/files/ACH_report_201304.pdf
FYI
- CISPA 'dead' in Senate, privacy concerns cited - The chairman of a
key Senate committee cited "insufficient" privacy protections in the
cybersecurity bill, recently passed by the House. A new report says
the Senate is drafting separate bills.
http://www.zdnet.com/cispa-dead-in-senate-privacy-concerns-cited-7000014536/
FYI
- DoJ Secretly Granted Immunity to Companies that Participated in
Monitoring Program - The Justice Department agreed to grant internet
service providers that participated in a new cybersecurity
monitoring program legal authorization to monitor and intercept
communications traffic, according to documents obtained by the
Electronic Privacy Information Center.
http://www.wired.com/threatlevel/2013/04/immunity-to-internet-providers/
http://www.scmagazine.com/controversial-government-program-gives-isps-immunity-from-wiretapping-laws/article/290797/?DCMP=EMC-SCUS_Newswire
FYI
- Judge rejects FBI's bid to hack computer of suspect in attempted
cyberheist - Warrant request too broad, fails to meet 4th amendment
standards - A federal court in Houston has rejected an FBI request
for a warrant to hack into the computer of a suspect in an attempted
cyberheist.
http://www.computerworld.com/s/article/9238699/Judge_rejects_FBI_s_bid_to_hack_computer_of_suspect_in_attempted_cyberheist?taxonomyId=17
FYI
- Here’s a Good Reason to Encrypt Your Data - There are many reasons
to password-protect - or encrypt - one’s digital data. Foremost
among them is to protect it during a security breach.
http://www.wired.com/threatlevel/2013/04/encrypt-your-data/
Text of Ruling:
http://ia601700.us.archive.org/6/items/gov.uscourts.wied.63043/gov.uscourts.wied.63043.3.0.pdf
FYI
- DDoS attacks increase across industries - While distributed
denial-of-service (DDoS) attacks aimed at major banks have recently
garnered the majority of headlines around the nation, finance isn't
the only industry grappling with the challenges of the prevalent
threat, according to a new study.
http://www.scmagazine.com/study-ddos-attacks-increase-across-industries/article/290112/?DCMP=EMC-SCUS_Newswire
FYI
- Panel seeks to fine tech companies for noncompliance with wiretap
orders - A government task force is preparing legislation that would
pressure companies such as Facebook and Google to enable law
enforcement officials to intercept online communications as they
occur, according to current and former U.S. officials familiar with
the effort.
http://www.washingtonpost.com/world/national-security/proposal-seeks-to-fine-tech-companies-for-noncompliance-with-wiretap-orders/2013/04/28/29e7d9d8-a83c-11e2-b029-8fb7e977ef71_story.html
FYI
- U.S. response to bank cyberattacks reflects diplomatic caution,
vexes bank industry - The United States, concerned that Iran is
behind a string of cyberattacks against U.S. banking sites, has
considered delivering a formal warning through diplomatic channels
but has not pursued the idea out of fears that doing so could
escalate hostilities, according to American officials.
http://www.washingtonpost.com/world/national-security/us-response-to-bank-cyberattacks-reflects-diplomatic-caution-vexes-bank-industry/2013/04/27/4a71efe2-aea2-11e2-98ef-d1072ed3cc27_story.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- AP Twitter hack looks like a security tipping point - Getting
hacked on Twitter is fast becoming a rite of passage for big
corporations, but Tuesday's attack on the Associated Press could be
a tipping point and shows that social networks must do more to keep
their users safe, security experts said.
http://www.computerworld.com/s/article/9238637/AP_Twitter_hack_looks_like_a_security_tipping_point?taxonomyId=17
http://www.theregister.co.uk/2013/04/23/hacked_ap_tweet_dow_decline/
FYI
- LivingSocial updates encryption practices after password breach
affects 50m - After a massive breach impacted more than 50 million
of its customers, the daily-deal website LivingSocial has updated
its password-hashing method to bolster security.
http://www.scmagazine.com/livingsocial-updates-encryption-practices-after-password-breach-affects-50m/article/291042/?DCMP=EMC-SCUS_Newswire
FYI
- Syrian Hacktivists Hit Guardian Twitter Feeds - The Syrian
Electronic Army (SEA) announced Sunday that it took over 11 Twitter
feeds belonging to Britain's Guardian newspaper, including its book,
film, photography and travel feeds, as well as multiple journalists'
accounts.
http://www.informationweek.com/security/attacks/syrian-hacktivists-hit-guardian-twitter/240153800
http://www.bbc.co.uk/news/technology-22351987
FYI
- LivingSocial hacked; 50 million affected - Hackers target
LivingSocial, stealing the personal data of more than 50 million
people in an enormous security breach. Daily deals Web site
LivingSocial is the latest database target for hackers, who have
compromised the personal information of more than 50 million people.
http://news.cnet.com/8301-1009_3-57581718-83/livingsocial-hacked-50-million-affected/
FYI
- Army database housing sensitive data on major US dams breached -
The U.S. Army Corps of Engineers (USACE) has confirmed that a
national database, which contains sensitive information on
potentially hazardous U.S. dams, was accessed by an “unauthorized
individual.”
http://www.scmagazine.com/report-army-database-housing-sensitive-data-on-major-us-dams-breached/article/291574/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service provider’s responsibility
for backup and record protection, including equipment, program and
data files, and maintenance of disaster recovery and contingency
plans. Responsibilities should include testing of the plans and
providing results to the institution. The institution should
consider interdependencies among service providers when determining
business resumption testing requirements. The service provider
should provide the institution with operating procedures the service
provider and institution are to implement in the event business
resumption contingency plans are implemented. Contracts should
include specific provisions for business recovery timeframes that
meet the institution’s business requirements. The institution should
ensure that the contract does not contain any provisions that would
excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third parties in providing
services to the financial institution. To provide accountability, it
may be beneficial for the financial institution to seek an agreement
with and designate a primary contracting service provider. The
institution may want to consider including a provision specifying
that the contracting service provider is responsible for the service
provided to the institution regardless of which entity is actually
conducting the operations. The institution may also want to consider
including notification and approval requirements regarding changes
to the service provider’s significant subcontractors.
Cost
The contract should fully describe fees and calculations for base
services, including any development, conversion, and recurring
services, as well as any charges based upon volume of activity and
for special requests. Cost and responsibility for purchase and
maintenance of hardware and software may also need to be addressed.
Any conditions under which the cost structure may be changed should
be addressed in detail including limits on any cost increases.
INFORMATION TECHNOLOGY SECURITY -
We continue our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Suspicious Activity Reporting.
National banks are required to report intrusions and other computer
crimes to the OCC and law enforcement by filing a Suspicious
Activity Report (SAR) form and submitting it to the Financial Crimes
Enforcement Network (FinCEN), in accordance with 12 CFR 21.11. This
reporting obligation exists regardless of whether the institution
has reported the intrusion to the information-sharing organizations
discussed below. For purposes of the regulation and the SAR form
instructions, an "intrusion" is defined as gaining access to the
computer system of a financial institution to remove, steal, procure
or otherwise affect information or funds of the institution or
customers. It also includes actions that damage, disable, or
otherwise affect critical systems of the institution. For example,
distributed denial of service (DDoS) attacks should be
reported on a SAR because they may temporarily disable critical
systems of financial institutions.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
regulation.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party both inside and outside of the
exceptions. The sample should include a cross-section of
relationships but should emphasize those that are higher risk in
nature as determined by the initial procedures. Perform the
following comparisons to evaluate the financial institution's
compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the data
were shared to those stated in the privacy notice and verify that
what the institution tells consumers (customers and those who are
not customers) in its notices about its policies and practices in
this regard and what the institution actually does are consistent
(§§10, 6).
b. Compare the data shared to a sample of opt out directions and
verify that only nonpublic personal information covered under the
exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather" provisions of
Section 18 apply to certain of these contracts (§13(a)).