FYI - U.S. warns industry of heightened risk of cyberattack - The U.S. government on Thursday warned of a heightened risk of a cyberattack that could disrupt the control systems of U.S. companies providing critical services such as electricity and water.
http://www.washingtonpost.com/world/national-security/us-warns-industry-of-heightened-risk-of-cyberattack/2013/05/09/39a04852-b8df-11e2-aa9e-a02b765ff0ea_story.html
FYI - White House Orders Agencies to Follow New Open Data Standards - Government agencies must collect and publish new information in open, machine-readable and, whenever possible, non-proprietary formats, according to a White House executive order and open data policy published Thursday.
http://www.nextgov.com/big-data/2013/05/white-house-orders-agencies-follow-new-open-data-standards/63068/?oref=ng-HPtopstory
Text of Executive Order: http://cdn.govexec.com/media/gbc/docs/pdfs_edit/050913jm1.pdf
FYI - FBI says it doesn't need a warrant to snoop on private email, social network messages - An FBI guidance manual says the law enforcement agency is able to access U.S. residents' email, Facebook and Twitter messages, and private documents, without breaching the Fourth Amendment.
http://www.zdnet.com/fbi-says-it-doesnt-need-a-warrant-to-snoop-on-private-email-social-network-messages-7000015075/
FYI - Judge Allows Evidence Gathered From FBI's Spoofed Cell Tower - An Arizona judge has denied a motion to suppress evidence collected through a spoofed cell tower that the FBI used to track the location of an accused identity thief.
http://www.wired.com/threatlevel/2013/05/rigmaiden-cell-tower-evidence/
FYI - Feds Drop Hacking Charges in Video-Poker Glitching Case - They know when to fold 'em. Las Vegas prosecutors targeting two men who took advantage of a software bug to win a small fortune at video poker have dropped all hacking charges from the case, cashing out an 18-month legal battle over the applicability of the 1986 Computer Fraud and Abuse Act.
http://www.wired.com/threatlevel/2013/05/video-poker-hacking-dismissed/
FYI - U.S. government becomes 'biggest buyer' of malware - Summary: Amid a growing battle between federal government agencies and hackers, cyberwarriors, and cyber-enemy nation states, the U.S. is ramping up its malware stockpile to 'hack back' at those who attack it.
http://www.zdnet.com/u-s-government-becomes-biggest-buyer-of-malware-7000015242/
FYI - Online crime clearinghouse received nearly 290K complaints in 2012 - The number of fraud complaints lodged with the Internet Crime Complaint Center actually fell in 2012, but the amount of alleged losses to victims rose.
http://www.scmagazine.com/online-crime-clearinghouse-received-nearly-290k-complaints-in-2012/article/293361/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Feds Charge 8 Alleged Mules in $45 Million Global Cyber Bank Heist - Eight suspects have been charged in New York for their alleged roles in a global cybercrime ring that authorities say involved the theft of more than $45 million from financial institutions in two cyber heists.
http://www.wired.com/threatlevel/2013/05/eight-charged-in-bank-heist/
FYI - Hackers hit domain registrar, access credit card data and passwords - A Denver-based domain name provider has suffered a breach where customers' personal data, including encrypted passwords and credit card information, was compromised.
http://www.scmagazine.com/hackers-hit-domain-registrar-access-credit-card-data-and-passwords/article/292696/
FYI - Indiana University hospital laptop stolen, contains data on 10K patients - Thieves stole a laptop containing the personal information of several thousand patients of Indiana University (IU) Health Arnett Hospital. This marks the second breach in more than a year for the university's health system.
http://www.scmagazine.com/indiana-university-hospital-laptop-stolen-contains-data-on-10k-patients/article/293088/?DCMP=EMC-SCUS_Newswire
FYI - Bloomberg: Yes, reporters had access to client data - The editor in chief of Bloomberg News has admitted that reporters were able to access limited client information via Bloomberg terminals, an error he calls "inexcusable."
http://news.cnet.com/8301-1009_3-57584159-83/bloomberg-yes-reporters-had-access-to-client-data/
FYI - Indian computer authorities to investigate what led to $45 million ATM heist - The two payment processors that were attacked to pull off a daring global ATM heist have been named, according to a report.
http://www.scmagazine.com/indian-computer-authorities-to-investigate-what-led-to-45-million-atm-heist/article/293360/?DCMP=EMC-SCUS_Newswire
FYI - Website hack leads to credit card breach of nearly 10K at N.C. medical practice - Hackers exploited a vulnerability in a North Carolina medical practice's website to access a database with thousands of credit card numbers and other personal information.
http://www.scmagazine.com/website-hack-leads-to-credit-card-breach-of-nearly-10k-at-nc-medical-practice/article/293319/?DCMP=EMC-SCUS_Newswire
FYI - Administrative error exposes personal data of 10,200 neurology patients - A New York State medical practice mistakenly emailed the personal information of several thousand patients to other individuals it was treating.
http://www.scmagazine.com/administrative-error-exposes-personal-data-of-10200-neurology-patients/article/293538/?DCMP=EMC-SCUS_Newswire
FYI - Which presents the biggest cyber threat to U.S. companies? Out of a small list of options, we asked our readers who they believed presented the biggest cyber threat to U.S. companies. Here are the results of the poll along with additional statistics.
http://www.scmagazine.com/which-presents-the-biggest-cyber-threat-to-us-companies/slideshow/1328/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Dispute Resolution
The institution should consider including in the contract a
provision for a dispute resolution process that attempts to resolve
problems in an expeditious manner as well as provide for
continuation of services during the dispute resolution period.
Indemnification
Indemnification provisions generally require the financial
institution to hold the service provider harmless from liability for
the negligence of the institution, and vice versa. These provisions
should be reviewed to reduce the likelihood of potential situations
in which the institution may be liable for claims arising as a
result of the negligence of the service provider.
Limitation of Liability
Some service provider standard contracts may contain clauses
limiting the amount of liability that can be incurred by the service
provider. If the institution is considering such a contract,
consideration should be given to whether the damage limitation bears
an adequate relationship to the amount of loss the financial
institution might reasonably experience as a result of the service
provider’s failure to perform its obligations.
INFORMATION TECHNOLOGY SECURITY - This completes our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Information Sharing.
Information sharing among reliable and reputable experts can help
institutions reduce the risk of information system intrusions. The
OCC encourages management to participate in information-sharing
mechanisms as part of an effort to detect and respond to intrusions
and vulnerabilities. Mechanisms for information sharing are being
developed by many different organizations, each with a different
mission and operation. In addition, many vendors offer information
sharing and analysis services. Three organizations that are
primarily involved with the federal government's national
information security initiatives are the Financial Services
Information Sharing and Analysis Center (FS/ISAC), the Federal
Bureau of Investigation (FBI), and Carnegie Mellon University's
CERT/CC.
The FS/ISAC was formed in response to Presidential Decision
Directive 63: Critical Infrastructure Protection (May 22, 1998),
which encourages the banking, finance, and other industries to
establish information-sharing efforts in conjunction with the
federal government. The FS/ISAC allows financial services entities
to report incidents anonymously. In turn, the FS/ISAC rapidly
distributes information about attacks to the FS/ISAC members. Banks
can contact FS/ISAC by telephone at (888) 660-0134, e-mail at admin@fsisac.com
or their Web site at http://www.fsisac.com.
The FBI operates the National Infrastructure Protection Center
Infraguard outreach effort. Since Infraguard supports law
enforcement efforts, Infraguard members submit two versions of an
incident report. One complete version is used by law enforcement and
contains information that identifies the reporting member. The other
version does not contain that identifying information, and is
distributed to other Infraguard members. Banks can contact the FBI
by contacting local FBI field offices or via e-mail at nipc@fbi.gov.
CERT/CC is part of a federally funded research and development
center at Carnegie Mellon University that helps organizations
identify vulnerabilities and recover from intrusions. It provides
up-to-date information on specific attacks (including viruses and
denial of service) and collates and shares information with other
organizations. CERT/CC does not require membership to report
problems. Banks can contact CERT/CC by phone at (412) 268-7090 or
e-mail at cert@cert.org.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt out
notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers (customers
and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
records where available, determine if the institution has adequate
procedures in place to provide the opt out notice and comply with
opt out directions of consumers (customers and those who are not
customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9);
c. Reasonableness of the opportunity to opt out (the time allowed
to and the means by which the consumer may opt out)
(§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of a
consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).