REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- U.S. warns industry of heightened risk of cyberattack - The U.S.
government on Thursday warned of a heightened risk of a cyberattack
that could disrupt the control systems of U.S. companies providing
critical services such as electricity and water.
White House Orders Agencies to Follow New Open Data Standards -
Government agencies must collect and publish new information in
open, machine-readable and, whenever possible, non-proprietary
formats, according to a White House executive order and open data
policy published Thursday.
Text of Executive Order:
FBI says it doesn't need a warrant to snoop on private email, social
network messages - An FBI guidance manual says the law enforcement
agency is able to access U.S. residents' email, Facebook and Twitter
messages, and private documents, without breaching the Fourth
Judge Allows Evidence Gathered From FBI’s Spoofed Cell Tower - An
Arizona judge has denied a motion to suppress evidence collected
through a spoofed cell tower that the FBI used to track the location
of an accused identity thief.
Feds Drop Hacking Charges in Video-Poker Glitching Case - They know
when to fold ‘em. Las Vegas prosecutors targeting two men who took
advantage of a software bug to win a small fortune at video poker
have dropped all hacking charges from the case, cashing out an
18-month legal battle over the applicability of the 1986 Computer
Fraud and Abuse Act.
U.S. government becomes 'biggest buyer' of malware - Summary: Amid a
growing battle between federal government agencies and hackers,
cyberwarriors, and cyber-enemy nation states, the U.S. is ramping up
its malware stockpile to 'hack back' at those who attack it.
Online crime clearinghouse received nearly 290K complaints in 2012 -
The number of fraud complaints lodged with the Internet Crime
Complaint Center actually fell in 2012, but the amount of alleged
losses to victims rose.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Feds Charge 8 Alleged Mules in $45 Million Global Cyber Bank Heist -
Eight suspects have been charged in New York for their alleged roles
in a global cybercrime ring that authorities say involved the theft
of more than $45 million from financial institutions in two cyber
Hackers hit domain registrar, access credit card data and passwords
- A Denver-based domain name provider has suffered a breach where
customers' personal data, including encrypted passwords and credit
card information, was compromised.
Indiana University hospital laptop stolen, contains data on 10K
patients - Thieves stole a laptop containing the personal
information of several thousand patients of Indiana University (IU)
Health Arnett Hospital. This marks the second breach in more than a
year for the university's health system.
Bloomberg: Yes, reporters had access to client data - The editor in
chief of Bloomberg News has admitted that reporters were able to
access limited client information via Bloomberg terminals, an error
he calls "inexcusable."
Indian computer authorities to investigate what led to $45 million
ATM heist - The two payment processors that were attacked to pull
off a daring global ATM heist have been named, according to a
Website hack leads to credit card breach of nearly 10K at N.C.
medical practice - Hackers exploited a vulnerability in a North
Carolina medical practice's website to access a database with
thousands credit card numbers and other personal information.
- Administrative error exposes personal data of 10,200 neurology
patients - A New York State medical practice mistakenly emailed the
personal information of several thousand patients to other
individuals it was treating.
- Which presents the biggest cyber threat to U.S. companies? Out of
a small list of options, we asked our readers who they believed
presented the biggest cyber threat to U.S. companies. Here are the
results of the poll along with additional statistics.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
The institution should consider including in the contract a
provision for a dispute resolution process that attempts to resolve
problems in an expeditious manner as well as provide for
continuation of services during the dispute resolution period.
Indemnification provisions generally require the financial
institution to hold the service provider harmless from liability for
the negligence of the institution, and vice versa. These provisions
should be reviewed to reduce the likelihood of potential situations
in which the institution may be liable for claims arising as a
result of the negligence of the service provider.
Limitation of Liability
Some service provider standard contracts may contain clauses
limiting the amount of liability that can be incurred by the service
provider. If the institution is considering such a contract,
consideration should be given to whether the damage limitation bears
an adequate relationship to the amount of loss the financial
institution might reasonably experience as a result of the service
provider’s failure to perform its obligations.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
This completes our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Information Sharing.
Information sharing among reliable and reputable experts can help
institutions reduce the risk of information system intrusions. The
OCC encourages management to participate in information-sharing
mechanisms as part of an effort to detect and respond to intrusions
and vulnerabilities. Mechanisms for information sharing are being
developed by many different organizations, each with a different
mission and operation. In addition, many vendors offer information
sharing and analysis services. Three organizations that are
primarily involved with the federal government's national
information security initiatives are the Financial Services
Information Sharing and Analysis Center (FS/ISAC), the Federal
Bureau of Investigation (FBI), and Carnegie Mellon University's
The FS/ISAC was formed in response to Presidential Decision
Directive 63: Critical Infrastructure Protection (May 22, 1998),
which encourages the banking, finance, and other industries to
establish information-sharing efforts in conjunction with the
federal government. The FS/ISAC allows financial services entities
to report incidents anonymously. In turn, the FS/ISAC rapidly
distributes information about attacks to the FS/ISAC members. Banks
can contact FS/ISAC by telephone at (888) 660-0134, e-mail at firstname.lastname@example.org
or their Web site at http://www.fsisac.com.
The FBI operates the National Information Protection Center
Infraguard outreach effort. Since Infraguard supports law
enforcement efforts, Infraguard members submit two versions of an
incident report. One complete version is used by law enforcement and
contains information that identifies the reporting member. The other
version does not contain that identifying information, and is
distributed to other Infraguard members. Banks can contact the FBI
by contacting local FBI field offices or via e-mail at email@example.com.
CERT/CC is part of a federally funded research and development
center at Carnegie Mellon University that helps organizations
identify vulnerabilities and recover from intrusions. It provides
up-to-date information on specific attacks (including viruses and
denial of service) and collates and shares information with other
organizations. CERT/CC does not require membership to report
problems. Banks can contact CERT/CC by phone at (412) 268-7090 or
e-mail at firstname.lastname@example.org.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 3 of 3)
C. Opt Out Right
1) Review the financial institution's opt out notices. An opt out
notice may be combined with the institution's privacy notices.
Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of
information (the institution's policy regarding disclosure of
nonpublic personal information, the consumer's opt out right, and
the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers (customers
and those who are not customers), as applicable (§7(d)).
2) Through discussions with management, review of the institution's
policies and procedures, and a sample of electronic or written
records where available, determine if the institution has adequate
procedures in place to provide the opt out notice and comply with
opt out directions of consumers (customers and those who are not
customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. Reasonableness of the opportunity to opt out (the time allowed
to and the means by which the consumer may opt out)
(§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of a
consumer's (customers and those who are not customers) opt out
direction, including those of former customers (§7(e), (f), (g)).