May 7, 2000
FYI - The Federal Reserve Board announced its approval of the notice of The Charles Schwab Corporation, San Francisco, California, to become a bank holding company by acquiring U.S. Trust Corporation, New York, New York, and its bank and nonbank subsidiaries, including United States Trust Company of New York, New York, New York.
FYI - Electronic Commerce, Banking, and Payments - Remarks by Vice Chairman Roger W. Ferguson, Jr. At the 36th Annual Conference on Bank Structure and Competition, Chicago, Illinois
INTERNET SECURITY - After implementing a defense strategy and monitoring for new attacks, hacker activities, and unauthorized insider access, management should develop a response strategy. The sophistication of an incident response plan will vary depending on the risks inherent in each system deployed and the resources available to an institution. In developing a response strategy or plan, management should consider the following:
1) The plan should provide a platform from which an institution can prepare for, address, and respond to intrusions or unauthorized activity. The beginning point is to assess the systems at risk, as identified in the overall risk assessment, and consider the potential types of security incidents.
2) The plan should identify what constitutes a break-in or system misuse, and incidents should be prioritized by the seriousness of the attack or system misuse.
3) Individuals should be appointed and empowered with the latitude and authority to respond to an incident. The plan should include what the appropriate responses may be for potential intrusions or system misuses.
4) A recovery plan should be established, and in some cases, an incident response team should be identified.
5) The plan should include procedures to officially report the incidents to senior management, the board of directors, legal counsel, and law enforcement agents as appropriate.
Today's products can not only detect intrusions in real time but also respond to them automatically. Depending on the software, information systems personnel can be notified during an attack rather than discovering it afterward during a manual log review. Methods of notification can include e-mail, pager, fax, audio alarm, or message displays on a computer monitor. Responses can include shutting down the system, logging additional information, and disabling a user's account (e.g., by disallowing a particular user account or Internet address). Access can be disabled for a period sufficient for information systems personnel to review the attack information or verify the user. An institution can also add warning banners to protected systems, notifying users that they are accessing a protected computer system.
When determining an appropriate response, a distinction should be made between incidents in which actual changes to a system are suspected (e.g., changing audit logs) versus incidents in which system misuse is suspected (e.g., unauthorized system access). Attempts to actually change the system or data may warrant notifying a security officer, who could reconfigure the identified weaknesses and/or communication paths. An appropriate response to system misuse may include automatic log-off, warning messages, or notifying the appropriate personnel.
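The two paragraphs above describe an automated response that distinguishes suspected changes to a system (escalate to a security officer) from suspected misuse (warn, log, and disable access long enough for staff review). The following is an added illustration, not code from the newsletter or from any product it mentions; the event names, the failure threshold, the one-hour review window, and the sample events are all assumptions constructed for this example.

```python
"""Toy responder applying the newsletter's response distinctions to a constructed event list."""
from collections import Counter
from datetime import datetime, timedelta

# Assumed event types for each of the two incident categories in the text.
SYSTEM_CHANGE = {"audit_log_modified", "config_changed"}   # attempted change to system or data
MISUSE = {"auth_failure", "unauthorized_access"}           # suspected system misuse

FAIL_THRESHOLD = 3                  # assumed: misuse events per source before access is disabled
REVIEW_WINDOW = timedelta(hours=1)  # assumed: time staff get to review the attack or verify the user


def classify(event_type):
    """Map an event type to (category, seriousness); higher number = more serious (plan item 2)."""
    if event_type in SYSTEM_CHANGE:
        return "system_change", 2
    if event_type in MISUSE:
        return "misuse", 1
    return "other", 0


def respond(events):
    """events: list of (iso_timestamp, event_type, source). Returns the ordered list of actions."""
    actions, failures, blocked_until = [], Counter(), {}
    for ts, etype, src in sorted(events):          # ISO-8601 strings sort chronologically
        now = datetime.fromisoformat(ts)
        if src in blocked_until and now < blocked_until[src]:
            actions.append(("drop_while_blocked", src, ts))   # access still disabled for review
            continue
        category, _ = classify(etype)
        if category == "system_change":
            actions.append(("notify_security_officer", src, etype))   # officer reconfigures weaknesses
        elif category == "misuse":
            failures[src] += 1
            if failures[src] >= FAIL_THRESHOLD:
                blocked_until[src] = now + REVIEW_WINDOW
                failures[src] = 0
                actions.append(("disable_access", src, blocked_until[src].isoformat()))
            else:
                actions.append(("warn_and_log", src, etype))   # warning message plus extra logging
    return actions


SAMPLE_EVENTS = [  # constructed for this example; not real log data
    ("2000-05-07T09:00:00", "auth_failure", "10.0.0.5"),
    ("2000-05-07T09:00:10", "auth_failure", "10.0.0.5"),
    ("2000-05-07T09:00:20", "auth_failure", "10.0.0.5"),
    ("2000-05-07T09:05:00", "auth_failure", "10.0.0.5"),        # arrives inside the review window
    ("2000-05-07T09:30:00", "audit_log_modified", "10.0.0.9"),  # suspected change to audit logs
]

if __name__ == "__main__":
    for action in respond(SAMPLE_EVENTS):
        print(action)
```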
Not only are attacks often undetected, in many cases identified attacks are not reported. Institutions should develop a plan to respond to unauthorized activities and involve law enforcement when appropriate. Institutions should report suspected computer crimes and computer intrusions on Suspicious Activity Reports (SARs) in accordance with the guidelines outlined in Financial Institution Letter 124-97, "Suspicious Activity Reporting," dated December 5, 1997.
INTERNET COMPLIANCE - Federal savings associations may engage in prudent innovation through the use of emerging technology. The rule permits Federal savings associations to use, or participate with others to use, electronic means or facilities to perform any function, or provide any product or service, as part of an authorized activity. The rule also requires each savings association (state- or federally chartered) to notify OTS 30 days before it establishes a transactional web site. Savings associations that present supervisory or compliance concerns may be subject to additional procedural requirements. Finally, the rule includes a conforming change to OTS's service corporation regulation, reflecting a recent statutory change.
INTERNET COMPLIANCE: Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, institutions must adhere to all of the advertising disclosure requirements.
Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to the regulations if the institution's deposit rates appear on third-party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.
Pursuant to the regulations, disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and, if necessary, changed to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers should supplement the electronic disclosures with paper disclosures.
FYI - If you intend to make disclosures available from your web site, you should be sure the disclosures will print on common printer types, such as an inkjet. We have found that a page laid out for a laser printer has different margins and will sometimes be cut off when printed on an inkjet printer. Knowing that both inkjets and lasers are in use, we would recommend that the required disclosures be available regardless of the type of printer being used, which can usually be accomplished using a single-sheet HTML page without borders or frames.
IN CLOSING - For those of you who did not get the "Love Letter Worm," you were fortunate. To all others, we hope you had a response policy that worked effectively to restore your computer operations. We suggest that if you were infected with the "Love Letter Worm" you notify your local FBI office as well as your regulatory agency.