REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Community Bank Technology Conference -
If you have nothing on your plate, plan to attend the Independent
Community Bankers of America’s Community Bank Technology Conference,
September 12-14, 2012 in Las Vegas. I will be speaking Thursday on
auditing community banks. For more information please visit
- The Federal Financial Institution Examination Council Agencies
consider cloud computing to be another form of outsourcing with the
same basic risk characteristics and risk management requirements as
traditional forms of outsourcing.
- Homeland Security warns of hackers targeting popular Niagara
software - The Department of Homeland Security on Friday warned that
a popular system used by organizations around the world to manage
millions of machines and devices over the Internet is vulnerable to
attack from hackers.
- FBI Investigating Major Chinese Firm for Selling Spy Gear to Iran
- The FBI has launched an investigation into allegations that a top
Chinese maker of phone equipment supplied Iran with U.S.-made
hardware and software, including a powerful surveillance system, in
violation of federal laws and a trade embargo, according to The
- Chemical giant foils infected USB stick espionage bid -
Malware-laden drive falls into the right hands - An attempt to
infiltrate the corporate systems of Dutch chemical giant DSM by
leaving malware-riddled USB sticks in the corporation's car park has
- Yahoo closes security hole that led to password breach - Yahoo
said Friday that it has fixed a security vulnerability that allowed
hackers to seize roughly 450,000 unencrypted email addresses and
passwords belonging to members of its content-sharing platform.
- Rap artist busted on credit card fraud charges - A California
rapper has been charged with buying 27,257 stolen credit card
numbers and making fraudulent purchases, the U.S. attorney's office
in Seattle said Thursday.
- GAO - Cybersecurity: Challenges in Securing the Electricity Grid -
The threats to systems supporting critical infrastructures are
evolving and growing.
- Data sharing, standards pose challenges to power grid - Better
coordination, actionable information, and risk awareness are needed
to protect the country's critical infrastructure, especially the
power grid, according a congressional watchdog report.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers post 450K credentials pilfered from Yahoo - Credentials
posted in plain text appear to have originated from the Web
company's Yahoo Voices platform. The hackers say they intended the
data dump as a "wake-up call."
- Formspring springs a leak: 28 MILLION passwords reset after raid -
At least OUR hashes were salted, says CEO - Formspring has told its
28 million users to change their passwords following the discovery
of a security breach.
- Billabong is latest password breach victim, 21k exposed - More
than 21,000 unencrypted usernames and passwords have been stolen
from Australian surfwear company Billabong and posted online to
- Yahoo session hijacking likely culprit of Android spam -
Researchers have turned up new evidence that the spam messages
originally suspected to have been sent by an Android botnet may
actually have been the result of a vulnerability in the Yahoo
Android mail client.
- FDA investigates how confidential files went public - The Food and
Drug Administration is investigating how a document-management
company apparently inadvertently made public 75,000 pages of
confidential files about how medical devices were approved at the
agency, the Wall Street Journal reports.
- Oil Companies Spring a Leak, Courtesy of Anonymous - Five top
multinational oil companies have been targeted by members of
Anonymous, who published about 1,000 email addresses for accounts
belonging to the firms, as well as hashed and unencrypted passwords.
- Nvidia probes breach of hashed passwords - Nvidia said the
information released about users, however, was already public in its
forum - Nvidia said it is investigating the release of encrypted
passwords from its user forums, another significant data breach
following recent compromises at Yahoo and LinkedIn.
- Personal data of 2.4 million Ontario voters at risk - Two USB
drives holding personal information of 2.4 million voters living in
electoral districts in the Waterloo region in Southern Ontario,
Canada, were reported missing for the past three months by Elections
Ontario, a non-partisan agency that oversees general elections in
- Estonian hacker sentenced for Dave and Buster's card theft - A
member of hacking ring that embarked on a daring cyber crime spree
from 2005 to 2008 has been sentenced to seven years in prison,
federal prosecutors announced Wednesday.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 9: Banks should take appropriate measures to ensure
adherence to customer privacy requirements applicable to the
jurisdictions to which the bank is providing e-banking products and
Maintaining a customer's information privacy is a key responsibility
for a bank. Misuse or unauthorized disclosure of confidential
customer data exposes a bank to both legal and reputation risk. To
meet these challenges concerning the preservation of privacy of
customer information, banks should make reasonable endeavors to
1) The bank's customer privacy policies and standards take account
of and comply with all privacy regulations and laws applicable to
the jurisdictions to which it is providing e-banking products and
2) Customers are made aware of the bank's privacy policies and
relevant privacy issues concerning use of e-banking products and
3) Customers may decline (opt out) from permitting the bank to
share with a third party for cross-marketing purposes any
information about the customer's personal needs, interests,
financial position or banking activity.
4) Customer data are not used for purposes beyond which they are
specifically allowed or for purposes beyond which customers have
5) The bank's standards for customer data use must be met when
third parties have access to customer data through outsourcing
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number of
security-related threats. Coverage varies by insurance company, but
currently available insurance products may include coverage for the
! Vandalism of financial institution Web sites,
! Denial - of - service attacks,
! Loss of income,
! Computer extortion associated with threats of attack or disclosure
! Theft of confidential information,
! Privacy violations,
! Litigation (breach of contract),
! Destruction or manipulation of data (including viruses),
! Fraudulent electronic signatures on loan agreements,
! Fraudulent instructions through e - mail,
! Third - party risk from companies responsible for security of
financial institution systems or information,
! Insiders who exceed system authorization, and
! Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third - party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
25. Does the institution permit
each of the joint consumers in a joint relationship to opt out?
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as
applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately?