Corporate bank accounts targeted in online fraud - Criminals have
tried to steal an estimated $100 million from corporate bank
accounts using targeted malware and money mules, the FBI said.
Judge spanks lawyer for leaking personal details in brief -
'Negligent, inattentive electronic filing' - A judge has chastised a
lawyer for including the social security numbers and birthdays of
179 individuals in an electronic court brief, ordering him to pay a
$5,000 sanction and provide credit monitoring.
Browser cookie handling could widen web attack space - Attacker
could gain free reign over principal production domain. A web
security researcher has revealed a major new threat to most websites
due to the contradictory way that cookies and the domain name system
Corporate Breaches Increase Chances Of Consumer ID Theft, Study Says
- When their data is leaked by a business, individuals are four
times more likely to suffer identity theft - Consumers who have
received data breach notifications within the past year are at a
much greater risk for fraud than typical consumers, according to a
Apple iPhones hit by major worm attack after a Rick Astley 'joke'
spirals out of control - Users of the Apple iPhone have been warned
of the first major worm to hit the handset.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Men allegedly broke into computers of former employer - Poor
password hygiene indictment - Federal authorities on Wednesday filed
intrusion charges against two men accused of accessing the computer
systems of their former employer.
Computer theft suit bites feds for $751K - The federal government
paid out $751,750 to avoid a class action lawsuit after personal
information was stolen from a Canada Revenue Agency office.
Bord Gáis implements new security regime after major data breach -
Encryption is to be deployed on all Bord Gáis laptops and workers
are to receive classroom training and awareness on data protection
following an investigation on the loss of laptops containing details
of 75,000 customers.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Practices for Managing Outsourced E-Banking Systems
(Part 1 of 3)
1. Banks should adopt appropriate processes for evaluating decisions
to outsource e-banking systems or services.
a) Bank management should clearly identify the strategic purposes,
benefits and costs associated with entering into outsourcing
arrangements for e-banking with third parties.
b) The decision to outsource a key e-banking function or service
should be consistent with the bank's business strategies, be based
on a clearly defined business need, and recognize the specific risks
that outsourcing entails.
c) All affected areas of the bank need to understand how the
service provider(s) will support the bank's e-banking strategy and
fit into its operating structure.
2. Banks should conduct appropriate risk analysis and due diligence
prior to selecting an e-banking service provider and at appropriate
a) Banks should consider developing processes for soliciting
proposals from several e-banking service providers and criteria for
choosing among the various proposals.
b) Once a potential service provider has been identified, the bank
should conduct an appropriate due diligence review, including a risk
analysis of the service provider's financial strength, reputation,
risk management policies and controls, and ability to fulfill its
c) Thereafter, banks should regularly monitor and, as appropriate,
conduct due diligence reviews of the ability of the service provider
to fulfill its service and associated risk management obligations
throughout the duration of the contract.
d) Banks need to ensure that adequate resources are committed to
overseeing outsourcing arrangements supporting e-banking.
e) Responsibilities for overseeing e-banking outsourcing
arrangements should be clearly assigned.
f) An appropriate exit strategy for the bank to manage risks should
it need to terminate the outsourcing relationship.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
conclude our series on the FFIEC interagency Information Security Booklet.
MONITORING AND UPDATING
Financial institutions should evaluate the information gathered to
determine the extent of any required adjustments to the various
components of their security program. The institution will need to
consider the scope, impact, and urgency of any new threat. Depending
on the new threat or vulnerability, the institution will need to
reassess the risk and make changes to its security process (e.g.,
the security strategy, the controls implementation, or the security
Institution management confronts routine security issues and events
on a regular basis. In many cases, the issues are relatively
isolated and may be addressed through an informal or targeted risk
assessment embedded within an existing security control process. For
example, the institution might assess the risk of a new operating
system vulnerability before testing and installing the patch. More
systemic events like mergers, acquisitions, new systems, or system
conversions, however, would warrant a more extensive security risk
assessment. Regardless of the scope, the potential impact and the
urgency of the risk exposure will dictate when and how controls are
the top of the newsletter
IT SECURITY QUESTION:
Determine whether, where appropriate, the system securely links the
receipt of information with the originator of the information and
other identifying information, such as date, time, address, and
other relevant factors.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
37. For annual notices only, if the institution does not
employ one of the methods described in question 36, does the
institution employ one of the following reasonable means of
delivering the notice such as:
a. for the customer who uses the institution's web site to access
products and services electronically and who agrees to receive
notices at the web site, continuously posting the current privacy
notice on the web site in a clear and conspicuous manner; [§9(c)(1)]
b. for the customer who has requested the institution refrain from
sending any information about the customer relationship, making
copies of the current privacy notice available upon customer