The E-mail Banking News
(Bank Regulatory News)

July 2019

Yennik, Inc. has clients in 43 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) s well as the penetration test complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit
FFIEC information technology audits - As a former bank examiner with over 40 years IT audit experience, I will bring an examiner's perspective to the FFIEC information technology audit for bankers in Texas, New Mexico, Colorado, and Oklahoma.

FYI - Train maker's coder goes loco, choo-choo-chooses to flee to China with top-secret code – allegedly - Good luck ever finding this guy again after, dare we say, his life jumped the tracks - A software developer fled to China from America with vital train transportation system computer code, US prosecutors have alleged.

U.S. mayors resolve to no longer pay ransomware attackers - The United States Conference of Mayors issued a resolution at its 87th annual meeting to stand united against paying ransoms when their municipality is hit with a ransomware attack.

FEC: Campaigns Can Use Discounted Cybersecurity Services - The U.S. Federal Election Commission (FEC) said today political campaigns can accept discounted cybersecurity services from companies without running afoul of existing campaign finance laws, provided those companies already do the same for other non-political entities.

Facebook to pony up $5 billion in FTC settlement - Facebook said in the spring it expected to pay a $5 billion fine to the Federal Trade Commission (FTC) in the wake of the Cambridge Analytica scandal and it now looks like the company will do just that in after the commission approved settlement with the social media giant for violating a 2011 consent decree.

Premera Blue Cross to cough up $10 million to 30 states over data breach - Premera Blue Cross has consented to pay $10 million as compensation for a nearly year-long data breach that impacted more than 10.4 million health patients, the Washington state’s Attorney General Bob Ferguson announced yesterday.

How to operationalize threat intelligence - Security practitioners face so many trials and tribulations as they protect and defend their organizations. In order to seek the best possible protection, they need to have an understanding of the threats which pose the greatest risk and how to address them proactively.

CISOs vs. the board - For Fortune 1000 CISOs and CSOs, reporting to their boards of directors is, at best, a complicated and disquieting situation. CISOs must be specific and technical, but not too specific nor technical. They must be honest and comprehensive, but they also need to know which truths are best left unsaid.

Computer password inventor Fernando Corbató dies at 93 - Pioneering computer scientist Fernando “Corby” Corbató, regarded as the inventor of the computer password and a key contributor in the development of time-sharing computer systems, died last Friday, July 12, in Newburyport, Massachusetts at the age of 93.

Lucky break: Cracked windshield helps hacker find bug in Tesla - Hackers typically crack software, but web application security researcher Sam Curry quite literally cracked his Tesla Model 3 and discovered a vulnerability that earned him a hefty reward from the car maker’s bug bounty program.


FYI - Magecart group compromises 17,000 domains by overwriting Amazon S3 buckets - One of the “Magecart” cybercriminal groups has infected more than 17,000 web domains with JavaScript-based payment card-skimming code by developing an automated process for finding and compromising misconfigured Amazon S3 buckets, researchers have reported.

Agent Smith Android malware infiltrates 25 million devices - A new variant of mobile malware dubbed “Agent Smith” has already infected 25 million devices, 15 million of which are in India.

L.A. County Health Services Department contractor breach leaks patient data - A data breach at a Los Angeles County Department of Health Services contractor resulted in the compromise of data from 14,591 patients.

Triple cyberattacks hit New Bedford, Gila and Syracuse schools - The cyber onslaught against municipalities continued last week with New Bedford, Mass., Gila County, Ariz., and the Syracuse, N.Y., school district all being subjected to attacks.

A City Paid a Hefty Ransom to Hackers. But Its Pains Are Far From Over. - Audrey Sikes, city clerk of Lake City, Fla., has a thing for documents: She does not like losing them.

Malware attack on county computers - LP County website, government email servers out of operation - All La Porte County government emails, and the county website, remained out of commission late Tuesday following a malware virus attack that affected the system on Saturday morning.

Sprint customer data breached via Samsung website flaw - Threat actors gained unauthorized access to an undisclosed number of Sprint customer accounts via a compromised Samsung website.

2.2 million Clinical Pathology Laboratories patients exposed in AMCA breach - The list of companies impacted by the American Medical Collection Agency (AMCA) data breach has grown, with Clinical Pathology Laboratories (CPL) now reporting that the PHI of about 2.2 million customers may have been affected.

Data dump suggests that Evite data breach affected 100M accounts - A new addition to the data breach reference website “Have I Been Pwned?” seemingly reveals that more than 100 million accounts were compromised in this year’s data breach of the event-planning service Evite.

Return to the top of the newsletter

We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Board and Management Oversight
- Principle 14: Banks should develop appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.
   Effective incident response mechanisms are critical to minimize operational, legal and reputational risks arising from unexpected events such as internal and external attacks that The current and future capacity of critical e-banking delivery systems should be assessed on an ongoing basis may affect the provision of e-banking systems and services. Banks should develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services, including those originating from outsourced systems and operations.
   To ensure effective response to unforeseen incidents, banks should develop: 
   1)  Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans.
   2)  Mechanisms to identify an incident or crisis as soon as it occurs, assess its materiality, and control the reputation risk associated with any disruption in service.
   3)  A communication strategy to adequately address external market and media concerns that may arise in the event of security breaches, online attacks and/or failures of e-banking systems.
   4)  A clear process for alerting the appropriate regulatory authorities in the event of material security breaches or disruptive incidents occur.
   5)  Incident response teams with the authority to act in an emergency and sufficiently trained in analyzing incident detection/response systems and interpreting the significance of related output.
   6)  A clear chain of command, encompassing both internal as well as outsourced operations, to ensure that prompt action is taken appropriate for the significance of the incident. In addition, escalation and internal communication procedures should be developed and include notification of the Board where appropriate.
   7)  A process to ensure all relevant external parties, including bank customers, counterparties and the media, are informed in a timely and appropriate manner of material e-banking disruptions and business resumption developments.
   8)  A process for collecting and preserving forensic evidence to facilitate appropriate post-mortem reviews of any e-banking incidents as well as to assist in the prosecution of attackers.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

  The confidentiality, integrity, and availability of information can be impaired through physical access and damage or destruction to physical components. Conceptually, those physical security risks are mitigated through zone-oriented implementations. Zones are physical areas with differing physical security requirements. The security requirements of each zone are a function of the sensitivity of the data contained or accessible through the zone and the information technology components in the zone. For instance, data centers may be in the highest security zone, and branches may be in a much lower security zone. Different security zones can exist within the same structure. Routers and servers in a branch, for instance, may be protected to a greater degree than customer service terminals. Computers and telecommunications equipment within an operations center will have a higher security zone than I/O operations, with the media used in those equipment stored at yet a higher zone.
  The requirements for each zone should be determined through the risk assessment. The risk assessment should include, but is not limited to, the following threats:
  ! Aircraft crashes
  ! Chemical effects
  ! Dust
  ! Electrical supply interference
  ! Electromagnetic radiation
  ! Explosives
  ! Fire
  ! Smoke
  ! Theft/Destruction
  ! Vibration/Earthquake
  ! Water
  ! Wireless emissions
  ! Any other threats applicable based on the entity's unique geographical location, building configuration, neighboring entities, etc.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -

20.4.3 Protection Against Interruption of Operations  (1 of 2)

HGA's policies regarding continuity of operations are derived from requirements stated in OMB Circular A-130. HGA requires various organizations within it to develop contingency plans, test them annually, and establish appropriate administrative and operational procedures for supporting them. The plans must identify the facilities, equipment, supplies, procedures, and personnel needed to ensure reasonable continuity of operations under a broad range of adverse circumstances.

COG Contingency Planning

COG (Computer Operations Group) is responsible for developing and maintaining a contingency plan that sets forth the procedures and facilities to be used when physical plant failures, natural disasters, or major equipment malfunctions occur sufficient to disrupt the normal use of HGA's PCs, LAN, server, router, printers, and other associated equipment.

The plan prioritizes applications that rely on these resources, indicating those that should be suspended if available automated functions or capacities are temporarily degraded. COG personnel have identified system software and hardware components that are compatible with those used by two nearby agencies. HGA has signed an agreement with those agencies, whereby they have committed to reserving spare computational and storage capacities sufficient to support HGA's system-based operations for a few days during an emergency.

No communication devices or network interfaces may be connected to HGA's systems without written approval of the COG Manager. The COG staff is responsible for installing all known security-related software patches in a timely manner and for maintaining spare or redundant PCs, servers, storage devices, and LAN interfaces to ensure that at least 100 people can simultaneously perform word processing tasks at all times.

To protect against accidental corruption or loss of data, COG personnel back up the LAN server's disks onto magnetic tape every night and transport the tapes weekly to a sister agency for storage. HGA's policies also stipulate that all PC users are responsible for backing up weekly any significant data stored on their PC's local hard disks. For the past several years, COG has issued a yearly memorandum reminding PC users of this responsibility. COG also strongly encourages them to store significant data on the LAN server instead of on their PC's hard disk so that such data will be backed up automatically during COG's LAN server backups.

To prevent more limited computer equipment malfunctions from interrupting routine business operations; COG maintains an inventory of approximately ten fully equipped spare PC's, a spare LAN server, and several spare disk drives for the server. COG also keeps thousands of feet of LAN cable on hand. If a segment of the LAN cable that runs through the ceilings and walls of HGA's buildings fails or is accidentally severed, COG technicians will run temporary LAN cabling along the floors of hallways and offices, typically restoring service within a few hours for as long as needed until the cable failure is located and repaired.

To protect against PC virus contamination, HGA authorizes only System Administrators approved by the COG Manager to install licensed, Copyright 2015ed PC software packages that appear on the COG-approved list. PC software applications are generally installed only on the server. (These stipulations are part of an HGA assurance strategy that relies on the quality of the engineering practices of vendors to provide software that is adequately robust and trustworthy.) Only the COG Manager is authorized to add packages to the approved list. COG procedures also stipulate that every month System Administrators should run virus-detection and other security-configuration validation utilities on the server and, on a spot-check basis, on a number of PCs. If they find a virus, they must immediately notify the agency team that handles computer security incidents.

COG is also responsible for reviewing audit logs generated by the server, identifying audit records indicative of security violations, and reporting such indications to the Incident-Handling Team. The COG Manager assigns these duties to specific members of the staff and ensures that they are implemented as intended.

The COG Manager is responsible for assessing adverse circumstances and for providing recommendations to HGA's Director. Based on these and other sources of input, the Director will determine whether the circumstances are dire enough to merit activating various sets of procedures called for in the contingency plan.


July 11, 2019 - GAO - Agricultural Lending: Information on Credit and Outreach to Socially Disadvantaged Farmers and Ranchers Is Limited.

July 10, 2019 - FDIC Releases Initial Sections of its Applications Procedures Manual - The manual provides direction for professional staff assigned to review and process applications, notices, and other requests submitted to the FDIC.

July 10, 2019 - Testimony by Chair Jerome H. Powell - Semiannual Monetary Policy Report to the Congress - Before the Committee on Financial Services, U.S. House of Representatives, Washington, D.C.

July 10, 2019 - Minutes of the Federal Open Market Committee, June 18-19, 2019 - A summary of economic projections made by Federal Reserve Board members and Reserve Bank presidents for the meeting is also included as an addendum to these minutes.

July 9, 2019 - Simplifications to the Capital Rule Pursuant to the Economic Growth and Regulatory Paperwork Reduction Act of 1996 - The federal banking agencies are adopting a final rule that simplifies for non-advanced approaches banking organizations the generally applicable capital rules and makes a number of technical corrections.

July 9, 2019 - Speech by Vice Chair for Supervision Quarles on stress testing: a decade of continuity and change Vice Chair for Supervision Randal K. Quarles At "Stress Testing: A Discussion and Review," a research conference sponsored by the Federal Reserve Bank of Boston, Boston, Massachusetts.

July 9, 2019 - Welcoming remarks by Chair Powell Chair Jerome H. Powell At "Stress Testing: A Discussion and Review," a research conference at the Federal Reserve Bank of Boston, Boston, Massachusetts.

July 9, 2019 - Agencies adopt final rule to exclude community banks from the Volcker Rule - Five federal financial regulatory agencies announced on Tuesday that they adopted a final rule to exclude community banks from the Volcker Rule, consistent with the Economic Growth, Regulatory Relief, and Consumer Protection Act.
Press Release:
Press Release:
Press Release:

July 9, 2019 - Agencies simplify regulatory capital rules - The federal bank regulatory agencies today issued a final rule that reduces regulatory burden by simplifying several requirements in the agencies' regulatory capital rules.
Press Release:
Press Release:
Press Release:

July 9, 2019 - Federal Reserve System white paper examines the effects of synthetic identity payments fraud - Synthetic identity payments fraud is a fast-growing but little-understood problem that affects individuals, financial institutions, government agencies, and private industry.

July 8, 2019 - Statistical Release - Consumer Credit - G.19 - In May, consumer credit increased at a seasonally adjusted annual rate of 5 percent. Revolving credit increased at an annual rate of 8-1/4 percent, while nonrevolving credit increased at an annual rate of 4 percent.

July 8, 2019 - Credit and Liquidity Programs and the Balance Sheet - Recent balance sheet trends, weekly chart update.

July 8, 2019 - Legal Developments - Section 19 letters, October 26, 2018 (2 letters), March 19, 2019 (4 letters), April 10, 11, 12 (3 letters), 18, and 30.

July 5, 2019 - Reduced Reporting in Call Reports for Covered Depository Institutions - The federal banking agencies have adopted the attached final rule to implement Section 205 of the Economic Growth, Regulatory Relief, and Consumer Protection Act. 

July 5, 2019 - Reduced Reporting in Call Reports for Covered Depository Institutions - On June 21, 2019, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation published the attached final rule to implement Section 205 of the Economic Growth, Regulatory Relief, and Consumer Protection Act.

July 5, 2019 - FOIA - Chair Powell's calendar, May 2019.

July 5, 2019 - Report to the Congress - Monetary Policy Report - The Federal Reserve Act requires the Federal Reserve Board to submit written reports to Congress containing discussions of "the conduct of monetary policy and economic developments and prospects for the future."

July 2, 2019 - Statement from St. Louis Fed on Possible Appointment of Christopher Waller to Board of Governors:


July 3, 2019 - FDIC Issues List of Banks Examined for CRA Compliance - The list covers evaluation ratings that the FDIC assigned to institutions in April 2019.

July 3, 2019 - Final Rule Revising the Board's Delegation Rules for Certain Types of Applications, Notices, and Requests - The purpose of this letter is to inform financial institutions and other members of the public that the Board has expanded the types of applications, notices, and requests for which the Federal Reserve Banks have delegated authority to act.

July 3, 2019 - Federal Reserve Board announces it is seeking individuals to serve on its Insurance Policy Advisory Committee - The Federal Reserve Board on Wednesday announced that it is seeking individuals to serve on its Insurance Policy Advisory Committee on International Capital Standards and Other Insurance Issues.

July 2, 2019 - OCC Releases CRA Evaluations for 23 National Banks and Federal Savings Associations - The Office of the Comptroller of the Currency today released a list of Community Reinvestment Act performance evaluations that became public during the period of June 1, 2019 through June 30, 2019.

July 2, 2019 - OCC Hosts South Dakota Workshop for Board Directors and Bank Management - The Office of the Comptroller of the Currency will host a workshop in Sioux Falls, South Dakota, at the Holiday Inn Sioux Falls � City Centre, August 6-7, for directors, senior management team members, and other key executives of national community banks and federal savings associations supervised by the OCC. 

July 1, 2019 - Covered Savings Associations Implementation: Covered Savings Associations - On May 24, 2019, the Office of the Comptroller of the Currency issued a final rule to allow federal savings associations with total consolidated assets of $20 billion or less, as reported by the association to the Comptroller on its call report as of December 31, 2017, to elect to operate as covered savings associations.

July 1, 2019 - Statistical Release - Foreign Exchange Rates - G.5 - The table below shows the average rates of exchange in JUNE 2019 together with comparable figures for other months. Averages are based on daily noon buying rates for cable transfers in New York City certified for customs purposes by the Federal Reserve Bank of New York. 

July 1, 2019 - When do low-frequency measures really measure transaction costs? - Mohammad R. Jahan-Parvar and Filip Zikes - We compare popular measures of transaction costs based on daily data with their high-frequency data-based counterparts.

July 1, 2019 - The Effects of Bank Capital Buffers on Bank Lending and Firm Activity: What Can We Learn from Five Years of Stress-Test Results? - Jose M. Berrospide and Rochelle M. Edge - Abstract: We use bank-firm matched data from regulatory filings to study how the capital buffers that large U.S. banks must satisfy to "pass" the quantitative component of the Federal Reserve's CCAR stress tests impact banks' C&I lending and firms' C&I loan volumes, overall debt, investment spending, and employment.

July 1, 2019 - Speech by Vice Chair Clarida on the Federal Reserve's review of its monetary policy strategy, tools, and communication practices - Vice Chair Richard H. Clarida At "The Bank of Finland Conference on Monetary Policy and Future of EMU [Economic and Monetary Union]," Helsinki, Finland.

FYI - Don't forget to follow me on LinkedIn at where I post a weekly question on IT and cybersecurity auditing.

You can receive the regulatory press releases every week by subscribing to
The E-mail Banking News at  There is no charge for the e-newsletter.  
Contact R. Kinney Williams at if you have any questions.

PLEASE NOTE:  Some of the above links may not function properly because the regulatory agency has changed the URL.  Please e-mail us at if we can be of assistance.  

Back Button

Return to the Community Banker Home Page