Written by Bernadette Clair, Senior Regulatory Compliance Counsel
Federal Financial Institutions Examination Council (FFIEC) members recently issued a statement advising financial institutions of a material security vulnerability in the Bourne-again shell (Bash) system software, referred to as “Shellshock.” The statement outlines the agencies’ risk management expectations. From the statement:
“While vendors are working to patch and update their systems, the FFIEC member agencies expect financial institutions to conduct a risk assessment and address the Shellshock vulnerability as part of ongoing information security and incident response plans. Financial institutions should take the following steps, as appropriate:
- Identify all servers, systems, and appliances that use vulnerable versions of Bash and follow appropriate patch management practices, including conducting a vulnerability scan to detect if the patch is installed and testing to ensure a secure and compatible configuration.
- Apply mechanisms to filter malicious traffic to vulnerable services such as appropriate Web application firewall signatures.
- Monitor systems for malicious or anomalous activity and update signatures for intrusion detection and prevention systems.
- Ensure that all third-party service providers are taking appropriate action to identify and mitigate risk and monitor the status of vendors’ efforts to address the vulnerability.
- Review systems to determine if this vulnerability has been exploited and, if necessary, conduct a forensic examination to determine the potential effects of any breach.” (Footnote omitted)
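The first step in the statement, verifying on each inventoried host whether the installed Bash still imports commands appended to an environment-variable function definition, is the kind of check a patch-verification script would run. The following is an added example and is not part of the FFIEC statement or of any vendor's tooling; it assumes a `bash` binary is reachable in `PATH`, and the function names `shellshock_check` and `shellshock_report` are this example's own. It exercises only the original function-import behaviour that the Shellshock advisories described; a package-version check against the vendor's patched release should still be used to confirm the later follow-up fixes are present.

```shell
#!/bin/sh
# Added example (not the FFIEC statement's text or any vendor's tool).
# Classifies the local Bash as "patched", "vulnerable" or "no-bash" by
# importing a function definition with a trailing command from the
# environment and observing whether that trailing command runs.

shellshock_check() {
    bash_bin=$(command -v bash 2>/dev/null) || { echo no-bash; return 0; }
    # A patched bash stops parsing at the end of the function body; a
    # vulnerable bash also executes the text that follows it. The marker
    # is a constructed string that only appears if that execution happens.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'true' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# One CSV line per host for the inventory called for in the statement:
# hostname,bash_version,status  (bash_version is "n/a" when bash is absent)
shellshock_report() {
    host=$(hostname 2>/dev/null || echo unknown)
    status=$(shellshock_check)
    if [ "$status" = "no-bash" ]; then
        version="n/a"
    else
        version=$(bash -c 'printf "%s" "$BASH_VERSION"' 2>/dev/null)
    fi
    printf '%s,%s,%s\n' "$host" "$version" "$status"
}

# Run directly from a configuration-management job or ssh loop and append
# the output to the patch-verification inventory.
shellshock_report
```

The report deliberately records the Bash version next to the behavioural result: a host can report "patched" because the binary was updated yet still carry a stale version string from a distribution backport, and the version column lets the inventory reconcile that against the vendor's patch advisory.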
The statement also includes references for monitoring threats and vulnerabilities and is available in its entirety here.
Cyber Security Awareness. October is also cyber security awareness month. NCUA recently took this opportunity to remind credit unions about its Cyber Security Resources page and that cyber security remains a priority.
Consumer Compliance Outlook. The Third Quarter 2014 issue of the Federal Reserve’s Consumer Compliance Outlook is now available. One of the articles features responses to questions received during an April 10, 2014, webinar held by the Federal Reserve System. Although the article, Consumer Compliance Management Program – Common Concerns and Best Practices Webinar Questions and Answers, is directed at Board-supervised institutions, it is a useful read and touches on several topics of interest – the development of compliance management programs, compliance risk assessments, vendor management and regulatory change management. Here’s an excerpt from just one of the Q&As:
“Are there examples of a change management process that you can share with us?
Given the changing regulatory landscape with additional responsibilities of banks under new or revised regulations and pressures to follow competitors as new products are introduced in the marketplace, establishing a change management process can be an effective tool not only to manage changes but also to track any steps the institution has taken to mitigate potential harm and risks to consumers and the institution. The methods of developing and implementing a change management process may vary based on the institution’s size, complexity, and resources available.
Change management should be a structured and disciplined process that can be repeated since change can always be expected. The RFS Program describes that an effective change management process:
- requires management and staff from all affected functions — potentially including compliance, accounting, risk, internal audit, and line management — to review and recommend a response or change proposal for senior management or board approval that clearly articulates expected results. The entire life cycle of a product or service affected by the change must be considered, whether it involves the introduction of a new product or service or a change affecting existing bank operations.
- incorporates appropriate approval processes associated with implementation.
- requires that operating policies and procedures are updated to provide clear guidance to staff on how to comply with all legal or regulatory requirements.
- requires that staff be properly trained regarding the change.
- incorporates monitoring of the deployment of the new or revised process, product, or service.
- requires a review after implementing a change to determine whether the actions taken achieved the expected results.” (Footnote omitted)
This Q&A, and the remainder of the article, may be found in its entirety here.
Outlook Live Webinar on Fair Lending. The Federal Reserve System is also hosting a free webinar entitled “2014 Federal Interagency Fair Lending Hot Topics” on Wednesday, October 22, 2014, from 2:00 p.m.–3:30 p.m. Eastern. The webinar will feature representatives from various federal agencies, including NCUA, and will discuss emerging fair lending issues and hot topics. Additional details and registration are available here.