In this presentation, you will
- Gain an understanding of leading edge risk management practices for Credit Unions.
- Gain insight on the Board and Supervisory Committees’ role in the internal control structure.
- Recognize areas of potential weakness in the organization.
- Gain an understanding of the regulatory environment and impact on risk management.
3. About CBIZ and Mayer Hoffman McCann P.C.
With offices in major cities throughout the United States, CBIZ is one of
the nation's leading providers of outsourced business services, including
accounting and tax, internal audit, risk management, and a wide range
of consulting services. CBIZ is strategically associated with Mayer
Hoffman McCann P.C. (MHM). MHM is an independent public
accounting firm with more than 280 shareholders in more than 35
offices. MHM specializes in attest services for mid-market and growing
businesses, with a specialty practice devoted to financial institutions.
Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top
accounting providers in the country.
4. Topics to include:
• Information Security
– Social Engineering Audit
– Security Awareness Program
• Interest Rate Risk Management/Model Validation
• Vendor Management Best Practices
5. Learning objectives
• Gain an understanding of leading edge risk management
practices for Credit Unions.
• Gain insight on the Board and Supervisory Committees’
role in the internal control structure.
• Recognize areas of potential weakness in the
organization.
• Gain an understanding of the regulatory environment and
impact on risk management.
7. Information Security Program - Defined
Is the written plan created and implemented by a
credit union to identify and control risks to
information and information systems and to
properly dispose of information.
8. Information Security Program
• Should address security guidelines safeguarding
the confidentiality and security of information and
proper disposal.
• Should address privacy rules limiting the credit
union’s disclosure of nonpublic personal
information to unaffiliated third parties.
9. Board and Supervisory Committee Responsibilities
• Ensure that information security program is
developed, implemented, and maintained
• Approve the information security program
• Oversee the implementation and maintenance of
the program
10. The Regulatory Scene
• Important security regulations and industry
standards:
– Gramm-Leach-Bliley Act (GLBA)
– Fair and Accurate Credit Transactions Act (FACTA)
– Payment Card Industry Data Security Standards (PCI DSS)
11. Gramm-Leach-Bliley Act (GLBA)
• Requirements
– Implementing and maintaining a comprehensive
information security program
– Assessing and evaluating threats
– Implementing controls commensurate with associated
risks
– “Pretexting protection”, which includes safeguards
against social engineering attacks
– Oversight of service providers
– Board of Directors involvement and approval
12. Fair and Accurate Credit Transactions Act (FACTA)
• FACTA is targeted to the growing problem of identity
theft. The red flags rules require:
– Ongoing and comprehensive risk assessments to identify covered
accounts and related threats
– Based on the risk assessment, a comprehensive identity theft
program.
– Formal change of address procedures
– Employee training
– Development of specific policies, procedures and practices to
combat identity theft
– Oversight of third party providers
13. Payment Card Industry Data Security Standards (PCI DSS)
• PCI is a standard, not a regulation. One of the requirements to be PCI compliant:
– Perform external and internal penetration tests at least once a year and after any significant infrastructure or application upgrades.
16. Social Engineering as a tool
• Social engineering testing is highly encouraged under GLBA, as it exercises the required safeguards against pretexting.
• Social engineering testing serves as an exceptional tool to counter identity theft.
17. What is social engineering?
• Manipulating people into doing something rather than breaking in using technical means.
18. What is social engineering?
• Attacker uses human interaction to obtain or compromise information.
• Attacker may appear unassuming or respectable.
– Pretend to be a new employee, repairman, utility provider, etc.
– May even offer credentials.
19. What is social engineering?
• By asking questions, the attacker may piece enough information together to infiltrate an organization’s network.
– May attempt to get information from many sources.
20. Types of social engineering
• Quid Pro Quo
– Something for something.
• Phishing
– Fraudulently obtaining private information.
• Baiting
– Real world Trojan horse.
• Pretexting
– Invented scenario.
• Diversion Theft
– Lying and convincing others of a false truth—a con.
21. Quid Pro Quo
• Something for something
– Call random phone numbers at an organization claiming to be from technical support.
– Eventually you will reach someone with a legitimate problem.
– Grateful you called them, they will follow your instructions.
– The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware.
22. Phishing
• Fraudulently obtaining private information
– Send an email that looks like it came from a legitimate business.
– Request verification of information and warn of some consequence if not provided.
– Usually contains a link to a fraudulent web page that looks legitimate.
• Example: Update login information to new HR portal.
– User gives information to the social engineer/attacker.
23. Phishing - continued
• Spear phishing
– Targeted phishing that includes your name or demographic info.
• Vishing
– Phone phishing—may be a voice system asking for a call back.
24. Phishing - continued
• Real example
– Obtain email addresses of many employees in the target organization, including key individual targets like Controller, Staff Accountant, Executive Assistant, etc.
– Develop a website to “change password” or “setup new account” for a human resources vacation request system.
• Actual organization website is “Western States Credit Union”
• Link to attacker’s website is “Western States Credlt Union” (a lowercase “l” in place of the “i”)
– Email the website link to the obtained email addresses.
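The look-alike link in this example works because one character reads like another. As an added example that is not part of the deck or of any CBIZ/MHM material, the Python script below shows the kind of check a mail gateway or help desk can run over an email body: it extracts link hostnames, folds visually confusable characters into a common skeleton, and compares the result to the organization's own domains, also flagging near-miss spellings by edit distance. The domain names, the email text and the confusable-character table are constructed for the illustration; a production check would use a full confusables list and the public suffix list.

```python
"""Flag look-alike link domains in an email body (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Constructed: the institution's legitimate registrable domain(s). The slide
# names the organization only as "Western States Credit Union".
LEGITIMATE_DOMAINS = {"westernstatescreditunion.example"}

# Constructed, deliberately small table of visually confusable sequences and
# the canonical character each is folded to. Longer keys are applied first.
CONFUSABLES = {"rn": "m", "vv": "w", "l": "i", "1": "i", "|": "i", "0": "o"}

# Constructed phishing email in the style of the slide's HR-portal example.
EMAIL_BODY = """Dear staff,
Please update your login for the new HR vacation request portal:
https://westernstatescredltunion.example/hr/reset
Our public site remains https://www.westernstatescreditunion.example/
"""


def skeleton(host: str) -> str:
    """Fold confusable characters so 'credlt' and 'credit' compare equal.

    The result is for comparison only and is not a valid hostname.
    """
    h = host.lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        h = h.replace(src, CONFUSABLES[src])
    return h


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch plain typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the hostname (simplification: no public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def classify_host(host: str, legitimate=LEGITIMATE_DOMAINS) -> str:
    """Return 'legitimate', 'homoglyph', 'typosquat' or 'unrelated'."""
    reg = registrable(host)
    if reg in legitimate:
        return "legitimate"
    for good in legitimate:
        if skeleton(reg) == skeleton(good):
            return "homoglyph"       # same skeleton, different spelling
        if edit_distance(reg, good) <= 2:
            return "typosquat"       # one or two character edits away
    return "unrelated"


def extract_hosts(text: str) -> list:
    """Collect distinct hostnames from http(s) URLs in the text."""
    hosts = set()
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


def scan_email(body: str, legitimate=LEGITIMATE_DOMAINS) -> dict:
    """Map every link hostname in the body to its classification."""
    return {h: classify_host(h, legitimate) for h in extract_hosts(body)}


if __name__ == "__main__":
    for host, verdict in scan_email(EMAIL_BODY).items():
        print(f"{verdict:10s} {host}")
```

Running the script prints `homoglyph` for the attacker's domain and `legitimate` for the real one. The skeleton comparison is what catches the “Credlt” trick; the edit-distance check covers ordinary misspellings that a skeleton alone would miss, and anything else is reported as unrelated so a reviewer can decide.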
25. Baiting
• Real world Trojan horse
– Uses physical media.
– Relies on greed and/or the curiosity of the target/victim.
– Attacker leaves a malware infected CD or USB thumb drive in an obvious location so that it is easily found.
– Attacker uses an intriguing or curious label to gain interest.
• Example: “Employee Salaries and Bonuses 2014”
– Curious employee uses the media and unknowingly installs malware.
26. Pretexting
• Invented scenario
– Involves prior research and a setup used to establish legitimacy.
• Give information that a user would normally not divulge.
– This technique is used to impersonate and imitate authority.
• Uses prepared answers to a target’s questions.
• Other useful information is gathered for future attacks.
• Example: “VP of Facilities” visiting a branch.
27. Pretexting - continued
– Personas that are illegal to impersonate, even from an inside testing perspective:
• Law enforcement
• Fire
• Military/government official
28. Pretexting - continued
• Real example – Telecom provider
29. Pretexting - continued
• Real example
– Pose as a major telecom provider.
– Props:
• rented white van with magnetic logo
• logo polo shirts and hats
• business cards
• work order
• ID badge.
– Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled.
30. Diversion Theft
• Con
– Persuade the delivery person that the delivery has been requested elsewhere.
• When the delivery is redirected, the attacker persuades the delivery driver to unload near a desired address.
• Example: Attacker parks a “security vehicle” in the bank parking lot. Target attempts to deposit money in the night drop or ATM but is told by the attacker that it is out of order. Target then gives money to the attacker for deposit and safekeeping.
31. Dumpster diving
• Scavenging key bits of information from many documents put out in the trash.
– Literally involves getting in a dumpster during off-peak hours and looking for information.
– Janitorial crews could be involved. Are they bonded?
• Document shredders are not always the answer
– Vertical cut, cross cut, micro cut, and security cut.
32. Weakest Link?
• No matter how robust an organization’s:
– Firewalls
– Intrusion detection systems
– Anti-virus/malware software
– Other technological and physical safeguards
• The human is always the weakest link when dealing with security and protecting valuable information.
• Knowledge is power.
– People sometimes want others to “know what they know” to demonstrate importance.
33. How to prevent social engineering?
• Training
– User awareness
• User knows that giving out certain information is bad.
• Policies
– Employees are not allowed to divulge information.
– Prevents employees from being socially pressured or tricked.
– Policies MUST be enforced to be effective.
34. How to prevent social engineering?
• Every organization must decide what information is sensitive and should not be shared.
• Password management
• Physical security
• Network defenses may only repel technical attacks
– Virus protection
– Email attachment scanning
– Firewalls, etc.
• Security must be tested periodically.
35. How to prevent social engineering?
• Third-party testing
– Hire a third-party to attempt to attack targeted areas of the organization.
– Have the third-party attempt to acquire information from employees using social engineering techniques.
– Learning tool for the organization—not a punishment for employees.
37. What is security awareness?
• Security awareness reflects an organization’s mindset or attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program.
38. Security awareness success
• What elements reflect the overall strength of an organization’s security culture?
– What causes a security awareness program to fail?
– What comprises a successful security awareness program?
• Even the best technical security efforts will fail if the organization has a weak security culture.
39. Why do security awareness programs fail?
1) Not understanding what security awareness really is.
– Major difference between security awareness and security training.
• Watching an online video about security awareness is training.
– The primary goal of security awareness is to change behavior.
2) Reliance on checking the box.
– Assuming that satisfying compliance standards equates to strong security awareness, or even that security exists.
• Compliance standards merely prove the minimum requirements have been met.
• Standards are vague and difficult to measure.
– EXAMPLE: “A security awareness program must be in place.”
40. Why do security awareness programs fail?
3) Failing to acknowledge that security awareness is a unique discipline.
– Who is responsible for the function?
– Does the person have the knowledge, skills, and abilities?
– Does the person have soft skills such as strong communication and marketing ability?
• Initial efforts to implement security awareness and to effect change over time require such skills.
41. Why do security awareness programs fail?
4) Lack of engaging and appropriate materials.
– Annual computer-based training is not enough.
– It is critical that multiple versions or styles of security awareness materials be implemented.
• Ensure the materials are appropriate to the organization based on industry and employee demographics.
• Younger employees respond better to blogs and Twitter feeds while older employees prefer traditional materials like posters and newsletters.
42. Why do security awareness programs fail?
5) Not collecting metrics.
– Without metrics, there is no way to determine if security awareness goals are being met.
• Are we wasting money or providing value?
• What is working and what is not?
• Are our losses decreasing?
– Collecting metrics on a regular basis allows for adjustments.
– Measure the impact to the organization.
43. Why do security awareness programs fail?
5) Not collecting metrics (continued).
– Example metrics include:
• Number of people who fall victim to a phishing attack.
• Number of employees who understand and follow security policies.
• Number of employees securing their desk environment at end of day.
• Number of employees using strong passwords.
• Number of employees who understand, follow, and enforce policies for restricted access to facilities.
• Who has or has not completed annual security awareness training.
• Types of reinforcement training, whom it is communicated to, and how often.
44. Why do security awareness programs fail?
6) Unreasonable expectations.
– No security counter-measure will ever be successful at mitigating all incidents.
7) Relying upon a single training exercise.
– Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack through the ignored approaches.
45. Keys to security awareness success
1) C-suite support.
– Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments.
– Obtaining strong support from top level management is the first priority.
• Consider materials designed specifically for executives—newsletters and brief articles that highlight relevant news and information.
46. Keys to security awareness success
2) Partnering with key departments.
– Get other departments involved in the program that might provide additional resources toward program success.
• Human resources, legal, compliance, marketing, etc.
• Consider the needs of these other departments and incorporate them into the overall security awareness approach.
3) Creativity
– Small budgets for security awareness are common; however, creativity and enthusiasm can bridge the gap created by a small budget.
47. Keys to security awareness success
4) Metrics.
– Prove the security awareness program effort is successful—utilize metrics.
5) Explanation and transparency.
– Focus on how to accomplish specific actions through clear explanation.
– Instead of telling people not to do certain things, explain how they can do certain things safely.
48. Keys to security awareness success
6) 90-day plans.
– Many programs follow a one-year plan with one topic covered monthly.
• Does not reinforce knowledge and does not permit feedback or consider ongoing events.
– A 90-day plan is most effective as it permits re-evaluation of the program and its goals more regularly.
• Focus on 3 topics simultaneously and reinforce during the 90 days.
• Can be easily adjusted to address current and key issues.
49. Keys to security awareness success
7) Multimodal awareness materials
– Utilize multiple forms of security awareness materials.
• Newsletters
• Blogs
• Newsfeeds
• Phishing simulation
• Games
– Participative approaches have the most long-term success.
50. Keys to security awareness success
8) Incentivized security awareness programs.
– Develop “Incentivized Awareness Programs”.
– Focus on creating a reward structure to incentivize people for exercising desired behaviors.
– This technique switches the entire awareness paradigm by drawing the desired behavior out of employees naturally rather than forcing it on them.
51. Key takeaway
• Habits drive security culture and there are no technologies that will ever make up for poor security culture.
• Awareness programs, when properly executed, provide knowledge that instills behavior.
53. What is interest rate risk?
• The potential loss from unexpected changes in interest rates, which can significantly impact profitability and market value of equity.
54. Interest rate risk in more detail . . .
• The amount at risk is a function of the magnitude and direction of interest rate changes and the size and maturity structure of the mismatch position.
• If interest rates rise, the cost of funds increases more rapidly than the yield on assets, thereby reducing net income.
• If the exposure is not managed properly it can erode profitability.
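The mismatch position this slide refers to can be put in numbers with a one-year repricing gap. The Python script below is an added example, not from the deck or from CBIZ/MHM: it sums rate-sensitive assets and liabilities per time bucket, estimates the change in net interest income (NII) for parallel rate shocks as gap × Δr, and compares each result to an ALCO policy limit, the comparison the later "Model reports" slide expects. The balance sheet, base NII, shock sizes and 10% limit are constructed figures. The formula assumes a parallel shift and full repricing within the year; with a liability-sensitive (negative) gap, as constructed here, it reproduces the slide's point that rising rates lower net income.

```python
"""One-year repricing-gap estimate of NII sensitivity (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Bucket:
    """Balances that reprice within a time bucket (constructed, in thousands)."""
    name: str
    rate_sensitive_assets: float
    rate_sensitive_liabilities: float


# Constructed balance sheet: more liabilities than assets reprice within a year,
# i.e. a liability-sensitive institution.
BUCKETS: List[Bucket] = [
    Bucket("0-3 months", rate_sensitive_assets=40_000, rate_sensitive_liabilities=90_000),
    Bucket("3-12 months", rate_sensitive_assets=60_000, rate_sensitive_liabilities=50_000),
]
BASE_NII = 6_000.0          # constructed: current annual net interest income
SHOCKS_BP = (-200, -100, 100, 200)
POLICY_LIMIT_PCT = 10.0     # constructed ALCO limit on one-year NII change


def one_year_gap(buckets: List[Bucket]) -> float:
    """Cumulative repricing gap = rate-sensitive assets - rate-sensitive liabilities."""
    rsa = sum(b.rate_sensitive_assets for b in buckets)
    rsl = sum(b.rate_sensitive_liabilities for b in buckets)
    return rsa - rsl


def nii_change(gap: float, shock_bp: int) -> float:
    """Estimated change in NII = gap x rate shock, shock given in basis points."""
    return gap * shock_bp / 10_000


def shock_table(buckets: List[Bucket], base_nii: float,
                shocks=SHOCKS_BP, limit_pct: float = POLICY_LIMIT_PCT) -> List[Dict]:
    """One row per shock: estimated NII change, % of base NII, policy-limit check."""
    gap = one_year_gap(buckets)
    rows = []
    for shock in shocks:
        delta = nii_change(gap, shock)
        pct = 100.0 * delta / base_nii
        rows.append({
            "shock_bp": shock,
            "delta_nii": delta,
            "pct_of_nii": pct,
            "within_limit": abs(pct) <= limit_pct,
        })
    return rows


def breaches(rows: List[Dict]) -> List[int]:
    """Shocks whose estimated NII change exceeds the policy limit."""
    return [r["shock_bp"] for r in rows if not r["within_limit"]]


if __name__ == "__main__":
    print(f"One-year gap: {one_year_gap(BUCKETS):,.0f}")
    for r in shock_table(BUCKETS, BASE_NII):
        flag = "" if r["within_limit"] else "  <-- exceeds policy limit"
        print(f"{r['shock_bp']:+5d} bp  dNII {r['delta_nii']:+8,.0f}  ({r['pct_of_nii']:+.1f}%){flag}")
```

With the constructed figures the gap is -40,000, so a +200 bp shock costs 800 of NII (13.3% of the base), which breaches the 10% limit, while a +100 bp shock stays within it. Swapping the asset and liability balances turns the sign around and shows the asset-sensitive case, where falling rather than rising rates hurt. A validation of a real ALM model would compare its reported NII-at-risk against an independent recomputation of this kind and against actual results (back-testing).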
55. Managing interest rate risk
• A key element of management of interest rate risk is to perform an independent validation of the modeling system.
• Why? Financial market and economic conditions present significant risk management challenges to institutions of all sizes.
• Resources:
– Interagency Advisory on Interest Rate Risk Management issued January 6, 2010.
– Interagency Advisory on Interest Rate Risk Management Frequently Asked Questions issued January 12, 2012.
56. Model validation
• Models have long been a critical tool used by Credit Unions to manage the various risks they face.
• Models need to be understood – not a “Black Box”.
57. Interest rate model validation
• Performing interest rate risk model validation is also a best practice.
– It strengthens reliance on the model to make sound business decisions.
– It addresses “model risk”, or the possibility of adverse consequences from management decisions resulting from incorrect or improperly used model outputs.
– Identifies weaknesses in:
• Data setups
• Inputs
• Behavior assumptions
58. Performing a model validation
• Who should perform interest rate risk model validation procedures?
– Consider expertise.
– Consider experience.
– Consider independence.
• Internal audit
• ALM model vendor
• CPA firm/consulting firm
• Investment brokers/advisors
• Corporate credit unions
59. Key components of a validation
• Model input
– Data
– Assumptions
• Model processing
– Mathematics and formulas/code
– Mechanics
– Theory
• Model output/reports
– Model results
– Context of reports
60. Model input
• Data and setup issues
– Data reconciles to the general ledger
– Market data
– Account attributes
– Contractual input
61. Model input
Models typically receive automated feeds from many sources:
– Interest rate curves
– Cost of funds
– Balance Sheet data
62. Model input
Models also utilize infrequently updated or hardcoded values:
– Credit Union’s unit costs
– Leverage targets
64. Model input
• The testing of model inputs should regularly employ either specified or statistically determined “stressed” model input variables.
65. Model input
• During times of stress, one does not want data that assumes market liquidity and an ample supply of buyers and sellers across all risk categories.
66. Model processing
Validation should include:
– Software vendor supplied verifications
– Predictive analysis
– Benchmarking
– Back-testing
67. Model processing
• Testing and validation should evaluate:
– The conceptual soundness of the model
– Potential limitations in the model and range of applicability
– Model effectiveness, both through back testing and periodic reviews of model results.
68. Model reports
• Are reports easy to understand?
• Do reports make comparisons to policy limits?
• Do reports meet regulatory guidelines/preference?
69. Model reports
• Models must capture the complexity of the institution and the phenomena they are meant to simulate.
• Credit unions must have the information necessary to know, monitor, and govern the models used.
70. Model adequacy
• Does the model meet the business needs and regulatory requirements of the financial institution?
• Is the model capable of institution-specific modeling?
• Can it model the financial institution’s balance sheet instruments?
71. Model control and governance
• Is the model contained in a strong control environment?
– Documented user procedures and processes.
– Is user training and cross training adequate and documented?
• Does the model satisfy governance needs?
– ALCO policy
– ALCO limits
– ALCO meetings with minutes
72. Model validation frequency
• No regulatory standard exists for how frequently an interest rate risk model should be validated.
– Interagency guidance suggests annually.
– At least as often, and on the same cycle, as regulatory examinations.
• Depends on the size and risk of the financial institution.
– What is the complexity of the ALM environment?
– What is the risk appetite and risk tolerance of executive management?
• Industry best practice suggests every 3 years by a third-party vendor supplemented with internal testing annually.
74. Vendor selection
• The vendor management process begins by selecting the right vendor for the right reasons.
• The vendor selection process can be a very complicated and emotional undertaking if you don't know how to approach it from the very start.
• You will need to analyze your business requirements, search for prospective vendors, lead the team in selecting the winning vendor and successfully negotiate a contract while avoiding contract negotiation mistakes.
75. Scrutinize the prospects
• Don’t get blinded by the “glitz and sizzle” that some vendors project.
• A large sales force and many specialty consultants do not necessarily equate to a strong vendor—they may not be there after the contract is signed.
• Ask all questions.
– Is the outsourcing area within the vendor’s expertise?
76. Remain flexible
• Be wary of restrictive or exclusive relationships.
– Limitations with other vendors or with future customers.
• Do not accept a contract with severe penalties for what are small incidents.
• Do not accept long-term contracts.
– Short-term contracts with option periods are more appropriate.
• Consider the vendor’s needs.
– A small and insignificant issue to you may be very important to the vendor.
• Overall, show good faith and willingness to work together.
77. Monitor performance
• Once the vendor relationship has commenced, don’t assume all will go according to plan.
• The vendor’s performance must be monitored constantly at the start.
– Should include the requirements most critical to the business.
• Quality of service, order of completion, response time, etc.
78. Communicate constantly
• Communicate.
• Communicate.
• Communicate.
• Establish a well maintained line of communication.
– Avoid misunderstandings.
– Proactively address issues before they become problems.
79. Vendor management program components
• Having a vendor management program in place will greatly enhance the vendor relationship and protect the business.
– Vendor management policy approved by the board of directors.
– Define what constitutes a critical vendor.
– Establish a vendor risk assessment process.
– Establish regular vendor review procedures.
• Vendor SOC reports (formerly SAS 70 reports) on file are current.