3 Key Compliance Management Trends for Community Banks

Posted by Nik • Jun. 26, 2015 • 0 Comments

Community banks can improve their compliance management processes in three simple ways. Begin by reviewing and strengthening existing corporate compliance program policies. Then move on to building a culture of compliance within your organization. These tasks will require some effort from managers and board members, but don't cost very much money. Compliance management tools are the one component that can require an outlay of funds, but the cost is minimal when compared with alternatives that are prone to errors and difficulties.


1. Creation or strengthening of a corporate compliance program

It is very important for banks to have consistent enterprise-wide compliance processes in all areas of the company. To ensure your bank has a good corporate compliance program, go through each area of your regulatory compliance structure. This includes procedures, policies, reporting, monitoring, and assessment. Checking that each of these areas has consistent processes in place can not only help your bank avoid enforcement actions, it can also correct weaknesses and reduce risk before it becomes an enforcement issue.

While enterprise-wide compliance software can be very helpful, it's important to begin by identifying potential problems in order to determine the best solution for your company or enterprise as a whole. You will need to consider time, experience, perspective, and budget constraints, as well as adequate staffing and current job expectations. Your people are key.

It's very common for enterprises using compliance software to bring in external experts to manage the system or provide additional information. Typically, a person inside your company will not have the time, resources, and information that an external consultant can bring to the program.


2. Fostering a "culture" of compliance

It's important to get away from the “project” mentality that most banks and other companies bring to corporate compliance programs. Instead, a "culture" of compliance helps to move away from the one-off mentality that goes with projects and toward an ongoing process view of compliance. 

The landscape is shifting toward a focus on higher security and compliance regulations. This makes it clear that banks must be prepared to provide tight compliance at any time. Rather than implementing compliance tasks in an inconsistent and reactive manner, there needs to be a shift toward uniform processes and more well-rounded policies.

The board of directors at your bank must have compliance management at the forefront of their policies in order to signal their importance to employees. Additionally, you must reward employees for staying on top of compliance goals. The whole organization needs to continually look for areas to improve.


3. Simple compliance management solutions

It might become harder for banks to manage regulatory compliance manually with the changing regulatory landscape. Having lots of paper and humans involved in the process leaves the possibility for many errors and difficulties. Moving toward an outsourced compliance management process can alleviate these problems.

Using a compliance management regulatory expert (offered by Garland Heart) or an outside security consultant, employees won't have to learn multiple programs. This will benefit your bank in terms of saved training costs and risks associated with errors.

It is very important to keep the process simple. An automated system can sometimes make it even more complicated when multiple programs are used and required to interface with each other. If you need any help selecting the right compliance management support for your bank, Garland Heart can help.

Change Could Be Coming in the Legal Landscape for Cybersecurity Risk

Posted by Gaye Connell • Jun. 18, 2015 • 0 Comments

Bills being passed by the House of Representatives, recent data breaches at major companies, and the SEC's growing attention to cybersecurity all suggest that the federal government may be prepared to change the legal landscape for cybersecurity risk. Even the President's 2015 State of the Union address featured cybersecurity proposals that signal how big a focus this is becoming for the executive branch.


The SEC may increase cybersecurity regulations soon

The federal government is poised to expand its regulation of companies with regard to cybersecurity risk. This is no surprise after the huge cyber attacks of 2014. Just look at the recent data breaches at Target, Sony, and Home Depot. The signs that suggest this change is coming include:

  • Recent bills passed by The House of Representatives
  • The way these bills will impact companies
  • An increased focus on cybersecurity by the SEC


Bills passed by The House of Representatives

Just this past April, two new bills were passed by the House which will further encourage companies to share cybersecurity-related information with the government. One of the benefits these bills promise for companies that open up their cybersecurity logs is protection against liability, provided the company continually checks its network for cybersecurity threats. Both of these bills are headed for the Senate, and they have a very good chance of passing there as well. These bills will set up a framework for companies to communicate information about security measures taken against cyber attacks with government agencies and other corporations.


How do these bills affect my company?

By allowing companies to share information directly with civilian federal agencies or the Department of Homeland Security, many more businesses will be involved in cybersecurity risk and information security. These bills are very likely to pass in the Senate. Legislators are feeling pressure to take action after the recent cyber attacks and these bills offer a way to address those concerns. If you aren't already involved with cybersecurity risk and information security in your company, get ready. As these changes go into effect, your company will need legal guidance with regard to which documents can be shared, how, and with whom. Opening up this information can be very helpful when addressing cybersecurity concerns, but there are always legal concerns when this much information is shared with people outside your company.


More of a focus on cybersecurity from the SEC

In March 2014, the SEC had a round table discussion to help them gather information and consider the next steps to address cyber threats. This past January, reports suggested that the SEC is now considering additional regulations which will require public companies to disclose information about cybersecurity threats and vulnerabilities.


As you can see, from The House of Representatives to The Senate and even the Securities and Exchange Commission – the federal government is getting ready for some major legislative changes with regard to cybersecurity. You can contact us at any time to discuss the changing legal landscape for cybersecurity risk.

How to Identify New Risks

Posted by Wade Clem • Jun. 15, 2015 • 0 Comments

It recently occurred to me that with any risk there will always be a Typhoid Mary. That made me consider how to recognize new and emerging risks so that, as an institution grows, it never has to be on the wrong side of a "dramatic outbreak," so to speak.
An emerging trend of large-scale cyber attacks, as well as a need for hyper-connectivity on a global scale, is at the forefront, and even artificial intelligence and synthetic biology are starting to be considered extremely plausible risks in the next 5 to 10 years, if not already. The World Economic Forum recently pointed out several environmental, technological, and financial risks on a global scale. In all of these areas, the trend has been toward a centralized concept with more emphasis on risk governance and control frameworks, and on being able to track and effectively manage both known and unknown risks.
As the article points out, "Because of their longer term nature, risks emerging from changes in the external environment may require an analysis of scenarios to understand fully their potential impact on the business model. Scenario planning can help management to cope with uncertainty by bringing to the surface the vital signs on which the company must focus. It blends the known with the unknown into a limited number of internally consistent views of the future spanning an appropriate range of possibilities."
This article has not only some great suggestions for management to think about for the future, but also great insight on how to look forward within the organization's culture.

New Compliance Audit Guidance for Health Care: What You Need to Know

Posted by Nik • Jun. 12, 2015 • 0 Comments

In the past, the compliance guidance from the Office of Inspector General at the U.S. Department of Health and Human Services emphasized that health care governing boards focus on three key areas: 

  1. Fully engage themselves in their responsibilities to oversee compliance audits
  2. Make compliance a priority for management
  3. Inquire into the effectiveness of compliance management software

New compliance audit guidance means that these three key areas will be expanding with the inclusion of a fourth aspect of compliance guidance: suggestions for health care compliance officers, auditors, and other members of health care governing boards.


What can I expect from the new compliance guidance?

These suggestions will provide additional insight into corporate compliance programs. Given that information security is a continually evolving process which is never perfect, they should be seen as a way to make any compliance process just a little better.

Large health care organizations must have a reporting system in place to ensure the board receives compliance related information and reports as quickly as possible. Small practices should also have a similar system in place to ensure compliance information is easily accessible, even if there is no board overseeing the organization.


Specifics of the compliance program

Corporate compliance programs are not a “one size fits all” type of project. These programs must be custom tailored to meet the specific needs and size of each organization. Every compliance program must have a formal plan for keeping decision makers up to date on regulatory changes. Additionally, these reports need to address the organization's current regulatory compliance.

These compliance reports can be delivered to board members or discussed at regular meetings. Additionally, they should be reviewed by compliance audit consultants and integrated into organizational education programs.


Roles and structure of internal audit and compliance functions

The most important thing to get right when setting up an internal audit and compliance system is to clearly define roles. Communication between compliance teams, HR teams, and all employees will hinge on clearly defined roles and responsibilities. This collaboration between teams is the most efficient way to address internal compliance audits.

Within your organization, you must consider how management is working to address risk and resolve compliance conflicts. This means someone must have the responsibility to identify problems and implement solutions that will impact the whole organization.


Compliance auditing process and culture

The governing board and/or management needs to establish a process by which areas of risk can be identified. Once found, these areas must be constantly reviewed and audited to create an action plan to correct the situation. 

Management and any governing board must also encourage a “culture of improved compliance” in which employees feel comfortable discussing concerns. Employees must face no fear of, and no actual, consequences when they disclose these compliance concerns. If you have any questions about the new compliance audit guidance for health care, feel free to contact us any time.

3 Steps to Improve Your Firm’s Information Security Policy

Posted by Nik • Jun. 9, 2015 • 0 Comments

Improving the information security policy for your firm can be condensed down to three simple steps. These address the most common problems seen with firms and practices across the country, and they're easy for you to fix.


1. Realize the prevalence of the cloud

It's very common for the people writing information security policies to not be fully aware of how widespread the use of the cloud actually is today. This is actually a problem for Bring Your Own Device (BYOD) policies. 

To illustrate how common the cloud has become in our daily lives, here's a short list of common business activities that are done in the cloud without most people even knowing.

  • Creating a document using Google Drive
  • Backing up photos from your phone to your Google, Apple, or Microsoft account
  • Backing up the contact list from your phone to any of the above services
  • Creating a mailing list using Mail Chimp or one of the hundreds of similar services
  • Office365
  • Dropbox
  • Even mobile payment systems like Dwolla and Google Wallet.

There are also many more, but these are some of the more common cloud services used by businesses. The most effective risk management plans will begin by addressing cloud-based policies from the very beginning when creating an information security policy.


2. Keep your policy as suited to the environment as possible

How many times have you been confronted with a lengthy legal document and simply clicked “accept” rather than reading the whole thing? This is common behavior and something you should keep in mind when crafting an information security policy. When possible, keep the whole policy short and concise and above all, tailored to your firm’s environment.

If it's not possible to be brief, at the very least you can include a table of contents to help readers navigate the document. This will allow them to skip directly to the portions of the policy that are most relevant to their needs and current situation.

Better still, implementing security policy automation will make it easy to enforce the policy, even if some people don't read the whole thing. An automated system can alert employees when something violates the security policy or when encryption is needed. Some of these systems allow an employee to override the policy while logging the exception. Other systems allow employees to request an exception, which must be approved by a supervisor, when working on specific projects. These systems can offer as much or as little flexibility as your business requires.


3. Maintain watch over internal security issues

More often than not, internal security issues are more of a threat to your business than external hackers. Employees may inadvertently give unauthorized people access to confidential documents or systems. Ensuring that access rights are properly delegated is the first step. Additionally, no information should be given to anyone inside your financial institution without a tangible purpose. This helps to ensure that information is not accidentally misplaced or inadvertently shared. Getting this right can save you a lot of money on risk management.

Contact Garland Heart any time to discuss other ways to improve your firm’s information security policy.

Determining Your Risk: Vulnerability Assessments vs. Penetration Tests

Posted by Gaye Connell • May. 26, 2015 • 0 Comments

Vulnerability assessments and penetration tests are both important components of threat management, but there’s often quite a bit of confusion surrounding the difference between the two. This confusion often leads to wasted resources and inefficient risk management strategies. Both methods can be performed internally or externally depending on your company’s industry, environment, and internal skill set. Internal and external vulnerability tests are required under laws such as GLBA and HIPAA, so it’s important to know the distinctions among the various methods of risk assessment in order to determine your risk of a cybersecurity breach.


What’s a Vulnerability Assessment?

A vulnerability assessment is essentially the process of identifying real and potential vulnerabilities in your security policies and procedures and your entire information security structure. During an assessment, you evaluate the next steps that need to be taken to eliminate current holes in your security system or reduce the amount of risk they pose.


What’s a Penetration Test?

A penetration test simulates an internal or external cyber attack. Typically, only institutions that internally host multiple databases, websites, or file servers need an internal penetration test, as they are the ones with the highest level of risk. In a penetration test, you or an IT security consulting company attempts to breach your system and steal data or compromise the information on your servers. Companies often hire renowned hackers for this task, just like security firms hire former safe-crackers or professional thieves to test their physical systems. The tester will try to gain access to confidential or sensitive data. If the tester succeeds, tighter security measures are needed. A true external penetration test will usually include an external vulnerability assessment, but not always. That being said, we always include the two together and believe this should be done annually.


Which Method is Best for Your Organization?

To determine which method is best for your organization (or if multiple methods are necessary) you should first investigate current procedures in place and the environment in which your data is stored. Examine the information you have stored internally and how it is currently protected. Look into your firewalls, encryption type, anti-virus software, and any other types of protection. 

Ideally, you should have a vulnerability solution in place internally and use the services of a third party to validate your testing. If you don't have the ability, staff, or budget to implement the test internally, you should consider hiring a security consulting company. A vulnerability assessment identifies your weaknesses and helps you determine how to fix the problems, as opposed to a penetration test which shows you whether someone can break into your system and what information could potentially be stolen or corrupted.


A penetration test is a virtual snapshot of your current security structure, so most organizations should start with a vulnerability assessment then go forward with penetration testing.

In conclusion, the best way to keep your system safe is with constant assessment. Contact us for more information about cybersecurity and safeguarding your company, and check out our free webinar on reducing potential impact of risk on your company.

Why Aren’t Corporations Focusing More on Cybersecurity?

Posted by Gaye Connell • May. 20, 2015 • 0 Comments

With all of the recent news around cybersecurity vulnerabilities at large corporations, it's surprising that companies aren't putting more focus on preventing these incidents. Recently, many corporations -- including Target, Home Depot and Sony -- have suffered significant data breaches. Experts say that the frequency of these attacks is likely to increase because the technology to prevent a breach costs more than the breach itself. This may be true in monetary terms, but the damage to customer relations could be immeasurable.

Your digital information is clearly and inherently vulnerable to hackers. Improving security practices and plugging holes in security systems seems like the obvious solution; preventing identity theft and financial loss should be easier than trying to fix the damage after the fact.

However, your organization's perimeter has too many access points. This exposure occurs because not every access point can be easily identified, which makes it difficult for you to monitor all of them.

So why aren't companies doing more to protect themselves?


Why Security Isn't Airtight

Corporations suffer great losses in the case of a breach, but these losses are often minuscule compared to their overall revenue. It's easier for companies to write off the losses than it is to spend significant resources establishing complex defense systems. 

According to Target’s 2014 financial release, when the company lost 40 million debit and credit card numbers plus an additional 70 million customer records, the cost incurred was $105 million after insurance coverage and tax deductions. Although this certainly seems like a substantial sum, it only represented 0.1% of the company's 2014 revenue. Similarly, the 2014 Home Depot cybersecurity breach only cost the company 0.01% of their annual revenue.


What About Other Costs?

Breaches in cybersecurity also have more intangible implications. In particular, the opinions and buying decisions of these companies' customers seem likely to be affected by the news of the vulnerability and any inconveniences experienced by the customer -- for example, having to replace credit cards or having to sign up for identity theft monitoring. 

However, the impact of these costs on large companies is difficult to ascertain. Ultimately, if the number of cyber attacks continues to increase, consumers may start to expect that all corporations are inherently vulnerable. If that's the case, then the strength of a large company's cybersecurity defenses may not have a noticeable effect on buying decisions. 

Smaller companies, on the other hand, need to be more wary and implement excellent measures to mitigate cybersecurity risk. If a company's revenue stream is limited, its ability to absorb the financial impact of these sorts of vulnerabilities is considerably restricted. Moreover, a smaller company may suffer more if a certain percentage of its customer base stops using its services or products -- especially if those customers happen to be from the highest-spending tier. The bright side of smaller companies like community banks, however, is that cybersecurity is typically stronger, as they aren’t on the front pages of newspapers and they are more in tune with their data points, exposures and environment. In many cases, smaller companies have actually implemented more best practices than other industries because of the inherent regulatory process.


The best way to protect your company is to do a thorough audit of your network and restrict perimeter connections as much as possible. Although this can be a consuming process, the benefits to your business are immeasurable. If you're not sure where to start, getting advice from an experienced IT security consulting professional may be a great first step.

What are your thoughts on the recent wave of cybersecurity breaches and their impact on companies? Share your perspective in the comments below. Also, feel free to download our free eBook for more information on reducing cybersecurity risk in your institution.

How to Outsmart a Hacker

Posted by Gaye Connell • May. 12, 2015 • 0 Comments

Every time new IT security solutions are devised, hackers find new ways to break into systems. Traditional cryptographic and protocol approaches to security are no longer providing companies with sufficient protection. This is evident in the frequency of recent data breaches. It is also clear that consumers are routinely given a lot of outdated and inadequate advice. 

Although it's true that long and unique passwords can provide a certain amount of protection, as can updating your local software and installing secure firewalls and anti-virus programs, there is still much more you can do to fend off hackers.


Always Assume You Are Vulnerable

Assuming you are vulnerable to hackers keeps you on your toes. Companies can’t realistically prevent every employee from clicking on email attachments or opening legitimate-looking files sent with the intention of phishing. Without this type of control, companies have to assume a certain amount of vulnerability. This doesn't mean your system can or will be hacked, but you should take an active role in keeping your data as safe as possible. 


Don't Focus on Secrecy

Don’t put all of your focus on keeping your data secret. Even tightly guarded secrets are hard to keep. It is much safer to make stolen information useless to the hacker. By encoding or encrypting stored data, even with more than one layer of encryption, you make it harder to abuse the information collected. When you focus more on making the information difficult to misuse instead of keeping it secret, it matters far less who has access to your data.

Keep in mind that at some point the human element could take over. This could be an innocent mistake or a misunderstanding, but it could happen. Be prepared for this situation by continually training and educating your staff on company IT policies and security protocol. Every person in your organization needs to play their part in ensuring the security of company data.


Use Advanced Security Methods

Advanced security methods can be surprisingly simple to implement, but if you have any trouble putting these methods in place, get help. The team of experts at information security companies can train you and your employees to implement advanced security methods, or install them for you.

Although all of your confidential data is important, the most sensitive information and programs should always use two-factor authentication. Also, look at how software accounts and employee accounts are linked. Consider having a penetration test or a vulnerability assessment to ensure some savvy hacker isn't able to use unidentified vulnerabilities within your external and/or internal network as a back door into your data.


Most importantly, train employees, clients, and customers in understanding what sensitive or important information is. That way they have a better understanding of what not to disclose. Please feel free to contact us for more information about how to outsmart a hacker and stay secure! Also, check out our free webinar on how to protect your company against social engineering!

3 Innovative Security Strategy Tips for Healthcare Organizations

Posted by Gaye Connell • May. 5, 2015 • 0 Comments

As you can see from recent security breaches, any organization can fall victim to a hacker. Keeping sensitive information safe takes careful planning and constant updating. You need to assess your organization's risk level and use the latest encryption technology to store data and transfer data among various facilities. Healthcare organizations are as vulnerable to hackers as any other company. IT security solutions can minimize these risks and keep your sensitive data safe from potential hackers.


1. Be Prepared for Upcoming Audits

Recent updates to HIPAA Rules, which are designed to protect the privacy of individuals, include a mandatory audit. Familiarize yourself with what an audit entails so that you can present the information required. Generally, these audits will include the records of everyone involved with your organization such as medical billing companies, software vendors, and other business associates. Make sure your records are accurate and up-to-date.

Ensure you are properly prepared for a compliance audit at all times by establishing and assessing the policies and procedures required. This includes having a well thought out incident response plan. Healthcare organizations need a comprehensive incident response plan in place to avoid accidents like misplaced private data, which could lead to security breaches. 


2. Assess Your Security Risk

Assess your security risk by analyzing what has been done within your healthcare organization so far. Determine how and where data has been stored, shared, and transferred. Also, find out how the system is set up. Once you understand the system and how it works, you will be able to identify existing and potential holes in security, and fix them before they become a problem. 

If this sounds too overwhelming, contact Garland Heart for advice and assistance with strategic security consulting. An experienced IT consultant can help assess potential risks and find simple solutions to plug any holes.


3. Utilize Security Services and Technology Used for Encryption

Private healthcare information might be shared with medical researchers, pharmacies, and other healthcare organizations. By sharing information, patients can have prescriptions filled or renewed at different pharmacies, researchers can monitor the effectiveness of treatments, and other healthcare organizations can access a patient's records to check for allergies or underlying medical conditions. Although the practice of sharing information is beneficial to the patient, it should be limited to as few outside parties as possible.

With the implementation of each new healthcare technology, it’s important for you to reassess security policies. This includes how information is encrypted, where it is stored, and how it is transferred to outside parties. Optimize your security services to identify risks and protect electronic health information.

Feel free to contact us for more information, advice, or cybersecurity solutions! To learn more about different types of information security, check out our free webinar on social engineering.

Maintaining Security in the Era of Digital Currency

Posted by Gaye Connell • Apr. 28, 2015 • 0 Comments

Digital currency services allow for low-cost and efficient money transfers through highly secure channels. This technology helps transform the way people make online purchases, share money, and conduct e-commerce. Although you can take advantage of numerous benefits, it is still important to protect yourself and your business. The following article will inform you of digital currency service developments and how to utilize this technology in the safest manner.

Digital Currency Platforms Gaining in Popularity

Services like Venmo, Paypal, and Facebook have expanded the popularity of digital currency transfers and led to their widespread use. This technology offers you the following:

  • No merchant fees, helping to increase a company’s bottom line
  • No intermediaries, which means there are fewer chances for fraud
  • No disclosure of personal financial data at time of purchase, making it safer for you to use

It is important, however, to know the difference between the currency transferred via those popularized services and the currency of Bitcoin. Bitcoin is a digital crypto-currency whose value is determined by how much people are willing to use it, similar to many currencies in the real world. But unlike currencies exchanged using Paypal and Venmo, it is unregulated by a central bank.


Understanding the Benefits Versus the Risks

Digital currency transfers have evolved into a highly secure method for your online business transactions. At the March 2015 Florida International Bankers Association’s Anti-Money Laundering Compliance Conference, Gene Truono, chief compliance officer at PayPal, noted that digital currency is similar to paying with cash. He explained that while there are risks to you with this transaction form, these risks are comparable to the ones associated with any currency.

Furthermore, digital money transfers allow for anonymity, timeliness, and extremely low costs, making them an attractive option for your cross-border commerce.

However, risks are inevitable, particularly in the online black marketplace. While most digital currency security breaches involve Bitcoin, such as the recent $20 million heist that accompanied the drug marketplace Evolution Market’s exit from the darknet, conscious consideration of risk is necessary with any digital currency transfer.

At TechMecca, an annual financial institution technology conference and expo in Dallas, several keynote speakers explained risks involved with digital currency and the potential downfalls of digital exchange tools. Despite the benefits, these services can take away revenue from traditional banks and move them further away from their customers.


Be Smart and Stay Secure

The first step to ensuring your security is to keep your money offline. This step basically means turning off your device when not in use and storing your digital currency apps in a password-protected hard drive. This is the equivalent of not leaving your money hanging out of your wallet or purse, and it helps add a layer of security.

When using digital money transfer services, keep your login credentials and passwords secure and complex. Select difficult-to-guess passwords, and make each password unique for each service you use.

Furthermore, it is important to ensure that news reports and skeptics don’t deter you from experiencing the benefits of digital currency. These services are well-established, and they continue to provide convenient and low-cost transaction methods for millions of people and businesses worldwide. Keep your wits about you, and treat digital currency the same way you treat any other currency. This focus will ensure you continue to have a positive experience with digital currency transactions.

Digital currency technology is expected to advance further, opening up opportunities to make purchases from mobile phones, personal computers, and even tech wearable devices like smart watches. Businesses and individuals, embracing this technology as it develops, will be poised to gain from these advances in the future.

If you have any questions or would like to know more about secure digital currency, please feel free to contact us -- we would love to chat with you. 
