Changes to Watch For in 2022 Christy Thomas, CPA, CISA, CDPSE, Senior IT Auditor/Regional Director, SBS CyberSecurity CYBERATTACKS NO LONGER JUST IMPACT THE TARGETED organization but often have a ripple effect that harms partners, service providers, customers, and others. As data breaches trend up, organizations will be forced to spend more money to recover and ensure they have the appropriate solutions in place to prevent attacks without disrupting normal business. The role of the information security officer (ISO) is more important than ever when it comes to ensuring organizations are taking every precaution to avoid becoming victims. The following topics should be considered by all financial institutions as part of reviewing the Information Security Program and implemented as deemed necessary. Bank Protection Act of 1968 With the transition to remote audits and exams, an emphasis on the Bank Protection Act of 1968 has been incorporated into IT audits to ensure the organization is adequately managing and monitoring physical security in alignment with regulation and risk. Physical in-person security checks can be a struggle with the trend of remote audits by external auditors and examiners. Typically, videos or photos are used to examine physical security as part of the audit. As an additional step, a security officer should be officially named to ensure all requirements of a thorough physical security program are implemented, including an annual report to the board of directors. FFIEC Updated Guidance The FFIEC released updated guidance in August 2021 regarding authentication and access measures, which included bullet points of emphasis on customer awareness and education programs. Institutions should be making improvements and adjustments accordingly. An emphasis on specific policies will be incorporated into audits as well. A customer awareness program should include any cash management customers, specifically ACH originators and merchant remote deposit customers, and the ability to ensure they are aware of security protocols and abide by the expectations set forth in the respective agreements. New/Updated Policies The following policies should be documented within an Information Security Program, and some have become formal recommendations by examiners and regulators within the last 12 months. • Imaging Policy: Address the storage of critical documents to ensure readability and accuracy, responsibility, procedure, and disposal of original documents. • ATM/Debit Card Management Policy: Include policy and procedures to address the following: application process, employees authorized to order/ issue cards, card activation procedures, PIN change procedures, receipt of returned PIN mailers, receipt TECH TALK NEBANKERS.ORG 20
RkJQdWJsaXNoZXIy ODQxMjUw