Keeping an Eye On Risk - Current Concerns and Supervisory Oversight

In this presentation, you will:
- Gain an understanding of leading edge risk management practices for credit unions.
- Gain insight on the Board's and Supervisory Committee's role in the internal control structure.
- Recognize areas of potential weakness in the organization.
- Gain an understanding of the regulatory environment and its impact on risk management.


  1. Keeping an Eye On Risk: Current Concerns and Supervisory Oversight. Tony Coble, CPA; Kyle Konopasek, CIA. CBIZ MHM, LLC – Kansas City
  2. Presenters: • Tony Coble, CPA, Managing Director – CBIZ MHM, LLC; Shareholder, Mayer Hoffman McCann P.C.; 11440 Tomahawk Creek Parkway, Leawood, KS 66211; Direct: (913) 234-1031; Email: • Kyle Konopasek, CIA, CICA, Manager – CBIZ MHM, LLC; 11440 Tomahawk Creek Parkway, Leawood, KS 66211; Direct: (913) 234-1020; Email:
  3. About CBIZ and Mayer Hoffman McCann P.C.: With offices in major cities throughout the United States, CBIZ is one of the nation's leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.
  4. Topics to include: • Information Security – Social Engineering Audit; Security Awareness Program • Interest Rate Risk Management/Model Validation • Vendor Management Best Practices
  5. Learning objectives: • Gain an understanding of leading edge risk management practices for credit unions. • Gain insight on the Board's and Supervisory Committee's role in the internal control structure. • Recognize areas of potential weakness in the organization. • Gain an understanding of the regulatory environment and its impact on risk management.
  6. Information Security Program
  7. Information Security Program – Defined: the written plan created and implemented by a credit union to identify and control risks to information and information systems, and to properly dispose of information.
  8. Information Security Program: • Should address security guidelines safeguarding the confidentiality and security of information and its proper disposal. • Should address privacy rules limiting the credit union's disclosure of nonpublic personal information to unaffiliated third parties.
  9. Board and Supervisory Committee Responsibilities: • Ensure that the information security program is developed, implemented, and maintained. • Approve the information security program. • Oversee the implementation and maintenance of the program.
  10. The Regulatory Scene: Important security regulations and industry standards: – Gramm-Leach-Bliley Act (GLBA) – Fair and Accurate Credit Transactions Act (FACTA) – Payment Card Industry Data Security Standard (PCI DSS)
  11. Gramm-Leach-Bliley Act (GLBA) requirements: – Implementing and maintaining a comprehensive information security program – Assessing and evaluating threats – Implementing controls commensurate with the associated risks – “Pretexting protection”, which includes safeguards against social engineering attacks – Oversight of service providers – Board of Directors involvement and approval
  12. Fair and Accurate Credit Transactions Act (FACTA): FACTA targets the growing problem of identity theft. The Red Flags Rules require: – Ongoing and comprehensive risk assessments to identify covered accounts and related threats – Based on the risk assessment, a comprehensive identity theft program – Formal change-of-address procedures – Employee training – Development of specific policies, procedures and practices to combat identity theft – Oversight of third-party providers
  13. Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a contractual industry standard, not a regulation. One of the requirements for PCI DSS compliance: – Perform external and internal penetration tests at least once a year and after any significant infrastructure or application upgrade.
  15. Social Engineering as a tool: • Social engineering testing is strongly encouraged under GLBA, as it exercises the safeguards against pretexting that the Act requires. • Social engineering testing also serves as an exceptional tool to counter identity theft.
  16. What is Social Engineering? Manipulating people into doing something, rather than breaking in by technical means.
  17. What is social engineering? • The attacker uses human interaction to obtain or compromise information. • The attacker may appear unassuming or respectable. – Pretends to be a new employee, repairman, utility provider, etc. – May even offer credentials.
  18. What is social engineering? • By asking questions, the attacker may piece together enough information to infiltrate an organization's network. – May attempt to get information from many sources.
  19. Types of social engineering: • Quid Pro Quo – something for something. • Phishing – fraudulently obtaining private information. • Baiting – a real-world Trojan horse. • Pretexting – an invented scenario. • Diversion Theft – lying and convincing others of a false truth: a con.
  20. Quid Pro Quo: • Something for something. – Call random phone numbers at an organization claiming to be from technical support. – Eventually you will reach someone with a legitimate problem. – Grateful you called, they will follow your instructions. – The attacker “helps” the user, but really has the victim type commands that allow the attacker to install malware.
  21. Phishing: • Fraudulently obtaining private information. – Send an email that looks like it came from a legitimate business. – Request verification of information and warn of some consequence if it is not provided. – Usually contains a link to a fraudulent web page that looks legitimate. • Example: “Update your login information for the new HR portal.” – The user gives the information to the social engineer/attacker.
  22. Phishing – continued: • Spear phishing – targeted phishing that includes your name or demographic information. • Vishing – phone phishing; may be a voice system asking for a call back.
  23. Phishing – continued: • Real example – Obtain the email addresses of many employees in the target organization, including key individual targets such as the Controller, Staff Accountant, Executive Assistant, etc. – Develop a website to “change password” or “set up new account” for a human resources vacation request system. • Actual organization website is “Western States Credit Union”. • Link to the attacker's website is “Western States Credlt Union” (a lowercase L in place of the i, which is easy to miss in a rendered link). – Email the website link to the obtained email addresses.
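The “Credlt” substitution on this slide is the kind of lookalike that a mail gateway or a triage script can catch mechanically before a user ever sees the link. The following is an added example, not code from the presentation or from CBIZ: it collapses visually confusable characters into a canonical “skeleton”, embeds a brand check and an edit-distance check, and classifies every link host found in an email body. The protected domain name, the confusable tables, the thresholds and the sample email are all assumptions constructed for illustration.

```python
"""Lookalike-domain check for phishing triage (added example; not from the presentation).

Assumptions: the protected domain, the confusable tables and the thresholds are
illustrative. Public-suffix handling is naive (it takes the label left of the TLD),
so names under multi-part suffixes such as .co.uk need a real public-suffix list.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Hypothetical domain for the "Western States Credit Union" named on the slide.
PROTECTED = {"westernstatescreditunion.com"}
MAX_DISTANCE = 2  # assumed: an edit distance at or below this is treated as a lookalike

# Visually confusable characters collapsed to one representative (assumed table).
CHAR_CLASS = {"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s",
              "$": "s", "8": "b", "9": "g", "2": "z"}
PAIR_CLASS = {"rn": "m", "vv": "w", "cl": "d"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.'."""
    h = host.strip().lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def registrable_label(host: str) -> str:
    """Label left of the TLD: 'login.example.com' -> 'example' (naive, see module note)."""
    parts = normalize_host(host).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label: str) -> str:
    """Canonical form in which 'Credit' and 'Credlt' collide."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for pair, rep in PAIR_CLASS.items():
        s = s.replace(pair, rep)
    return "".join(CHAR_CLASS.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, protected=PROTECTED, max_distance=MAX_DISTANCE):
    """Return ('legitimate'|'lookalike'|'unrelated', matched protected domain or None)."""
    h = normalize_host(host)
    if h in protected:
        return "legitimate", h
    label = registrable_label(h)
    for good in protected:
        good_label = registrable_label(good)
        if (skeleton(label) == skeleton(good_label)                 # homoglyph swap (Credlt)
                or good_label in label                                # brand embedded: brand-hr.com
                or levenshtein(label, good_label) <= max_distance):   # typo-squat
            return "lookalike", good
    return "unrelated", None


def scan_text(text: str):
    """Classify the host of every http(s) link found in an email body."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            results.append((host, classify(host)[0]))
    return results


# Constructed sample email modelled on the slide's HR-portal pretext.
SAMPLE_EMAIL = """Subject: Action required: set up your vacation request account
Please set your password at https://hr.westernstatescredltunion.com/setup before Friday.
Policy reference: https://www.westernstatescreditunion.com/policies
"""

if __name__ == "__main__":
    for host, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:11} {host}")
```

Running the file classifies the first link as a lookalike and the second as legitimate. The skeleton step only maps Latin-looking ASCII confusables; Cyrillic or other non-Latin homographs are dropped by the ASCII step rather than mapped, so they are caught only by the edit-distance rule. Treat this as a first-pass filter to pair with a public-suffix list and an inventory of the institution's own domains.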
  24. Baiting: • A real-world Trojan horse. – Uses physical media. – Relies on the greed and/or curiosity of the target/victim. – The attacker leaves a malware-infected CD or USB thumb drive in an obvious location so that it is easily found. – The attacker uses an intriguing or curious label to gain interest. • Example: “Employee Salaries and Bonuses 2014” – A curious employee uses the media and unknowingly installs malware.
  25. Pretexting: • An invented scenario. – Involves prior research and a setup used to establish legitimacy. • Gets the target to give information that they would normally not divulge. – This technique is used to impersonate and imitate authority. • Uses prepared answers to the target's questions. • Other useful information is gathered for future attacks. • Example: “VP of Facilities” visiting a branch.
  26. Pretexting – continued: – Impersonations that are illegal even from an authorized inside-testing perspective: • Law enforcement • Fire department • Military/government official
  27. Pretexting – continued: • Real example – Telecom provider
  28. Pretexting – continued: • Real example – Pose as a major telecom provider. – Props: • rented white van with magnetic logo • logo polo shirts and hats • business cards • work order • ID badge. – Enter the credit union branch and ask to inspect the “roving telecom adapter” because the units have been recalled.
  29. Diversion Theft: • A con. – Persuade a delivery person that the delivery has been requested elsewhere. • When the delivery is redirected, the attacker persuades the delivery driver to unload near a desired address. • Example: the attacker parks a “security vehicle” in a bank parking lot. The target attempts to deposit money in the night drop or ATM but is told by the attacker that it is out of order. The target then gives the money to the attacker for deposit and safekeeping.
  30. Dumpster diving: • Scavenging key bits of information from many documents put out in the trash. – Literally involves getting into a dumpster during off-peak hours and looking for information. – Janitorial crews could be involved. Are they bonded? • Document shredders are not always the answer: – vertical (strip) cut, cross cut, micro cut, and security cut differ greatly in how easily the output can be reassembled.
  31. Weakest Link? • No matter how robust an organization's: – firewalls – intrusion detection systems – anti-virus/anti-malware software – other technological and physical safeguards • the human is always the weakest link when dealing with security and protecting valuable information. • Knowledge is power. – People sometimes want others to “know what they know” to demonstrate importance.
  32. How to prevent social engineering? • Training – user awareness. • The user knows that giving out certain information is bad. • Policies – employees are not allowed to divulge information. – Prevents employees from being socially pressured or tricked. – Policies MUST be enforced to be effective.
  33. How to prevent social engineering? • Every organization must decide what information is sensitive and should not be shared. • Password management. • Physical security. • Network defenses can only repel technical attacks: – virus protection – email attachment scanning – firewalls, etc. • Security must be tested periodically.
  34. How to prevent social engineering? • Third-party testing. – Hire a third party to attempt to attack targeted areas of the organization. – Have the third party attempt to acquire information from employees using social engineering techniques. – A learning tool for the organization, not a punishment for employees.
  36. What is security awareness? • Security awareness reflects an organization's mindset or attitude toward protecting its physical and intellectual assets. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program.
  37. Security awareness success: • What elements reflect the overall strength of an organization's security culture? – What causes a security awareness program to fail? – What comprises a successful security awareness program? • Even the best technical security efforts will fail if the organization has a weak security culture.
  38. Why do security awareness programs fail? 1) Not understanding what security awareness really is. – There is a major difference between security awareness and security training. • Watching an online video about security awareness is training. – The primary goal of security awareness is to change behavior. 2) Reliance on checking the box. – Assuming that satisfying compliance standards equates to strong security awareness, or even that security exists. • Compliance merely proves that the minimum standards have been met. • Standards are vague and difficult to measure. – EXAMPLE: “A security awareness program must be in place.”
  39. Why do security awareness programs fail? 3) Failing to acknowledge that security awareness is a unique discipline. – Who is responsible for the function? – Does the person have the knowledge, skills, and abilities? – Does the person have soft skills such as strong communication and marketing ability? • Initial efforts to implement security awareness and to effect change over time require such skills.
  40. Why do security awareness programs fail? 4) Lack of engaging and appropriate materials. – Annual computer-based training is not enough. – It is critical that multiple versions or styles of security awareness materials be implemented. • Ensure the materials are appropriate to the organization based on industry and employee demographics. • Younger employees respond better to blogs and Twitter feeds, while older employees prefer traditional materials like posters and newsletters.
  41. Why do security awareness programs fail? 5) Not collecting metrics. – Without metrics, there is no way to determine if security awareness goals are being met. • Are we wasting money or providing value? • What is working and what is not? • Are our losses decreasing? – Collecting metrics on a regular basis allows for adjustments. – Measure the impact on the organization.
  42. Why do security awareness programs fail? 5) Not collecting metrics (continued). – Example metrics include: • Number of people who fall victim to a phishing attack. • Number of employees who understand and follow security policies. • Number of employees securing their desk environment at the end of the day. • Number of employees using strong passwords. • Number of employees who understand, follow, and enforce policies for restricted access to facilities. • Who has or has not completed annual security awareness training. • Types of reinforcement training, whom it is communicated to, and how often.
  43. Why do security awareness programs fail? 6) Unreasonable expectations. – No security countermeasure will ever succeed at mitigating all incidents. 7) Relying upon a single training exercise. – Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack through the ignored approaches.
  44. Keys to security awareness success: 1) C-suite support. – Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments. – Obtaining strong support from top-level management is the first priority. • Consider materials designed specifically for executives: newsletters and brief articles that highlight relevant news and information.
  45. Keys to security awareness success: 2) Partnering with key departments. – Get other departments involved in the program that might provide additional resources toward program success. • Human resources, legal, compliance, marketing, etc. • Consider the needs of these other departments and incorporate them into the overall security awareness approach. 3) Creativity. – Small budgets for security awareness are common; however, creativity and enthusiasm can bridge the gap created by a small budget.
  46. Keys to security awareness success: 4) Metrics. – Prove that the security awareness program effort is successful: utilize metrics. 5) Explanation and transparency. – Focus on how to accomplish specific actions through clear explanation. – Instead of telling people not to do certain things, explain how they can do those things safely.
  47. Keys to security awareness success: 6) 90-day plans. – Many programs follow a one-year plan with one topic covered monthly. • This does not reinforce knowledge and does not permit feedback or consider ongoing events. – A 90-day plan is most effective, as it permits re-evaluation of the program and its goals more regularly. • Focus on three topics simultaneously and reinforce them during the 90 days. • Can be easily adjusted to address current and key issues.
  48. Keys to security awareness success: 7) Multimodal awareness materials. – Utilize multiple forms of security awareness materials: • Newsletters • Blogs • Newsfeeds • Phishing simulation • Games – Participative approaches have the most long-term success.
  49. Keys to security awareness success: 8) Incentivized security awareness programs. – Develop “Incentivized Awareness Programs”. – Focus on creating a reward structure that rewards people for exercising the desired behaviors. – This technique switches the entire awareness paradigm by encouraging employees to exhibit the desired behavior naturally rather than forcing them.
  50. Key take away: • Habits drive security culture, and no technology will ever make up for a poor security culture. • Awareness programs, when properly executed, provide knowledge that instills behavior.
  52. What is interest rate risk? • The potential loss from unexpected changes in interest rates, which can significantly impact profitability and the market value of equity.
  53. Interest rate risk in more detail: • The amount at risk is a function of the magnitude and direction of interest rate changes and the size and maturity structure of the mismatch position. • For a liability-sensitive institution (more liabilities than assets repricing in the near term), if interest rates rise, the cost of funds increases more rapidly than the yield on assets, thereby reducing net income. • If the exposure is not managed properly it can erode profitability.
  54. Managing interest rate risk: • A key element of managing interest rate risk is performing an independent validation of the modeling system. • Why? Financial market and economic conditions present significant risk management challenges to institutions of all sizes. • Resources: – Interagency Advisory on Interest Rate Risk Management, issued January 6, 2010. – Interagency Advisory on Interest Rate Risk Management Frequently Asked Questions, issued January 12, 2012.
  55. Model validation: • Models have long been a critical tool used by credit unions to manage the various risks they face. • Models need to be understood, not treated as a “black box”.
  56. Interest rate model validation: • Performing interest rate risk model validation is also a best practice. – It strengthens reliance on the model to make sound business decisions. – It addresses “model risk”, the possibility of adverse consequences from management decisions resulting from incorrect or improperly used model outputs. – It identifies weaknesses in: • data setups • inputs • behavior assumptions
  57. Performing a model validation: • Who should perform interest rate risk model validation procedures? – Consider expertise. – Consider experience. – Consider independence (the model vendor, or an advisor who sells the institution the instruments being modeled, cannot give an independent view of that model). • Candidates: internal audit; the ALM model vendor; a CPA firm/consulting firm; investment brokers/advisors; corporate credit unions.
  58. Key components of a validation: • Model input – data – assumptions • Model processing – mathematics and formulas/code – mechanics – theory • Model output/reports – model results – context of reports
  59. Model input: • Data and setup issues – data reconciles to the general ledger – market data – account attributes – contractual inputs
  60. Model input: Models typically receive automated feeds from many sources: – interest rate curves – cost of funds – balance sheet data
  61. Model input: Models also utilize infrequently updated or hardcoded values: – the credit union's unit costs – leverage targets
  62. Model input: • Assumptions – prepayments – non-maturity shares – price sensitivity – reinvestment rates – discount rates – economics: stresses to the portfolio
  63. Model input: • The testing of model inputs should regularly employ either specified or statistically determined “stressed” model input variables.
  64. Model input: • During times of stress, one does not want data that assumes market liquidity and an ample supply of buyers and sellers across all risk categories.
  65. Model processing: Validation should include: – software vendor supplied verifications – predictive analysis – benchmarking – back-testing
  66. Model processing: • Testing and validation should evaluate: – the conceptual soundness of the model – potential limitations in the model and its range of applicability – model effectiveness, both through back-testing and periodic reviews of model results.
  67. Model reports: • Are reports easy to understand? • Do reports make comparisons to policy limits? • Do reports meet regulatory guidelines/preferences?
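Slides 66 and 67 ask for back-testing and for reports that compare results to policy limits, and slide 53 states the relationship (magnitude and direction of the rate change times the size and timing of the mismatch) without showing it worked through. The following is an added example, not from the presentation or from any vendor ALM system: the simplest static, time-weighted repricing-gap model, with a shock report that flags policy-limit breaches and a back-test that flags predictions drifting away from observed outcomes. The balance-sheet buckets, shock sizes, base NII, policy limit, tolerance and the “observed” quarters are all constructed.

```python
"""Repricing-gap model: rate-shock projection, policy-limit check and back-test.

Added example; it is not from the presentation or from any vendor ALM model.
The balance-sheet buckets, shock sizes, policy limit, tolerance and the
"observed" outcomes are constructed. The method is the simplest static
time-weighted gap model: delta NII = gap x rate change x fraction of the
horizon still exposed after the bucket reprices.
"""
from dataclasses import dataclass

BP = 1e-4  # one basis point expressed as a rate


@dataclass(frozen=True)
class Bucket:
    name: str
    months_to_reprice: float  # bucket midpoint, in months
    assets: float             # rate-sensitive assets repricing in the bucket
    liabilities: float        # rate-sensitive liabilities repricing in the bucket


# Constructed balance sheet (thousands): long-dated loans funded by short money,
# i.e. a liability-sensitive position like the one described on slide 53.
BALANCE_SHEET = [
    Bucket("0-3m",   1.5, assets=20_000, liabilities=55_000),
    Bucket("3-12m",  7.5, assets=25_000, liabilities=30_000),
    Bucket("1-5y",  36.0, assets=60_000, liabilities=15_000),
    Bucket(">5y",   84.0, assets=45_000, liabilities=10_000),
]


def periodic_gaps(sheet):
    """Assets minus liabilities repricing in each bucket."""
    return {b.name: b.assets - b.liabilities for b in sheet}


def cumulative_gap(sheet, horizon_months=12):
    """Net repricing position inside the horizon; negative = liability-sensitive."""
    return sum(b.assets - b.liabilities for b in sheet if b.months_to_reprice <= horizon_months)


def nii_change(sheet, shock_bp, horizon_months=12):
    """Projected change in net interest income over the horizon for a parallel shock."""
    total = 0.0
    for b in sheet:
        if b.months_to_reprice <= horizon_months:
            exposed_years = (horizon_months - b.months_to_reprice) / 12
            total += (b.assets - b.liabilities) * shock_bp * BP * exposed_years
    return total


def shock_report(sheet, base_nii, shocks_bp=(-200, -100, 100, 200), limit_pct=12.0):
    """Rows an ALCO report would show: delta NII per shock and whether it sits inside the policy limit."""
    rows = []
    for s in shocks_bp:
        delta = nii_change(sheet, s)
        pct = 100.0 * delta / base_nii
        rows.append({"shock_bp": s, "delta_nii": round(delta, 1),
                     "pct_of_nii": round(pct, 1), "within_limit": abs(pct) <= limit_pct})
    return rows


def back_test(sheet, observations, tolerance=0.25):
    """Compare model predictions with realized outcomes.

    observations: (realized parallel shock in bp, observed delta NII) pairs.
    A relative error above `tolerance` flags an assumption (for example a
    non-maturity share beta) that no longer matches behaviour and needs review.
    """
    results = []
    for shock, observed in observations:
        predicted = nii_change(sheet, shock)
        rel_error = abs(observed - predicted) / max(abs(predicted), 1e-9)
        results.append({"shock_bp": shock, "predicted": round(predicted, 1), "observed": observed,
                        "rel_error": round(rel_error, 3), "pass": rel_error <= tolerance})
    return results


if __name__ == "__main__":
    print("periodic gaps:", periodic_gaps(BALANCE_SHEET))
    print("12m cumulative gap:", cumulative_gap(BALANCE_SHEET))
    for row in shock_report(BALANCE_SHEET, base_nii=4_500):
        print(row)
    # Constructed "actual" quarters: the second one drifts well away from the model.
    for row in back_test(BALANCE_SHEET, [(100, -290.0), (50, -250.0)]):
        print(row)
```

With the constructed sheet the 12-month cumulative gap is negative, so a +200 bp shock cuts projected NII by about 14% of the base, outside the assumed 12% policy limit, while the ±100 bp shocks stay inside it. The back-test passes the first quarter and fails the second: a realized +50 bp move produced a loss half again larger than the model predicted, which is exactly the signal that the input assumptions on slide 62 need re-examination. A production validation would replace the static gap with the vendor model's own output and run the same limit and back-test comparisons against it.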
  68. Model reports: • Models must capture the complexity of the institution and the phenomena they are meant to simulate. • Credit unions must have the information necessary to know, monitor, and govern the models used.
  69. Model adequacy: • Does the model meet the business needs and regulatory requirements of the financial institution? • Is the model capable of institution-specific modeling? • Can it model the financial institution's balance sheet instruments?
  70. Model control and governance: • Is the model operated within a strong control environment? – Documented user procedures and processes. – Is user training and cross-training adequate and documented? • Does the model satisfy governance needs? – ALCO policy – ALCO limits – ALCO meetings with minutes
  71. Model validation frequency: • No regulatory standard exists for how frequently an interest rate risk model should be validated. – Interagency guidance suggests annually. – At least as often, and on the same cycle, as regulatory examinations. • It depends on the size and risk of the financial institution. – What is the complexity of the ALM environment? – What is the risk appetite and risk tolerance of executive management? • Industry best practice suggests every 3 years by a third-party vendor, supplemented with internal testing annually.
  73. Vendor selection: • The vendor management process begins by selecting the right vendor for the right reasons. • The vendor selection process can be a very complicated and emotional undertaking if you don't know how to approach it from the very start. • You will need to analyze your business requirements, search for prospective vendors, lead the team in selecting the winning vendor, and successfully negotiate a contract while avoiding contract negotiation mistakes.
  74. Scrutinize the prospects: • Don't get blinded by the “glitz and sizzle” that some vendors project. • A large sales force and many specialty consultants do not equate to a strong vendor; they may not be there after the contract is signed. • Ask all your questions. – Is the outsourced area within the vendor's expertise?
  75. Remain flexible: • Be wary of restrictive or exclusive relationships. – Limitations with other vendors or with future customers. • Do not accept a contract with severe penalties for what are small incidents. • Do not accept long-term contracts. – Short-term contracts with option periods are more appropriate. • Consider the vendor's needs. – A small and insignificant issue to you may be very important to the vendor. • Overall, show good faith and willingness to work together.
  76. Monitor performance: • Once the vendor relationship has commenced, don't assume all will go according to plan. • The vendor's performance must be monitored constantly at the start. – Monitoring should include the requirements most critical to the business: • quality of service, order of completion, response time, etc.
  77. Communicate constantly: • Communicate. • Communicate. • Communicate. • Establish a well-maintained line of communication. – Avoid misunderstandings. – Proactively address issues before they become problems.
  78. Vendor management program components: • Having a vendor management program in place will greatly enhance the vendor relationship and protect the business. – Vendor management policy approved by the board of directors. – Define what constitutes a critical vendor. – Establish a vendor risk assessment process. – Establish regular vendor review procedures. • Vendor SOC reports on file are current (SOC 1 reports replaced SAS 70 reports and cover controls over financial reporting; SOC 2 reports cover security, availability and confidentiality controls, so request the type that matches the service the vendor provides).
  79. Questions?