The document discusses how regulatory and technological changes are increasing pressures on financial institutions to improve security. The new regulations eliminate specific security requirements and place greater responsibility on institutions to develop their own security programs tailored to their needs. This represents a shift away from prescriptive rules towards giving institutions more flexibility but also more responsibility. Security roles are becoming more complex and important given new technologies, growing liability risks, and stricter regulatory scrutiny of security compliance.
The case for a Cybersecurity Expert on the Board of an SEC firm by David Sweigert
This document discusses cybersecurity risks that boards of directors need to address. It notes that 48% of directors cited data security as their top concern in a recent study, up from 25% in 2008. The document recommends that boards oversee management's efforts to mitigate cyber threats, assess risks, and devote adequate resources. It emphasizes that boards should communicate the importance of cybersecurity to management and create a culture that views it as a responsibility. While technical issues may be daunting, boards are not expected to be experts and should rely on management and consultants for advice.
To Be Great Enterprise Risk Managers, CISOs Need to Be Great Collaborators by Elizabeth Dimit
Blog post discussing why CISOs need to collaborate with privacy, legal, and product teams to effectively identify and mitigate risk in their organization.
Shaping Your Future in Banking Cybersecurity by Dawn Yankeelov
Designed for bankers, this cybersecurity policy presentation given via partnership with the BSG Financial Group explains where the industry should pay attention and what is next. It was presented on Jan. 24, 2017.
Cyber risk represents both risk and opportunity for insurance companies. While cyberattacks can result in multi-billion dollar losses, there is growing demand from companies for cyber insurance coverage. Actuaries can help develop sustainable cyber insurance products by analyzing available breach data, determining appropriate policy terms, and encouraging policyholders to strengthen cybersecurity. Offering generous policy limits alongside strict security requirements and high deductibles allows insurers to expand in this area while properly managing risk. The increasing need for cyber coverage represents a chance for actuaries to add value and for insurers to generate new revenue streams.
The document discusses how cybersecurity risks have become a major topic of discussion at high levels of organizations due to a combination of forces over the past decade. Sophisticated attackers now outpace security controls, and data breach disclosure laws have led to extensive media coverage of cyber attacks. This has increased pressure on boards of directors to oversee cybersecurity risks. Several case studies of large companies that suffered data breaches like Sony, Target, and TJX are presented to show how cyber attacks can significantly impact businesses but typically do not cause their downfall.
This document discusses cybersecurity risks and challenges for banks. It notes that banks hold sensitive financial and customer data, making them attractive targets for sophisticated cyber attacks seeking monetary rewards. The document outlines key cybersecurity issues banks face such as regulatory compliance pressures, consumerization trends, emerging attack types like APTs, and the sophistication of threats. It provides examples of past attacks on banks and discusses security challenges from e-banking, mobile banking, outsourcing, and PSD2 regulations. The document advocates for strategies like threat intelligence, compliance with standards like PCI DSS and ISO 27001, and information security maturity to help banks mitigate cybersecurity risks.
Improving Cyber Security Literacy in Boards & Executives by Tripwire
In response to the rapidly evolving threat landscape, Boards of Directors (BoDs) and executives are now more aware of today’s cyber threats and how they might adversely affect their business. However, most executives are nonetheless limited in their knowledge of security and do not know what to ask their security teams.
It is therefore up to security professionals to help their executives become more cyber security literate and thereby assist in framing security considerations as an integral part of any risk/opportunity discussion, as well as a wider enterprise risk management strategy.
Acknowledging this responsibility on the part of information security personnel, Tripwire has asked a number of prominent experts in the field how security teams can improve their executives’ cyber security literacy.
A CIRO's-eye view of Digital Risk Management by Daren Dunkel
The document discusses an interview with James Christiansen, VP of Information Risk Management for Optiv Security, which was formed from the merger of Accuvant and Fishnet Security. Christiansen discusses how the role of CISO is changing to focus more broadly on information risk management (CIRO). He emphasizes the importance of aligning cybersecurity spending with business objectives and risk exposure. In an ideal security program, there would be clear governance, reporting to the executive team, and balance between protective measures, visibility, and incident response capabilities. The document ends by discussing questions boards should ask executives about cybersecurity risks and oversight of the security program.
This document provides guidance for investment fund managers on developing a cybersecurity action plan and program. It discusses the current cybersecurity risks and regulatory landscape, highlighting that regulators expect firms to have cybersecurity programs in place. It notes that employees can pose risks if not properly trained, as they may fall victim to phishing or share sensitive information unintentionally. The document recommends that firms implement training programs for employees, establish clear security policies and plans, and ensure management prioritizes cybersecurity culture. It also suggests protecting against potential insider threats from disgruntled employees.
This presentation examines to what extent cyber-insurance can be a useful tool for managing the risks and harms caused by massive cyber-attacks from a national, as opposed to an enterprise, standpoint.
Cybersecurity risks affect all senior executives in an organization. While the CEO may want to delegate cybersecurity to the CTO, effective programs require input from multiple stakeholders. A comprehensive understanding of technical, financial, and regulatory risks is needed to develop an appropriate strategy. Regular communication to the CEO should focus on trends, risks, and major incidents rather than technical details. Quantifying potential financial losses from data breaches can help obtain support for necessary security investments.
Managed Security For A Not So Secure World Wp090991 by Erik Ginalick
This white paper discusses the need for managed security services given the growing threat landscape and constrained IT budgets. It notes that good security requires continual monitoring and adaptation to new threats. Compliance with regulations is also difficult given shrinking resources. Outsourcing security to an expert provider allows organizations to focus on core operations while gaining access to skilled professionals, comprehensive solutions, and expertise in managing security risks. The white paper concludes that a managed security strategy can help reduce costs and ensure compliance while allowing IT staff to focus on business needs.
This document discusses trends in government suspension and debarment actions. It notes that while federal procurement spending has declined in recent years, government enforcement actions like False Claims Act recoveries have increased. Suspension and debarment actions by the federal government have also sharply risen over the past few years, with a 260% increase in actions between 2009-2013 according to one report. The document examines factors driving this rise, like increased congressional and agency attention on suspension and debarment programs. It also profiles improvements to the suspension and debarment program at the Department of Homeland Security as one example.
Basics of insurance coverage and evolving issues surrounding cyber, data breaches, and a big picture overview of how it impacts businesses and the lawyers advising them.
This document summarizes an article from The Corporate Governance Advisor on tools for boards to oversee cybersecurity risk. It discusses the business impacts and litigation/regulatory risks of cyber attacks. It outlines how boards have an oversight duty to ensure proper information and reporting systems exist to manage cybersecurity risk. The document provides examples of cybersecurity disclosure from companies like Target and Home Depot. It discusses SEC guidance on cybersecurity disclosure and notes boards must exercise oversight in good faith to avoid liability for failures.
Cyber insurance provides coverage for losses from cyber incidents and security breaches. It helps manage cyber risks through risk sharing. However, the cyber insurance market is still immature with global losses from cyber incidents exceeding the total cyber insurance market. Key challenges include asymmetric information between insurers and clients, interdependent and correlated cyber risks, and limited reinsurance capacity due to lack of claims data and potential for simultaneous global attacks.
What Not-for-Profits Can Do To Prevent "Uninspired" Theft by CBIZ, Inc.
This presentation showcases the reasoning for and the importance of cybersecurity in the not-for-profit sector. Case studies reinforce the importance of being ahead of the curve when managing cyber risk.
White paper cyber risk appetite defining and understanding risk in the moder... by balejandre
Managing risk is a balancing act for organizations of all sizes and disciplines. While some organizations take on too much risk, others arguably do not take on enough. Complicating this equation is the emergence of cyber as one of the most impactful sources of risk in the modern enterprise.
EY - SEC Reporting update - Spotlight on cybersecurity disclosures by Julien Boucher
The document discusses guidance from the SEC on cybersecurity disclosures for public companies. The SEC chairman has signaled increased scrutiny of companies' disclosures around cyber risks and incidents. The guidance outlines factors companies should consider in disclosing cybersecurity risks, including in risk factors, MD&A discussions, and financial statement implications. Companies should provide details on cybersecurity programs, risks from suppliers, and describe any material incidents and related costs.
Sans 20 CSC: Connecting Security to the Business Mission by Tripwire
The document summarizes Katherine Brocklehurst's presentation at the 2013 SANS CSC Summit where she discussed the role and challenges of the Chief Information Security Officer (CISO). Some key points included that the CISO needs business experience and the ability to communicate security issues to executives in a way that shows relevance to the organization's mission. The presentation also discussed using metrics and dashboards to provide visibility into the organization's security posture and risks across different business units and technical platforms to report to various stakeholders.
The document is a research report that compares insurance protection for tangible versus intangible assets. Some key findings:
1) Information assets are valued slightly higher on average ($1.082 billion) than tangible property, plant, and equipment ($947 million) but have much lower insurance coverage (15% vs 59%).
2) The potential maximum loss from information assets being stolen or destroyed is estimated to be higher on average ($979 million) than potential losses from tangible assets ($770 million).
3) Despite higher risks and potential losses to information assets, companies are reluctant to purchase cyber insurance and many would not disclose material losses of information assets in financial statements like they would for tangible assets.
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous by Ethan S. Burger
Complacency in the face of evolving cybersecurity norms is hazardous. Executives and boards are often reluctant to adopt comprehensive cybersecurity policies due to costs and contradictory advice. However, failing to take action increases regulatory and legal risks. Cyberattacks are difficult to defend against and are becoming more sophisticated. Small and medium enterprises are particularly vulnerable targets but may underestimate threats due to limited resources. Government efforts to work with businesses on cybersecurity have been inconsistent, creating uncertainty around compliance. Cyberbreaches can result in significant litigation and liability for companies, especially as legal standards continue developing. Comprehensive and strategic planning is needed to address diverse cyberattack risks.
Cyber liability insurance provides protection against the risks associated with data breaches and loss of personally identifiable information. As property owners and managers collect large amounts of private data on residents, employees, and applicants, the costs of a cyber attack or data breach can be substantial. Cyber liability policies cover expenses like notification of affected individuals, credit monitoring, lawsuits, investigations, and loss of business resulting from attacks. While prevention is important through security measures and policies, the growing threat of cyber crime means companies should evaluate cyber liability insurance as part of their risk management strategy.
Aon has hired James Trainor, the former assistant director of the FBI's Cyber Division, to help clients avoid cyber attacks. Insurance broker Aon has also acquired cybersecurity specialist Stroz Friedberg to expand its cyber risk services. Australia faces one of the largest cybersecurity skills shortages globally according to a new report. SWIFT disclosed new hacking attacks on its member banks and is pressuring banks to improve security procedures.
Cyber attacks pose a serious risk for small to medium sized businesses as they are lucrative targets for hackers. While many believe cyber insurance is too expensive or unnecessary, the costs of a data breach can be devastating and easily exceed the relatively low premiums of a cyber insurance policy. The document provides an overview of common cyber attacks, costs of a breach, specifics of cyber insurance policies, and steps for creating a breach response plan to mitigate risks and reduce costs.
Understanding progress to date in Ireland's reform of its budgetary architect... by OECD Governance
Presentation by Fiachra Kennedy, Ireland, at the 11th annual meeting of the OECD Senior Budget Officials Performance and Results network, OECD, 26-27 November 2015.
This document provides instructions on the keyboard shortcuts for moving through a text document and performing actions such as moving the cursor one word or one line to the left or right, moving to the beginning or end of a line or paragraph, or moving between pages. It also contains the words "cerrar", "silla" and "levantar" repeated several times at the end.
Measuring performance: UK experience -- Simon Madden & Johannes Wolff, Unite... by OECD Governance
Presentation by Simon Madden and Johannes Wolff, United Kingdom, at the 11th annual meeting of the OECD Senior Budget Officials Performance and Results network, Paris, 26-27 November 2015.
This document discusses the concept of specialization in production and the law of comparative advantage. It provides examples showing that through specialization and exchange, both parties can benefit even if one party is better at both activities due to lower costs and increased output. The document emphasizes that focusing on areas of comparative advantage allows countries and individuals to gain from international trade.
Andrew Masterman, Policy Lead, Violence Strategy, NHS Protect
Andrew leads on national initiatives to help maintain a safe and secure environment for NHS staff, patients and visitors. Andrew works collaboratively with key stakeholders to prevent violence, and has advised the All Party Parliamentary Group on Preventing Work-related Violence. Andrew chairs a clinically led Expert Group for the Prevention of Clinically Related Challenging Behaviour and was responsible for overseeing the successful launch of the work programme "Meeting needs and reducing distress: the prevention and management of clinically related challenging behaviour in NHS settings".
Presentation Topic: 'The prevention and management of clinically related challenging behaviour in NHS settings.'
The government sector establishes and enforces rules regarding commerce and property rights. It regulates competition and the environment. The government also redistributes income, provides public goods that are non-excludable and non-rival in consumption, and manages the macro economy through monetary and fiscal policy.
1) Credit unions need to carefully measure the return on investment (ROI) of promotional campaigns, as they have little margin for error due to the costs involved. A promotional campaign that costs $5,000 but only generates $750,000 in new loans results in a loss unless it returns at least 67 basis points.
2) Credit unions on average spend a higher percentage of their assets on marketing than banks and savings institutions, around 10 basis points compared to 7 and 6 respectively. This is because credit unions rely more heavily on direct mail marketing.
3) To determine the ROI of a promotional campaign, the marketing director of a credit union uses a formula that calculates net interest income, total income, net income,
Thomas Bokemuller has over 20 years of experience in strategic marketing and brand development. He received a Masters in Business Administration from the University of Trier in Germany. He has held senior marketing roles with various companies in Namibia and now owns his own strategic brand and marketing consultancy called Mindbox.
This document discusses duty of water and delta in irrigation engineering. It defines duty of water as the area irrigated using 1 cumec of continuous water supply. Delta is defined as the total depth of water required by a crop in its base period. Duty is calculated using the formula D=8.64/B(days) * Δ(meters). Several factors that affect duty are discussed such as crop type, irrigation method, soil type, climate etc. Methods to improve duty include proper land preparation, lining canals to reduce seepage, using efficient irrigation methods, and training farmers in optimal water usage.
The West Bengal Apartment Ownership Act, 1972
ApartmentADDA is India's #1 Apartment Management and Apartment Accounting Software. All the guidelines and best practices of State Bye-Laws are inbuilt in the product.
Anton Zorin has over 6 years of experience developing enterprise applications and over 10 years developing C++ applications. He has a Master's degree in Informatics and Control Systems from Novosibirsk State Technical University. His technical skills include Java, C++, databases, algorithms, and development methodologies. He has worked at IBM Zurich Research Laboratory developing solutions for sales and prospecting using analytics.
Renata Limited is a leading pharmaceutical company in Bangladesh that manufactures medicines and exports products to multiple countries. It has over 3,485 employees. The document summarizes Renata's HR practices, including its recruitment and selection processes, training programs, and compensation package. Renata aims to attract and retain talented employees through competitive compensation and opportunities for career growth. While Renata has strong HR practices, the document notes that the company could improve by developing an internal training institute and enhancing its selection process with additional screening steps.
This deals with the application of the concepts, principles, theories and methods of developing nursing leaders and managers in the hospital and community-based settings.
The document summarizes a study on non-performing assets of top five private sector banks in India. It discusses the objectives of the study, which are to understand NPAs of these banks, study trends over five years, evaluate gross and net NPAs, determine factors affecting NPAs, analyze banks' financial performance at different NPA levels, and examine problems caused by NPAs. It also outlines the methodology, sources of primary and secondary data, and profiles of the five banks studied - HDFC, ICICI, Axis Bank, Kotak Mahindra Bank, and IndusInd Bank.
Apartment Management: The Andhra Pradesh Societies Registration Act, 2001ADDA
The Andhra Pradesh Societies Registration Act, 2001
ApartmentADDA is India's #1 Apartment Management and Apartment Accounting Software. All the best practices of State Bye-Laws are inbuilt in the product.
Los engranajes se utilizan para transmitir movimiento giratorio u otro tipo de movimiento entre partes de una máquina. Existen diferentes tipos de engranajes como los rectos, helicoidales, interiores o anulares y cónicos, que se usan para transmitir movimiento entre ejes paralelos o no paralelos. Los engranajes datan de épocas muy antiguas y han sido fundamentales para solucionar problemas de transporte y movimiento a lo largo de la historia.
The SEC is now requiring hedge fund managers to appoint a Chief Information Security Officer to oversee cybersecurity. This has prompted funds to search for candidates to fill this role. Potential candidates include the CTO, CRO, CCO, or outsourcing the work. However, the role requires expertise in technology, risk management, and compliance. Additionally, the person in the role may face personal liability if a breach occurs. As a result, funds are struggling with how to structure the position and provide appropriate resources and support.
A Look At Evolving Cybersecurity Policy for Financial Institutions 2021Dawn Yankeelov
Dawn Yankeelov, a cyber policy leader in Kentucky, speaks to the changing landscape for banking cybersecurity policy for a SecuretheVillage workgroup in the Summer of 2021.
Cybersecurity risks are increasing as cloud computing and IT usage grows. There is currently no single obligatory framework for cybersecurity disclosure. Existing frameworks provide some guidance but lack specificity and enforceability. This document analyzes existing disclosure guidelines and frameworks like NIST, HIPAA, and CF DG 2. It finds that most disclosures are boilerplate and that industries with frameworks have more disclosures. The recommendation is to transition to a rules-based framework developed jointly by regulators and firms to standardize disclosures and reduce information asymmetry for shareholders. An implementation plan proposes expanding NIST internationally and incorporating it into SEC rules over time.
This summary provides an overview of key points from the document:
1) Enforcement of HIPAA security standards was initially lacking when they took effect in 2005, with compliance being below 25%. However, high-profile breaches, clearer regulations, and penalties from the Obama administration have increased enforcement and compliance.
2) A recent example is CVS Caremark being fined $2.25 million and required to fulfill obligations over 20 years after exposing patient health records.
3) Health care organizations face challenges in information security due to the nature of aggregating complete patient health histories, as well as generally being behind other industries in adopting new technologies. Factors like securing necessary funding and gaining staff buy-in for security
crucet1crucet2crucet3crucet4crucet5crucet6crucet7crucet8crucet9crucet10crucet11crucet12
CHAPTER 3
Security Policies and Regulations
In this chapter you will
• Explore the different types of regulations associated with secure software
development
• Learn how security policies impact secure development practices
• Explore legal issues associated with intellectual property protection
• Examine the role of privacy and secure software
• Explore the standards associated with secure software development
• Examine security frameworks that impact secure development
• Learn the role of securing the acquisition lifecycle and its impact on secure
development
Regulations and Compliance
Regulations and compliance drive many activities in an enterprise. The primary
reason behind this is the simple fact that failure to comply with rules and
regulations can lead to direct, and in some cases substantial, financial penalties.
Compliance failures can carry additional costs, as in increased scrutiny, greater
regulation in the future, and bad publicity. Since software is a major driver of
many business processes, a CSSLP needs to understand the basis behind various
rules and regulations and how they affect the enterprise in the context of their
own development efforts. This enables decision making as part of the software
development process that is in concert with these issues and enables the
enterprise to remain compliant.
Much has been said about how compliance is not the same as security. In a
sense, this is true, for one can be compliant and still be insecure. When viewed
from a risk management point of view, security is an exercise in risk
management, and so are compliance and other hazards. Add it all together, and
you get an “all hazards” approach, which is popular in many industries, as senior
management is responsible for all hazards and the residual risk from all risk
sources.
Regulations can come from several sources, including industry and trade
groups and government agencies. The penalties for noncompliance can vary as
well, sometimes based on the severity of the violation and other times based on
political factors. The factors determining which systems are included in
regulation and the level of regulation also vary based on situational factors.
Typically, these factors and rules are published significantly in advance of
instantiation to allow firms time to plan enterprise controls and optimize risk
management options. Although not all firms will be affected by all sets of
regulations, it is also not uncommon for a firm to have multiple sets of
regulations across different aspects of an enterprise, even overlapping on some
elements. This can add to the difficulty of managing compliance, as different
regulations can have different levels of protection requirements.
Many development efforts may have multiple regulatory impacts, and
mapping the different requirements to the indi ...
Cyber security reguations: The shape of things to come for captives?Daniel Message
Article discussing the potential impact of emerging cyber security regulations on captive insurance companies. Originally published in Captive Insurance Times, 5 April 2017.
What Financial Institution Cyber Regs Tell the Infrastructure SectorCBIZ, Inc.
Information security is a threat for every business, but it’s particularly disruptive to the nation’s infrastructure systems. Infrastructure companies should monitor how mandatory rules play out for financial institutions. If the regulatory efforts are successful in reducing the number of financial institution cyber incidents, state and federal regulators may turn their attention to other industries.
CHAPTER 3 Security Policies and Regulations In this chapEstelaJeffery653
CHAPTER 3
Security Policies and Regulations
In this chapter you will
• Explore the different types of regulations associated with secure software
development
• Learn how security policies impact secure development practices
• Explore legal issues associated with intellectual property protection
• Examine the role of privacy and secure software
• Explore the standards associated with secure software development
• Examine security frameworks that impact secure development
• Learn the role of securing the acquisition lifecycle and its impact on secure
development
Regulations and Compliance
Regulations and compliance drive many activities in an enterprise. The primary
reason behind this is the simple fact that failure to comply with rules and
regulations can lead to direct, and in some cases substantial, financial penalties.
Compliance failures can carry additional costs, as in increased scrutiny, greater
regulation in the future, and bad publicity. Since software is a major driver of
many business processes, a CSSLP needs to understand the basis behind various
rules and regulations and how they affect the enterprise in the context of their
own development efforts. This enables decision making as part of the software
development process that is in concert with these issues and enables the
enterprise to remain compliant.
Much has been said about how compliance is not the same as security. In a
sense, this is true, for one can be compliant and still be insecure. When viewed
from a risk management point of view, security is an exercise in risk
management, and so are compliance and other hazards. Add it all together, and
you get an “all hazards” approach, which is popular in many industries, as senior
management is responsible for all hazards and the residual risk from all risk
sources.
Regulations can come from several sources, including industry and trade
groups and government agencies. The penalties for noncompliance can vary as
well, sometimes based on the severity of the violation and other times based on
political factors. The factors determining which systems are included in
regulation and the level of regulation also vary based on situational factors.
Typically, these factors and rules are published significantly in advance of
instantiation to allow firms time to plan enterprise controls and optimize risk
management options. Although not all firms will be affected by all sets of
regulations, it is also not uncommon for a firm to have multiple sets of
regulations across different aspects of an enterprise, even overlapping on some
elements. This can add to the difficulty of managing compliance, as different
regulations can have different levels of protection requirements.
Many development efforts may have multiple regulatory impacts, and
mapping the different requirements to the individual data flows that they each
affect is important. For instance, if an application invo ...
Cybersecurity has become a major risk for financial markets and stability according to the Commodity Futures Trading Commission Chairman. Companies and regulators are increasingly emphasizing cybersecurity. Lexis Securities Mosaic allows users to research cybersecurity through guidance from regulators, disclosures in company filings, rulemaking, enforcement actions, news and commentary, and law firm memos.
Crossing the streams: How security professionals can leverage the NZ Privacy ...Chris Hails
Security professionals often struggle with the ‘double intangibility’ of security - the intangibility of risk and intangibility of protection.
Changes hearts and minds often requires legislation and new compliance frameworks to motivate investment.
New Zealand's new Privacy Act comes into play on 1st December 2020 and there are ways security professionals can leverage new aspects including mandatory breach notifications to focus efforts on securing personal information and preventing privacy harms.
This document provides a three-step plan for healthcare providers to strengthen cybersecurity:
1) Conduct a cybersecurity risk assessment to identify vulnerabilities
2) Purchase cyber insurance to transfer some risks and costs of breaches
3) Consider moving data and IT services to a qualified cloud provider that specializes in healthcare security and compliance. Outsourcing to an experienced cloud provider can improve capabilities while potentially reducing long-term costs compared to maintaining IT systems in-house.
1) The security landscape has changed dramatically in recent years as threats grow at alarming rates and existing security solutions become quickly outdated.
2) The article investigates the changes in security and compliance driven by increased regulatory requirements, the need to align security strategies with business needs, a growing focus on information over infrastructure, and new threats like social media and cloud computing.
3) Interviews with security leaders from three organizations reveal how they are addressing these changes through initiatives like deploying Symantec solutions for centralized security and compliance management and adhering to standards like ISO 27001.
Are NIST standards clouding the implementation of HIPAA security risk assessm...David Sweigert
The HIPAA Security Rule (at 45 C.F.R. §164.308(a)(1)(ii)(A)) requires an initial security risk analysis according to risk analysis guidance issued by HHS/OCR based on NIST standards.
OCR Audit Protocols for Risk Analysis are clear! CMS, as planned, has launched audits of organizations who have attested to Meaningful Use Objectives and Risk Analyses will be audited. Have you completed a bona fide HIPAA Security Risk Analysis?
Securing Fintech: Threats, Challenges & Best PracticesUlf Mattsson
Cyber attacks have increased in frequency and severity, and financial institutions are particularly interesting targets to cyber criminals. Join this presentation to learn the latest cybersecurity threats and challenges plaguing the financial industry, and the policies and solutions your organization needs to have in place to protect against them.
Viewers will learn:
• Current trends in Cyber attacks
• FFIEC Cyber Assessment Toolkit
• NIST Cybersecurity Framework principles
• Security Metrics
• Oversight of third parties
• How to measure cybersecurity preparedness
• Automated approaches to integrate Security into DevOps
About the Presenter:
Ulf Mattsson is the Chief Technology Officer of Security Solutions at Atlantic BT, and earlier at Compliance Engineering. Ulf was the Chief Technology Officer and a founder of Protegrity, He invented the Protegrity Vaultless Tokenization, Data Type Preservation (DTP2) and created the initial architecture of Protegrity's database security technology. Prior to Protegrity, Ulf worked 20 years at IBM in software development and in IBM's Research organization, in the areas of IT Architecture and Security, and received a US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM. Ulf is the inventor of more than 45 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention
How to Approach the NYDFS Proposed Cybersecurity RequirementsKyle Brown
The New York Department of Financial Services (NYDFS) is expected to pass a proposed cybersecurity regulation in January 2017, called "Cybersecurity Requirements for Financial Services Companies".
In the light of the imminent regulatory update, most financial institutions, and insurance providers are preparing to comply with the fundamental requirements that the NYDFS will likely adopt.
In this webinar, we covered:
- Explanations of the regulation’s key legal requirements;
- How the regulation interacts with other data security laws;
- Industry best practices for securing data;
- The value of online compliance training.
Cyber-insurance and liability caps proposed as incentives by Department of Co...David Sweigert
It is important to note that while the incentives study was required within 120 days of the date of EO 13636, the preliminary version of the Framework is required within 240 days of the date of EO 13636. In addition, DHS will be establishing a voluntary program to support Framework adoption within 365 days of the signing of EO 13636. This report is limited by the current understanding of what the Framework will entail and would benefit from more specifics to inform the analysis and recommendation of the incentives designed for promoting its adoption. For example, knowledge of the Framework would allow the cost of Framework adoption to be quantified. Since the Framework is still under development, this was not possible, and so the incentives considered were evaluated at a more general level with the understanding that the analysis would be updated as needed as the Framework is developed. Since the Framework is still in development at the time of this writing, the incentives that are intended to promote its adoption were assessed prospectively, in terms of the likelihood that they will motivate organizations to adopt the Framework in the future. It is expected that the most effective incentives will not only promote adoption of the Framework.
CIOs need a strategy for securing enterprises as data breaches have increased significantly in recent years. While IT budgets and staffing have decreased, compliance requirements have increased. Outsourcing security functions to a managed security provider can help CIOs address these challenges more effectively by leveraging provider expertise, advanced tools and economies of scale, allowing IT to focus on business needs. Failure to comply with regulations through inadequate security practices can result in penalties, loss of customer trust and damage to reputation.
Major financial institutions have been the target of some of the most startling cyber security breaches in recent years. Mobile banking poses a new threat, as malware can specifically target mobile devices to steal banking credentials. In response, the New York Department of Financial Services has issued new cyber security guidance for banks, urging them to improve protections such as multi-factor authentication and incident response plans. Proper cyber governance, insurance, and continual assessment of risks are needed to promote cyber resilience among financial organizations.
Similar to Financial instituttion security article (20)
AAIS produced advisory notices from 2012 to 2016 that provided a combination of regulatory news and AAIS announcements. These notices resulted in a growing collection of product regulatory information for each jurisdiction based on the day-to-day research of AAIS's Government Affairs, Legal, and Compliance team.
The document discusses lessons that financial institutions can learn from foreclosing on and owning hotel properties. It describes how one institution, Security First Federal, prevented losses on a foreclosed hotel by keeping it running with an employee monitoring cash flow until a new owner was found. The document advises that hotels should be treated like businesses and their value depends on maintaining operations. It provides tips for institutions that must take over hotels, such as working with existing operators if they are honest and knowledgeable. The document also discusses regulatory challenges and options for selling troubled hotel properties, such as allowing new buyers to invest in renovations.
The document discusses three main proposals for restructuring financial institution regulation that are being debated in the House Banking Committee. It also discusses other related issues like community reinvestment obligations and estimates of future costs to resolve failed banks. The three main regulatory restructuring proposals are: 1) A Bush administration plan to create a single regulator under Treasury; 2) A proposal by Rep. Gonzalez to create an independent regulator; 3) A task force plan to merge two existing regulators and reduce the Fed's role. Debate reflects turf battles among regulators as much as philosophies. The status quo may remain as more proposals complicate reaching a consensus.
This document discusses systems that financial institutions are using to boost employee productivity. It provides examples of software programs that track employee performance in areas like sales, scheduling, and back-office work. The programs vary in price from $1,000 to $10,000 and can measure metrics like cross-selling ratios, sales volumes, and time spent on different tasks. Implementing even simple automated tracking systems has been shown to immediately improve productivity for companies like Family Bank.
The House Banking Committee passed a bill on banking reform that included some key Treasury proposals but excluded others. The bill would allow interstate branching, commercial ownership of banks, and affiliations between banks and securities/insurance firms. However, it rejected proposals to restrict deposit insurance coverage and overhaul financial regulation. Meanwhile, the Senate Banking Committee chairman issued a draft bill that took a different approach, prohibiting commercial bank ownership and merging bank supervisors instead of restructuring regulators. Further debate in additional House committees and the full Senate means more changes are likely before final legislation is approved.
The document discusses finding the right loan mix for credit unions. It recommends supplementing low-balance credit products with high-balance secured loans. Specifically, it suggests credit unions focus on secured loans like traditional second mortgages and mobile home loans, which can offer higher returns than low-balance signature loans and overdraft lines of credit that may lose money. The document also stresses the importance of calculating return on assets for different loan products to identify which are most profitable.
This document discusses the importance of controlling operating expenses to ensure profitability on loans. It provides the following key points:
1) While interest margins have widened as rates have fallen, operating costs as a percentage of assets have risen for mortgage, consumer, and credit card loans.
2) Calculating accurate loan origination and maintenance costs is important for properly pricing loans. Formulas are provided to determine these per-loan costs based on department costs and time spent on origination vs maintenance.
3) Controlling costs, such as by requiring electronic payments, can significantly increase returns on auto loans compared to simply raising rates or fees. Reducing costs preserves competitive positioning versus competitors who rely on price increases.
NEW PRESSURES PUT SECURITY OFFICERS ON GUARD
Regulatory and technological changes call for a closer focus on the right protections
"We're so small, I'm the president, too."
Robert York's comment describes most security officers at small to mid-sized financial institutions. For the president of the $24 million First Trust Savings Bank in Jacksonville, Fla., the responsibility for ensuring the security of his institution's customers and employees is only one role among many that he plays.
Part-time attention to the job has been common since enactment of the Bank Protection Act of 1968, when the regulatory agencies were directed to detail minimum security standards for institutions.
In turn, implementing regulations required each institution to:
• Name a security officer.
• Develop a written security program.
• Install vaults, lights, alarms and other devices as needed.
• Train employees to perform specific procedures during a robbery.
• File reports to regulators on compliance with the above requirements.
In most cases, the responsibility for compliance went to officers with other duties.
Indianapolis attorney Buddy Pylitt, who specializes in financial security matters, recalls a recent meeting with a security officer who said he refilled the paper in automatic teller machines and clipped the bushes near the ATMs.
The security role may become more complex, however, given technological advances, growing risks of liability and a recent rewrite of the regulations implementing the Bank Protection Act.
The new regulation from the Office of Thrift Supervision on "minimum security devices and procedures" was issued in March and out for comment until late May. Generally, its aim is to put greater emphasis on the security-related responsibilities of officers and directors (see box on page 36).
The OTS collaborated with the Federal Reserve, Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation in drafting the revision; those agencies are expected to release virtually identical versions.
The regulation is best known by security professionals as Regulation P, the Federal Reserve designation.
The revision does away with outdated equipment specifications, detailed procedures for internal monitoring of security procedures and specific guidelines for employee conduct during a robbery.
The upshot of the revision is that regulators are backing off from their earlier, more specific mandates and, instead, are providing more general directives. Financial institutions would simply be required to "train employees in their responsibilities under the security program" and "maintain appropriate security devices."
Moreover, periodic security reports to regulators will be eliminated and replaced by annual reports to institutions' boards of directors.
ONUS ON INSTITUTION
"Under the new Regulation P, there will be more responsibility in the hands of security officers," says Boris Melnikoff, senior vice president of First Wachovia Bank, Atlanta, and vice chairman of the American Bankers Association's security and risk management committee. "Before, [security procedures] were defined. Now, the onus is on the security officer, and there is greater responsibility and liability for the institution," he adds.
Donald Imrie, a security professional who also is senior vice president for First Gibraltar Bank FSB, Dallas, Tex., agrees. "I don't think [institutions] can rely on what has been done in the past, which is to give the security responsibility to some other bank officer."
Not surprisingly, the regulators see fewer problems.
The regulatory changes "might require a little more expertise because [security officers] will have to think some," says Larry Clark, senior trust specialist for compliance programs at the OTS. "In my opinion, the draft regulation makes the job easier because it offers a lot more latitude."
Clark says the OTS hopes to publish a final version of the regulation in the fall.
BUDGETS VS. REGULATORS
Several observers note that security officers will have to be vocal advocates for their mission in the institution's budget process. At least two experts, however, fear that tight budgets could result in lax security.
"In two years, you may see a relaxation of security programs for cost reasons," says Barry Schreiber, a criminologist at St. Cloud (Minn.) State University.
SAVINGS INSTITUTIONS, JULY 1990 35
Savings institutions "may attempt to fund other programs at the expense of security programs," says Brian McGinley, vice president for corporate security and loss prevention at Citibank FSB, Chicago.
Institutions, however, can expect more attention on security from regulators. Clark at the OTS says adherence to minimum security standards and consumer protection regulations is being reviewed by separate, "specialized" examination teams who are trained in security and consumer protection issues.
Although the security examination may not necessarily be more in-depth than in the past, it is intended to produce more uniform review of all institutions, some of which have not had a security review in years.
The examiners "never questioned us about [our security program] before this last exam. They spent some time on it," says John Whetstone, senior vice president and chief financial officer (and security officer) for United Savings Bank FSB, Smyrna, Ga.
"There was a two-part audit," says Whetstone. "One was a traditional [financial] audit, and the other a compliance audit," where examiners inspected security devices and asked about security procedures.
Will tougher examiner scrutiny also lead to harsher penalties for future security violations?
The Bank Protection Act calls for a $100-per-day fine for noncompliance.
However, says Clark, "Our general feeling is that there have not been any, or only a minimal number of, monetary citations."
A recent Federal Reserve memo adds: "Compliance with Regulation P is not especially difficult because most of the requirements involve common sense actions."
But one proponent of improved security believes that the regulators should get tougher about levying fines.
"The majority of banks and savings institutions don't take security matters seriously enough," says C.R. Callahan, vice president for administration, Home Federal Savings Bank, Hagerstown, Md. "We need some real teeth in the [Bank Protection Act]. There are no teeth in it."
COMPLEX TECHNOLOGY
Because ensuring security is "much
more complex now, the best thing an
institution can do is take it very se-
riously and get the best possible train-
ing," says Chuck Steinmetz, an FBI
spokesman. "It's no longer a part-time
job."
Accelerating that complexity, for
one, is more sophisticated security
technology.
The Federal Reserve cited the rapid evolution of technology in its decision to initiate a revision of Regulation P.
Regulatory standards for surveillance cameras have been surpassed by subsequent technological developments that can produce better pictures at a lower cost, says Jerry Adams, national marketing manager for electronic security products at Diebold, Inc., North Canton, Ohio.
He adds that alarm standards have been surpassed by systems that now can detect both motion and body heat, thus reducing false alarms caused by falling objects or blowing fans.
At a minimum, institutions will still be required by regulations to have tamper-resistant locks, an alarm system and a "secure place" (a vault) for cash that is well-illuminated if visible from the outside.
But, beyond these minimum requirements, the regulation calls for "such other devices as the security officer determines to be appropriate." As such, institutions will have to rely on their own expertise to decide which emerging security technologies to adopt.
For instance, says Ben Miller, publisher of Personal Identification News, large institutions are already using new technologies for internal controls that will almost certainly be adapted for retail customers at institutions of all sizes.
Among the choices on the high-tech horizon:
• Biometrics, which can identify a person's features (fingerprint, hand geometry or retinal pattern) or behavioral characteristics (voice signature and typing patterns).
• "Smart cards," portable devices with integrated circuits to be used for identification and authentication.
• Electronic imaging, where individuals can be identified through a video camera linked to a computerized system.
"The important part of the [security officer's] job will not be to identify the individual technologies, but to be able to do a good job in screening out installers," says Miller.
But Imrie at First Gibraltar questions that practice, saying that "smaller banks often rely on equipment vendors for expertise, and I'm not so sure they can afford to do that, since the burden [of responsibility] is on the bank."
Fortunately for institutions, Regulation P and its revision explicitly allow security officers to consider the cost of security devices when deciding which ones to use.
Furthermore, the cost of new technologies falls almost every year, according to Miller, who says that some biometric units have fallen in price from $8,000 in 1985 to $2,000 now.
Improved camera surveillance of transactions has allowed significantly greater recovery of losses in fraudulent transactions, adds Diebold's Adams. "We're getting to the point where we can cost-justify security systems now and not just treat them as overhead."
REVISED RULES FOR SECURITY CALL FOR PROACTIVE RESPONSE
The OTS is the first to issue changes in security requirements
Alarmed by a nationwide surge in bank robberies, which rose from 753 nationwide in 1960 to 2,259 in 1967, Congress in 1968 passed the Bank Protection Act, requiring each commercial bank or savings institution to name a security officer and adopt certain security procedures.
The various federal financial regulatory agencies collaborated on drafting and now revising the regulations implementing the act.
While the Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, Office of Thrift Supervision and Federal Reserve Board technically have separate regulations, they are virtually identical and commonly all known as Regulation P, the Fed designation.
The number of bank robberies continued to rise through the 1970s, totaling nearly 8,000 in 1980; the trend has since stabilized, remaining around the 6,000-to-7,000 level each year in the 1980s.
Despite the stability in crime activity, emerging technologies and a general effort to prune regulatory language have led to a recent revision of Regulation P; the new version eliminates many specific requirements and focuses more on officers' and directors' responsibilities for security.
OTS ACTION
The Office of Thrift Supervision was the first regulator to issue a newly proposed regulation on March 20. Comments were due May 21, says Larry Clark, senior trust specialist for compliance programs at OTS. He says the OTS hopes to publish a final regulation in the fall.
The Federal Reserve Board, FDIC and OCC are expected to follow with virtually identical regulations.
The proposed regulation is only half as long as its predecessor. Housecleaning accounts for some of the reduction in volume; redundant definitions and statutory language as well as references to obsolete equipment have been removed.
KEY CHANGES
The more substantive changes in the OTS regulation include:
• Purpose: In place of stating the regulatory agency's right and duty to establish and enforce security standards, the proposal states: "It is the responsibility of the association's board of directors to comply with this regulation and ensure that a security program...is developed and implemented."
• Security officer: Previous language required the security officer to administer a program that "equals or exceeds" regulatory standards; now, more general phrases call for protecting offices and helping to apprehend criminals.
• Reports: Required reports to regulators are eliminated, with the understanding that regulators can have access to internal reports as needed. However, reports on security must be made to an institution's board of directors at least annually.
• Devices: Requirements for a lighted vault, alarm system and tamper-resistant locks remain, but an entire appendix with technical specifications for these devices has been eliminated.
• Robbery procedures: A general reference requiring periodic employee training in security procedures replaces a 10-item list of instructions for proper conduct during a robbery.
In that earlier list, institutions were required to train employees to avoid actions that might be dangerous, but to activate alarms, give the robber bait money, observe the robber, preserve evidence and avoid comment except to authorized persons after the event.
EXPOSED AT ATMs
In addition to new technological pressures, the risks of legal liability for inadequate security also are putting new pressures on institutions.
Indeed, crimes against customers at automatic teller machines loom as a potential new source of civil liability for institutions.
Seen as a precedent for ATM liability, bank security literature frequently refers to a $1 million jury award in 1988 for a Florida man permanently injured when he was robbed at a night depository. During the trial, the bank in question admitted responsibility for inadequate security measures.
"The 'big club' in the area of security compliance is the risk of litigation," says criminologist Schreiber, an expert on ATM security.
"[Security preparations] are not done to comply with federal law; they're done to keep [you] out of a courtroom," adds Robert Rosberg, director of the anti-crime bureau of Mosler, Inc., Hamilton, Ohio.
But the courts have not left institutions open to unlimited liability. Apart from the widely publicized Florida jury award, courts in Illinois, Alabama and California have made rulings limiting bank responsibility for customer safety and recognizing the customer's responsibility to accept risks and act prudently.
Although claiming that a glut of lawyers has resulted in imaginative, or "absurd," attempts to make liable anyone perceived to have "deep pockets," attorney Pylitt believes courts have been generally reasonable in their rulings regarding the liability of financial institutions for their customers.
"It is my opinion that if banks do their job (establish [security] procedures, check lighting and clip bushes [at ATMs]), there's not going to be any responsibility or liability," Pylitt says.
Aside from courtroom challenges, regulators and lawmakers have been slow to mandate new ATM security measures.
In the late 1980s, bills and ordinances mandating lighting, visibility and "panic buttons" at ATMs were introduced at the local, state and federal levels in the wake of highly publicized crimes involving these units, like the murder of a Chicago woman and a series of rapes perpetrated by a California man.
With the exception of a few California cities, however, no governments have enacted ATM security requirements, according to industry observers.
A Chicago task force on ATM security formed after the June 1989 murder of Dana Feitler recommended against an ordinance. The task force instead called for greater consumer education on ATM security and more cooperation between institutions and police.
"I am not aware of specific legislation regarding ATMs," says Anne Brown, senior director of member services for the Electronic Funds Transfer Association. "The only state legislature I know to be considering it is in California, and there are folks on Capitol Hill looking on."
According to experts, two factors have stalled further ATM security measures:
• A recognition that the number of incidents is still relatively small: one victim per 3.5 million transactions, according to a 1987 Bank Administration Institute study.
• A lack of consensus over what is needed beyond good lighting and good visibility, which is what most institutions already provide and customers demand.
Law enforcement officials advised against proposals to require panic buttons or emergency telephones, for fear of being deluged with false alarms.
Some argued for requiring enclosed vestibules, but the BAI cautions that street people use ATM enclosures for shelter. Moreover, Pylitt says police have told of victims becoming trapped within an enclosure with their attackers.
Some institutions, like Home Savings of America, provide telephones linked to 24-hour operators who can screen false alarms and notify police of robberies, as well as provide customer service.
McGinley at Citibank says closed-circuit television viewing of ATM transactions by security personnel can become "one of the hottest things," if technology can evolve to the point where constant images can be transmitted over telephone wires at low cost.
As it is, "slow scan" monitoring can only send video "snapshots" with eight-second delays over telephone wires. That is still prohibitively expensive to most institutions, according to McGinley.
VARIOUS EXPERTS OFFER TIPS TO BOOST INTERNAL SECURITY
Clearly, management must make its own decisions to shape the right security strategy to protect both employees and customers.
However, various experts offer the following tips that can guide management planning:
• Alert customers: Don't shy away from discussing security precautions with customers for fear of making them uneasy.
Consumer education was cited as the best deterrent to crimes at automatic teller machines by task forces on ATM security organized by the City of Chicago and the Bank Administration Institute, Rolling Meadows, Ill.
Moreover, some lawsuits filed by injured customers have cited the bank's failure to warn them of potential hazards.
• Design for deterrence: If building or remodeling branches, take note of new research findings that link bank design and security.
Challenging the long-held belief that visibility into a bank enhanced its security, the BAI now recommends that tellers be at rear locations. Managers should be situated by windows near the entrance, where they can screen traffic and possibly prevent a robber from "casing" the bank.
• Reevaluate guards: Use of guards, once the mainstays of bank security, has fallen steadily over the years due to cost and the risk of accidents. In fact, even after being robbed, many institutions still show no interest in using them.
"History shows that it usually doesn't matter if there was a guard there; a robbery would have happened anyway," says Boris Melnikoff, vice chairman of the American Bankers Association's Security and Risk Management Committee.
• Train employees: Regular training to prepare employees for robberies and other emergencies is essential to protect them and customers, say sources.
The quickness of most robberies may prevent employees from doing anything wrong, but efforts to apprehend the perpetrator may be foiled if employees fail to give bait money, activate alarms or get a good description.
"Without proper training, the victims may not be looking for the right things," says Melnikoff.
• Protect ATMs: "Panic buttons" at automated teller machines are not favored by experts, and research has found that enclosures pose some risks.
But there is consensus that ATMs should be well-lit and visible to the surrounding area. A task force of the Electronic Funds Transfer Association recommends installation of wide-angle transaction cameras, continuously operating ones if possible.
• Know the vendor: The technology for surveillance cameras, access technologies, alarms, vaults and locks has grown increasingly complex.
As a result, experts advise institutions to carefully screen and cultivate their vendors. Apart from checking the vendor's service record, ask to see certifications from Underwriters Laboratories for equipment and installation, says Jerry Adams, national marketing manager for electronic security products for Diebold, Inc., North Canton, Ohio.
• Spread the word: Institutions are advised to share information about criminal activity with law enforcement officials and nearby institutions.
Dan Imes, director of marketing and security officer for First Federal Savings, Bakersfield, Calif., says a "hot line" established among commercial banks and savings institutions in Bakersfield alerted the institution to a robber working the area. When she appeared at First Federal, employees were ready with bait money and quickly alerted police, who apprehended the offender soon after the robbery.
CONFLICTING ADVICE
The debate over ATM security reflects another dilemma that confronts institution security officers: contradictory theories on the appropriate security strategies. (For various views on security measures, see the accompanying box, "Various experts offer tips to boost internal security.")
The Bank Security Report criticizes bank interiors that offer robbers unimpeded escapes; the publication suggests that an institution would be less of a target if there were some obstructions.
But security officer Joe Rostowsky at Elmhurst (Ill.) Federal Savings says the top priority of his staff during a March robbery was to get the offender out as quickly as possible without incident, as others recommend. They did so successfully.
Rosberg at Mosler decries what he feels is a dangerous lack of employee training for bank robberies but acknowledges that employees almost always act correctly in robberies, perhaps because there is virtually no time to do anything wrong.
The new Regulation P suggests that institutions use dye packs and electronic tracking devices to help apprehend robbers. But Steinmetz of the FBI says that the safety of people comes first, and "we don't want to overburden people with an investigative role."
Despite the challenges involved in protecting an institution, the best course for security officers, according to experts, may be the simplest: exercise common sense.
"There are some regulations that regulators feel they have to adopt to make institutions do what they would not do voluntarily," says Clark at OTS. "There are other areas where it's in the institution's best interest to comply, and [security] is one of those."
Joseph Harrington