Cybersecurity: Steps to Take Now

The Federal Financial Institutions Examination Council (FFIEC) and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Bank executives and board members should be aware of published guidelines that cover four key areas the FFIEC believes are most important:

  1. Governance: What are the bank’s policies and procedures? How does the bank establish and communicate expectations and conduct training? Is the entire organization, not just the IT department, involved in addressing cybersecurity risk? How would the institution react if something goes wrong?
  2. Threat intelligence: How does the institution monitor and remain aware of potential threats? What internal and external resources does the bank use to keep up-to-date on potential risks? What threat detection tools does the institution use? Does the bank participate in the FBI’s InfraGard and other intelligence sharing programs? How does the bank monitor and guard against unforeseen threats?
  3. Third-party relationships: As banks continue to outsource more non-core activities, the responsibility to manage cybersecurity with third party vendors is also increasing. Does the bank follow the Office of the Comptroller of the Currency (OCC) guidelines? Can the bank’s third parties pass the scrutiny of independent reviews (e.g., Service Organization Control (SOC 1, 2, 3) examinations)? It should be noted that the data breach at the retailer Target occurred a few years ago, at least in part, because of the activities of a third party vendor, and the FFIEC is focused on preventing that type of vulnerability within the banking system.
  4. Incident response: At last count, there were forty-six state laws and innumerable federal laws and regulations that address the reporting of data breaches of different types. Many of these laws and regulations differ in terms of when breaches must be reported and to whom. Determining if a breach actually occurred and how it occurred may add both time and complexity to the incident reporting process. A strong and effective incident response plan may help banks cut the time needed to manage and report the incident. It is critical that institutions have an incident response plan that can be successfully executed.

Federal legislation and additional regulatory scrutiny are surely on the horizon, as are state regulations that cover state-chartered institutions. For now, institutions should make these best practices a priority.

  • Begin at the top: Build a security culture that encompasses all departments and operations. Cybersecurity isn’t an IT issue, compliance issue, or audit committee issue. It is an organizational issue.
  • Be aware: Understand the recommendations and guidance from the FFIEC and the role that the OCC and other agencies play in safeguarding the banking industry. Become familiar with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
  • Align strategies: Cybersecurity and risk management strategies shouldn’t be treated as stand-alone initiatives, but should be combined with general business practices as an integral part of an institution’s day-to-day operations.
  • Manage risks: Develop policies and procedures for monitoring, measuring, and mitigating risks—again, not just for IT employees, but for all departments and processes. Understand that risks can come from both inside (employees and vendors) and outside (hackers and cybercriminals). Also, understand, evaluate, and deploy the latest threat management tools.
  • Establish governance: Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization, especially to senior management, and to regulatory agencies and industry organizations. Establish clear procedures and actions that include accountability.
  • Participate: Take part in government and industry information-sharing groups and learn from other institutions and government officials.
  • Conduct ongoing training: As always, the three critical components of risk management are people, processes and technology. Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy. Even lower-level employees with minimal network access can be a point of vulnerability that a hacker or third party can exploit.

Institutions that don’t have the internal resources to develop and implement a risk management and cybersecurity strategy can use outside specialists to manage all or part of the process.

Cybersecurity once focused on fraud (i.e., how banks can avoid losing money). Now, the federal government seeks to protect the integrity of the nation’s banking system, a much larger task. Institutions of all sizes will be expected to make cybersecurity an integral part of their operations going forward.

Four Best Practices to Help Bank Boards Manage New Cybersecurity Guidance

Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.

While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.

It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.

Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.

Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?

It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:

  1. Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
  2. Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
  3. Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
  4. Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.

Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.

After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s in the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.

2016 Risk Practices Survey: Banks Beef Up on Cybersecurity

For 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.

Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.

In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.

Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.

Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and 18 percent established board-approved triggers for update and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.—now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.

Other key findings:

  • Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
  • Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
  • Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
  • Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed by, and compensation determined by, the board or a board committee.
  • Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
  • Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
  • Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.

Cybersecurity: Five Best Practices To Protect Your Bank

Cybersecurity remains a top concern for the bank executives and board members surveyed in Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. What can bank boards do to combat this threat? In this video, Sai Huda of FIS reveals best practices that boards can implement, based on the survey results.

  • Cybersecurity and the Board
  • The FFIEC Cybersecurity Assessment
  • Detecting an Intrusion

Understanding the Board’s Role in Cybersecurity

Unfortunately, despite the recent prevalence of cyberattacks and data breaches, many businesses neglect cybersecurity or, if they do pay attention, view cybersecurity as a technical issue for senior management. However commonplace lax oversight of cybersecurity may be in other sectors of the economy, bank directors cannot afford to neglect or delegate responsibility for cybersecurity—bank boards must be actively involved.

Regardless of size, no bank is completely safe from a cyberattack. Every bank should assume that a cyberattack will occur and, when it does, at least one defense will fail. Hackers constantly test cybersecurity defenses, transform their attack methodology, and exploit weaknesses, which, all too often, are the access points used by third-party vendors providing critical services.

Banks are expected to take steps to prevent intrusions, prepare for the possibility of cyberattack, and have processes in place to resume business continuity. Bank examiners look to see if a bank has an integrated system of technology, processes and practices employed to protect networks, computers and data from attack. Bank examiners also look to see whether the board, as the driver of governance controls, is actively involved with senior management in development of a robust approach to cyber risk. Poor cybersecurity measures and lax board oversight can result in a bad IT exam, which, in turn, can negatively affect a bank’s management component rating (even though cybersecurity falls under the IT component). Worse still, a poor cybersecurity review may also negatively affect a bank’s safety and soundness rating.

As with many complex issues facing banks, the board must take steps to ensure that it is well advised regarding technological issues and has a thorough understanding of the bank’s inherent risk environment. A good first step is to make the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool a part of the bank’s governance framework. The assessment tool is a two-part repeatable process review that helps banks identify their risks and evaluate cybersecurity maturity. The first part gauges the bank’s inherent risk profile, which identifies risks and threats (both internal and external), corresponding to the activities, services and products offered by the bank. The second part – the cybersecurity maturity review – tests the maturity of the bank’s cybersecurity program, including board involvement and oversight of that program.

The board is ultimately responsible for cybersecurity, but it is not necessary that each director have a detailed technical understanding of the underpinnings of cybersecurity safeguards. Many boards appoint a board-level IT committee to take the lead on cybersecurity. Regulators expect the IT committee to own primary responsibility for the bank’s IT strategic plan, including making the board comfortable that the IT strategic plan aligns with the bank’s business strategy. As part of that process, the IT committee can incorporate the FFIEC assessment tool into its review and approval of bank IT policies, management of information security systems, training of other board members and bank management, and approval of IT budgets. Most importantly, because the IT committee is responsible for running periodic independent testing to monitor compliance, the assessment tool can be used to aid the IT committee in holding management accountable for identifying, measuring, monitoring and mitigating IT risks. Boards lacking an IT committee must work closely with senior management to tackle all of the tasks normally delegated to the IT committee and may want to consider hiring an outside consultant to advise the board on cybersecurity technologies and best practices.

The regulators have indicated that cybersecurity is going to be a key topic for exams during 2016. Federal regulators have also directed examination staff to incorporate the assessment tool into their review of bank cybersecurity and risk management. While there have been no reported civil money penalties to date related to a bank’s failure to adequately ensure cybersecurity, it is only a matter of time before examiners resort to supervisory and enforcement powers to ensure that banks adequately address cybersecurity risk. Moreover, as the scope of liability for cybersecurity risk grows, banks can be sure that insurance companies, plaintiffs’ attorneys and activist shareholders will scrutinize bank boards’ oversight of cybersecurity.

Proactive integration of the assessment tool into a bank’s governance and risk oversight framework will put the board in a better position to demonstrate satisfactory compliance on these points during an exam, help avoid any downgrade to the institution’s exam rating, and mitigate exposure to the bank and its customers from inevitable cyberattacks.

Seven Steps to Strengthen Your Vendor Management Process

What’s one of the scariest things that keeps a bank CEO up at night? Two words: data breach.

The Federal Financial Institutions Examination Council document on board and senior management responsibilities says:

“The responsibility for properly overseeing outsourced relationships lies with the institution’s board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue.”

Target Corporation had 40 million credit card numbers exposed and eventually settled with Visa for $67 million. In 2014, we saw bigger companies in the headlines such as Home Depot and Sony fall victim to the same fate.

Target’s breach came through an HVAC vendor that had access to the retailer’s internal network. That means the bad guys only had to figure out how to sneak by the HVAC company’s security, not Target’s. This was a perfect example of how more robust vendor management practices could have prevented unauthorized access.

Think about all the people who need access to your building, systems, network, hardware, telephone lines, lighting, security, and so forth. How diligent are those other businesses about security?

If it’s time to ask your vendors for their annual SOC reports, reports that deal with organizational controls related to security and process integrity, insurance documents and financials, and you’re just checking boxes to satisfy an audit requirement, then you are doing it wrong.

Follow these seven steps to reinvent and strengthen your vendor management process.

Step 1: Obtain Executive Sponsorship
Vendor management should start at the top. You will need someone leading the charge and who has access to your bank’s board leaders.

Step 2: Create a Vendor Management Committee
These people should be from different departments and have different backgrounds, such as IT, legal, compliance, finance and senior leadership. Diversity here is crucial; everyone sees threats differently.

Step 3: Create a Centralized Vendor Management Program
No single person can possibly be responsible for the entire program. It’s imperative that it becomes a collaborative effort.

Step 4: Gain Buy-In
Involving the staff creates a sense of ownership. It’s no longer just IT’s problem; it’s everyone’s responsibility.

Step 5: Create a Vendor Inventory
Make sure you know who your vendors are. Do you have multiple vendors doing the same function? Work with accounts payable to determine active vendors. The normal time span is 12 to 24 months.

Step 6: Categorize All Vendors
Does this vendor have access to customer data? Do they have facilities access? What is our risk if this vendor is compromised? This is where you identify critical and high-risk vendors.

Step 7: Remove the Silo
Save the documents to a shared resource. Everyone involved should have access.

How Would These Steps Prevent the Target Scenario?
Step six says to categorize all vendors and identify the risk. The HVAC vendor seems like it would be a low-risk vendor, but when you dive into the level of access it had, you would quickly discover that it should be a high-risk vendor. The HVAC vendor was allowed access to the internal network, which gave the hackers a way in. Although the HVAC vendor didn’t have access to the customer data, it did have the keys to open the door.

The New Regulatory Expectation for Cybersecurity Assessment: What Every Board Must Know & Should Do

Earlier on June 11, 2015, while serving as a keynote speaker on cybersecurity at Bank Director’s Bank Audit and Risk Committees conference in Chicago, I predicted that the regulatory agencies would publish a new cybersecurity assessment methodology by the end of the month.

That prediction came true and the Federal Financial Institutions Examination Council (FFIEC) on June 30, 2015, released the cybersecurity assessment tool. Examiners will start to use the cybersecurity assessment later in the year and there is a regulatory expectation that every single financial institution, regardless of charter type, asset size or complexity, complete a self-assessment and keep it updated.

What Is the Cybersecurity Assessment?
The main purpose is to provide a financial institution with a self-assessment method that is measurable and repeatable to identify risk exposures and cybersecurity preparedness.

The first step is to identify the institution’s inherent risk level (least, minimal, moderate, significant or most) based on five categories of risk factors:

  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats

The next step is to identify the cybersecurity maturity level (baseline, evolving, intermediate, advanced or innovative) for each of five domains:

  • Cyber risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management 
  • Cyber incident management and resilience

[Figure. Source: FFIEC]

The next step is to identify the gaps and the target maturity level necessary for each of the five domains. The chart below depicts the risk/maturity relationship matrix and the “cybersecurity zone” in blue that each financial institution needs to attain and sustain in each domain:

[Figure: risk/maturity relationship matrix. Source: FFIEC]

For example, if a financial institution with a moderate inherent risk level determines that its domain 3 (cybersecurity controls) maturity level is baseline, then it will need to attain a target maturity level of evolving, intermediate or advanced (i.e., it will need to get to the “cybersecurity zone”) and sustain it. Staying at a baseline maturity level for the domain will be unacceptable given the moderate inherent risk level. In some cases, the institution may identify a maturity level below baseline, which will require immediate action.

The regulatory expectation is that once the initial cybersecurity assessment is completed, there will be an action plan identified to attain target maturity levels and to sustain them. Also, the cybersecurity assessment will be updated and reevaluated periodically as threats, vulnerabilities and operational environments change (e.g., launch of new products or services, new connections, etc.).

What Should the Board Do?
Examiners will be using the cybersecurity assessment to evaluate a financial institution’s risk level and cybersecurity preparedness and to scope examinations. Failing to complete the cybersecurity assessment and sustain it may be deemed an unsafe and unsound practice, and examiners will closely evaluate the board’s role and ultimately hold it accountable. Failing to complete an assessment may lead to unmitigated risks, a cyber disaster and a conclusion that the board failed to exercise its risk oversight and fiduciary duty.

Ultimately, the board is responsible for ensuring the organization completes the cybersecurity assessment and maintains a repeatable process to update it periodically. The cybersecurity assessment provides critical forward looking intelligence that the board should use to guide the organization to attain optimal cyber risk management performance, mitigate risks to a tolerable level and maximize shareholder value. The stakes are very high. Cybersecurity must remain top of mind and the board must lead.

Here are seven critical steps the board should take:

  1. Assign a target date for the completion of the cybersecurity assessment and reporting of results to the board, well in advance of the next examination. Provide necessary support to complete it properly and in a timely manner.
  2. Obtain independent review of cybersecurity assessment to validate results. Make sure there is proper support for inherent risk level and maturity level determinations. Pay extra attention to validation of baseline levels, because in reality, the bank may be below baseline.
  3. Review, approve and support action plan for addressing risk management and control weaknesses and attaining and sustaining target maturity levels.
  4. Make sure any levels below baseline are immediately addressed.
  5. Require that a repeatable and sustainable process be implemented so that the cybersecurity assessment is reevaluated and updated periodically (based on board-approved triggers) and results are reviewed with the board.
  6. Assign implementation of regular risk dashboard reporting to the board with leading, not lagging, key risk indicators mapped to the cybersecurity assessment.
  7. Require a cybersecurity assessment be completed as part of due diligence in a merger or acquisition and reviewed with the board.

Managing Social Media Risk: New Guidance From Regulators

Social media has become ubiquitous and many banks are wondering if they can survive without a trendy presence on Facebook, LinkedIn, Twitter, YouTube, and in the “blogosphere.” It is a bit of the Wild West out there though, with few rules in place to protect your message. Instead of yelling at the TV at home, a person can post a negative comment about your business for the world to see and, even if unfair and baseless, there may be little you can do about it.

Financial institutions use social media in a variety of ways, including marketing, promotions, account applications, consumer feedback and communicating with new and existing customers. Since these communications occur in an informal and largely unsecured environment, they introduce new risks. If your bank is active in social media, or simply advertises consumer banking or other products through social media, new proposed guidance from the Federal Financial Institutions Examination Council (FFIEC) instructs your bank to adopt compliance policies and procedures governing these activities. Even if your financial institution is not active in social media, you need a process for responding to negative comments or complaints that surface through social media platforms.

This article briefly summarizes the proposed FFIEC guidance.

We encourage all interested banks to submit comments on this guidance by the deadline of March 25, 2013.

What are the compliance expectations for banks using social media?

On January 23, 2013, the FFIEC issued a request for comment on a proposed “Social Media: Consumer Compliance Risk Management Guidance.” The intent of the guidance is to help banks, thrifts and non-banks under the supervision of the Consumer Financial Protection Bureau identify, address, oversee and control risk from social media within their overall risk management program. 

What forms of social media are within the scope of the guidance?

The FFIEC considers social media to include forms of interactive online communication in which users generate and share content through the use of text, images, audio and/or video, including:

  • Micro-blogging sites (Facebook, Google Plus, MySpace and Twitter);
  • Forums, blogs, customer review web sites and bulletin boards (Yelp);
  • Photo and video sites (Flickr and YouTube);
  • Professional networking sites (LinkedIn);
  • Virtual worlds (Second Life); and
  • Social games (FarmVille and CityVille).

What should your social media compliance program include?

A financial institution should have a risk management program that allows it to identify, measure, monitor and control risks related to social media. The size of the program should relate to how active the bank is on social media. 

  • Governance structure: Should enable senior management to direct the use of social media to contribute to its strategic goals;
  • Policies and procedures: To monitor social media use and compliance within all applicable laws, including methodologies to manage risks from online activities such as postings, edits, replies and retention;
  • Due diligence process: For managing applicable third party vendor relationships;
  • Employee training: Program that incorporates policies for official, work-related use of social media, and potentially for other uses of social media, including listing prohibited activities;
  • Oversight process: For monitoring data posted to third party social media sites;
  • Audit and compliance: To ensure ongoing compliance; and
  • Reporting parameters: To evaluate the effectiveness of social media against defined goals.

What are the key areas of concern?

  • Compliance and legal risks: Banking and consumer laws must be followed, even in the social media space
    • Deposit/lending products
      1.  A lending advertisement mentioning APY or bonus has certain requirements under the Truth in Lending Act. A link to the full disclosures can be provided in social media.
      2.  A creditor must preserve prescreened solicitations made through social media, as required by the Equal Credit Opportunity Act Regulation B.
    • Bank Secrecy Act/Anti-Money Laundering
      An e-banking product offered or conducted through social media is subject to the BSA/AML policies that apply to all customers, products and services.
    • Payment systems
      If social media is used to facilitate a consumer’s payment transactions, all laws, regulations and industry rules apply, such as the Electronic Fund Transfer Act/Regulation E, UCC, the Expedited Funds Availability Act/Regulation CC and PCI DSS.
    • Community Reinvestment Act (CRA)
      If a depository institution is subject to the CRA and must maintain specific items in a public file, its policies and procedures should include monitoring social media sites.
    • Privacy
      1.  If social media is part of your customers’ online account opening or use experience, Title V of the Gramm-Leach-Bliley Act will apply, which restricts use of personal information shared with third parties, and gives customers the option to opt out of the sharing of such information.
      2.  If a financial institution sends unsolicited communications to consumers through social media (e.g., spam or SMS text message), the CAN-SPAM Act and the Telephone Consumer Protection Act may govern.
  • Reputational risk
    • Fraud and brand identity
    • Privacy concerns: Policies and procedures must address risks from receipt, use and sharing of consumer information on social media.
    • Consumer complaints and inquiries: The inherent nature of social media exposes a bank to reputation risks when users post critical or inaccurate statements.
    • Employee use of social media sites: An employee’s use of social media, even through a personal account, may appear to a customer as reflecting the bank’s official policies.
  • Operational risk
    • Use of information technology, including social media, requires identification, monitoring and management of risk of loss from inadequate or failed processes, people or systems.
    • The incident response protocol for a data breach or account takeover needs to address social media risk.