News Updates by Bradley Martin

Friday, July 3, 2015

What is NPI? Nonpublic Personal Information. Yes! But what is it...

Below is what I found on the FTC website regarding GLBA and what is and is not NPI...

NPI is:

  • any information an individual gives you to get a financial product or service (for example, name, address, income, Social Security number, or other information on an application);
  • any information you get about an individual from a transaction involving your financial product(s) or service(s) (for example, the fact that an individual is your consumer or customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases); or
  • any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report).

NPI does not include information that you have a reasonable basis to believe is lawfully made "publicly available." In other words, information is not NPI when you have taken steps to determine:

  • that the information is generally made lawfully available to the public; and
  • that the individual can direct that it not be made public and has not done so.

For example, while telephone numbers are listed in a public telephone directory, an individual can elect to have an unlisted number. In that case, her phone number would not be "publicly available."

Publicly Available Information Includes:
  • federal, state, or local government records made available to the public, such as the fact that an individual has a mortgage with a particular financial institution.
  • information that is in widely distributed media like telephone books, newspapers, and websites that are available to the general public on an unrestricted basis, even if the site requires a password or fee for access.

Information in a list form may be NPI, depending on how the list is derived. For example, a list is not NPI if it is drawn entirely from publicly available information, such as a list of a lender's mortgage customers in a jurisdiction that requires that information to be publicly recorded. Also, it is not NPI if the list is taken from information that isn't related to your financial activities, for example, a list of individuals who respond to a newspaper ad promoting a non-financial product you sell.

But a list derived even partially from NPI is still considered NPI. For example, a creditor's list of its borrowers' names and phone numbers is NPI even if the creditor has a reasonable basis to believe that those phone numbers are publicly available, because the existence of the customer relationships between the borrowers and the creditor is NPI.

Putting It All Together:

Examples of Nonpublic Personal Information (in list form)

  • list of a retailer's credit card customers
  • list of a payday lender's customers
  • list of auto loan customers merged with list of car magazine subscribers

Friday, April 10, 2015

Bankruptcy and Vendor Performance

Should you worry about your vendor's financial health? Of course...
What happens when a company starts to suffer performance problems because of their financial health?
-
You've been monitoring your vendor's performance; there are a number of outages, and downtime is a constant nightmare. Your boss wants to understand what's going wrong. Your internal clients believe there's a magic IT wand that will make it all better. And to top it off, the executive team is asking whether they should consider forklifting in an enterprise suite of products: spending millions of dollars and 18 to 24 months to convert to a new platform. Of course all eyes are now on you... There's an expectation that Vendor Management will have a solution.
Sound familiar?
-
If you live the life of a Vendor Manager or Third Party Risk Manager, then this scenario has played itself out a number of times. So what do you need to consider? If the events are truly driven by the vendor's financial trouble, there are a number of things you can expect. Some can even be managed to a very positive effect.
-
First, you can expect the service to continue to deteriorate. It will only improve once one little thing happens... Bankruptcy! It is hard to believe, but service will immediately improve the day your vendor files for bankruptcy. Of course I mean bankruptcy protection to reorganize. And for those thinking this... no, service is not improved because you can now hold the vendor hostage to a contract clause where bankruptcy gives you termination rights (the bankruptcy court will find a way to make certain that clause is unenforceable anyway). In fact, you as the vendor manager had nothing to do with the performance improvement. But bankruptcy did make it all better... Why?
-
The one thing that drives customer support, and by extension positive performance: the support staff. Give that some thought. If staff are worried about things like paying the rent, keeping food on the table for the little ones or even just making the next car payment, then they are not thinking about you as a customer. If you keep this in mind when you're dealing with your vendor, you may find creative ways to get the extra attention you need.
-
We often forget about the human element when dealing with a poorly performing vendor. We really want to just yell, holler and scream at someone. But as you are yelling... the person on the other side of that conversation is searching LinkedIn for a new job. The person receiving your rant is likely posting resumes and updating their professional network. They have dentist and doctor appointments, sick kids or relatives, or just don't show up to the office randomly because they are out interviewing with a potential new employer. So your project with the vendor is behind, the root cause analysis you were looking for regarding last week's outage is still being worked on, and you have not progressed one bit in a positive direction. That's why bankruptcy is the cure... well, sort of...
-
For anyone who has been through this process, they can tell you that on the day of, or sometimes the day before, the company files for bankruptcy, there's a great internal gathering. Everyone is told the news, and they may even be introduced to the new Operational Excellence team. But the one thing that rings true is this... The band-aid is ripped off. The financial suffering is recognized. Senior management sings the praises of the staff and explains how bankruptcy has freed up essential cash so they can resolve the problems everyone has suffered. It's a big "cheerleading" day, and a whole host of anxieties are quelled. To top it off, everyone is given assurances that they are necessary and needed. The result of this recognition of the elephant in the room... well, it is your magic wand! Staff feel a release, and by and large most stop looking for that replacement job. They get back to work. Performance improves because people believe the boss, and they are back to paying attention to clients...
-
So what can you do between now and the bankruptcy?
Here are a few of my tips...
-
First, I remind my internal clients of a phrase attributed to President Lincoln: "You'll get more flies with a drop of honey than a gallon of vinegar!" Anyone with kids understands that yelling only gets you so far and fails more times than not. If the performance issues have been ongoing, you've likely exhausted the yelling-at-the-vendor avenue anyway. You need a new tactic.
-
Second, empathize with the person (not the vendor), the human you are engaged with. They are likely under as much pressure as you to get things working... Maybe even more so, because you are not the only person or client yelling at them. And they are in fear of soon not having a job...
-
Third... Is this an opportunity for you both? (Depending on your non-solicitation clause.) You've been wanting to get an expert in-house on the product; is this the time to make a play for key staff? It might be a win-win for all three: you get an expert, the vendor reduces costly headcount, and your new SME is now gainfully employed.
-
Fourth... communicate the problems. Hold weekly meetings with a productive agenda. Keep in mind, this should be a working group. Engage the technology teams to find a creative solution. Get like-minded individuals together. For instance, is the vendor having issues operating in a virtual environment? Do you know someone who has successfully worked in that environment? Can you facilitate a call outside of the "regular" discussions? I've found that getting engineers in a room without senior management leads to positive results, even if some secret-sauce sharing needs to take place. You're looking for results, not IP protections...
-
Fifth... Recognize that you may have to exit the relationship. By that, I mean the executive team wants to know what it will take to swap out the vendor. Sit down with your internal client and run short- and long-term scenarios designed to move you toward an exit strategy. Document the plan and keep it in your back pocket, knowing it is your last resort.
-----------------------------------
In summary, the financial stress on a vendor causes the most damage up to and just before bankruptcy. Don't fear the bankruptcy; fear the merger and acquisition (I'll save that for another post). Communicate effectively. Remember, you are dealing with people, humans just like you who need to pay the rent and take care of family. Look for the opportunity to hire a subject matter expert. Engage the vendor outside of "management" to find creative solutions, and even pull yourself out (remember that your interaction, even mere observation, can change the results; think Schrödinger's cat). And last, but always top of mind, make certain your internal client has a plan, even if you need to walk them through it.
-
Good luck!

Friday, April 10, 2015

Appendix J - Quick Thoughts...

The new FFIEC Appendix J to the Business Continuity Planning booklet, issued February 23, 2015, impacts how we contract with vendors: it sets specific requirements on what contracts must include and what level of due diligence is expected prior to executing a contract, and it establishes new expectations regarding the review of fourth-party providers. Special emphasis is placed on recovery from large-scale cyber events and on the vendor's cyber resilience.

The FFIEC highlighted four key elements banks should address when contracting with Technology Service Providers (TSPs).

  1. The Vendor Management program should be risk-focused and provide oversight and controls to manage the risk of outsourcing. The VMO must maintain attention to due diligence, contract management (see the OTS booklet) and ongoing monitoring of service providers, including the TSP's subcontractors (fourth-party providers).
  2. Capacity addresses the potential impact of a significant disruption of service and the vendor's ability to restore multiple clients.
  3. Testing with our vendors addresses the importance of validating the vendor's ability to recover.
  4. Cyber resilience covers the unique disruptions caused by cyber events (e.g., DDoS attacks, zero-day attacks, malware, insider threats, etc.).

Note: The Federal Reserve emphasized that service providers are "broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities." (See FRB SR 13-19.)

Contracts must include:

  • Right to Audit
  • Service Level Agreements
  • Default and Termination
  • Subcontracting provisions
  • Data Controls (especially for foreign-based service provider)
  • BCP Testing
  • Data Governance
  • TSP updates regarding regulatory changes
  • Security and Data Breach

The guidance requires that the financial institution consider the maturity of the technology and the benefits and risks of its use. All new technology should be fully reviewed to determine whether new risks are being introduced, such as risks associated with shared access to data, authentication weaknesses and new exploits. The Bank will assess the effectiveness of the TSP's business continuity program with a focus on recovery capabilities and capacity. Further, the Bank must understand whether the vendor subcontracts, and if so, what the fourth party's BCP program is. Are the vendor's and its subcontractors' programs in alignment with the Bank's BCP program?

Testing must be part of the due diligence process and of the ongoing monitoring of the vendor and its fourth parties. This ensures the resilience of outsourced technology services. "The financial institution should perform periodic in-depth assessments of the [vendor's] control environment, including BCP, through the review of service provider business continuity plan testing activities, independent and/or third party assessments, and management information systems reports to assess the potential impact on the financial institution's business resilience."

The phrase "cyber resilience" is new language from the FFIEC, but the concept overall is not. There is a very real threat to banks from the growing sophistication and volume of cyber threats. Individuals, groups and even governments have developed new skills and techniques to disrupt operations, corrupt files and steal data. When testing and reviewing due diligence documentation, consideration must be given to the impact a large-scale cyber event may have on operations and on the ability to recover. The ever-evolving threats must be properly managed to ensure cyber resilience. Additionally, the vendor's capacity to recover all of its customers in a timely manner must be considered.

Monday, March 30, 2015

D+H to Acquire Fundtech for US$1.2 billion

Davis + Henderson announced today (March 30, 2015) that it will acquire Fundtech for US$1.2 billion. An announcement that comes as no surprise. With Fundtech under an FDIC and OCC consent order, senior management at GTCR went out looking for key players to bring onboard to get Fundtech polished up for sale. Canada's D+H is looking to swoop in and get into the payments business, just as GTCR thought it was doing in late 2011. There is a lot D+H will need to do to get Fundtech resurrected. However, unlike GTCR, Davis + Henderson actually knows a little something about the financial industry, so maybe there is some light at the end of the tunnel.

http://www.fundtech.com/media/ugc/pdf/DH_Fundtech_Acquisition_-_US_FINAL.pdf

Monday, March 30, 2015

FFIEC Releases Two Statements on Compromised Credentials and Destructive Malware 

http://www.ffiec.gov/press/pr033015.htm

--

FFIEC Releases Two Statements on Compromised Credentials and Destructive Malware 

The Federal Financial Institutions Examination Council (FFIEC) today released two statements about ways that financial institutions can identify and mitigate cyber attacks that compromise user credentials or use destructive software, known as malware. In addition, the FFIEC provided information on what institutions can do to prepare for and respond to these threats. 
-
Cyber attacks have increased in frequency and severity over the past two years. The attacks often involve the theft of credentials used by customers, employees, and third parties to authenticate themselves when accessing business applications and systems. Cyber criminals can use stolen credentials to commit fraud or identity theft, modify and disrupt information systems, and obtain, destroy, or corrupt data. Also, cyber criminals often introduce malware to business systems through e-mail attachments, by connecting infected external devices, such as USB drives, to computers or networks, or by introducing the malware directly onto the business systems using compromised credentials.
-
In accordance with FFIEC guidance, institutions should:
  • Securely configure systems and services;
  • Review, update, and test incident response and business continuity plans;
  • Conduct ongoing information security risk assessments;
  • Perform security monitoring, prevention, and risk mitigation;
  • Protect against unauthorized access;
  • Implement and test controls around critical systems regularly;
  • Enhance information security awareness and training programs; and
  • Participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.
-
The FFIEC also highlighted the following resources that provide practical information for strengthening user awareness regarding safe online practices.
  • Federal Trade Commission's OnGuard Online
  • National Cyber Security Alliance's Stay Safe Online
  • US-CERT Security Tip (ST13-003) "Handling Destructive Malware"
  • Joint Security Awareness Report (JSAR-12-241-01B) "Shamoon/DistTrack Malware"
  • National Institute of Standards and Technology "Cybersecurity Framework"
  • US-CERT "Cyber Resilience Review"
  • NSA/CSS Information Assurance Directorate (MIT-001R-2015) "Defensive Best Practices for Destructive Malware"
