As part of the updated FFIEC Authentication Guidance, U.S. banking regulators mandate that financial institutions conduct periodic risk assessments of their electronic banking services.
But in the face of evolving threats, a growing online customer base and emerging mobile technology, what is the most effective and flexible framework for conducting regular risk assessments?
Join Joe Rogalski, information security officer at First Niagara Bank, as he details:
How and when to conduct your risk assessments and meet regulators' expectations;
How to adapt your internal controls based on what you glean from your periodic risk assessments;
Case study of his own bank ($44 billion in assets) and how it responded to the results of its most recent risk assessment.
Risk assessments are the foundation of risk management and information security, and since 2005 U.S. banking regulators have urged institutions to conduct periodic risk assessments of their online banking products and services.
But institutions failed to follow that guidance, and as a result they and their customers were victimized by sophisticated schemes such as ACH/Wire fraud and corporate account takeover.
These high-profile fraud incidents helped inspire 2011's updated FFIEC Authentication Guidance, which reinforces regulators' expectations of periodic risk assessments. Specifically, the guidance says:
"Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. Updated risk assessments should consider, but not be limited to, the following factors:
Changes in the internal and external threat environment, including those discussed in the Appendix to this Supplement;
Changes in the customer base adopting electronic banking;
Changes in the customer functionality offered through electronic banking; and
Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry."
In this session, Joe Rogalski, VP and information security officer at New York's First Niagara Bank ($44 billion in assets), will detail how his institution conducts periodic risk assessments, including:
An overview of the FFIEC guidance and what examiners will expect to see in your approach to risk assessments;
How to conduct an effective risk assessment, including qualitative and quantitative approaches;
What to do about risks, vulnerabilities and threats identified in your assessments.
As an extension of Symantec's CTO Office, Joe works closely with Security Business Unit Executives, Sales Organizations and Customers. His responsibilities include providing security strategy and direction, governance and compliance, insight into industry security trends and threat landscape evolution, and best practices, and serving as a trusted advisor to security executives, business leaders, and IT executives and management.
Prior to Symantec, Rogalski served as Information Security Officer and SVP of First Niagara Bank, a top-25 regional bank located in the Northeast. Before joining First Niagara, Rogalski led information security risk management for M&T Bank.
Rogalski currently holds CISSP, CISM, and CRISC certifications and has more than 18 years of experience in technology and security in a variety of technical and management positions.