May 2019 AccumeView: Executive Cybersecurity Pulse Newsletter
May Monthly Compliance Newsletter
FFIEC Issues 2019 Guide to HMDA Reporting
The FFIEC issued its 2019 A Guide to HMDA Reporting: Getting it Right! This edition is effective as of January 1, 2019, for HMDA submissions due March 1, 2020. The guide includes information regarding a HMDA reporter’s responsibilities and requirements, directions for assembling the necessary tools, and instructions for reporting HMDA data. The guide was developed by the member agencies of the FFIEC. The updated edition incorporates changes that the Economic Growth, Regulatory Relief, and Consumer Protection Act made to HMDA, as well as the CFPB’s related 2018 HMDA interpretive and procedural rule. Additionally, the guide continues to include appendices developed by the member agencies regarding compliance materials useful for navigating HMDA requirements, such as the CFPB’s HMDA Small Entity Compliance Guide and various summary charts (regarding items like institutional coverage and transactional coverage).
April 2019 AccumeView: Executive Cybersecurity Pulse Newsletter
Computer hardware manufacturer ASUS was the victim of a sophisticated attack that left backdoor malware embedded in its update software. Researchers estimate that roughly half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware identified the targeted systems by their network adapters' MAC addresses; on a match it reached out to a command-and-control server the attackers operated and installed additional malware on the machine. Supply-chain attacks are growing in number and complexity; make sure that you have a plan to address them.
A recent survey of the roughly 22,000 new vulnerabilities disclosed in 2018 indicates that about one third have public exploits and about half can be exploited remotely. Ensure that you have complete visibility into all of your endpoints and that they are patched and up to date.
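The targeting logic described above is what lets a backdoor reach hundreds of thousands of machines while acting on only a few hundred: the implant carries a list of target identifiers and stays dormant everywhere else. The following is an added example, not code from the newsletter, from ASUS, or from the researchers who analysed the malware. It assumes (the page does not say) that the target list is stored as MD5 hashes of MAC addresses so that the targets cannot be read back out of the binary; the MAC addresses and hashes in it are constructed for the example and are not real indicators. The same matching function doubles as a defender-side check: given a published list of target hashes, it tells you whether any of your own adapters is on the list.

```python
"""Targeted-activation check keyed on hashed MAC addresses (added example).

Assumptions, labelled here because the newsletter does not state them:
  * the implant stores only hashes of the target MACs (MD5 is assumed);
  * MACs are canonicalised before hashing, so "aa-bb-cc-dd-ee-ff",
    "AABBCCDDEEFF" and "AA:BB:CC:DD:EE:FF" all hash the same way.
All addresses and hashes below are constructed for this example.
"""
import hashlib
import re
import uuid


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 uppercase hex digits in colon-separated pairs."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash of the canonical MAC; this is all an implant would need to carry."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed target list. In a real implant only the hex digests would be
# present; the plaintext MACs are shown here so the example is reproducible.
TARGET_MAC_HASHES = frozenset(mac_hash(m) for m in [
    "00:11:22:33:44:55",   # constructed target
    "AA-BB-CC-DD-EE-FF",   # constructed target, different input format
])


def matching_targets(local_macs, target_hashes=TARGET_MAC_HASHES):
    """Return the local MACs (canonical form) whose hash is on the target list.

    Unparseable entries are skipped rather than raised, because an enumeration
    of adapters on a real host often includes virtual or malformed entries.
    """
    hits = []
    for mac in local_macs:
        try:
            digest = mac_hash(mac)
        except ValueError:
            continue
        if digest in target_hashes:
            hits.append(normalize_mac(mac))
    return hits


def should_deploy_payload(local_macs, target_hashes=TARGET_MAC_HASHES) -> bool:
    """The implant's gate: stay dormant unless at least one adapter matches."""
    return bool(matching_targets(local_macs, target_hashes))


def local_mac_addresses():
    """Best-effort enumeration of this host's primary MAC using only the
    standard library. uuid.getnode() returns a random 48-bit number with the
    multicast bit set when it cannot find a hardware address; that case is
    reported as "no adapters" rather than as a bogus MAC.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return ["%012X" % node]


if __name__ == "__main__":
    hits = matching_targets(local_mac_addresses())
    if hits:
        print("WARNING: this host is on the target list:", ", ".join(hits))
    else:
        print("No local adapter matches the target list.")
```

Run against a real target-hash list, the script answers the question every affected organisation asked after the disclosure: "was the backdoor merely present on our machines, or were we among the systems it was built to act on?" The two answers call for very different incident-response effort.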
April Compliance Newsletter
The Federal Trade Commission (FTC) has proposed amendments to its 2003 Safeguards Rule and 2000 Privacy Rule, applicable to financial institutions under the Gramm-Leach-Bliley Act (GLBA). The proposed changes are intended to keep pace with technological developments. The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties. Some of the proposed changes to the Safeguards Rule include:
- Encryption of all consumer data;
- Implementing access controls to prevent unauthorized users from accessing consumer information;
- Implementing multifactor authentication to access consumer data; and
- Requiring periodic reports submitted to the Board to ensure compliance.
The proposed amendments would require covered financial institutions to encrypt all customer data held or transmitted by the institution, both in transit over external networks and at rest. The proposed amendments would also require the use of multi-factor authentication for any individual accessing customer information on the institution’s internal networks. Covered financial institutions would need to submit periodic reports to their Boards of Directors.
March AccumeView: Executive Cybersecurity Pulse Newsletter
California is proposing an update to its data breach notification law. When California Senate Bill 1386 went into effect in 2003, it was the country’s first data breach notification legislation, and California’s data breach notification rules continue to be among the strongest in the U.S. The proposed changes would require notification if passport numbers, other government-issued identification numbers, or biometric data were exposed. California’s definition of personal information remains “an individual’s first name or first initial and last name” in combination with one or more specified data elements, when either the name or the data elements are not encrypted; the bill would add these new categories to that list of data elements.
March Compliance Monthly Newsletter
Banks and credit unions now have a better opportunity to ensure that they meet consumers’ needs for short-term, small-dollar loans. The CFPB has proposed to remove the underwriting provisions from the small-dollar (payday) lending rule it issued in October 2017. The rule imposes an ability-to-repay (ATR) test on a wide range of small-dollar loans of 45 days or less, including payday loans, auto title loans and bank-provided loans with balloon payments. The CFPB’s proposal maintains the complete exemption in the rule for banks and other depository institutions that made 2,500 or fewer small-dollar loans in each of the current and previous years and for which these loans account for less than 10 percent of revenues. The CFPB is also proposing to delay the August 19, 2019 compliance date for the mandatory underwriting provisions of the 2017 final rule to November 19, 2020. The extension is intended to help lenders avoid expending unnecessary resources to comply with provisions that the CFPB has proposed to rescind. Comments on the proposal to delay the compliance date for the ATR provisions are due on or before March 18, 2019. Comments on the proposal to rescind the ATR provisions are due on or before May 15, 2019.
February AccumeView: Executive Cybersecurity Pulse Newsletter
Perspective: Time for a Better Mouse Trap
If your institution uses Microsoft Exchange 2013 or newer, be aware that there is a new vulnerability that requires attention. Attackers have been able to abuse an NTLM authentication function to perform relay attacks through the Exchange Web Services (EWS) interface; a successful attack can escalate an ordinary domain user account to domain administrator privileges. At the time of writing there is NO PATCH, but Microsoft has published work-arounds.
February Compliance Monthly Newsletter
The long-awaited private flood insurance rule is now here. The Biggert-Waters Act of 2012 required the Agencies to issue a rule directing regulated lending institutions to accept private flood insurance, as defined by the Biggert-Waters Act, and to notify borrowers of the availability of flood insurance coverage issued by private insurers. An original proposal was issued in October 2013 and was re-proposed in November 2016; the November 2016 Proposed Rule significantly revised the October 2013 Proposed Rule. The final rule is effective July 1, 2019.
January AccumeView: Executive Cybersecurity Pulse Newsletter
Automation is constantly evolving, and recent advances in attack tools and methods demonstrate that malicious automation can be expected to have significant ramifications. Researchers have shown that automated tools can successfully predict a user’s new password by analyzing that user’s older, stolen passwords, which makes a data breach far more likely. In a recent test, a malicious bot infiltrated a network, scanned all systems and exfiltrated all of the available data within 15 seconds. There is a good chance that 2019 will be the year these types of attacks become real. Make sure that your protections are in place.
January Compliance Monthly Newsletter
Agencies Update CRA Asset-Size Thresholds
The financial regulatory agencies announced the annual adjustment to the asset-size thresholds they will use to differentiate small and intermediate small banks and savings associations under the Community Reinvestment Act. A “small bank” or “small savings association” will be defined as an institution that, as of December 31st of either of the prior two calendar years, had assets of less than $1.284 billion. An “intermediate small bank” or “intermediate small savings association” will be defined as a small institution with assets of at least $321 million as of December 31st of both of the prior two calendar years, and less than $1.284 billion as of December 31st of either of the prior two calendar years. These adjustments are effective January 1, 2019.