Compliance

Risk Assessment Framework for Online Channel: Learn from an Expert
Risk Assessment Framework for Online Channel: Learn from an Expert
As part of the updated FFIEC Authentication Guidance, U.S. banking regulators mandate that financial institutions conduct periodic risk assessments of their electronic banking services.

But in the face of evolving threats, a growing online customer base and emerging mobile technology, what is the most effective and flexible framework for conducting regular risk assessments?

Join Joe Rogalski, information security officer at First Niagara Bank, as he details:

  • How and when to conduct your risk assessments and meet regulators' expectations;
  • How to adapt your internal controls based on what you glean from your periodic risk assessments;
  • Case study of his own bank ($44 billion in assets) and how it responded to the results of its most recent risk assessment.

See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016

Background

Risk assessments are the foundation of risk management and information security, and since 2005 U.S. banking regulators have urged institutions to conduct periodic risk assessments of their online banking products and services.

But institutions failed to follow that guidance, and as a result they and their customers were victimized by sophisticated schemes such as ACH/Wire fraud and corporate account takeover.

These high-profile fraud incidents helped inspire 2011's updated FFIEC Authentication Guidance, which re-enforces regulators' expectations of periodic risk assessments. Specifically, the guidance says:

"Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. Updated risk assessments should consider, but not be limited to, the following factors:

  • Changes in the internal and external threat environment, including those discussed in the Appendix to this Supplement;
  • Changes in the customer base adopting electronic banking;
  • Changes in the customer functionality offered through electronic banking; and
  • Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry."

In this session, Joe Rogalski, VP and information security officer at New York's First Niagara Bank ($44 billion in assets), will detail how his institution conducts period risk assessments, including:

  • An overview of the FFIEC guidance and what examiners will expect to see in your approach to risk assessments;
  • How to conduct an effective risk assessment, including qualitative and quantitative approaches;
  • What to do about risks, vulnerabilities and threats identified in your assessments.



Around the Network