Risk assessments are a valuable tool, if used to truly understand the threat environment associated with specific product lines. A good example of a meaningful risk assessment would be a “Corporate Account Takeover Risk Assessment” which, if performed properly, is used to determine the probability of a Corporate Account Takeover (CATO). If the risk is low or nonexistent, then a CATO program would not be necessary. However, the risk is high if a bank offers any of the following products through the electronic banking or cash management system for either commercial or retail customers:
- Wire transfer requests;
- ACH origination requests; or
- External account transfers.
It may seem like basic risk assessment templates with general descriptions of threats such as “unauthorized access to customer information: or “viruses/malware” are sufficient, but by spending the time to understand which customers truly present the greatest risk from a corporate takeover, and to identify “best practice” procedures recommended to reduce the incident of a CATO, managers are in a much better position to present a case to their boards of directors for additional personnel and/or systems resources, as appropriate, to mitigate risk. At one time, these high-risk product lines used to be performed inside the bank with the highest levels of controls; now, customers control the security effectiveness within their operational environments, and communications associated with these product lines are Internet-based, and open to a number of threats if not properly secured.
Does your bank’s Board of Directors understand, and has it discussed, the risks associated with Corporate Account Takeovers?
Has the bank identified corporate customers that are subject to the greatest risk for a CATO, especially for corporate cash management customers initiating large dollar ACH origination files and/or wire transfer requests?
Are your bank’s corporate online banking customers knowledgeable of basic online security practices such as keeping anti-virus and system software up-to-date, using strong passwords and dual controls, transmitting ACH files and wire instructions securely, etc.?
Would corporate cash management self-administration capabilities be eliminated if the corporate customer doesn’t meet minimum security standards established by the bank?
Does the bank monitor changes made to corporate customers’ online banking profiles and/or unusual customer activities?
Are your bank’s monitoring systems, controls for system administrators, and processes adequate to detect anomalies?
Are detection options used by the bank based on the risk profile of the corporate online banking environment?
Does your bank’s “best practices” include an employee education and training program that is adequate to detect fraudulent account activity?
Are bank employees able to recognize compromised internal systems at the bank?
Do bank employees have multiple methods to contact customers immediately in the event of suspected fraudulent activities?
Does your bank bank’s Incident Response Plan require an attempt to immediately reverse fraudulent transactions?
Do procedures include FedLine’s “Fraudulent File Alert” and/or notification to receiving bank? Would compromised systems be suspended?
These are just a few procedures associated with “best practice” controls that should be considered in a CATO Risk Assessment. It takes time to adequately complete a CATO Risk Assessment and to implement appropriate controls as necessary. However, this process is much better than sitting in the President’s office after a CATO event has taken place and trying to identify if the bank’s processes met industry best practices that would have protected against CATO.
For additional information on Critical Risk Assessments, please contact:
Darla Brogan, CISA, CRISC, AAP
Senior Consultant, ProBank Austin