August 24, 2022 — With Cybersecurity Awareness Month fast approaching, information security professionals and data protection managers will be looking at how to secure board-level buy-in for company-wide cybersecurity awareness campaigns. This is often the biggest hurdle for any awareness campaign, as senior leadership weighs the costs and benefits of investing in the security of the business.
Today we will be looking at some top tips for changing the tide on board-level buy-in.
What are the obstacles to board-level buy-in, and how do you address them?
According to a study by AT&T, board members rank data security as their number-one concern; however, 75% of those boards do not actively invest in internal cybersecurity awareness campaigns.
With average data breach costs soaring to $4.4 million in 2022, the need to elevate cybersecurity initiatives on the boardroom agenda is increasing.
Why is there an understanding of the importance of cybersecurity awareness but no impetus to follow up with company-wide campaigns and initiatives?
1. Monetary Hurdles
Budget is the most visible objection. Cybersecurity awareness providers can use behavior research tools and surveys to assess which areas of your company need training and development. That assessment lets you show where and how the budget should be spent, reassuring board members with facts and actionable analysis, and it involves them in the decision from the start.
2. Fear of change
One of the biggest hurdles to board buy-in is the fear of change and the comfort of following a tried and tested formula. People don’t like change, and breaking leadership habits is very difficult to do.
To break this status quo, increase board members’ involvement in security activities and simulations, especially in light of recent developments in cybersecurity regulation.
When you do this, you can show board members how easy it is to make costly mistakes under the current protocols and training. When scenarios are rooted in relatable, personal examples, the risks associated with a cybersecurity event become clear to every board member.
3. Lack of security awareness
There is nothing harder than selling a new and improved security awareness campaign to board members who have no security awareness themselves. Why would they invest a portion of their finances in something they do not understand? And why should the rest of the workforce take security awareness seriously if their managers do not give it a second thought? It is meant to be a team effort, after all.
This is a simple fix, but it requires hands-on work from the organization’s information security officer and/or data protection officer, with the help of your chosen training provider. Work to a trickle-down approach: begin with focus groups and simulated training for board-level members, keeping the focus on the financial and legal ramifications companies face as a result of breaches. Position cybersecurity awareness as a proactive part of the organization with a focus on return on investment (ROI), while highlighting how much more painful it is to react to a breach after the fact.
How to engage Board members in the cybersecurity awareness conversation
When you implement a cybersecurity awareness campaign that is supported and planned out by the board, you increase the chances of company-wide buy-in and knowledge retention. So, how will you engage board members in the conversation? By speaking their language.
Sell it to them!
You need to encourage your board to focus on the risks and threat actors that target organizations every single day, but you also need to realize you are selling them something. When selling to your board, make the problems their employees face concrete, and use board-level language such as risk terminology and KPIs (key performance indicators). Board members want to see hard numbers and measurable data to justify their investment.
Educate them regularly
The biggest reason board members struggle to support cybersecurity awareness initiatives is a lack of knowledge of the issue. If you are in charge of board buy-in, communicate cybersecurity insights, headlines, and stories to your board regularly. They need to understand, in an easy-to-digest way, how cybersecurity is vital to the existence of their organization. Upskilling the board should always be a primary goal of any cybersecurity campaign.
It’s an investment, not a loss!
Board members want to hear things like ‘driving consistency’, ‘streamlining processes’, ‘minimizing human error’, ‘avoiding reputational damage’, and ‘improving workflow’. Make it clear to your board that they are making an investment that will lead to a more efficient workforce and savings on the balance sheet. Begin with the message that cybersecurity is not a cost; it is an investment.
Bring in the pros
It is also highly beneficial to bring in a respected and experienced cybersecurity professional or consultant to add evidence to your board presentation. Cybersecurity professionals can run scoping workshops and team activities with your board to answer both company-specific questions and any technical questions that arise.
In conclusion
Board-level buy-in is key to promoting a secure organization from top to bottom. Remember that your executives are still people, so communicate your objectives clearly: how your security awareness campaign addresses gaps in your security culture, and how it keeps your organization safe from cybercrime.
Courtesy of Tripwire Guest Authors
Aug. 22, 2022 — Updated rules from the National Credit Union Administration have resulted in a massive jump in the number of credit unions issuing subordinated debt and the overall dollar amount.

- Recent changes to regulations from the National Credit Union Administration have resulted in a surge in the number of credit unions issuing subordinated debt and the dollar amount being issued.
- Low-income credit unions (LICUs) have at times issued subordinated debt to expand their operations, typically using the capital for lending expansion and servicing, or for the acquisition of newer and more efficient financial technology. The advantage of subordinated debt is that credit unions can make loans or provide other services to members with borrowed money that is counted as net worth and thus not counted against their capitalization.
- Recently, the NCUA expanded the number of credit unions eligible to issue subordinated debt to include complex credit unions (those with more than $500 million in total assets) and newly chartered credit unions. This change was made in conjunction with the release of new regulatory capitalization ratios — risk-based capital and the Complex Credit Union Leverage Ratio — which are also designed for complex credit unions. Although only LICUs are permitted to include subordinated debt in net worth, complex and new credit unions can use it to bolster the new RBC value. By allowing these credit unions to issue subordinated debt, the NCUA is providing these institutions with a new route to adjust to the new regulatory thresholds.
- These new capitalization-requirement rules spurred a 170.8% quarterly increase in the dollar value of subordinated debt issued by credit unions industrywide. Alongside dollar growth, the number of credit unions using this tool to increase net worth is also expanding. As of the second quarter of 2022, 132 credit unions had issued subordinated debt, up from 86 institutions in the first quarter of 2022 and 80 in the fourth quarter of 2021, before the regulatory changes took effect. This increase has been driven by larger credit unions issuing subordinated debt as net worth: 64 of these 132 credit unions are complex credit unions, up from 44 in the fourth quarter of 2021.
Courtesy of Callahan, CreditUnions.com
Agency: National Credit Union Administration
Joint Policy Statement Summary: Prudent Commercial Real Estate Loan Accommodations and Workouts
The NCUA, FDIC, and OCC have published a joint policy statement on Prudent Commercial Real Estate Loan Accommodations and Workouts. If finalized, the policy statement would address supervisory expectations related to commercial real estate risk management elements, loan classifications, regulatory reporting, and accounting considerations by updating existing interagency guidance, provide updated examples of classifications and income property valuation methodologies and address relevant accounting changes on loss estimates in Generally Accepted Accounting Principles (GAAP).
The deadline to submit a comment is October 3, 2022. The proposed rule may be read in its entirety here.
Click here to read the full NASCUS Summary (Member login required.)
Agency: Financial Crimes Enforcement Network (FinCEN)
FinCEN ANPRM: No-Action Letters
FinCEN has issued an advance notice of proposed rulemaking (ANPRM) soliciting public comment on questions relating to the implementation of a no-action letter process. The no-action letter process at FinCEN may affect or overlap with other forms of regulatory guidance and relief FinCEN currently offers, including administrative rules and exceptive or exemptive relief. Therefore, the ANPRM seeks input from the public on whether a no-action letter process should be implemented and, if so, how the no-action letter process should interact with those other forms of relief.
Click here to read the full NASCUS Summary (Member login required.)
Click here to read comments filed with FinCEN on August 5, 2022.
The Consumer Financial Protection Bureau is taking heat from banks and credit unions over its proposal to limit increases in credit card late fees that would otherwise increase because of rising inflation.
August 05, 2022 — Banks and credit unions are pushing back hard against an effort by the Consumer Financial Protection Bureau to put a halt to a roughly 9% hike next year in credit card late fees pegged to inflation.
The issue has been moot for years because inflation has been so low. But with the Consumer Price Index up 9% in the past year, the CFPB is calling into question whether credit card late fees should be tied to inflation, a provision set by the Federal Reserve in 2010.
Under the “safe harbor” provision, institutions can raise late fees due to inflation without any cost-benefit analysis as long as the fees being charged are “reasonable and proportional.” To receive the safe harbor, credit card issuers can charge $30 for the first late payment and $41 for subsequent late payments within six billing cycles.
Under a complicated formula, credit card late fees are expected to rise next year to an estimated $33 for the first late payment and $45 for subsequent late payments.
Consumer advocates and critics of the Fed’s safe harbor suggest that the CFPB intervene and put a halt to the inflation adjustments. CFPB Director Rohit Chopra wants to lower credit card late fees generally and has already called out financial institutions for charging consumers roughly $12 billion a year in late fees.
The CFPB received 42 comments to an advance notice of proposed rulemaking in June that seeks to determine how credit card issuers set late fees. A core part of the CFPB’s review involves determining whether late fees are generating more revenue than is necessary to cover their cost, a requirement set by the Fed.
But Chopra also has raised concerns about whether the Fed initially set late fees too high more than a decade ago and whether giving financial firms a safe harbor, with immunity from enforcement actions for setting fees at the safe harbor level, gives issuers an incentive to raise late fees every year.
David Silberman, a former acting CFPB deputy director who is now a lecturer at Harvard Law School, said the bureau should issue an interim final rule to prevent late fees from rising in 2023. Silberman, who is also an adjunct professor at Georgetown University’s McCourt School of Public Policy, said the increases pegged to inflation do not meet the Fed’s own standards.
“There is ample reason to doubt whether a safe harbor which increases with the current cost of living increases meets the reasonable and proportional requirement,” Silberman wrote in a comment letter. “Even if the safe harbor levels were set correctly in 2010 to cover costs and deter violations, there is no basis to presume that the current levels are reasonable and proportional to the violations (i.e. the late or missed payment) that triggers the fee.”
“These late fees are calculated as a business judgment to establish a deterrent effect to mitigate the risk of extending credit,” said Ann Petros, vice president of regulatory affairs at the National Association of Federally-Insured Credit Unions. “The bureau should not second-guess this business judgment or further limit fees across the board by reducing the safe harbor fee amounts.”
Of the 20 largest card issuers, 18 charge late fees at or near the maximum allowed. Many small banks and credit unions charge late fees of $25 or less, though Petros said that credit card payment processors set most fee limits and then pass their costs onto credit unions.
Bankers consider late fees to be a deterrent to consumers piling on debt. (Late fees and interest are charged to cardholders that fail to make the minimum payment by their credit card’s due date.)
Some commenters said the CFPB should look elsewhere for culprits charging excessive fees such as fintechs and buy now/pay later companies.
Others said that reducing late fees or eliminating the safe harbor would cause some level of havoc for the industry, forcing financial institutions to raise fees elsewhere or raise the cost of credit overall, which would impact small banks and credit unions.
“Any reduction in the safe harbor amount or elimination of the safe harbor would have an impact on the thousands of credit card issuers operating in this market, including small issuers,” wrote Paige Pidano Paridon, senior vice president and senior associate general counsel at the Bank Policy Institute.
The CFPB has the authority to regulate late fees under the Truth in Lending Act and Regulation Z, the Card Act’s implementing regulation.
Chi Chi Wu, a staff attorney at the National Consumer Law Center, said credit card late fees should be proportional to the debt owed. She suggested that the CFPB create a sliding scale under the safe harbor so that late fees are proportional to the account balance.
Technology also has lowered the cost of collections, making it easier and cheaper for credit card issuers to use automated methods to collect overdue payments and delinquent debts, Wu said.
Another wrinkle involves minimum credit card payments. Currently, a late fee cannot exceed the minimum amount required. But if late fees go up, issuers also will have to raise the minimum payment floor, Silberman said.
Click here to read the entire article with quotes.
Courtesy of Kate Berry, American Banker
Plaintiff claims inaccurate score cost her more on auto loan; Company says majority of credit seekers saw no shift in scores
August 4, 2022 — Equifax Inc., the second-biggest global credit bureau, was hit with a proposed class-action lawsuit after a report that it provided inaccurate credit scores on millions of US consumers looking for loans.
The suit, filed Wednesday in federal court in Atlanta, alleges violations of the Fair Credit Reporting Act. It seeks financial damages and a court order requiring Equifax to notify all customers who were impacted by the score-reporting glitch, which the Wall Street Journal reported Aug. 2.
“We believe that many of the people impacted — some of whom may still be unaware of what happened — suffered severe financial consequences,” John Morgan and John Yanchunis, the attorneys who filed the suit, said in a statement.
Erroneous scores were sent from mid-March through early April, and disclosures of the errors began in May, the Wall Street Journal reported. Equifax blamed a computer error that has since been rectified.
Equifax, in a statement Thursday, said the three-week “technology coding issue” was fixed on April 6. The company said its analysis showed that during that period there was “no shift in the majority of scores” for consumers seeking credit.
“For those consumers that did experience a score shift, initial analysis indicates that only a small number of them may have received a different credit decision,” according to the statement. “While the score may have shifted, a score shift does not necessarily mean that a consumer’s credit decision was negatively impacted.”
The lead plaintiff in the suit is a Florida woman who alleges she was forced to take a less-favorable auto loan in April as a result of an inaccurate credit score. The suit claims she’s now paying about $150 a month extra.
Bloomberg Intelligence analyst Nathan Dean said the fallout from the glitch may be limited.
Courtesy of Erik Larson, Bloomberg
August 2, 2022 — One of the primary methods malware distributors use to infect devices is deceiving people into downloading and running malicious files, and malware authors use a variety of tricks to achieve that deception.
These tricks include masquerading malware executables as legitimate applications, signing them with valid certificates, and compromising trustworthy sites to use them as distribution points.
According to VirusTotal, a security platform that scans uploaded files for malware, some of these tricks are used on a much larger scale than previously thought.
The platform has compiled a report presenting statistics from January 2021 through July 2022, based on roughly two million file submissions per day, illustrating trends in how malware is distributed.
Abusing legitimate domains
Distributing malware through legitimate, popular, high-ranking websites lets threat actors evade IP- and domain-based blocklists, enjoy high availability, and borrow the site’s reputation. VirusTotal detected 2.5 million suspicious files downloaded from 101 domains belonging to Alexa’s top 1,000 websites.
The most notable abuse case is Discord, which has become a hotbed of malware distribution, with hosting provider Squarespace and cloud provider Amazon also accounting for large numbers. The common thread is that these services let any user upload and share files, so the domain’s reputation says nothing about who uploaded a particular file.

Most abused domains for malware distribution (VirusTotal)
Using stolen code-signing certificates
Signing malware samples with valid certificates stolen from companies is a reliable way to evade AV detection and security warnings on the host. Of all the malicious samples uploaded to VirusTotal between January 2021 and April 2022, over a million were signed, and 87% used a valid certificate. “Valid” here means the signature verifies and the certificate chains to a trusted root; it says nothing about whether the named publisher actually produced the file, which is exactly why a stolen key works. Defenders should therefore treat a valid signature as an identity claim to check against an expected signer, not as a trust decision in itself.
The most common certificate authorities whose certificates were used to sign the malicious samples submitted to VirusTotal include Sectigo, DigiCert, USERTrust, and Sage South Africa.

Signing authorities used by malware authors (VirusTotal)
Disguised as popular software
Masquerading a malware executable as a legitimate, popular application has seen an upward trend in 2022.

Trend of disguising malware as real apps (VirusTotal)
Victims download these files thinking they are getting the applications they need, but running the installers infects their systems with malware. The most mimicked applications (by icon) are Skype, Adobe Acrobat, VLC, and 7zip.
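The three tricks above share one lesson for detection engineering: a top-ranked download domain, a valid Authenticode chain, and a familiar icon are each claims, not trust decisions. The following triage routine is an added example written for this page, not VirusTotal’s code and not derived from its report. It runs over constructed download-telemetry events and scores each one by whether the host is user-uploadable, whether the file is signed at all, and, most importantly, whether the signer matches the publisher the organization expects for the product the file claims to be. The host list, the product-to-signer allowlist, and all events are hypothetical placeholders.

```python
"""Download-telemetry triage: treat domain rank, signature validity and icon
as claims to be checked, not as trust. Added example with constructed data;
hosts, signer names and events are hypothetical placeholders."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hypothetical: hosts where arbitrary users can upload files. A high site
# rank says nothing about who uploaded a given attachment or bucket object.
USER_CONTENT_HOSTS = ("cdn.discordapp.com", ".s3.amazonaws.com", ".squarespace.com")

# Hypothetical organisation allowlist: product keyword -> signer subject the
# organisation expects for that product. Placeholder names, not real vendors' subjects.
EXPECTED_SIGNER = {
    "skype": "Example Messaging Corp",
    "acrobat": "Example Document Co",
    "vlc": "Example Media Org",
    "7zip": "Example Archive Author",
}


@dataclass
class DownloadEvent:
    filename: str
    url: str
    signed: bool
    signature_valid: bool          # signature verifies and chain builds to a trusted root
    signer: Optional[str]          # subject CN of the leaf code-signing certificate
    icon_resembles: Optional[str]  # product whose icon the executable imitates, if any


def is_user_content_host(url: str) -> bool:
    """True when the download host is one where anyone can publish files."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith(h) for h in USER_CONTENT_HOSTS)


def claimed_product(ev: DownloadEvent) -> Optional[str]:
    """Which well-known product the file presents itself as, by icon or by name."""
    if ev.icon_resembles:
        return ev.icon_resembles.lower()
    name = ev.filename.lower()
    return next((p for p in EXPECTED_SIGNER if p in name), None)


def triage(ev: DownloadEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Note that a valid signature never lowers the score."""
    score, reasons = 0, []
    if is_user_content_host(ev.url):
        score += 2
        reasons.append("downloaded from user-uploadable hosting")
    if not ev.signed or not ev.signature_valid:
        score += 2
        reasons.append("unsigned or invalid signature")
    product = claimed_product(ev)
    if product is not None:
        expected = EXPECTED_SIGNER.get(product)
        if ev.signer != expected:
            # A stolen certificate produces a valid chain but the wrong identity
            # for the product the file claims to be, so it still fails here.
            score += 3
            reasons.append(
                f"presents as {product} but signer is {ev.signer!r}, expected {expected!r}"
            )
    return score, reasons


def verdict(score: int) -> str:
    return "investigate" if score >= 3 else "allow"


def triage_all(events: list[DownloadEvent]) -> dict[str, str]:
    """Map filename -> verdict for a batch of events."""
    return {ev.filename: verdict(triage(ev)[0]) for ev in events}


# Constructed sample telemetry (not real observations).
SAMPLE_EVENTS = [
    # Vendor-hosted installer, signed by the signer the org expects for VLC.
    DownloadEvent("vlc-setup.exe", "https://downloads.vendor.example/vlc-setup.exe",
                  True, True, "Example Media Org", "vlc"),
    # Acrobat look-alike on a chat CDN, validly signed but by an unrelated company.
    DownloadEvent("AcrobatReader_Update.exe",
                  "https://cdn.discordapp.com/attachments/1/2/AcrobatReader_Update.exe",
                  True, True, "Unrelated Trading Ltd", "acrobat"),
    # Unsigned executable from an object-storage bucket, no product claim.
    DownloadEvent("invoice.exe", "https://bucket.s3.amazonaws.com/invoice.exe",
                  False, False, None, None),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons = triage(ev)
        print(f"{ev.filename}: {verdict(score)} (score {score}) {reasons}")
```

The second event is the case the report highlights: the chain is valid and the host is in the top tier of the web, yet the signer does not match the publisher the organization expects for Acrobat, so the valid signature buys the file nothing. In production the allowlist would hold certificate thumbprints rather than subject names, since subject strings can be imitated by a fraudulently obtained certificate.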
Click here to read the rest of the article.