Podcasts about ffiec

  • 36 podcasts
  • 154 episodes
  • 21m average duration
  • 1 new episode monthly
  • Latest: Dec 4, 2024




Latest podcast episodes about ffiec

Banking on Fraudology
Open Letter to U.S. Regulators – A Conversation with Ken Palla

Dec 4, 2024 (36:07)


SentiLink is at the forefront of fraud prevention and identity verification, offering innovative solutions to help financial institutions tackle synthetic fraud, identity theft, and more. We're thrilled to have them onboard as partners in our mission to equip you with the tools and knowledge you need to stay ahead in this ever-evolving landscape. Stay tuned for more great episodes and insights—thanks again to SentiLink for supporting the podcast! Visit: https://www.sentilink.com/ and learn all about them!

In this episode, Ken Palla, a former online security manager at Union Bank, shares insights from his open letter to US regulators addressing the urgent need for stronger guidance on scam controls and data sharing between financial institutions. Ken discusses the challenges banks face in combating authorized payment scams and proposes solutions modeled after past FFIEC online security guidance. He emphasizes the importance of clear regulations around data sharing, particularly through updates to the 314B provision, to enable more effective fraud prevention. He also highlights the growing threat of scams, their impact on consumers, and the role of banks in protecting customers. The conversation touches on international efforts to combat scams, the need for collaboration between banks, telcos, and digital platforms, and practical advice for consumers to avoid falling victim to scams.

Open Letter from Ken Palla

About Hailey Windham:
As a 2023 CU Rockstar Recipient, Hailey Windham, CFCS (Certified Financial Crimes Specialist), demonstrated unbounded passion for educating her community, organization and credit union membership on scams in the market and best practices to avoid them. She has implemented several programs within her previous organizations that aim at holistically learning about how to prevent and detect fraud targeted at membership and employees.
Windham's initiatives to build strong relationships and partnerships throughout the credit union community and with industry experts have led to countless success stories. Her applied knowledge of payments system programs combined with her experience in fraud investigations offers practical concepts that are transferable, no matter the organization's size. Connect with Hailey on LinkedIn: https://www.linkedin.com/in/hailey-windham/

MSP 1337
FFIEC is Retiring CAT Assessment, What Does That Mean?

Nov 26, 2024 (35:40)


With FFIEC retiring the CAT assessment in August 2025, it might seem daunting to consider other frameworks as a path forward. I sat down with Dan Sitton of Guardian Technology Group to discuss his background in working with banks and some suggestions for the future. --- Support this podcast: https://podcasters.spotify.com/pod/show/msp1337/support

With Flying Colors
HMDA: Why It's Important to Get It Right

Oct 3, 2024 (26:35), transcription available


Understanding HMDA

Episode Summary
In this episode of With Flying Colors, host Mark Treichel interviews Joe Goldberg, a retired NCUA consumer compliance expert, about the Home Mortgage Disclosure Act (HMDA). Joe provides an in-depth overview of HMDA, its purpose, requirements, and importance for credit unions.

Key Points
1. HMDA Background and Purpose
   - Enacted in 1975 to address housing issues and prevent discrimination
   - Provides over 45 years of good mortgage data
2. HMDA Requirements
   - Applies to credit unions meeting specific criteria (asset size, location, loan activity, and volume)
   - Requires collection and reporting of 48 data points on mortgage applications and loans
3. Data Collection and Reporting
   - Data must be recorded in a Loan Application Register (LAR)
   - LARs must be updated quarterly
   - Annual submission deadline: March 1st of the following year
4. Partial Exemptions
   - Available for institutions originating fewer than 500 covered closed-end mortgages or open-end lines of credit
   - Reduces reporting requirements from 48 to 22 data points
5. Use of HMDA Data
   - Regulators use it for fair lending programs and compliance checks
   - Credit unions can use it to assess their performance and improve fair lending programs
6. Compliance Tips
   - File data even if late to avoid more serious violations
   - Utilize resources like FFIEC's "Getting It Right Guide" and CFPB's website

Notable Quotes
"HMDA goes back to 1975, which is when it was enacted. And so, as a result of that, we actually have mortgage data, good mortgage data, going back for over 45 years."
"Even if you're late, file the data."
"I just think it's important for credit unions to understand, though, that even though complying with HMDA can be a chore, that there is a valid reason for collecting the HMDA data, and that is to try and ensure that mortgage credit is offered and extended to everybody based on mortgage related criteria."

Resources Mentioned
- NCUA Regulatory Alerts
- FFIEC Website (www.ffiec.gov)
- FFIEC's "Getting It Right Guide"
- Consumer Financial Protection Bureau Website (consumerfinance.gov)
- Lending Patterns software by Compliance Tech (used by NCUA)

About the Guest
Joe Goldberg is a retired NCUA consumer compliance expert with over 40 years of experience as a lawyer. He has taught consumer law and worked in various aspects of financial regulation.

Sponsor
This episode is sponsored by Credit Union Exam Solutions by Mark Treichel. Visit marktreichel.com for more information on optimizing your results with NCUA.

Ahead of the Curve: A Banker's Podcast
Ensuring access to the FFIEC's "suitable resources" at your financial institution: What BSA Compliance Officers need to know

Aug 19, 2024 (21:14)


It is a BSA Compliance officer's job to make sure their institutions are in compliance with the latest from the FFIEC. That means getting their boards and leadership invested in following AML/CFT best practices. In today's episode, we'll explore the FFIEC's list of critical elements for a BSA program—from adequate staffing and expertise to the technological systems necessary for identifying and managing risks. Our guest is Hannakah Rubin, a Senior Client Development Consultant with Abrigo, who brings over 24 years of experience in the financial institution and software industry. Hannakah has not only developed Compliance, Fraud, and BSA Programs from the ground up but has also worked extensively with financial institutions to incorporate automated solutions into their compliance efforts.

Learn more about upcoming AML/CFT certification and training events.

Helpful links:
Survey: State of Fraud 2024: Key findings and recommendations for FIs
Infographic: 6 Steps for compliance with new AML/CFT program rules
Checklist: Elements of an effective SAR narrative

Making Cents of Money
Episode 85: The Federal Community Reinvestment Act (CRA)

Jun 17, 2024 (60:35)


Did you know federal law aims to curb discriminatory lending? Ed Hill from IDFPR's Division of Banking breaks down the Community Reinvestment Act and how it works to increase lending to underserved communities in our latest episode of the Making Cents of Money podcast!

Show Notes:
  • Community Reinvestment Act (CRA) via Federal Reserve Board - https://www.federalreserve.gov/consumerscommunities/cra_about.htm
    o CRA Ratings via FFIEC - https://www.ffiec.gov/craratings/default.aspx
  • Housing Discrimination Under the Fair Housing Act via HUD - https://www.hud.gov/program_offices/fair_housing_equal_opp/fair_housing_act_overview
  • Equal Credit Opportunity Act via FTC - https://www.ftc.gov/legal-library/browse/statutes/equal-credit-opportunity-act
  • Home Mortgage Disclosure Act via FFIEC - https://ffiec.cfpb.gov/
  • Illinois Community Reinvestment Act (CRA) via IDFPR - https://idfpr.illinois.gov/admin/cra.html

The Compliance 911 Show
Discrimination and Bias in Residential Lending

Jun 2, 2024 (12:35), transcription available


In this podcast episode, Dean and Len discuss the timely issue of appraisal discrimination and bias within the context of Fair Lending. Dean highlights the FFIEC's recent guidance on mitigating risks related to discriminatory practices in property valuations and ensuring credible appraisals. Appraisal bias, which can result in minorities receiving lower property valuations, affects credit access and terms and violates anti-discrimination laws like the Equal Credit Opportunity Act and Fair Housing Act. The guidance is relevant for both financial institutions and examiners, emphasizing the importance of internal controls and compliance to avoid legal risks and ensure fair lending practices. Dean provides practical suggestions for lenders, including thorough vendor due diligence, risk assessments, training on bias red flags, and establishing clear processes for appraisal reviews and complaints. Both hosts stress the necessity for financial institutions to address and mitigate appraisal bias actively. Brought to you by GeoDataVision and M&M Consulting

The Compliance 911 Show
How to estimate how your performance will look under the new CRA

Mar 26, 2024 (14:14), transcription available


Podcast #71 discusses how banks can estimate their performance under the new Community Reinvestment Act (CRA) rules. Len highlights bankers' concerns about the increased difficulty in passing the CRA exam with the new rules, which predict a significant rise in failure rates. He emphasizes the importance of the Retail Lending Test, explaining that failing this test results in an overall unsatisfactory CRA rating.

To estimate their performance, banks should first focus on the Retail Lending Test and identify their Retail Lending Assessment Areas. The next steps involve determining benchmarks based on geographic and borrower distribution tests and applying multipliers to create calibrated benchmarks for a low satisfactory rating. Banks then need to compute their penetration rates in different income tracts and compare them to these benchmarks.

Dean asks about data sources for these calculations, and Len suggests using HMDA and CRA data, along with FFIEC demographic files. He also notes that GeoDataVision will publish relevant benchmarks on their website for further guidance. The podcast ends with an invitation for future topic suggestions from listeners. Brought to you by GeoDataVision and M&M Consulting

With Flying Colors
Introducing the Regulatory Guidance Podcast

Jan 2, 2024 (5:42), transcription available


Introducing the Credit Union Regulatory Guidance Podcast

In this episode of 'With Flying Colors', host Mark Treichel announces a new podcast titled 'Credit Union Regulatory Guidance'. Sponsored by Credit Union Exam Solutions, this new program will primarily focus on educational content presented in an audiobook-style format, explaining new regulatory directives from the National Credit Union Administration (NCUA), FDIC, OCC, FFIEC, and the CFPB. The aim of the podcast is to ensure credit union leaders understand crucial guidance often cited in NCUA exam reports. The host of this new podcast, Samantha Shares, is introduced. Samantha, who is an AI voice, outlines plans to release two episodes weekly and gives a sneak peek into topics like contingency funding and commercial real estate concentrations, among others.

00:35 Introduction and New Year Wishes
00:40 Introduction to the New Podcast: Credit Union Regulatory Guidance
01:16 Purpose and Focus of the New Podcast
02:42 Invitation to Subscribe to the New Podcast
03:01 Introduction of the New Podcast Host: Samantha Shares
03:12 Discussion on the Upcoming Episodes of the New Podcast
04:32 Conclusion and Final Remarks

The Compliance 911 Show
The Importance of Assessment Areas

Dec 6, 2023 (11:53)


In the podcast, Len Suzio from GeoDataVision LLC and Dean Stockford of M&M Consulting delve into the topic of CRA (Community Reinvestment Act) Assessment Area delineation. Len emphasizes the critical importance of banks updating their CRA assessment area maps, particularly in light of changes to census tracts that were officially adopted by the FFIEC on January 1, 2022. He is alarmed to find that many banks haven't updated their maps, which is a mandatory requirement. Len further elaborates on the "performance context" in the CRA regulation, which is pivotal in determining banks' performance expectations. This context includes the unique characteristics of the bank, the demographics of the communities within the CRA assessment area, and the credit markets in local communities.

Len explains the various CRA lending tests, such as the Assessment Area ratio, the conspicuous gaps in contiguous tracts test, the LMI tracts penetration test, and the "borrower characteristics" test. He emphasizes that the configuration of the assessment area can significantly impact performance standards, as examiners will evaluate demographic and credit market variables. Len also touches upon the regulatory flexibility banks have in defining their assessment areas and urges banks to review and evaluate their current areas to avoid inflating their CRA performance standards. The conversation concludes with Len and Dean encouraging listeners to take the topic seriously and consider the implications of their assessment area delineations.

Brought to you by GeoDataVision and M&M Consulting

Leaders In Tech
Creating a Culture of Success: A Leader's Duty

Oct 16, 2023 (55:19)


In today's rapidly evolving digital landscape, there is often an apprehension towards new technology, as many people fear the unknown. However, it is vital to embrace a different perspective, one embodied by forward-thinkers like Genaro Liriano, the Director of Technology Operations Risk Management at CIBC. Instead of succumbing to fear, Genaro advocates for an approach that encourages learning and understanding of new technology. He believes that the essence of innovative technology lies in its potential to enhance and improve our lives. By gaining knowledge about these advancements, we can harness their power to solve problems, drive efficiency, and ultimately, make the world a better place. This mindset of curiosity, exploration, and adaptability can help us navigate the ever-changing technological landscape with confidence and optimism, rather than trepidation.

Here's more about Genaro Liriano:
I am an Information Systems Security Professional with over 24 years' experience in various aspects of Information Technology Management, devising strategic initiatives in the Information Systems Security realm. Helping enterprises manage and govern through various regulatory requirements and industry standards such as OSFI, FFIEC, PIPEDA, PCI DSS, etc.
Hands-on experience with various security controls such as: PKI, ATM Security, Security Operations, Management, Infrastructure and Operations, Network Security, End Point Security, Security Architecture, Online Banking, Mobile Banking, Online Banking for Business.
Other skills: Customer Service, Voice-Over, Public Speaking, Broadcasting.

CISO Tradecraft
#149 - Board Perspectives

Oct 2, 2023 (43:14)


On this episode we discuss the four key roles Boards play in cybersecurity:
- Setting the company's vision and risk strategy
- Reviewing assessment results
- Evaluating management's cyber risk stance
- Approving risk management plans

Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/
Transcripts - https://docs.google.com/document/d/1jarCcQYioT59jtIrppH4xZqyAy4Vn_tB/

Chapters
00:00 Introduction
01:36 What is a Board of Directors and what do they do?
09:33 FFIEC requirements for Boards
16:51 Establishing an Information Security Culture
19:08 Vision and Risk Appetite
22:00 Reviewing Cyber Assessments
25:09 Are we secure?
32:44 Castle Walls and Attacks
33:37 Getting your budget requests approved
37:10 Using use-it-or-lose-it money and reserved funding

With Flying Colors
#128 Expert Vin Vieten on Policy Statement on Prudent Commercial Real Estate Loan Accommodations and Workouts

Sep 5, 2023 (31:05)


I catch up with Commercial Lending Expert Vin Vieten on the FFIEC's Loan Accommodation Guidance issued late last month. The statement provides guidance to federal banking regulatory agencies on prudent commercial real estate loan accommodations and workouts. The main points are:
- Regulators will not criticize financial institutions for engaging in prudent loan workout arrangements with creditworthy borrowers, even if the modified loans are adversely classified due to weaknesses.
- Modified loans to borrowers who can repay according to reasonable terms will not be adversely classified solely due to declines in collateral value below the loan balance.
- The guidance covers risk management expectations, loan classification, regulatory reporting, and accounting considerations for commercial real estate loan accommodations and workouts.
- Short-term accommodations are encouraged as a tool to help borrowers, and the guidance provides principles for prudent risk management of these accommodations.
- For loan workouts, regulators will evaluate the effectiveness of a financial institution's practices, including having appropriate policies, documentation standards, risk monitoring, and regulatory reporting processes.
- The guidance provides principles for classification of renewed/restructured loans, problem loans dependent on collateral for repayment, and restructurings with partial charge-offs.
- The statement emphasizes coordination between the loan workout function and accounting/regulatory reporting staff.
- Appendices provide loan workout examples, relevant supervisory guidance and rules, valuation concepts, adverse classification definitions, and a summary of current expected credit loss accounting.

In summary, the guidance aims to promote consistent supervisory approaches and transparency for commercial real estate loan accommodations and workouts. The goal is to avoid impeding credit availability to sound borrowers while maintaining prudent lending practices. Hear Vin's take on why this is A+ guidance.

CISSP Cyber Training Podcast - CISSP Training Program
CCT 068: CISSP Insights on Data Collection, Location, and Destruction (D2.4)

Sep 4, 2023 (44:02), transcription available


Ready to decode the mystery of AI in digital forensics? I'm your host, Sean Gerber, and in this stimulating conversation, we're peeling back the layers on how AI is revolutionizing the digital forensics landscape. From automating log analysis and malware detection to reshaping image and video analysis, we're talking about it all. So, buckle up as we navigate the potential legal implications of this rapid technological evolution.

Dive deeper into the tangled web of data protection and classification in the second part of this riveting episode. We'll guide you through the labyrinth of laws, such as Sarbanes-Oxley and PCI DSS, that govern personally identifiable information (PII), intellectual property (IP), financial data, and health records. Learn the ropes of securing your data via encryption, access controls, and periodic audits. Let's get ready to demystify the laws and methods that protect your digital footprint.

Finally, prepare to be fascinated as we explore the complexities of health data storage, compliance requirements, data mapping, and destruction methods. We'll shine a light on regulations like SEC, FFIEC, NERC and how they relate to the CISSP exam. We'll also discuss data sovereignty, jurisdictional risks and the pros and cons of physical data centers versus cloud storage. We're arming you with knowledge to navigate the increasingly complex world of data destruction, from physical methods to electronic ones like secure erase and cryptographic shredding. Now, let's set sail on this voyage of cyber discovery!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Risk Management Show
How GRC leaders in all FDIC-insured financial institutions can align with the latest API security component of FFIEC compliance mandates with Richard Bird

Apr 3, 2023 (32:19)


Listen to our interview with Richard Bird, the Chief Security Officer at Traceable AI, a leading API security and observability company. We discussed the following topics, among others:
- What are the key components of the FFIEC API security compliance mandates?
- What are the most important aspects of an API security strategy for FFIEC-insured financial institutions?
- What are the most important steps that CISOs, CIOs, and GRC leaders should take to ensure their organizations are compliant?
- How can organizations ensure their API security approaches are up to date and secure?
- and more...

If you want to be our guest, or you know someone who would be a great guest on our show, just send your email to info@globalriskconsult.com with the subject line "Global Risk Community Show" and give a brief explanation of what topic you would like to talk about, and we will be in touch with you asap.

The Virtual CISO Moment
Throwback Thursday - A Conversation with David Leech

Feb 16, 2023 (26:26)


From October 11, 2022 - David Leech is a vCISO using his global, operational, program management, and security experience together with leadership skills to drive digital transformation, product innovation, and risk reduction for business growth, involving work across Risk Management, Technical Architecture, Control Frameworks, HIPAA, FFIEC, PCI, HITRUST, FedRAMP, and SOC compliance. He has supported clients in multiple sectors, including Finance, Manufacturing, Insurance, Healthcare and GovEd. --- Send in a voice message: https://podcasters.spotify.com/pod/show/virtual-ciso-moment/message

lightupwithshua podcast by Shua
Is Your Value System Aligned with your Life Partner? Part 3

Oct 12, 2022 (17:59)


Guest: Raana Tivnan, Part 3
Part 1: https://www.youtube.com/watch?v=yGuIi...
Part 2: https://www.youtube.com/watch?v=0cNMt...

The significance of Raana, in addition to who she is as a person, is that she is the younger sister of Pakistan's martyr (Shaheed) Rashid Minhas. Visit for more details about Rashid Minhas: https://pakistanarmy.gov.pk/Pilot-Off...

About: An Information Technology executive with a strong record of designing a secure network infrastructure. Experienced in developing an Information Security Program that enables business priorities and mitigates security risks. Successfully brought an IT organization to proper compliance by implementing effective security controls, policies, procedures and strategies. A hands-on technology leader with the ability to architect a highly secure and available network that meets the demands of a significant user base. Extensive experience in managing and implementing multiple complex global projects that involved the design or re-design of network infrastructure and applications in local and distributed offices, which enhanced security and availability. Compliance: SEC, FINRA, FFIEC, FDIC, NIST Framework

More Programs on LightupwithShua to watch:
Pakistan 75: https://www.youtube.com/watch?v=iK-AC...
First Woman President of an Islamic Center: https://www.youtube.com/watch?v=ELjri...

Who is the founder & owner of LightupwithShua Podcast and LUWS ACADEMY LLC? Visit: lightupwithshua.com
I am a student of knowledge of multiple disciplines, a mentor, and an intercultural & interfaith practitioner, who wants to help heal and solve problems by bringing awareness for conscious living and conscious parenting to people with a flexible mindset. Currently hosting a weekly podcast on LightupwithShua podcast on conscious living and parenting. Additionally, actively conducting Self-Healing & Transformation Training Workshops in Pakistan and in the USA.
For more information please inquire through email or phone. You can connect with me here: Shua@lightupwithshua.com
*Remember to LIKE, SHARE, RATE and REVIEW. Thank you. Shua - شعا ع https://linktr.ee/Shuakhan
Copyright © 2017-2022 LUWS ACADEMY LLC & LightupwithShua Podcast. All Rights Reserved. Attribution-NonCommercial-NoDerivs. This work is licensed under a Creative Commons Attribution 4.0 International License.

The Virtual CISO Moment
The Virtual CISO Moment S4E47 - A Conversation with David Leech

Oct 11, 2022 (26:57)


David Leech is a vCISO using his global, operational, program management, and security experience together with leadership skills to drive digital transformation, product innovation, and risk reduction for business growth, involving work across Risk Management, Technical Architecture, Control Frameworks, HIPAA, FFIEC, PCI, HITRUST, FedRAMP, and SOC compliance. He has supported clients in multiple sectors, including Finance, Manufacturing, Insurance, Healthcare and GovEd. --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app --- Send in a voice message: https://anchor.fm/virtual-ciso-moment/message Support this podcast: https://anchor.fm/virtual-ciso-moment/support

lightupwithshua podcast by Shua
Raana Tivnan, First Time, in a Conversation with Light up with Shua - Part 2

Oct 5, 2022 (16:31)


Guest: Raana Tivnan, Part 2
Part 1: https://www.youtube.com/watch?v=yGuIi...

The significance of Raana, in addition to who she is as a person, is that she is the younger sister of Pakistan's martyr (Shaheed) Rashid Minhas. Visit for more details about Rashid Minhas: https://pakistanarmy.gov.pk/Pilot-Off...

About: An Information Technology executive with a strong record of designing a secure network infrastructure. Experienced in developing an Information Security Program that enables business priorities and mitigates security risks. Successfully brought an IT organization to proper compliance by implementing effective security controls, policies, procedures and strategies. A hands-on technology leader with the ability to architect a highly secure and available network that meets the demands of a significant user base. Extensive experience in managing and implementing multiple complex global projects that involved the design or re-design of network infrastructure and applications in local and distributed offices, which enhanced security and availability. Compliance: SEC, FINRA, FFIEC, FDIC, NIST Framework

Pakistan 75: https://www.youtube.com/watch?v=iK-AC...
First Woman President of an Islamic Center: https://www.youtube.com/watch?v=ELjri...

Who is the founder & owner of LightupwithShua Podcast and LUWS ACADEMY LLC? Visit: lightupwithshua.com
I am a student of knowledge of multiple disciplines, a mentor, and an intercultural & interfaith practitioner, who wants to help heal and solve problems by bringing awareness for conscious living and conscious parenting to people with a flexible mindset. Currently hosting a weekly podcast on LightupwithShua podcast on conscious living and parenting. Additionally, actively conducting Self-Healing & Transformation Training Workshops in Pakistan and in the USA. For more information please inquire through email or phone.
You can connect with me here: Shua@lightupwithshua.com
*Remember to LIKE, SHARE, RATE and REVIEW. Thank you. Shua - شعا ع https://linktr.ee/Shuakhan
Copyright © 2017-2022 LUWS ACADEMY LLC & LightupwithShua Podcast. All Rights Reserved. Attribution-NonCommercial-NoDerivs. This work is licensed under a Creative Commons Attribution 4.0 International License.

lightupwithshua podcast by Shua
Who is a Sister of a Martyr, An IT Professional and ...

Sep 28, 2022 (10:10)


Guest: Raana Tivnan, Part 1

The significance of Raana, in addition to who she is as a person, is that she is the younger sister of Pakistan's martyr (Shaheed) Rashid Minhas. Visit for more details about Rashid Minhas: https://pakistanarmy.gov.pk/Pilot-Officer-Rashid-Minhas.php

About: An Information Technology executive with a strong record of designing a secure network infrastructure. Experienced in developing an Information Security Program that enables business priorities and mitigates security risks. Successfully brought an IT organization to proper compliance by implementing effective security controls, policies, procedures and strategies. A hands-on technology leader with the ability to architect a highly secure and available network that meets the demands of a significant user base. Extensive experience in managing and implementing multiple complex global projects that involved the design or re-design of network infrastructure and applications in local and distributed offices, which enhanced security and availability. Compliance: SEC, FINRA, FFIEC, FDIC, NIST Framework

Pakistan 75: https://www.youtube.com/watch?v=iK-ACQ5EJW8
First Woman President of an Islamic Center: https://www.youtube.com/watch?v=ELjrimkGGyU

Who is the founder & owner of LightupwithShua Podcast and LUWS ACADEMY LLC? Visit: lightupwithshua.com
I am a student of knowledge of multiple disciplines, a mentor, and an intercultural & interfaith practitioner, who wants to help heal and solve problems by bringing awareness for conscious living and conscious parenting to people with a flexible mindset. Currently hosting a weekly podcast on LightupwithShua podcast on conscious living and parenting. Additionally, actively conducting Self-Healing & Transformation Training Workshops in Pakistan and in the USA. For more information please inquire through email or phone.
You can connect with me here: Shua@lightupwithshua.com
*Remember to LIKE, SHARE, RATE and REVIEW. Thank you. Shua - شعا ع https://linktr.ee/Shuakhan
Copyright © 2017-2022 LUWS ACADEMY LLC & LightupwithShua Podcast. All Rights Reserved. Attribution-NonCommercial-NoDerivs. This work is licensed under a Creative Commons Attribution 4.0 International License.

CyberSide Chats by Epiq
Season 2, Episode 4: Don't silo your risk from legal

Jun 3, 2022 (44:23)


Privacy & Compliance expert from Microsoft, Ingrid Rodriguez, joins hosts Jerich Beason & Whitney McCollum to discuss taking risk out of silos. They talk about how the entire organization needs to have an understanding of the enterprise risks. Specifically, how does security & compliance fit into the enterprise risk framework? What are the situational perspectives of the C-Suite, and how can those perspectives drive compliance goals? How can the CISO and legal work together and with the enterprise for compliance? They will also talk about risk appetite, the tolerance of risk by leadership, and aligning acceptance of risks with business goals. How much and how often should you communicate risks and mitigation strategy?

Note: “The statements of the guest speakers and hosts in this podcast should not be construed as legal advice. They represent their views only and not those of Epiq or their respective employers.”

BIOGRAPHY
Ingrid is an Advanced Compliance Global Black Belt with the Microsoft Security Solutions Area supporting the South and Southeast of the US and the LATAM regions. In her role, Ingrid shares her enterprising multinational information and security risk management executive experience to help customers strategize within their Risk and Compliance obligations, leveraging our solutions in Compliance, Information Protection, Privacy Management, and Insider Threat management capabilities. During her 18-year tenure in IT Risk & Compliance leadership, Ingrid designed an innovative Global Technology Risk Management Framework, as well as a vision for tactical implementation of technology and security controls by combining a variety of data security standards such as NIST, ISO, PCI, HIPAA, FFIEC and GDPR, to mention a few. Ingrid designed and built the first Global Technology Risk Management programs at most of her previous employers. She led, supported and guided over 45 countries to meet US and country-level compliance and privacy needs as well as global standards.
Ingrid is from Puerto Rico, based in Dallas, TX, but soon relocating to beautiful Pensacola, FL. She is a frequent speaker on Risk Management and Compliance topics, in both English and Spanish, at many global, national and regional events including ISACA, Microsoft Executive Briefing Center, Fintech, Partners and many other associations and affiliations within the Privacy, Risk and Compliance industry in the US and LATAM. Ingrid received a Bachelor's Degree in Computer Engineering from the University of Puerto Rico, and also holds a Master's Degree in Sciences, Computer Sciences from the University of Phoenix. She holds various industry certifications, including CRISC, CDPSE and ITIL, among others. LinkedIn: https://www.linkedin.com/in/inrodz/
Find us on LinkedIn, Twitter, Facebook, and Instagram or email us at cyberside@epiqglobal.com.

GroundBanking
The value of compliance-centric IT services

GroundBanking

Play Episode Listen Later Feb 8, 2022 31:10


How has financial institutions' approach to technology changed over the course of the last decade? That's the question explored in this episode of GroundBanking. Terry Ammons, partner at Wipfli, talks with Brendan McGowan, CTO of Safe Systems, about how technology investments have transformed dramatically in the past few years, shifting from a “necessary evil” to a strategic IT and corporate decision. They discuss:
• How every financial institution, regardless of size, should be able to leverage the best technology, compliance and security solutions to serve the financial needs of their community.
• How institutions can stay up to date on the current technologies, security risks, regulatory changes and FFIEC guidelines.
Listen now to gain a better understanding of how to effectively unlock and leverage these solutions.

Cadwalader Cabinet General Counsel
Dec 2: Quick Like a Bunny Rabbit

Cadwalader Cabinet General Counsel

Play Episode Listen Later Dec 3, 2021 5:13


SIFMA, DTCC and ICI to shorten U.S. securities settlement cycle. ISDA assesses regulatory considerations for sustainability-linked derivatives. FFIEC updates Bank Secrecy Act/AML Examination Manual. NFA reminds CPOs and CTAs to affirm registration exemptions. CFPB to increase oversight over bank overdraft fees. Effective date set for amended universal proxy rule. Comment deadline set for SEC-proposed changes to electronic recordkeeping requirements. SEC staff guidance on "spring-loaded" compensation now effective.  

The CRA Podcast with Linda Ezuka
The Devil Is in the Details but Don't Let It Get to Your Data, Too!

The CRA Podcast with Linda Ezuka

Play Episode Listen Later Nov 2, 2021 5:22


The purpose of CRA data collection and maintenance is to enable examiners and the public to evaluate (through issuance of a CRA Performance Evaluation) whether a bank is helping to meet the credit needs of its communities through its small business and small farm loans. Accurate data leads to accurate assessments of fair lending and CRA lending performance. When data errors do occur, not only is the bank subject to reputational risk, but costly remediations and an erosion of consumer confidence may also ensue.

Three Common Challenges:
• Determining which commercial loan transactions are reportable and/or which ones are not reportable (based on Call Report Schedule RC-C etc.) and then capturing reportable loan data fields accurately.
• Correctly identifying community development loans.
• Correctly identifying loan types based on size and definition tests.

If you are new to the CRA or to the data integrity elements of the CRA, start with a review of the Call Report Schedule RC-C instructions to learn about the common loan definitions that are consistent with the CRA and the FFIEC guide to CRA Data Collection and Reporting. Yes, I know this is a dated publication, but it is still relevant, compliant and a good guide to answer your questions regarding CRA data elements.

Quotes
• “Make sure that you map out how you extract data through your core systems into your CRA proprietary database that then goes to your loan register. So, you need to look end to end to make sure that you have data integrity.” (03:12-03:29)

Want to learn more about the CRA?
Sign up for CRA Today's free course: https://hub.cratoday.com/freecourse

Links
• A Guide to CRA Data Collection and Reporting: https://www.ffiec.gov/cra/guide.htm
• Call Report Instructions: https://www.fdic.gov/regulations/resources/call/crinst-051/2017/2017-03-051-rc-c2.pdf
• CRA Today Website: https://cratoday.com/

For more information on the CRA Hub, a membership for bankers to connect, inspire, and master the art of CRA: https://cratoday.com/hub/

Copyright © 2021 by CRA Today LLC (No claim to original U.S. government material). All rights reserved. No part of this podcast may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This podcast is a periodic publication of CRA Today LLC and is intended to notify and inspire recipients of new developments in the Community Reinvestment Act. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Podcast production and show notes provided by HiveCast.fm

The CRA Podcast with Linda Ezuka
5 Key Resources To Inform Your CRA Self Assessment

The CRA Podcast with Linda Ezuka

Play Episode Listen Later Oct 5, 2021 4:36


Does a blank page make you nervous? Yes, us too. Here are some documents you may want to reference (and even borrow the framework of!) to get you started on your CRA self assessment.
• Peer Data: Download performance evaluations from similarly situated banks in your assessment areas.
• Industry Data: Data from local community development think tanks, government agencies, or nonprofits. National statistics on demographics, labor, market, housing, small business, affordability, poverty, etc.
• PE Templates: Performance evaluation templates are available at FFIEC.gov. Make sure to select the correct template based on your asset size (Small Institutions, Intermediate Small Institutions, Large Retail Institutions, Limited Purpose and Wholesale Institutions, and Institutions with Strategic Plans).
• Standard Examiner Tables (from your previous exam): Re-create examination lending performance tables similar to what is presented within your last performance evaluation.
• CRA Examination Procedures: Examination procedures are available at FFIEC.gov. Make sure you select the correct template based on your specific regulator (FRB, FDIC, or OCC).

Quotes
• “It's crucial to populate that blank page and just get started because a self assessment is a key practice to positioning your bank for success and backing into your desired CRA rating.” (03:35-03:51)

Want to learn more about the CRA? Sign up for CRA Today's free course: https://hub.cratoday.com/freecourse

Links
• CRA Today Website: https://cratoday.com/

For more information on the CRA Hub, a membership for bankers to connect, inspire, and master the art of CRA: https://cratoday.com/hub/

Copyright © 2021 by CRA Today LLC (No claim to original U.S. government material). All rights reserved.

Cadwalader Cabinet General Counsel
Aug 12: What's in a Name?

Cadwalader Cabinet General Counsel

Play Episode Listen Later Aug 12, 2021 4:56


FFIEC updates guidance on authentication management. ARRC supports Refinitiv's USD IBOR cash fallbacks prototype publication. OFAC and Commerce Department detail measures supporting Internet freedom in Cuba. Access to today's version and previous versions of the Cabinet's General Counsel daily podcast summarizing the newsletters' stories.

Jake and Gino Multifamily Investing Entrepreneurs
5 Tools All Passive Investors Should Know About

Jake and Gino Multifamily Investing Entrepreneurs

Play Episode Listen Later Jul 16, 2021 8:00


The 5 Tools Mike Taravella uses when underwriting deals are:
• US Census Bureau for population growth & employment
• FFIEC to see Median Household Income
• Reddit to find best and worst places to live in a market
• Police Department to see crime stats and if they are comfortable living in that market
• Lexis Nexis for crime incidents
Reach out to Mike Taravella directly at MikeT@RandCre.com

Cadwalader Cabinet General Counsel
Show Me the Money (Trail)

Cadwalader Cabinet General Counsel

Play Episode Listen Later Jul 1, 2021 5:01


FinCEN issues AML/CFT national priorities list. Internet broker settles FINRA charges for system failures. HFSC considers impact of increased digital asset use on U.S. financial system. FINRA requests comments on educating new investors. IOSCO recommends sustainability-related practices in asset management. FFIEC issues IT “Architecture, Infrastructure, and Operations” booklet.  

Cadwalader Cabinet General Counsel

Commissioner Elad Roisman raises questions on “materiality” for an ESG disclosure framework. CFTC staff clarifies requirements for margin model usage. FFIEC updates Bank Secrecy Act / AML Examination Manual. Firm settles FINRA and NYSE Arca charges for short sale violations.

Cadwalader Cabinet General Counsel
Nice House You Got There

Cadwalader Cabinet General Counsel

Play Episode Listen Later Mar 2, 2021 4:03


Senator Elizabeth Warren unveils "ultra-millionaire" tax. FFIEC updates Bank Secrecy Act / AML Examination manual. DTCC proposes method for shortening U.S. settlement cycle. SEC provides guidance on investing in ESG funds. SFA highlights 2021 priorities. Cadwalader Client & Friends Memo: Unwelcome Intrusion: Reckoning with the Impact of Economic Sanctions on Derivatives Transactions.

U.S. National Privacy Legislation Podcast
The Potential Role of Financial Regulators in Showing the Path Forward for National Privacy Legislation (with David Cotney)

U.S. National Privacy Legislation Podcast

Play Episode Listen Later Feb 10, 2021 38:38


On this episode, we are joined by David Cotney, Senior Advisor at FS Vector and former Massachusetts Banking Commissioner, who shares some ideas about how the Federal Financial Institutions Examination Council (FFIEC) could play a role in shaping national privacy policy by publishing privacy guidance for banks similar to the FFIEC's Cybersecurity Guidance. He also reflects on how a compromise on the tricky issue of preemption in privacy legislation might be achieved by looking to experience with the Fair Credit Reporting Act. Cotney, who currently advises fintech companies and other financial services providers, has held leadership positions in the world of financial regulation, serving as Massachusetts Banking Commissioner, Chairman of the Conference of State Bank Supervisors, and as a participant in the FFIEC. This week, we also discuss his thoughts on how to assign responsibility for privacy regulation among various federal agencies that each have some claim on jurisdiction, particularly referencing the appropriate responsibilities of bank regulators.

The Ncast
Insights on Boards and Risk Management | The Ncast Episode 9

The Ncast

Play Episode Listen Later Jan 28, 2021 26:03


Commissioner Gonzales serves as the Commissioner of the Tennessee Department of Financial Institutions. He also serves as Chairman of the State Liaison Committee that incorporates the state supervisory perspective into the Federal Financial Institutions Examination Council (FFIEC). This role gives him a unique vantage point of how regulatory matters are addressed at the state level as well as with the consortium of all the nation's federal regulatory agencies. We spoke with Commissioner Gonzales about the role of risk management and board oversight, specifically with regard to tailored regulations, the “math of things”, risk appetite and the June 2020 FFIEC guidance, and how boards should interpret exam findings.

The ALPS In Brief Podcast
ALPS In Brief — Episode 47: Guard Your Data Like Gold and Other Practical Tips from a Hacker

The ALPS In Brief Podcast

Play Episode Listen Later Jun 24, 2020 30:29


We are using personal devices for work (and working from home) more than we ever have before. These are both big risk factors as cybersecurity threats have soared during the pandemic. So, how do we make security sustainable and not live life at the hackers' mercy? ALPS Risk Manager Mark Bassingthwaighte sits down with Sherri Davidoff, CEO and Founder of LMG Security and the latest addition to the ALPS Board of Directors, to give you some practical advice in guarding your data like the gold it is.

TRANSCRIPT:

Mark: Let's rock and roll. Hello. Welcome to ALPS in Brief, the podcast that comes to you from the historic Florence building in beautiful downtown Missoula, Montana. I am really excited about our guest today. I have heard her speak and have read a book about her. And let me just share, our guest is Sherri Davidoff, the CEO of LMG Security. And I believe, Sherri, that is short for Lake Missoula Group. Is it not?

Sherri Davidoff: It's true. We're named after the lake that we're sitting at the bottom of.

Mark: For those of you, it's worth looking up in Wikipedia or Google or something to get a little bit of history of Lake Missoula. That's a whole nother story. But Sherri is a noted speaker, trainer, white hack, excuse me, white hacker, and author of the recently released book, Data Breaches: Crisis and Opportunity. As a recognized expert in cybersecurity and data breach response, Sherri has been called, and I love this, a security badass by the New York Times. I just think that's fantastic.

Mark: She has conducted cybersecurity training for many distinguished organizations, including the Department of Defense, the ABA, the FFIEC, the FDIC, and many more. She's also a faculty member at the Pacific Coast Banking School and an instructor for Black Hat, where she teaches her data breaches course. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace. It's a Prentice Hall publication, out in 2012. And this is a noted security text in the private sector and a college textbook for many cybersecurity courses.

Mark: Sherri is also a GIAC certified forensic examiner, a penetration tester, and holds her degree in computer science and electrical engineering from MIT. She has also been featured as the protagonist in the book Breaking and Entering: The Extraordinary Story of a Hacker Called Alien. And so welcome, Sherri. And I can say I love the book.

Sherri Davidoff: Thank you so much, Mark. It's a pleasure to be here with you.

Mark: It was a lot of fun. It was a good read.

Sherri Davidoff: Good.

Mark: What you and I had been visiting about in terms of just having a conversation today, obviously in light of all that has happened in recent months with COVID-19, global pandemic, and this fallout of a very rapid move into working from home did not overlook lawyers. Many, many had to immediately jump and try to figure out how to make this work. And it seems some were pretty successful at that. Others, there were a few struggles, but they got there. But what I really want to focus on is the security side, the security piece of this.

Mark: I think remote security is exposing not only lawyers, I think businesses of all shapes and sizes, to unexpected or perhaps a broadened way, broadened their risk, their exposure just because we have at times home systems. And I guess initially, would you agree, is the remote work setting a concern for you?

Sherri Davidoff: Well, absolutely. There's an expanded attack surface now that so many people are working remotely. And I'd say that's for two reasons. Number one, because many people have moved to the cloud, or have started logging into work remotely, and therefore poked holes in their firewalls and things like that in order to facilitate it. And everybody did what we needed to do to keep going and to keep business up and running. And that's fine. I'm here to tell everybody it's all fine.

Sherri Davidoff: Our goal is progress and not perfection. But now's the time to step back and think, "What do we do?" And start cleaning things up, start thinking about, "How do we sustain this potentially long-term?" Because I think remote work has been here for a while and has definitely ramped up, and is here to stay. And the other reason why the attack surface has expanded is because a lot of people are using personal devices for work more than we ever have before.

Sherri Davidoff: And so all of a sudden, you have sometimes very sensitive data on your personal device that you also share with your kids, or your friends, and you play games and this and that. And there's a different risk level that we have in our personal lives versus what's appropriate when we're handling this very sensitive information, so we have to balance those issues.

Mark: Yeah. I like sort of two comments here, briefly. Initially, I like that you're saying lawyers haven't done anything wrong, in other words, by transitioning. It's so tempting to try to scare the bejeezus out of everybody and say, "You're not doing anything," but they did what they needed to do. And now is the time because I think you're absolutely right, this work from home evolution in terms of the rapid rise of it, is here to stay in a lot of ways. And so now it's time to say not, you've done anything wrong, or you're bad, but let's try to fix it.

Sherri Davidoff: How do we make it sustainable and not get hacked all the time?

Mark: Yeah, yeah, yeah. And I want to come back to here a little bit down the road, but I do really appreciate the comment of personal devices. And I think that's worth exploring a little bit. Where I'd like to start, if we may, and I don't know if you agree or disagree with this, but even again today, I have come across additional articles talking about an exposure that is I think for so many, flying under the radar. And that is simply the wireless access points, the routers and whatnot that all of us typically have in our homes. And do you feel, is that an overblown risk? Would you have any thoughts about some basic things that staff and lawyers should be thinking about?

Sherri Davidoff: Well, it depends where you are. I used to live in the middle of Boston, and there were a zillion people around my house all the time. Now I live in the middle of Montana, and wireless security is always important, but less of a concern. So first of all, consider physically where you are and who might have physical access to that wireless network. And absolutely, your network is only as secure as the devices that are on it. And we've seen time and time again that if a computer gets infected, it will try to infect all the devices around it. So if you have a neighbor that starts using your wireless network, and they happen to have a computer that's been infected, that could absolutely cause risk for systems on your network as well.

Mark: Very good. And thoughts about, are there any just practical steps you think folks might be able to take to minimize that likelihood?

Sherri Davidoff: Sure. Well, as we were talking about ahead of time, there have been a number of vulnerabilities in common routers and wireless access points. So step number one, make sure that your software is up to date, your firmware is up to date on those devices. And you can do that either, sometimes they have an app that's paired with your smartphone, so you can update it that way. Or you can go into the device itself in the administrative interface and do updates. So every now and then, sit down, have a glass of wine, whatever, update your router. It's fun. It's easy. And change that password. Make sure that the password is not a default, that it's secure, it's not your phone number or your address, because guess what, people know that.

Sherri Davidoff: And also that the name of your wireless network is something that does not draw attention to you, that it's a little bit under the radar, boring. Make your network look boring.

Mark: I like that. I like that.

Sherri Davidoff: Really slow wireless, that's what you should call it. Nobody will want this.

Mark: I think your idea of maybe having a glass of wine to do this isn't a bad one because there have been times where I've been trying to do some things in terms of ... I take security very, very seriously because I've been telecommuting, and boy, there are times when certain things aren't as easy as they should be. And just instead of throwing the computer, you could have a little sip of, just relax.

Sherri Davidoff: Yeah. Well, risk is your job at ALPS, so I could imagine it's something you take seriously.

Mark: That's right. That's right. For a moment, let's just say that I am a lawyer. I'm the owner of a small firm, couple of staff. And we have made this transition out, and everybody's at home for the time being. May or may not be coming back. We'll just see how this all evolves. But as the owner of this small business, what kinds of things really should be on my radar that may not be? What should I think about?

Sherri Davidoff: Yeah. The number one thing to think about right now is two-factor authentication. And I know that's a big word. I cannot even tell you how important that is because we're living in a world today where all of your passwords have been stolen, just assume that, because if you get a virus on your computer, it's going to steal all your passwords first thing before you even know it. And you're not fooling anybody by keeping it in a Word document with a totally different name. I know that it's there and so do the criminals, and they're just going to grab it.

Sherri Davidoff: The other thing is if you reuse passwords on different websites, and one of those websites gets hacked, criminals have automated tools that will try your password in a zillion other websites. It's called credential stuffing attacks. And Akamai, which is a big tech company, reported that there were 61 billion credential stuffing attacks just in the past 18 months. So assume somebody's going to steal your password. You're not going to know about it because that company may not even know they have a data breach. Or if they know, maybe they'll report it to you six months to three years later.

Sherri Davidoff: And in the meantime, you need to protect your accounts. The FBI recently reported that the number of business email compromise cases is going up because of coronavirus. Scammers are using tactics to try to trick people out of their money, so they're breaking into email accounts. They're finding examples of invoices, or payments, or things like that. And they're saying, "Oh, due to coronavirus, that bank account is being audited, and I really need these funds. Please send it to this other place."

Sherri Davidoff: So you should guard your email account like it is gold because it is. You have valuable information in it. And remember with lawyers, information is your business. Right? If it's valuable to you, or if it's valuable to your client, it is valuable to a criminal. They can leverage it somehow. So protect that email account like it is gold. And your email account can also be used to reset your password on anything else, and the criminals know that, so they're after your email.

Mark: That's a great point, that really is. Can you take just a moment or two and explain just a bit more about what you mean by two-factor authentication? I'm not sure that everybody in our audience, I think a lot do, but I know that there are more than a few that really don't understand. And I assume we talk about this, you're really saying we want to use this if we can in any and every setting, so email account, bank account.

Sherri Davidoff: Yes. Cloud, you name it.

Mark: Cloud, right, right. But can you just share just a little bit more to make sure everybody's with us?

Sherri Davidoff: Absolutely. This is my favorite question, Mark. Thank you so much. So two-factor authentication is what you need to know. Authentication means how we verify someone's identity. So online you might have your identity verified with a password. Passwords are dead to me now. In the real world, you might verify your identity with your driver's license. Right? Two-factor authentication is when you use more than one method of verifying someone's identity together. And it makes it a lot less likely that your account will be broken into. And you might not know it, but we use two-factor authentication all the time. I don't know if you can think of a place where you use two different methods of verifying yourself.

Mark: Well, the one that comes immediately to mind to me is just a debit card at the ATM machine.

Sherri Davidoff: Yes. I'm giving you a prize. I have to rummage through my swag and drop it off at your office. Absolutely, yes. You're the only person I have ever worked with who's gotten it right off the bat. But yes, your debit card. And when ATMs first came out in the '60s, they did not all have a PIN number associated with them. You were in England, you'd get your punch card. And if you lost that punch card, some criminal could pick it up and get your money. And it actually took over a decade before all the ATMs in the world had PINs. But now, if you had a choice, if your bank said, "Oh, you don't need a PIN on that ATM card," how would you feel about it?

Mark: I would have a problem with that.

Sherri Davidoff: You'd have a problem with it. And it's going to be that way on the internet pretty soon. People will be like, "Really? You don't have two-factor authentication? That's so dangerous. I can't believe it."

Mark: Yeah.

Sherri Davidoff: I can give you some examples of what you can use for 2FA if you want.

Mark: Sure.

Sherri Davidoff: Okay. So when you're logging into your email for example, some of you are probably familiar with the case where you get a PIN on your phone. Right? You log in, it sends a PIN to your phone. That's better than nothing, but it's not the best because those are not encrypted. I don't know if you've heard of SIM-jacking attacks, where attackers can take over your phone, or they can get your phone number sent somewhere else, so those are not the best.

Sherri Davidoff: What's better than that is an app on your phone, like Google Authenticator, which is free, or Microsoft's Authenticator. And it'll show you a code that you type in. Or even better, it'll just pop up a message that says, "Do you want to authenticate, yes or no? Is this acceptable?" And so you type in your password and then you hit yes, or you type in your code, and then you get in. And so the criminal actually needs your phone and your password in order to get in, and that is so much safer than just a password.

Mark: And I want to follow up. You had talked as we started this discussion a little bit about they're into your email and they're capturing your passwords. One of the things I want to underscore for our listeners is that you don't know they're in your system monitoring and capturing all this stuff. I still run into a lot of people that say, "Well, I've never been hacked because the computer still works." Nobody's going to send you a thank you card for doing something silly and saying, "We've been in. And thank you, we got all this."

Mark: But you made the comment about passwords. And one of the things that I hear from time to time as I talk about password policies, long passwords, passphrases, complex passwords, those kinds of things, and the pushback you always get. How in the world do I remember all this? And your comment of a Word document is absolutely not the way to do this. But I have talked about password safes. And one of the questions that comes up from time to time is, well, here I am putting all this information into a file. And sometimes these safes, I have one, IronKey, that's a jump drive. But they're also cloud-based. And what are your thoughts about the security of that? Because I had a lot of pushback of people saying, "How in the world can that be safe if they're hacking in?"

Mark: I certainly have my thoughts about it. But I'd love to hear from your ... I mean, you do the pen testing. How reliable are these password safes in terms of helping us try to be as secure as we can?

Sherri Davidoff: Yeah. So you're probably thinking, "Well, why would I want to put all my eggs in one basket?" And then hackers know they're going to attack that basket. Right?

Mark: Exactly.

Sherri Davidoff: The reality is that it's more complex than that because first of all, that basket, LastPass, Dashlane, 1Password, you name it, they are especially designed to be hardened against attacks. For example, they're resistant to the common attacks. They're constantly researching it. And if they autofill a form for you, they're using different hooks in the operating system that make it harder for the attacker to grab that compared with a regular web browser, for example, so that's the first thing.

Sherri Davidoff: The second thing is I use password managers not just for their ability to store passwords, but for their ability to generate passwords. And that's perhaps even more important. You need a unique password for every single website, maybe not the really junky ones that you don't have anything important in them. But most people underestimate the importance of an individual account. Ideally, you want a totally different login for each website because you never know which website's going to get hacked. Right?

Sherri Davidoff: And the human brain is not designed to remember 20 billion passwords. I mean, it's probably all we can do to remember three passwords. And so then you get people picking the password fluffy1984, like their dog and their kid's birthday, which people can totally guess, or spring2018bicycles, and then that changes to summer2018 when you have to change it. The hackers are onto you. They have automated tools that will automatically try different variants on your favorite password that they have already captured. They'll put an exclamation point at the end. They'll put a one, and then a two, and then a three, and then a nine and a 10.

Sherri Davidoff: And they'll change spring to summer and 2018 to 2019. So those ways that people modify their passwords are not very secure. So use your password manager. Use two-factor authentication on it if it's in the cloud. And if you hear, LastPass, for example, was actually hacked several years ago. And what happens in that case is you want to change at least your master password if [inaudible 00:21:58] passwords.

Sherri Davidoff: But it is so much better than keeping your passwords in a file on your computer because people get their computers infected so frequently. And that's the first thing that goes out the door. The criminals are automatically stealing your files, and then you won't even know you've been hacked until your money's been missing, or a spam email goes out to all your clients.

Mark: So what I'm hearing then as the owner, I need to be really concerned about authentication and protecting passwords, strong passwords. Are there other concerns that come to mind as the owner?

Sherri Davidoff: Ransomware. A lot of attorneys are hit with ransomware. Ransomware steals your information often before they hold you for ransom. And that's the thing that a lot of attorneys don't think about because I've seen many law firms even put up out of office messages that say, "Hey, we have ransomware. We'll get back to you tomorrow." That's not cool for your clients.

Mark: No.

Sherri Davidoff: That means chances are their data was stolen too. And the trend that we are seeing in 2020 is that criminals have started to realize that people have better and better backups. And if you don't pay them the ransom to get your data back, they will threaten to publish it. And in that case, you've got two options. You can either say, "Okay, we'll pay the ransom," in which case, they could come back to you in six months and say, "Pay us again or we'll release it again." You can't trust them.

Sherri Davidoff: Or you don't pay the ransom, and all your data's published. And what does that mean for your clients and your relationships and your status as an attorney? So you really need to protect yourself with ransomware. And you do that with two-factor authentication, super important.

Mark: Yes, right.

Sherri Davidoff: And making sure you have a secure method to connect to your data. So for a lot of people who have just poked holes in their network and they're going through RDP, remote desktop protocol, that's not a secure way to do it. There's other better ways to do it, like using a VPN. Or you can, if you choose to store your data in the cloud, there are some benefits to that, especially if you use two-factor authentication.

Mark: Let's talk a little bit about this. And for those of you listening, if you're not completely sure, VPN stands for virtual private network. And we're really talking about disguising our location at times, in terms of what servers, when I use my VPN for instance, I am picking servers in Canada and other parts of the United States. I can go all over the world if I wanted to. So you're hiding your location a little bit, but it's also encrypting the data stream, so that's what we're talking about in terms of any remote connection. And I think it's particularly important in the wifi space.

Mark: But there are a lot of free VPNs available and a lot of other just tiered pricing of all kinds of things. Do you have any thoughts about is it unwise to use the free VPNs as opposed to spending a little bit of money? I hear at times the VPNs that are free, they may be monitoring and monetizing the information they're learning about what you're doing. But I truly don't know. Do you have any thoughts on that?

Sherri Davidoff: In general, there's no such thing as a free lunch in our society. Right? If you're not paying for a product, you are the product, so they say. So I would be careful about that. In general, I would get an experienced IT person's advice when you're setting up your VPN. I wouldn't do it on your own because if you make a little mistake, again, it's all your data on the line. There's some pretty serious consequences. Also, consider if you really need a VPN. Are you just trying to get into one computer? And if so, is it just a certain type of data that you need?

Sherri Davidoff: Personally, I am a proponent, I've become a proponent of using the cloud. And I was a slow adopter. Being a security professional, I was fairly conservative about it. But you have some really strong options like Microsoft Office 365 is a great option for attorneys. There's a lot of compliance. There's a lot of regulations that they adhere to, and you can get them to sign off on that. There's other providers as well that are very good. And again, if you're using that two-factor authentication, they have some very advanced security features built in. They are maintaining that software, so I think it takes a lot of the pressure off of small and solo practitioners to just use the cloud. And then you don't have to worry about somebody remoting into your whole computer.

Mark: One question that comes up every once in a while from lawyers as they start to think through some of the things we're talking about, but in the context of ransomware the cloud, they're learning.
And I think for the most part they have as a profession, have a pretty good understanding what ransomware does at a basic level. And it can infect the network and this kind of thing. But I think some believe one of two things, but first, the cloud one is if I put things in the cloud, I'm safe there because there's this break. Would you put that to rest? Sherri Davidoff: Yeah. I mean, if you can access it, so can criminals. Right? Mark: Oh, yeah. Sherri Davidoff: Especially because often we see people click on links in phishing emails. Their computers get infected. And the criminals will even install ransomware in your cloud drives, like One Drive. If you can get to it and a criminal has access to your account, then the criminal has access to it. And there are times, in fact, I have a little video example that we took in our laboratory, where criminals will deliberately remote into your computer and use your computer to break into your bank accounts or your email accounts because you have your password saved there. And you don't have ... You've clicked trust this computer, so it's way easier for them than trying to break in from Thailand, or Russia, or wherever they happen to be. Mark: And I want to respect your time here, Sherri. The stuff you're sharing is just awesome, awesome stuff. I want to just take a few moments and shift a little bit now. So we've talked about some really good security things that lawyers, business owners, firm leaders need to be thinking about. And of course, all of this needs to apply to everybody. But let's talk about the home place. So what do I need to think about in terms of making sure my employees do, or understand? Do you have concerns about what the individual is actually doing in their own home? Sherri Davidoff: Yes, of course. A big issue that comes up is sharing of computers, so you need to have a clear policy as to whether it's okay to share computers. Is it okay to have certain types of documents on their personal computers? 
Remember that personal computers are much higher risk. You are likely to get a virus on a personal computer, especially if multiple people are sharing that. So whenever possible, keep work documents on work systems, or systems that are just used for work. And again, the cloud can help you with that. Sherri Davidoff: For example, you can allow people to access documents in the cloud and prevent them from downloading those documents. And it's all well and good to tell people that. But ideally, you want to actually implement that control and prevent them from a technical measure. We also see people emailing documents to their personal emails, and now it's totally out of your control. It's up in Google somewhere else. You may have violated some policies, especially if you deal with health information. You might've violated some regulations just by putting it up in Google, or violated your client's privacy. So mainlining control of your data, especially during these times, is absolutely critical. Sherri Davidoff: I think I would be remiss if I didn't mention mobile device management software, so if you have people using personal devices, you can deploy what we call an MDM. It's a piece of software that allows you to have some level of control over that personal device. So if that employee leaves, or if the device is stolen, it'll wipe your data from it. It can require that there's a pin or a passcode set on that device, even though you don't own that device. It can require antivirus software, and that's another one. If you do nothing else, require antivirus software. And you can buy it for employees to use on their home computers if they're using those for work. Mark: Yeah. The takeaway for me, and there are a lot here, and we can talk about this for hours. Maybe I could. Sherri Davidoff: I've been talking about it for 20 years. Mark: But I do like, when I think about our confidentiality rules in law, I do think saying we really ... 
You can't use a home computer for work that the teenage kids have access to in the evening, and the gaming. That's just victim here on the forehead if you ask me. So it underscores the value of saying, "If you have the financial wherewithal, let's supply our employees and staff and associates, whoever may be involved here, with company-owned equipment," because we can enforce the rules. We have control over that. I really like that. I but I also think that there's value in having some policies and then thinking through some of the issues that you just identified. And let's have written policies that staff are well aware of, so that if they are constantly breaking the rules, which is so easy to do because we trust our personal devices. Do we not? Mark: We seem to trust our personal devices a little bit more than work devices, whether it's because we know we're not being watched, if you will, in terms of just when you're on corporate device, they have the ability to monitor what's happening to the device, that kind of thing. I don't know what it is. But I think having a policy allows you to, well, not monitor, but hold people accountable. Sherri Davidoff: Absolutely. Mark: And say, "Look, if you're not doing something." Sherri Davidoff: Yeah. A policy's a great first step. And remember, progress not perfection. I do recognize, especially right now, a lot of people just don't have any other option besides using personal devices. And if you do that, again, that next step is to create a separate account at least. So you're not sharing the same account as your kids or as the other people you're working with. And if you can, having a separate device for work is definitely the way to go if you are able to do that. Mark: Well, Sherri, it's been a pleasure. I want to share with our listeners that Sherri has made available some remote work cybersecurity checklists for employees and managers. 
And this isn't live yet, but when it will be, you can click right there and have access to these. They're excellent tools. And Sherri, thank you very much for making that available to our audience. For those of you listening today, I hope you have found something of value. And if you have an idea of a topic that you feel strongly about that you think others would enjoy hearing, or you have a speaker that you'd be interested in seeing if we can have join the podcast, please don't hesitate to reach out to me. My email address is mbass, M-B-A-S-S, @alpsinsurance.com. Mark: And before I close, for those listening to the mileage score, you have to go back to earlier podcasts. I'm up to 700 even as of today, so I'm getting there. That's it. Thank you all. Thanks for listening. Bye-bye.

IIB Bank Talk
IIB Bank Talk with Jeff Alberts, Donna Daniels, and Matt Levine Discussing the FFIEC Manual

IIB Bank Talk

Play Episode Listen Later Jan 29, 2020 37:40


Tune in as expert practitioners discuss the intricacies of the FFIEC manual, threats to its use, whether or not regulators may be able to fix it, and some practical tips for banks as they look for best practices in using it.

Managing Uncertainty, by Bryghtpath LLC
Managing Uncertainty Podcast - Episode #63: Prioritizing Top Risks

Managing Uncertainty, by Bryghtpath LLC

Play Episode Listen Later Oct 21, 2019 16:00


Once you've created your initial crisis management framework, how do you go about prioritizing your top risks for additional situation-based planning? That's the topic that we dive into today in this week's edition of the Managing Uncertainty Podcast. Bryghtpath Principal & CEO Bryan Strawser along with Consultant Bray Wheeler talk about how to shift from your established crisis management framework and plan to situational based planning for your top prioritized risks.

Related episodes of our Managing Uncertainty Podcast and articles from our blog include:
Managing Uncertainty Episode #1: Shouldn't we have a plan for alien invasion?
Managing Uncertainty Episode #12: When the world falls down around you
Managing Uncertainty Episode #55: Crisis Leadership Roundtable
Managing Uncertainty Episode #59: All roads lead to one
What the CEO needs to understand about planning for a crisis
Crisis Communications 201: Crisis Protocols

Episode Transcript

Bryan Strawser: Hello and welcome to the Managing Uncertainty podcast. I'm Bryan Strawser, principal and CEO at Bryghtpath.

Bray Wheeler: I'm Bray Wheeler, a consultant at Bryghtpath.

Bryan Strawser: One that we've talked about, at least, in a couple of previous episodes is this really common call or email that we get from prospective clients. It usually starts with, "I don't have any kind of crisis plan or structure, but my executives have told me I need an active shooter plan."

Bray Wheeler: Yup.

Bryan Strawser: We always immediately steer them towards, "You might need an active shooter plan, but if you don't have anything else, what you first need to establish is a crisis management framework. You need a plan on how you're going to deal with any major disruption that establishes, here's the team, here's the process, here's how you're going to communicate, here's how you're going to make decisions, here's how you're going to escalate things."
When we talk about a crisis framework, that's what we're talking about.

Bryan Strawser: So, we've talked about this several times. What we want to talk about today is, what happens when you have that in place, and now it's time to take a look around the company and say, "There's probably some specific things I need to write a plan for, but what are those things? So, what do we do next?"

Bray Wheeler: I think people can get hung up on evaluating different things and scoring different things, and talking to different people. All of those things are important, and all of it needs to come into play, but you really just need to start somewhere. And some obvious places that you can start to have those conversations that kind of whittle yourself in are, "Do we have something recent that we were not prepared for that did not go well?" Say, you're a bank or financial institution, "We had an armed robbery. We didn't have anything in place." Probably need a plan for that. You know, "Something that can help guide us through that kind of situation." That's kind of an obvious starting point, but it's also looking at, what are your top enterprise risks? And start the conversation there. What have other functions of the company done, any kind of impact or likelihood analysis that you can borrow from? You can get way down a rabbit hole on a lot of that stuff.

Bryan Strawser: You can totally turn this into rocket science. I think that's a bad route to go. You can do all this analysis of frequency, impact, whatever.

Bray Wheeler: Vulnerability.

Bryan Strawser: Vulnerability. You could spend months making heat maps of your risk.

Bray Wheeler: That's not helpful.

Bryan Strawser: It's not helpful. I remember a project once, internal to an organization many years ago, where a division came to our crisis team and said, "We wanted this detailed threat analysis of our organization so that we can plan around the biggest risk to the organization," and we all looked at them and said, "The number one phone call that we get from your division is the power is out. Can we start by having a process to deal with when the power is out?" They said, "No. That can't be the answer, it's got to be much more complicated than that."

Bryan Strawser: They spent weeks doing analysis and they came back and said, "Hey, our top risk is the fact the power goes out and we don't have generators at these particular facilities."

Bray Wheeler: Yup.

Bryan Strawser: So, you can turn this into rocket science. Don't do that.

Bray Wheeler: No.

Bryan Strawser: I think Bray's got it right. What are the obvious things that you need to plan for, or what are the things that are driven by regulatory requirements that you have to do? Start there. For example, if you're a financial institution, you mentioned armed robbery, but let's go to a regulatorily driven issue. If you're a financial institution that's subject to the FDIC's and the Office of the Comptroller of the Currency's audit process, then the FFIEC guidelines say, fourteen years after H1N1, that you... I'm sorry, nine years after H1N1, you have to have a pandemic plan. So, one of the scenarios that you need to plan for, is you need to have a pandemic scenario because, from a regulatory standpoint, you're required to have it. So, that's an obvious one. Start there, because you have to have it.

Bray Wheeler: Well, exactly. There's a lot of work being done, whether it's a large or small organization and no matter the type of organization, there's a lot of work that's already done that's, people have prioritized these things. Business initiatives, common things that call centers get called about, or security is getting called about, regulated information that says you need to have these different things. Those are all easy places to start. You just kind of flop them on the table and say, "Okay. What are the ones for sure we have to have? Let's start there." Then as you tick through, or other things bubble up, then you start to address them.

Bray Wheeler: Say you're a mid-sized company, you have an office in the Midwest, and one smaller branch in Florida, probably don't need a hurricane plan. You just need a plan to give shelter to that office, a close-up plan, something for those employees. You don't need a full-fledged organizational plan if you don't have anything that's critical down in Florida. If most of your organization is in Minnesota, a hurricane plan probably isn't the place to start.

Bryan Strawser: Right. Right. I like to tell people, we like to tell people, I should say, we want to look at the obvious risks first. The things that you know are going to happen to you. The things that you're regulatorily required to have planned around. Then I think you can start to get into the outer rings of, "Well, I've covered the things I know are going to happen. I've covered the things I have to have for regulatory purposes. Here are some things that I think are the next circle of risk here." I think you kind of keep going in circles from there as you need to have scenario specific plans.

Bray Wheeler: Well, I think even as you get... As you start to build those things out and you're a couple years in and you have a dozen, let's say you're really doing a really good job, and you have like two dozen plans of different scenarios, it's important to go back to those plans you've already created and reassess, or "Hey, we've moved in a different direction as a company, this risk that the company is talking about generally, is becoming a bigger deal. Hey, we did a plan for that two years ago. Let's pull that back out and make sure it aligns to what it is that we're talking about, or the direction that we're going."

Bryan Strawser: Update.

Bray Wheeler: I just think that it's, to kind of beat on the point that we're making, it's real, real easy to go down a rabbit hole and it's real, real easy to make, even these plans, more complicated than they need to be. We've seen a lot of different organizations try to account for every little nuance of a situation. That's probably not helpful. When you get into that situation, nobody's pulling that plan out to address it. Really what you're trying to accomplish with these top risks, these more specific plans or annexes, or whatever you want to call them on top of your crisis plan to address the situation is, what are those key unique things in that situation that we need to make sure that we hit right away, or that we need to act on right away, or we need to make decisions on right away? Then what are those other nuances that we start accounting for as we move through the situation? It's not another 14 pages on how to do something. That's not helpful.

Bryan Strawser: We could probably do a whole episode just about how to construct plans in an intelligent and effective manner. A couple of things that you brought up that I think are worth elaborating on here, is when we are talking about developing these scenario-specific plans, these really should be structured as annexes to your crisis management plan, or crisis management framework, whatever you're calling it, because essentially what you're saying is, "I'm going to take the framework by which I always manage a crisis, I'm going to add this plan content for this specific scenario or situation or type of scenario, I'm going to use that on top of my framework."

Bryan Strawser: Maybe you've got specific checklists by role. Maybe you've got some specific assessment questions, you got some specific strategies you're going to follow, but all of that has to be built, that annex has to be constructed in a flexible way, because to your point, you can over-structure this, where it's too rigid, and you find yourself in the situation where the real-life scenario is slightly off of how you thought it was going to be, and now your annex is shit, because the underlying scenario is different. Or you didn't foresee the combination of factors that got you into the place that you're in.

Bray Wheeler: Or you've positioned it in a way that the people that are responsible for working through those checklists, or kind of working through the process, or helping facilitate that conversation, get stuck up on what order they're supposed to be doing things in, and, "Oh. We didn't call this person, or this thing didn't get done, we can't possibly move on to the next thing." You have to keep adapting and you have to keep moving against whatever the situation is. Those plans should really be there to guide you and make sure that you're accounting for the nuances of those situations.

Bryan Strawser: Part of what I think you have to account for, as well, in all of this, is that you may have developed plans for a number of different scenarios, planning annexes, for a number of different scenarios, your situation that you find yourself in now, is a combination of scenarios. Right?

Bray Wheeler: Yup.

Bryan Strawser: So, you're pulling two or three plan annexes out, that you got to execute. How do you make that interact? Did you plan it in that way? Do you even know, the situational question, which is, do you know that there are really three things going on? You may only see two of them at the time. You may not have the awareness to know there's a third.

Bryan Strawser: So, anyway, the point is, that the annex needs to be able to interoperate. Part of what you want to think about when we started getting into this complex crisis management situation, is what do you do when you have the multiple, simultaneous incidents, or you have the incident, the crisis situation, that has multiple impacts that fit your scenario? Like you've had a cyber-attack, and you're under cyber-attack, and now you have a physical attack in your lobby. Okay, those are two same, might be the same crisis, you don't know it yet, but now you've got simultaneous issues going on that you've got to deal with.

Bray Wheeler: As you're working through and trying to identify, because I think that's an important point when you're thinking about what risks to prepare for, what's your top risk, it's really going back through the annexes that you have, and, or, thinking about, "Okay. Our top risk is a data breach." Great. Okay. "So, let's start there." It's important to have that exercise too, kind of once you're done, a little bit of an after-action, or a little bit of a debrief off of it, going, "Okay. What are those other things," to your point, "that might manifest out of this or may have caused this? Is it a physical security thing? Does that need to be the next thing that we go into a little bit more detail on?"

Bray Wheeler: One I always enjoy that our previous...

Bryan Strawser: Our previous life.

Bray Wheeler: Our previous life. Was the having an annex for a terrorist attack and an annex for a mass-casualty event? Does it really matter, as that organization, the nature of the situation? Is really what you're doing is managing a mass-casualty attack, and later on, it turns into something else. So, as you're thinking about those top risks, it's important to be clear about what it is you're trying to address, because in that case, that organization, there's no responsibility there from a terrorist standpoint. Really, you're treating it as a mass-casualty event. You don't really care what the motivation of the attacker is at that point.

Bray Wheeler: So, it's being really clear as you're laying out what that annex is, what that top risk is, that you're dialing into the right thing that's going to have the impact to your organization that you're accounting for, and not something that's kind of sexy, or high profile, or gives it a different cool spin on something. It's really getting down to the nuts and bolts of what that situation is.

Bryan Strawser: Yeah, I think you make an important point. This could be overdone. We've seen this. We have often seen plan annexes that we're being asked to edit, coming in as a consultant, I think we read a 170 page one back at the first of the year on a... To be fair, it was on a complex topic, and I don't want to minimize that the underlying issue was a serious one, but that it was about three times as long as it really needed to be.

Bryan Strawser: You've got to allow flexibility in these plans. You have to make sure they connect to the underlying incident or crisis management process, and they need to be able to interoperate with other annexes when you have these multi-impact, complex, crisis situations, that we hope you never have to face, but the reality is if you're in a big company, big organization, sooner or later, you're going to run into that scenario. So, you want to make sure that your annexes and your plans all fit what those unseen possibilities are because we know it will be the combination of events that you never imagined would happen.

Bryan Strawser: The whole time we've been sitting here in this podcast talking, thinking about these multi-impact events, I just keep going back to Japan and the 2011 earthquake off the coast of Natori Province, and that was one of the largest earthquakes in world history, followed by this massive tsunami, and then this rising nuclear issue at Fukushima that came after. It all interconnected, and the Japanese government just didn't have situational awareness to see the big picture, and really struggled in the response that should have been much easier for a company, or for a country rather, that was that prepared.

Bray Wheeler: Well, yeah, because individually-

Bryan Strawser: They nailed it. They had it.

Bray Wheeler: They could execute each one of those situations, probably, brilliantly.

Bryan Strawser: But not all three at the same time.

Bray Wheeler: But all three at the same time, there wasn't that awareness.

Bryan Strawser: So, as you think about how to plan for your top risks, as you build that crisis framework and you're moving forward, our advice, go for the obvious and regulatorily driven risks, and then start to look out from there. Whatever you do, don't turn this into rocket science.

Bray Wheeler: Keep it simple.

Bryan Strawser: Keep it simple. Keep your planning simple. Make your annexes interoperate. We wish you luck. Thanks for listening to this episode of the Managing Uncertainty podcast. We'll be back with you with a new episode next week. Thanks for listening.

Simply Stated - A Podcast on All Things State Finance
#10 - Greg Gonzales - State Regulations, Partnerships, and Tennessee

Simply Stated - A Podcast on All Things State Finance

Play Episode Listen Later Sep 12, 2019 29:35


Welcome to Simply Stated, a podcast by CSBS, the Conference of State Bank Supervisors. I am Matt Longacre. My guest today is Greg Gonzales. He is commissioner of the Tennessee Department of Financial Institutions. Like many other state regulators, the department oversees banks, credit unions, trust companies, and a variety of nonbanks. Because of this diversity, Greg says, “Our small department touches every community in the state of Tennessee.” And that comes in handy as the department looks to support the strategic plan of his new Governor, with an emphasis on assisting rural communities across the state. The regulatory approach relies on balancing two important parts of its mandate — “ensuring safety and soundness and being mindful of economic development” — while tailoring regulations to the risks presented by individual institutions, depository and non-depository alike. To Greg, that’s the best way to enable financial institutions to deliver benefits to the citizens of Tennessee. “We want to help institutions not just survive but thrive.” In our interview, Greg elaborates on his regulatory approach. He recounts how companies have thanked the department for flagging risk issues to make those companies stronger entities. He describes a large increase in assets managed by state-chartered banks — from about $40 billion a few years ago to $120 billion and more in the near future — and what conditions have led to this growth. He also speaks to his role as chairman of the State Liaison Committee of the FFIEC and the critical role that organization performs. In particular, he appreciates how federal officials have supported state efforts to assist smaller institutions on issues such as exam modernization, and how CSBS provides important staff support. And, finally, he speaks to how regulators need to do their jobs — both with industry and with consumers — to enable financial services to be delivered in a safe, sound and reliable manner. 
As he summarizes, “It’s all about public confidence.” A lifelong Tennessean, Greg speaks with enormous pride in the work of his department, everyone he works with outside the department, and his hopes for a better future for all those in the state. Conducting this interview is Jim Kurtzke, who recently spent the day with Greg and his staff in their offices in Nashville. Let’s go to the interview.

Cybersecurity & Cryptocurrency Podcast with Eric English
Cyber & Crypto Podcast - Episode 73

Cybersecurity & Cryptocurrency Podcast with Eric English

Play Episode Listen Later May 24, 2019 21:58


SSO Security Threats. Office 365 Security Threats: http://ericenglish.com/2018/08/28/8-ways-to-harden-office-365-environments/ Various Security Standards: HIPAA, PCI, NIST, FFIEC, etc.

Pwned: The Information Security Podcast
Quickstart – Building a Security Program with the NIST Cybersecurity Framework

Pwned: The Information Security Podcast

Play Episode Listen Later Jan 28, 2019


Show Notes: https://justinfimlaid.com/quickstart-building-a-security-program-with-the-nist-cybersecurity-framework/h Sponsor: https://www.nuharborsecurity.com Contact Me: https://justinfimlaid.com/contact-me/ Twitter: @justinfimlaid LinkedIn: https://www.linkedin.com/in/jfimlaid/ Hey Everyone - I'm starting to feel a little bad that the Government has been shut down for so long. I've hit the NIST site at least 10-15 times over the last couple weeks looking for a reference only to be met by a we're closed frowny face. Anyway - as soon as I recorded this the government opened up…figures. By the time this goes live NIST will be open again. If you're looking to build or enhance your security program, the NIST Cybersecurity Framework might be a good place to start. I see a lot of companies looking to build their security or compliance programs around PCI-DSS, HIPAA, or FFIEC guidance to name a few. It's good guidance but these regulations fail to recognize an organized security capability. Meaning - there's no categorization that exists that says if you do this group of security tasks you'll be better protected, or if you focus on these groups of tasks you'll be better positioned to recover from a cyber event. The NIST Cybersecurity Framework is organized exactly that way. In the absence of any regulation or compliance requirement this framework might provide a nice step into budget conversations or even establishing a common way to talk about cybersecurity within your organization or institution. To read more about the NIST Cybersecurity Framework, check out my post at NuHarbor Security.

The Risk Management Association
FFIEC's Examination Modernization Project

The Risk Management Association

Play Episode Listen Later Jan 7, 2019 3:45


Bernie Mason, RMA's Regulatory Affairs Liaison, discusses the FFIEC's update on its Examination Modernization Project, which identifies and assesses ways to improve the effectiveness, efficiency, and quality of community financial institutions' safety and soundness examination processes through the use of technology.

Venminder Inc.
Vendor Risk Management and FFIEC Appendix J

Venminder Inc.

Play Episode Listen Later Sep 5, 2018 3:05


Learn how FFIEC’s Appendix J relates to your vendor risk management program, four key elements of business continuity planning that you should address when contracting with a third party service provider and our recommendations to best incorporate Appendix J into your vendor risk management program.

Security Insider - Podcast Edition
Big Data, MongoDB, & Encryption

Security Insider - Podcast Edition

Play Episode Listen Later Jan 23, 2018 19:15


It is difficult to say big data without instantly thinking about MongoDB. As enterprises adopt MongoDB, they also bring security concerns with them. Depending on their business, they may have multiple government (HIPAA, GDPR, FFIEC, etc.) or business (PCI DSS, etc.) security regulatory standards with which they need to comply. Join Patrick Townsend, Founder and CEO of Townsend Security, as he talks about leveraging the WiredTiger storage engine, achieving a strong security posture with key management, and how to easily begin encrypting data in MongoDB Enterprise.

Download this podcast to learn about:
- Encryption using the WiredTiger storage engine - no need to buy 3rd party encryption!
- Easily generating a master encryption key and beginning to encrypt database keys using native command line operations
- Meeting compliance requirements (PCI DSS, HIPAA, GDPR, etc.)
- The importance of KMIP

Venminder Inc.
Learning the Fundamentals of Third Party Risk Management

Venminder Inc.

Play Episode Listen Later Nov 15, 2017 1:25


Learn the key takeaways from important third party risk regulatory guidance released by the OCC, FDIC, and FFIEC.

The Risk Management Association
Regulatory Update – HMDA Data Collection

The Risk Management Association

Play Episode Listen Later Nov 6, 2017 3:48


Bernie Mason, RMA's Regulatory Affairs Liaison, discusses the FFIEC's guidelines used to assess the accuracy of the Home Mortgage Disclosure Act data that institutions record and report.

Venminder Inc.
FFIEC Appendix J and E

Venminder Inc.

Play Episode Listen Later Jul 13, 2017 2:42


FFIEC Appendix J and E by Venminder Inc.

Security Insider - Podcast Edition
Encryption Requirements for Banks & Financial Services

Security Insider - Podcast Edition

Play Episode Listen Later Mar 30, 2017 18:03


The finance industry is increasingly being held accountable for the security, confidentiality and integrity of non-public customer information. By protecting nonpublic personal information (NPI) and personally identifiable information (PII), businesses in the banking and financial services industry can protect private information including customer financial records, social security numbers, income, and account numbers. Organizations that experience a data breach in which unencrypted data is lost can suffer fines reaching into the millions of dollars, as well as indirect costs like brand damage and customer loss.

Download this podcast to learn about:
- Meeting data security compliance requirements (GLBA, FFIEC, PCI DSS, etc.)
- Examples of NPI and PII that need to be encrypted
- Encryption and key management
- How to take advantage of the GLBA's "safe harbor" protection for privacy notices

Careers Information Security Podcast
FFIEC Sheds Light on Use of Cybersecurity Assessment Tool

Careers Information Security Podcast

Play Episode Listen Later Oct 21, 2016


Credit Union Information Security Podcast
FFIEC Sheds Light on Use of Cybersecurity Assessment Tool

Credit Union Information Security Podcast

Play Episode Listen Later Oct 21, 2016


Data Breach Today Podcast
FFIEC Sheds Light on Use of Cybersecurity Assessment Tool

Data Breach Today Podcast

Play Episode Listen Later Oct 21, 2016


Info Risk Today Podcast
FFIEC Sheds Light on Use of Cybersecurity Assessment Tool

Info Risk Today Podcast

Play Episode Listen Later Oct 21, 2016


Banking Information Security Podcast
FFIEC Sheds Light on Use of Cybersecurity Assessment Tool

Banking Information Security Podcast

Play Episode Listen Later Oct 21, 2016


Down the Security Rabbithole Podcast
DtSR Episode 195 - NewsCast for May 24th 2016

Down the Security Rabbithole Podcast

Play Episode Listen Later May 24, 2016 54:49


This week the gang's all here to talk about some news happenings. Michael, James and I talk through some of the stories we've been tracking. Have something you've been reading and want to talk about? Hit us on Twitter with hashtag #DtSR and suggest a topic/story for the next NewsCast!

Tennessee Amends Breach Notification Statute
http://www.natlawreview.com/article/tennessee-amends-breach-notification-statute
- Removes the exception for encrypted data. Will this raise the costs to companies?
- Encrypted or not, will credit monitoring be the norm?
- More lawsuits (even if the data is encrypted)
- Do we run the risk of notification overload? What do people do with these notifications anyway?

FFIEC's New Mobile Security Guidance: An Assessment
http://www.bankinfosecurity.com/ffiecs-new-mobile-security-guidance-assessment-a-9104
- Interesting how they discuss some of the risks (SMS, mobile enabled website) but also talk about ways to mitigate the risk.

Software "glitch" kills Formula1 car mid-race
http://news.filehippo.com/2016/05/software-glitch-kills-formula-1-car-mid-race/
- Does not take a rocket surgeon to figure out the real-world applications here
- Sure this time it was a 'glitch', but could just as well have been a security bug, exploited by an attacker?
- Many vehicles are now 'smart' and phone home, make decisions and drive for you

LinkedIn plays down 117 million user breach of data sale
http://www.theregister.co.uk/2016/05/19/linkedin_breach/
- From 2012 breach... coming back to us
- Does this show how a breach can linger on?
- Alternate theory: attacker has been using credentials stolen, and now that they're not useful anymore he/she is dumping them to the public?