office of the state bank commissioner and · 01/02/2017  · • prevent potential lawsuits • a...



Page 1: OFFICE OF THE STATE BANK COMMISSIONER AND · 01/02/2017  · • Prevent Potential Lawsuits • A security program is required by Insurance Companies • A security program is required


OFFICE OF THE STATE BANK COMMISSIONER

INFORMATION TECHNOLOGY AND CYBERSECURITY

COMMITTEE ON GOVERNMENT, TECHNOLOGY AND SECURITY

FEBRUARY 1, 2017

The Office of the State Bank Commissioner regulates all state‐chartered banks, trust companies, mortgage businesses, supervised lenders, credit service organizations, and money transmitters that do business in the State of Kansas.

Our Mission Statement 

Ensure the integrity of regulated providers of financial services through responsible and proactive oversight, while protecting and educating consumers. 

Our Goals

*ENSURE the fair and reliable supervision of state chartered banks, trust companies/departments, savings and loans, and suppliers of mortgage and consumer credit;

*EDUCATE regulated entities to promote a better understanding of and compliance with governing laws and regulations;

*PROTECT Kansas consumers from unfair or unscrupulous credit practices;

*PRESERVE the dual banking system through chartering of new state banks, maintenance of existing state charters, and equitable regulation of state banks; and

*PROMOTE and MAINTAIN the public's trust in a state financial system.

Our Philosophy

The Office of the State Bank Commissioner embraces equitable treatment of regulated institutions, and strives to maintain the highest ethical and professional standards. We believe the public's reliance upon our regulatory function is of vital importance to our state's economy. We strive to incorporate regulatory responsibilities, education, preservation of the dual banking system, and promote fair and equitable treatment of Kansas consumers and creditors. We undertake our responsibilities and goals with a deep sense of commitment to the State of Kansas, its citizens, and the institutions we regulate.


TODAY'S TOPICS

• Elements of an Information Security Program within financial institutions

• The Office of the State Bank Commissioner's Information Technology Examination Process

• Cybersecurity Risk

• Bank Self Assessment Tool

• Banker Education

• OSBC In‐House IT Protection

Information Security Program



Evolution of Data Security: Started with Doors, Windows, and a Vault

Evolution of Data Security: Emerging: ATM


Why Should a Bank Establish an Information Security Program?

• Protect Confidentiality, Integrity, & Availability of Information

• Mitigate Financial Losses

• Prevent Potential Lawsuits

• A security program is required by Insurance Companies

• A security program is required by Law (FDIC Rules and Regulations Part 364, Appendix B)

Information Security Program

Components of an Information Security Program:

• Governance Structure

• Risk Assessment

• Physical, Technical, & Administrative Controls

• Policies and Procedures

• Audit Program

• Vendor Management

• Incident Response

• Business Continuity/Disaster Recovery Planning

• Ongoing Review of ISP


Information Technology Examinations


IT Examination Work Program ‐ InTREx

• The OSBC started IT Examinations in 2004.

• In 2016, a new IT examination work program, the Information Technology Risk Examination Program (InTREx), was adopted.

• InTREx is an update of IT and Operations Risk examination procedures, with a focus on efficiency using a risk‐focused approach.

• InTREx includes a cybersecurity preparedness assessment

• Goals are to ensure financial institution management promptly identifies and effectively addresses IT and cybersecurity risks. 



IT Examinations

• InTREx provides a pre‐screening process that allows regulators to rate the level of IT risk in a bank (Level A, B, or C). Level A is the most complex.

• The IT Profile (pre‐screening) focuses on an institution's IT environment.

• The results of the Profile assist regulators with assigning IT human resources to the examination.

• The OSBC has two IT Specialist positions that focus on Level A and high Level B examinations.

• The OSBC has 14 field examiners who are cross‐trained on IT and capable of conducting Level B and C examinations.

IT Examination Work Program – InTREx

The scoring profile covers the following topics:

• Core processing – applications for loans, deposits, investments, trust, and general ledger

• Network and wireless network

• Online banking

• Development and Programming

• Software and Services

• ACH

• ATM


• Mobile devices (bank and personal)

• Call Center

• Vendors and Third party contractors

• Servers and server rooms

• Cloud storage

• Cybersecurity program

• Staff and training

IT Examination Work Program – InTREx Core Analysis

• Audit

• Management

• Development and Acquisition

• Support and Delivery

• Information Security Standards

• Cybersecurity

In addition to the above, there are expanded procedures for each topic.



IT Examination Process

The examination walks through the following questions:

• What do you have and where's the risk?

• How is the risk controlled?

• Does the bank have policies/procedures to govern?

• Audit coverage/testing?

• Audit findings tracked and corrected?

• Effective management/governance processes in place?

• Does the Board provide effective oversight?

IT Examination Ratings

• The OSBC conducts two types of IT Examinations: Complex or Non‐complex

• Examinations will use the full InTREx work program on complex institutions and the modified InTREx work program on less‐complex institutions.

• A non‐complex examination will only receive a Composite Rating (1 to 5). A rating of 1 is the best.

• At complex examinations, examiners will rate the areas of Audit, Management, Development and Acquisition, and Support and Delivery, as well as provide an overall Composite Rating. Each of these will be rated on a scale of 1 to 5.


IT Risk Management

IT Risk Management – What do examiners consider?

• Does the institution possess the proper amount of IT knowledge?

• Has the institution designated an IT Officer?

• Is the IT Officer properly trained?

• Is the IT Officer properly informing the board with an appropriate amount of information that would allow the board to assess risk?

• Are IT reports being included in the board meeting packets?

• The board does not need to specialize in IT, but they need to know enough to assess risk and set overall policy for the institution.

• KEY: Is IT information getting from the backroom to the boardroom?



• Is the board holding management and the IT Officer accountable for any deficiencies that exist?

• Does the bank perform an IT Risk Assessment?

• Is the Risk Assessment properly focused on the bank’s environment?

• Are IT audits being conducted and does the audit scope cover the key risks?

• Is the auditor competent and independent?

• Has the board/management initiated remediation tracking, resolution documentation, and risk assessment updating processes?


Cybersecurity



Cybersecurity – Threat Environment: Vulnerabilities

Technological: Weakness in hardware, software, network, or system configurations

Organizational: Lack of awareness of threats/vulnerabilities, incomplete asset inventories, weaknesses in/over-reliance on third parties

H: Exploitation of human behavior such as trust and curiosity; lack of effective security awareness training

Physical: Theft, tampering, device failure, or introduction of infected media

Cybersecurity – Threat Environment: Actors

Cyber Criminals - Financially motivated; attacks include account takeovers, ATM cash-outs, and payment card fraud.

Nation States - Attempt to gain strategic advantage by stealing trade secrets and engaging in cyber espionage.

Hacktivists - Maliciously use information technologies to raise awareness for specific causes.

Insiders - Abuse their position and/or computer authorization for financial gain or as a response to a personal grievance with the organization.


Cybersecurity – Types of Attacks

• Phishing e‐mails

• Malware installations (Viruses, Worms, Trojans, Keystroke Logger)

• Patch and Vulnerability Exploits

• Advanced Persistent Threats (APTs)

• Distributed Denial of Service (DDoS)

• Ransomware

• ATM Attacks


Cybersecurity – Regulatory Environment

The OSBC recommends all financial institutions:

• Participate in information sharing through the Financial Services Information Sharing and Analysis Center (FS‐ISAC) or United States Computer Emergency Readiness Team (US‐CERT)

• Monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so risk can be evaluated

• Possess proper IT related policies and follow policy

• Include IT in institution strategic planning

• Formally assess cybersecurity risk

• Ensure management preparedness (oversight, intelligence, controls, external dependency, incident management)

• Align resources and departments so they are communicating


• Require strong vendor management

• Require strong patch management

• Know your customers and customer habits

• Require employee and board training

• Know your law enforcement and regulatory agency contacts should an emergency occur

• Audit the system for validation

• Conduct penetration testing


Highest INTERNAL Risk Areas

• Individual Employees and Directors

• Corporate Culture

• Third party vendors and contractors

• Failure to apply timely patch management

• Using software and technology that is no longer supported


Employee Risk

• Flash drives

• Social websites

• Opening harmful e‐mails or webpages

• Opening redirect web pages that look authentic

• Failure to update devices (patch management)

• Failure to protect devices when away from the workstation

• Failure to create secure passwords

• Cross use of work and personal email

• Cross application of work and personal devices

• Stolen or lost devices

Cybersecurity Assessment Tool

• Financial institutions are required to formally assess cybersecurity risk

• In June 2015, the Federal Financial Institutions Examination Council (FFIEC) issued a federal and state joint work product called the Cybersecurity Assessment Tool (CAT)

• Institutions are not required to use the CAT, but must use a comparable assessment

• The CAT is a resource provided to assist institutions in assessing risk and thinking through all of the IT risk areas


Banker Education

• Kansas is one of 32 states that have held an Executive Leadership Briefing on Cybersecurity to raise awareness and provide information. The OSBC, in conjunction with the Kansas Bankers Association and the Conference of State Bank Supervisors, held a briefing on November 3, 2015.

• Over 3,000 financial institutions' executives across the United States have attended these sessions since they began in December 2014.


Available Banker Education

• Cybersecurity Assessment Tool (CAT)

• CSBS issued Cybersecurity 101 Resource Guide

• Institutions have access to the examination work program (InTREx)

• FS‐ISAC and US‐CERT

• FDIC has an IT/Cyber Technical Assistance Video Series online

• IT is included in bank director training

• Regulators "train and explain" at examinations

• Industry professionals and consultants are available

• Classes and seminars for IT topics are abundant

Statistics to Consider

• A campaign of just ten e‐mails yields a greater than 90% chance that at least one person will become the criminal's prey

• 11% of recipients of phishing messages click on attachments

• Estimated cost of a breach is upwards of $254 per record

• Employees are curious, and there is a high likelihood that an employee will introduce a found flash drive into a work computer

• In 38% of cases, it took attackers just seconds to compromise a system

• In 60% of cases, attackers were in within minutes


• In 28% of cases, it took attackers minutes to exfiltrate data

• It sometimes takes weeks & months before a company knows it was hacked

• 25% are targeted attacks  /  75% are victims of opportunity

• 89% of breaches have financial or espionage motive

• In 99.9% of cases, the exploited vulnerability had been publicly warned about more than one year earlier

• 97% of breaches were avoidable (patch management failures)

• Experts say it is often cheaper to trash all tech after a breach, and start over


OSBC In‐House Security Measures



OSBC In‐House Security Measures

• All portable storage and mobile computing devices, including agency cell phones, laptops, and USB flash drives, are encrypted.

• Electronic transfer of files with institutions is encrypted in transit and encrypted at rest (FDICconnect, OSBC ShareFile).

• Independent security assessments are performed annually, including "ethical hacking" attempts to exploit weaknesses or discover vulnerabilities.

• All PCs are protected by a managed antivirus solution and reputation‐based network filtering.

• Emails containing sensitive information are automatically encrypted in transit. All email communications with federal counterparts are encrypted in transit.

• A Network Intrusion Prevention System is in place to constantly observe network traffic and automatically respond to security events.

• The primary data center (ISG, Topeka) is monitored 24/7 with strict access controls, a fire suppression system, and a 1,000‐gallon fuel generator with an uninterruptible power supply.

• Off‐site secondary data center (in Salina) with fail‐over capabilities.

• Monthly off‐site, off‐line encrypted backups of exam reports and the licensing database.

• Comprehensive software patching capabilities, ensuring the latest security patches for the operating system and third‐party applications are deployed to workstations.

• Multiple layers of email security, including attachment sandboxing, phishing analysis, and a series of automated and manual checks on external emails that fit suspicious criteria.


Questions from the Committee

• What information is collected, stored, and accessed by the agency?

Personally Identifiable Info (PII), Federal Tax Information (FTI), Criminal Justice Information (CJI), examination data of financial institutions, and other information that assists with licensing and evaluating institutions, including an institution's volume and assets.

• With whom does the agency share this information?

Federal agencies such as the FDIC and the Federal Reserve Bank, and other States during joint examinations.

Questions from the Committee

• What are your emergency/back‐up plans?

In case of the main data center’s loss of function, a second data center in Salina, KS replicates our production system each day. Email has additional redundancy which could keep email functional even without either data center functioning.

Data backups are performed at various intervals up to hourly. In addition to our normal backup strategy and replication to a second data center, some business‐critical data is also stored on media at a safety deposit box, which rotates monthly.



Questions from the Committee

• Have you gone through a security audit? By whom, when, and with what results?

January, 2016 – Conducted by Optiv. They had five medium‐risk recommendations, none in the “High” risk category.

September 2014 – Conducted by Optiv. There were six medium‐risk recommendations, none in the “High” risk category.

Another security audit is scheduled to be conducted in 2017.


Questions from the Committee

• What kind of security training is conducted? By whom? How often? What is covered in the training?

All agency employees must attend yearly training, prepared by the agency. In addition, all employees review and sign an acknowledgement of the agency security policy. This training covers agency policies, social engineering, phishing, internet security, and data security.


Questions from the Committee

• What kind of security training is conducted? By whom? How often? What is covered in the training?

Agency IT staff have attended formal training, equal to or in excess of 40 hours, on the following topics. As a result of their training they hold certifications in several of these areas.

Certifications held from CompTIA:

• A+

• Security+

• Network+

Microsoft Windows Server:

• Active Directory

• Server Management

• Network Infrastructure

Additional training topics:

• Microsoft Windows 7 Enterprise Support

• Microsoft SQL Database Administration

• CCNA (Cisco Certified Network Associate)

• Java Programming Fundamentals

• Transact SQL Programming

• CEH (Certified Ethical Hacker)

• CHFI (Computer Hacking Forensic Investigator)

Legislative Post Audit Study

• During the legislative post audit study of 2014 our agency was found to have 0 Critical Findings and 2 High Findings.

Finding 1: Lacked formal policy on password rotation, complexity and auditing on encrypted USB drives.

Resolution: Added specifics to our current policy on rotation, complexity and auditing. All USB drives were reissued passwords with a more complex password. This will occur each year. Yearly reissue of encrypted thumb drives for all employees will occur in the future. We will complete quarterly random auditing to ensure compliance with retention policy and security.

Finding 2: Lacked formal policy on conducting background checks on IT staff. Agency had no record of background checks being performed. Three of the four staff had passed background checks independently for data center access.

Resolution: Introduced formal policy requiring background checks prior to hiring of IT staff. Conducted background checks of existing IT staff.


Division of Banking

Judi M. Stork

Deputy Commissioner

[email protected]

785‐296‐1515

Ken Torgler

Director of Examinations

[email protected]

785‐296‐1379

Division of Consumer and Mortgage Lending 

Jennifer Cook

Deputy Commissioner

[email protected]

785‐296‐1532

Mike Enzbrenner

Director of Examinations

[email protected]

785‐296‐1878

Michelle W. Bowman

Bank Commissioner

[email protected]

785‐296‐1520

OFFICE OF THE STATE BANK COMMISSIONER

QUESTIONS?