Pub. 10 2019 Issue 2
www.wvbankers.org 10 West Virginia Banker

...increasing number of patient records that may have been subject to unauthorized access, many, including the government, have increased scrutiny. A concerning statement in the AMCA initial report was that security measures had been taken to protect the compromised data, including encrypting certain information, but those encryption keys were also compromised. Other concerning information:

• The hack appeared deliberate, increasing the possibility that the accessed information may be used to commit fraud.
• It appears the fraudster may have had access to the very personal and highly sensitive information for more than seven months.
• The information may also have included information from healthcare providers.
• There are still some unknowns as to the extent of the breach.

The investigation of the AMCA breach is ongoing, and more information is expected in the coming weeks and months.

• Fiserv. KrebsOnSecurity reported in August 2018 that Fiserv “fixed a glaring weakness in its Web platform that exposed financial details of countless customers across hundreds of bank Web sites”. KrebsOnSecurity received information from a security researcher, Kristian Erik Hermansen, about something he had found curious while accessing an account at a bank that used Fiserv’s platform. The Fiserv solution assigned an “event number” to each email notification sent for a new transaction. Hermansen tested the system by changing the event number by one; this confirmed that the event numbers were sequential and let him see an alert sent to another bank customer. The information included the customer’s email address, phone number and full bank account number. KrebsOnSecurity successfully replicated Hermansen’s findings, though it was limited to viewing information at the one financial institution where the account resided.
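The Fiserv item above describes an insecure direct object reference: the event number was both guessable (sequential) and, by itself, sufficient to read another customer’s alert, because nothing tied the alert to the logged-in user. The following Python sketch is an added example, not Fiserv’s or the author’s code; it contrasts that weak design with one that issues unguessable ids and checks ownership on every read. The class names, the alert fields and the two sample customers are assumptions constructed for illustration.

```python
"""Sequential vs. unguessable identifiers for transaction-alert lookups.

Added illustration (not Fiserv's code). Models the flaw described in the
article: an alert lookup keyed by a consecutive event number with no
ownership check, beside a hardened store that uses random ids AND verifies
that the requesting user owns the alert.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Alert:
    owner: str            # login of the customer the alert belongs to
    email: str
    phone: str
    account_number: str


class SequentialAlertStore:
    """Weak design: consecutive integer ids, and lookup ignores the caller."""

    def __init__(self, first_id=1000):
        self._alerts = {}
        self._next_id = first_id

    def create(self, alert):
        event_id = self._next_id
        self._next_id += 1
        self._alerts[event_id] = alert
        return event_id

    def view(self, requester, event_id):
        # Defect: nothing ties the alert to `requester`.
        return self._alerts.get(event_id)


class HardenedAlertStore:
    """Unguessable ids plus an ownership check; denied reads are logged."""

    def __init__(self):
        self._alerts = {}
        self.denied = []  # (requester, event_id) tuples: a detection signal

    def create(self, alert):
        event_id = secrets.token_urlsafe(16)  # 128 bits of randomness
        self._alerts[event_id] = alert
        return event_id

    def view(self, requester, event_id):
        alert = self._alerts.get(event_id)
        if alert is None or alert.owner != requester:
            self.denied.append((requester, event_id))
            return None  # same answer for "missing" and "not yours"
        return alert


# Constructed sample data, not real customers.
ALICE = Alert("alice", "alice@example.com", "304-555-0100", "000111222")
BOB = Alert("bob", "bob@example.com", "304-555-0199", "000333444")


def weak_store_exposes_neighbour():
    """In the sequential design, Alice's own id plus one returns Bob's alert."""
    store = SequentialAlertStore()
    alice_id = store.create(ALICE)
    store.create(BOB)
    other = store.view("alice", alice_id + 1)
    return other is not None and other.owner != "alice"


def hardened_store_blocks_cross_user_read():
    """Even with Bob's exact id, Alice gets nothing and the attempt is logged."""
    store = HardenedAlertStore()
    alice_id = store.create(ALICE)
    bob_id = store.create(BOB)
    own = store.view("alice", alice_id)
    cross = store.view("alice", bob_id)
    return own is ALICE and cross is None and store.denied == [("alice", bob_id)]


if __name__ == "__main__":
    print("sequential design leaks:", weak_store_exposes_neighbour())
    print("hardened design blocks:", hardened_store_blocks_cross_user_read())
```

The random id limits enumeration, but the ownership check is the actual access control; a pseudo-random string alone would still leak an alert to anyone who obtained the link. The `denied` log is the defender’s side of the same design: a burst of denied reads from one session is the signal a monitoring rule should alert on.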
According to KrebsOnSecurity, it appears that Fiserv no longer displays the sequential event number and “has replaced them with a pseudo-random string.”

There have been many other breaches and security issues during the past year.

Moving Forward. As indicated previously, as reliance on vendors to deliver products and services to customers increases, the importance of a robust vendor management program continues to grow. The vendor management program should consider many different factors to identify critical vendors. Once identified, many risks should be considered, including strategic, reputation, operational, transaction, credit and compliance risk. In addition, critical vendors should be considered during the financial institution’s cybersecurity risk assessment process. The services provided by the vendor will also determine the detailed review conducted by the financial institution (e.g., review the applicable SOC report, review the disaster recovery/business continuity plan, review any regulatory reports or notices on the vendor that may be available, etc.). As with all risk assessments, the vendor management and cybersecurity risk assessment processes should be ongoing. Vendor management and cybersecurity updates should be considered as changes occur in technology, as new products and services are being considered (not after deciding to provide and/or obtain the new product or service), and as industry trends develop. The vendor management program and cybersecurity risk assessment should be presented to the Board of Directors at least annually.

Chris Joseph is a Partner of Arnett Carbis Toothman LLP, located in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information Systems Auditor, Certified in Risk and Information Systems Control and Certified Information Technology Professional, Mr. Joseph has over thirty-four years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@actcpas.com.

Vendor Management, continued from page 9