Pub. 9 2018 Issue 1
Spring 2018, West Virginia Banker

Chris Joseph is a Partner of Arnett Carbis Toothman LLP, located in the Charleston, West Virginia office. A Certified Public Accountant, Certified Information System Auditor, Certified in Risk and Information Systems Control and Certified Information Technology Professional, Mr. Joseph has over thirty years of experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@actcpas.com.

also observed updates to the core processing system which resulted in logical access issues. In other cases, the employee(s) in question serve as backup personnel in order to provide timely customer service.

There are several controls that can be implemented to address these issues. One control is the implementation of logical access administration controls. Logical access administration controls are those that assist the financial institution with requesting, approving and executing logical access requests resulting from new hires, terminations or changes in job duties and responsibilities. The control usually involves the use of request forms or communications to ensure the appropriate personnel are aware of the requested change. In order for the change to be implemented, the request must be independently approved by management. Other controls include the implementation of compensating controls over the activity conducted, including review of reports by independent personnel and periodic review of the logical access assigned to financial institution personnel.

Ransomware. According to Adam Kujawa, director of malware intelligence at security firm Malwarebytes, “From a business standpoint, the biggest threat, especially at the end of last year, was ransomware.” The number of ransomware variants available to cybercriminals is increasing at a rapid rate. ID Ransomware, a website where victims can upload a ransom note and/or a sample encrypted file to identify the ransomware that has encrypted a company’s data, currently detects 543 (as of January 29, 2018) different members of the ransomware family. In October 2016 there were approximately 200. In addition, according to telemetry from Malwarebytes products, business ransomware detections have increased by 90 percent (up to ten times the rate of 2016). Consumer ransomware detections have increased by 93 percent. Many experts feel ransomware is not going away.

What is ransomware? There are two primary types of ransomware: locker ransomware, which locks the computer or device, and crypto ransomware, which prevents access to files or data, usually through encryption. Locker ransomware is sometimes referred to as blackmailing. The impacted computer is locked and an official-looking message is displayed (from the FBI, etc.). The message indicates that the user of the computer was involved in some type of illegal activity (child pornography, software piracy, etc.) and that they could avoid further action by paying a fine. The user’s computer will be unlocked after paying the fine. Crypto ransomware encrypts the users’ data. Once the encryption is complete, a ransom message is displayed demanding payment in return for the release of the users’ data files. There have been different variations since 2013 including CryptoLocker, CryptoWall, CTB-Locker, TorrentLocker, Bitcryptor and CoinVault, TeslaCrypt, Locky and WannaCry. Gaining an understanding of how these different variations operate can give the IT security team more insight into the challenge facing financial institutions.

When implementing controls to address ransomware, an important concept to understand is that ransomware does not target a certain technology; it targets human behavior. Reducing the risks of ransomware entails a multiphase approach including: deploying endpoint protection software to reduce the risk of malware penetrating the network, maintaining effective data backups to assist in the recovery of data, increasing awareness through employee training, using an effective spam filter, configuring desktops to show file extensions, blocking executables in email, preventing malicious JavaScript files from running, restricting the use of elevated privileges, and deploying a patch management program that patches software promptly.

SOC Reports. Many financial institutions utilize a service provider to assist in providing customer services and/or to assist the financial institution with addressing certain internal needs. When utilizing a service provider, especially one delivering services that could impact internal control over financial reporting, it is extremely important that the service provider have a service organization control (SOC 1) engagement conducted. During a SOC 1 engagement, both the service organization and the service auditor have responsibilities. One of the service organization’s responsibilities is to identify and communicate complementary user entity controls. The service provider’s controls cover only a portion of overall internal control for each user entity of the system. It is not feasible for the control objectives related to the system included in the SOC 1 to be achieved solely by the service provider. Each user entity, or customer, must evaluate its own internal controls over financial reporting in conjunction with the service provider’s controls. The service provider includes certain complementary user entity controls that should be considered during the customer’s evaluation. One of the issues we have encountered is the lack of an evaluation of the complementary user entity controls. It is important that the complementary user entity controls are reviewed by the financial institution to ensure the applicable controls have been considered and implemented where considered necessary. In addition, we recommend that the review be documented and periodically updated for currency and applicability. In some cases, a financial institution’s service provider will have a SOC 2 conducted. While a SOC 2 does not address controls over financial reporting, it can address any one or combination of five trust service principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. The Bank should consider evaluating the complementary user entity controls for SOC 2 reports as well.

Conclusion. Information technology is significant to the effective delivery of customer services. An increasing number of challenges are encountered with the increased reliance on and use of information technology. A financial institution must ensure a dynamic approach is used to address these challenges and that the controls are assessed and tested regularly.
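As an added example tied to the ransomware controls listed above (this is not the author's or the firm's code): a PowerShell script for a single Windows workstation that shows file extensions, re-associates the Windows Script Host file types so a double-clicked script opens in Notepad instead of executing, and provides a check an auditor can re-run later. It assumes an elevated PowerShell session; the registry keys are the standard Windows locations for these settings, and the function name Test-RansomwareHardening is my own.

```powershell
# Added example, not from the article: applies two of the endpoint controls
# listed above (show file extensions; keep script files from running on
# double-click) on one Windows workstation, then reports the resulting state.
# Assumes an elevated PowerShell 5.1+ session; the registry paths are the
# standard Windows keys for these settings.

$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$scriptExts  = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh')

# 1. Show file extensions in Explorer, so an attachment named
#    "invoice.pdf.js" no longer displays as "invoice.pdf".
Set-ItemProperty -Path $advancedKey -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Point the script extensions at the plain-text handler. A double-clicked
#    attachment then opens in Notepad instead of executing under Windows
#    Script Host (wscript.exe / cscript.exe).
foreach ($ext in $scriptExts) {
    $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
    if (-not (Test-Path $extKey)) { New-Item -Path $extKey -Force | Out-Null }
    Set-ItemProperty -Path $extKey -Name '(default)' -Value 'txtfile'
}

# 3. Verification an auditor can re-run later (hypothetical helper name):
#    returns one row per setting with a boolean showing whether it is
#    still in the hardened state.
function Test-RansomwareHardening {
    $hide = (Get-ItemProperty -Path $advancedKey -Name 'HideFileExt').HideFileExt
    $rows = @([pscustomobject]@{ Setting = 'ExtensionsShown'; Hardened = ($hide -eq 0) })
    foreach ($ext in $scriptExts) {
        $handler = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
                    -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        $rows += [pscustomobject]@{ Setting = "$ext handler"; Hardened = ($handler -eq 'txtfile') }
    }
    return $rows
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Explorer picks up the HideFileExt change after a sign-out or Explorer restart, and fleet-wide deployment would normally go through Group Policy preferences rather than a per-machine script. The re-association also stops legitimate administrative scripts from running on double-click, so test on a pilot group before rolling out.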