
 
Many banks confused about recent FFIEC authentication guidance

October 11, 2011

Interested in how community financial institutions were interpreting and implementing the Federal Financial Institutions Examination Council’s supplemental guidance on authentication, HEIT, a Computer Services Inc. company, partnered with cbanc Network to survey chief information, security, compliance, and operations officers from hundreds of community financial institutions.

Survey highlights include:
•    42% of community financial institutions thought the guidance primarily focused on multifactor authentication. In fact, the supplement specifically addresses malware, the need for better IT risk assessments, and stronger layered security controls.

•    50% did not realize the guidance defines two minimum required elements of a layered security program. In 2012, examiners will ensure a process is in place to detect and respond to suspicious activity at initial login to an electronic banking system and initiation of electronic transactions involving funds transfer.

•    83.2% of community financial institutions are using multifactor authentication for retail online banking accounts, while 73.5% are using it for business accounts. The guidance only encourages multifactor authentication for high-risk transactions and online business accounts. It is not required for all activity.
 
 


“The FFIEC's supplemental guidance acknowledges that virtually every authentication technique can be compromised,” says Paul Reymann, chief risk officer at HEIT. “So we felt it was paramount for community financial institutions to gain more tactical insights on what to do and what not to do going forward in regards to authentication best practices. Our survey focused on the understanding of the guidance, multifactor authentication products and services in use today, and lessons learned from existing multifactor authentication initiatives.”

“The survey results identified some confusion about the supplemental guidance, highlighted additional areas where more specific guidance might be useful, and supported our recommended security posture for community financial institutions,” says Reymann. “We recommend relying on multiple controls for authorizing high-risk transactions, instituting a system of layered security and reviewing and updating existing risk assessments on a continuous basis.”
 
 

 
