Sunday, October 22, 2017

FFIEC Proposed Risk Management Guidance on Social Media: Beware and Prepare

Posted by OnCourse Staff


By Buddy Arriola, M.S.C., CISA, IT Audit Supervisor

The Federal Financial Institutions Examination Council (FFIEC) released its proposed guidance on social media use on January 22, 2013, in response to requests from various industries and interest groups for help in understanding the risks associated with social media activities. According to the press release, the guidance does not impose additional requirements on financial institutions. Rather, it is meant as a standardized basis for managing social media exposures at institutions that need one.

The proposed Risk Management Guidance is reasonable. With the increasing popularity of social media, many financial institutions may be at risk. Employees could be involved in some form of social media activity both at work and at home that could intentionally or inadvertently expose the institution. As such, it is critical that management understands the potential dangers social media presents to their business so they can devise practical solutions for managing these risks. The impending guidance is a valuable social media risk awareness initiative that can only help enhance an institution’s information security program.

What is Social Media?

According to Wikipedia, “Social media refers to the means of interactions among people in which they create, share, exchange contents among themselves in virtual communities and networks.” Social media is facilitated by online social and professional networks and other technologies that allow efficient dissemination, sharing, publication or exchange of information via the Internet. Information can take the form of articles, photos, videos, posted comments, messages, chats and other material disseminated through popular social and professional networks such as Facebook, Twitter, YouTube and LinkedIn. Employees can engage in social media activities easily because these services are readily available to them: they are accessible from most desktops, laptops and mobile devices with Internet connectivity, and no additional tools or software are necessary.

What issues do Social Media present?

Common business issues identified with social media include: 1) inappropriate disclosure of confidential customer information, 2) distribution of negative, inappropriate or fraudulent information, and 3) system and data compromise caused by vulnerable devices and software used for social media activities. As such, institutions engaging in social media activities can be exposed to financial, operational, reputational, legal and compliance risks. Such institutions need to establish employee guidelines and define standards for acceptable and safe social media activities, both to remain compliant with privacy, information security and other applicable laws and regulations, and to minimize potential financial losses from lawsuits, regulatory fines, business disruptions, and loss of business and clients as a consequence of damaged company reputation.

By now, state and federally regulated institutions should have strong general IT controls and an information security program in place that address and manage the issues commonly associated with social media. Specifically, they should have already developed and implemented the following policies and procedures:

  • Acceptable Internet, Email and Computer Use Policy
  • Code of Ethics and Business Conduct Policy
  • Non-Disclosure/Confidentiality Policy
  • Virus Protection
  • Change Management
  • Patch Management
  • Network Security
  • Periodic vulnerability assessment and penetration testing
  • Mobile Computing Policy
  • Periodic information security awareness training
  • Monitoring

Although not specifically written for social media, the aforementioned policies and procedures encompass social media risks. Social media is another Internet tool, application or service similar to email, and as such it carries risks similar to those of Internet email use. “Inappropriate disclosure of confidential customer information and dissemination of fraudulent information both in and outside the workplace” are typically addressed in the Code of Ethics and Business Conduct Policy and the Acceptable Internet, Email & Computer Use Policy. These policies require employees to use good judgment in their Internet, email and computer use. Such policies and procedures can be expanded to explicitly include social media. An explicit definition of social media in policies and procedures can increase employee awareness of, and accountability for, social media activities, and so better manage the associated risks.

The social media risks of “system and data compromises resulting from system vulnerabilities” are typically addressed in the Mobile Computing Policy, Virus Protection Policy, Change Management Policy, Network Security Policy, Patch Management Policy, and the periodic vulnerability assessment and penetration testing process. Institutions need to make sure these policies are enforced and operating effectively to minimize system and data compromise resulting from social media activities.

How to prepare

As we await the final Risk Management Guidance on Social Media from the FFIEC, institutions can prepare by taking the initial step of determining whether this guidance applies to them. Specifically, institutions should determine whether any of their employees are engaging in social media activities either at work or at home. If so, they should prepare an inventory of social media tools, sites, accounts and activities by employee, which can serve as the starting point for the FFIEC social media risk assessment and risk management process.

SUMMARY

The proposed Risk Management Guidance on Social Media released by the FFIEC in January 2013 is helpful and reasonable. It is a good way to raise awareness of social media risks and can only lead to the enhancement of an institution’s information security program. As we await the release of the final FFIEC Risk Management Guidance on Social Media, institutions can prepare by assessing whether the impending guidance applies to them and, as appropriate, by preparing an inventory of social media activities and assets that can be used as input into the institution’s social media risk assessment and management process.

REFERENCES

“Financial Regulators Propose Guidance on Social Media,” http://www.ffiec.gov/press.htm, January 22, 2013

“Federal Financial Institutions Examination Council: Docket No. FFIEC-2013-0001,” http://www.ffiec.gov/press/Doc/FFIEC%20social%20media%20guidelines%20FR%20Notice.pdf, January 22, 2013

“Social Media,” http://en.wikipedia.org/wiki/Social_media

“Social Media: Business Benefits and Security, Governance and Assurance Perspectives,” http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Social-Media-Audit-Assurance-Program.aspx, May 2010

“Introduction to Social Media,” http://www.bbc.co.uk/webwise/courses/social-media-basics/lessons/introduction-to-social-media/

“How To Protect Your Business From Social Media Pitfalls,” http://www.forbes.com/sites/capitalonespark/2013/01/31/how-to-protect-your-small-business-from-social-media-pitfalls/, January 31, 2013
