Given the increase in social unrest and the logistical challenges of COVID–19, banks should take a deep look at their overall security programs and consider giving them a thorough review and update. The bank’s security program considers a number of elements including, but not limited to, physical security, data security, employee security and coordination with law enforcement. Banks should take a hard look at their overall security risk assessment and modify accordingly to address current circumstances.
The Bank Protection Act requires the Board to name a Security Officer and for the Security Officer to prepare an annual report to the board on the status and effectiveness of the bank’s security program. The requirements spelled out in the regulation are rather general in nature, however, best practice suggests the duties of the Bank Security Officer include:
- Preparing an annual security risk assessment;
- Engaging on new bank facilities projects to ensure security considerations are identified and addressed;
- Ensuring employees receive appropriate [risk based] security training;
- Coordination with law enforcement both before and after a security event;
- Working with third party firms such as insurance companies to identify and reduce bank [security] risks;
- Working with internal risk staff such as compliance, legal and audit to ensure that policies, procedures, training, and testing are in place to meet bank security requirements;
Both the COVID-19 crisis and the high volume of social unrest have changed the bank security landscape considerably.
- “Work from Home” has extended the bank“footprint” into a multitude of locations;
- Bank facilities are operating under closed conditions, reduced hours, or limited access;
- Normal work patterns and practices have changed considerably;
Moreover, the external environment has changed considerably:
- Many locales have seen an increase in property crimes against business, including banks;
- Crimes such as ATM theft have increased;
- Increased “social unrest” and calls to “de-fund”the police have impacted police operations, response times, and other activities in a number of jurisdictions;
Other Security Matters:
It is not just physical security that is impacted by these factors, there are numerous other impacted areas such as data security,employee security, and customer data. Since many organizations are operating in a radically different manner, consideration should be given to:
- Data Security – ensuring virtual networks, bank systems and work processes are up to date with current security protocols,updated system patches, and other fixes such as VPN’s, increased use of multi-factor authentication, etc.
- Virtual Meeting Management – Many of us are using systems such as ZOOM and Skype – ensure policies and procedures are in place to mandate that these be used in a secure and well controlled manner.Ensure frequent changes in passwords and “audit” the attendance of your meetings.
- Employee Security Awareness – While working from home, ensure that work related conversations remain confidential and bank data is properly managed and secure.
Steps the Security Officer should take
In light of these risks and the volume of changes to the external environment, the Bank Security Officer should consider conducting a thorough reassessment of its overall risk profile and impact to operations. Factors to consider include, but are not limited to:
- Prepare an updated Bank Security Risk Assessment to ensure the program is up to date with regard to potential bank risks and the corresponding risk response;
- Conduct as-needed inspections of facilities and bank premises to ensure security protocols are up to date and commensurate with the increased risk profile;
- Contact law enforcement to discuss any changes that may be needed and discuss factors such as response time, current changes to coverage, etc. Identify any significant trends or increased risks that they may be aware of.
- Review and update employee training, policies,or procedures;
- Coordinate with IT and data security to ensure that data security practices are up to date and that enhanced bank and customer data protections are in place in a “work from home environment.