Cybersecurity

We perform, evaluate, and update Cybersecurity Risk Assessments using the Cybersecurity Assessment Tool. RGS deploys seasoned professionals with the expertise to evaluate the current state of cybersecurity internal control frameworks and determine the risks based on systems and technologies being used including all Third-Party vendors. Our approach is designed to identify vulnerabilities and control weaknesses before a security breach occurs. We also seek opportunities for process and control enhancement. Other key considerations include:

• Known and emerging risks
• Regulatory changes and priorities
• Strategic initiatives
• Prior audit or regulatory issues
• Resource planning and skill requirements

We develop and update policies and procedures and facilitate implementing a program to ensure that policies and procedures are kept up to date timely and systematically. RGS team customizes programs that suit and support an institution’s needs, based on the systems and technologies used, Third-party vendor and IS/Cybersecurity and related processes implemented at the institution. We also assist in enhancing policies and procedures to ensure the appropriate alignment with regulatory requirements

We develop or enhance programs to comply with regulatory requirements which are designed to effectively address actions in response to a reportable cyber or fraud incident. Processes developed will record and evaluate computer-security incidents for escalation as needed and will include consideration for regulatory reporting based on preset criteria triggers concerning materiality and measurements of harm to provide consistency in reporting. Policy and processes will be evaluated against industry best practices and compliance with applicable Federal and State regulations.

We evaluate, update and test processes and control, or develop and document program for protection and accuracy of data for privacy, security, and cybersecurity purposes, as applicable, while considering applicable regulatory requirements, including Federal Banking Regulators, European Union’s GDPR, New York State’s Cybersecurity Regulation 23 NYCRR 500, California State’s CCPA, etc. We assist in establishing and/or performing on-going compliance monitoring with respect to these regulations. We also review reporting and tracking protocols to ensure that identified issues are tracked and investigated within stipulated timeframes and reported accordingly through the governance process and in compliance with regulatory requirements concerned.

RGS helps institutions prepare for upcoming regulatory examinations, highlighting likely IS/ Cybersecurity issues that need immediate attention of the Board and Senior Management before the onset of the regulatory examination. RGS leaders bring years of experience working with institutions and the Technology/Security related regulatory examination process. Whether reviewing information requests or validating prior regulatory issues we understand regulatory expectations and the nuances associated with IS/Cybersecurity compliance. Our mock examinations are designed to identify potential issues ahead of time and help reduce the number of potential examination findings. Our mock examinations have been of great help to various institutions from De Novo (facing their first examination) to ones with significant or complex regulatory issues, or the ones that have changed their systems, processes or services, etc.

RGS offers customized training programs that are designed not only to address core Board training requirements but also includes industry developments, regulatory updates, and best practices. We create staff training programs tailored to specified needs. Our training programs focuses specifically on evolving technology and cybersecurity risks, digitalization, vendor management and data security.

RGS specializes in helping institutions ensure that corrective actions implemented to address IS/Cybersecurity audit or regulatory examination issues are appropriate and fully addresses the issues and their root-cause. The RGS validation process is thorough, well documented, and clear in demonstrating whether an issue has been properly remediated. Our team is experienced in working with the institution’s management and board, as well as regulatory authorities. Our work ensures a comprehensive evaluation and clear conclusion whether regulatory matters requiring attention, or consent order actions are fully remediated, with a clear understanding of the root cause, and the remediations set the stage for regulatory acceptance of the comprehensiveness and adequacy of corrective actions, setting the stage for removal of the supervisory action and lifting of restrictions on business, if any.

We perform security vulnerability assessments and provide penetration testing. Our approach starts with a review of the state of the vulnerability management program and procedures currently in place for completeness and best practices. We offer routine internal vulnerability testing including, all servers, applications, wireless networks, and other access channels. If requested, we also perform social engineering and phishing stimulations testing for vulnerabilities.

RGS team includes experienced and qualified resources to perform a simulated attack on institution’s network perimeter. External penetration testing includes attempts to exploit identified vulnerabilities located on external devices that are accessible over the Internet. In this category are Web Servers (HTTP), Mail Servers, and publicly accessible applications leveraged by the organization’s employees and customers.

RGS performs social engineering and phishing stimulations testing for institutions. The social engineering assessment of RGS is designed to evaluate and assess the adequacy of controls established to protect the institution’s assets and resources, as well as the institution’s employees’ conformance with their policy and related Information Security training guidelines.

We are available to support any cybersecurity service needs that may arise. Examples include, policies and procedures, project management, ongoing monitoring and testing, governance and reporting, internal audit, regulatory remediation, or training.