OUTLOOK: Fears of a double dip recession are quietly receding
{Community Bank Advisor} Winter 2013
News & views for the banking executive.

Inside This Issue
Troubled debt restructurings: A quick update
Proposed changes to allowance for loan losses – Comments due April 30, 2013
How much risk are you taking?
The IRS delays the effective date of new tangible property regulations
First-time abatement penalty relief
Lessons learned from Hurricane Sandy
What’s with these recent password hacks?

OUTLOOK: Fears of a double dip recession are quietly receding

Brian Pollice, brian.pollice@plantemoran.com
Kris Hoefler, kristine.hoefler@plantemoran.com
Brady Nitchman, brady.nitchman@plantemoran.com

According to most reports, the threat of a double-dip recession is fading and there are signs that the economy is moving from a slow to a moderate rate of growth. Recovery, however, is coming slowly to community banks. They are being squeezed. Low demand for loans translates into less revenue while increased compliance costs mean higher expenses.

In a recent Plante Moran survey, 48 percent of financial institutions anticipated their regulatory compliance costs would increase 25 to 50 percent this year added to a 25 to 50 percent increase over the past several years.

Bankers are faced with many challenges going into 2013. They must successfully deal with constantly changing margins, manage risk, and balance the appeal of online services with information security concerns. Like all businesses, they also have to develop a comprehensive response to the healthcare reform play-or-pay mandate that goes into effect Jan. 1, 2014.

The debate among many is whether to drop or keep offering benefits. McKinsey and Company researchers, however, insist there are other options and indicate that after employers better understand the economic and social incentives embedded in the law they may dramatically restructure their benefits. It is a complex question and you need to take a comprehensive approach.

The sweetest spot is close to home

This year just like in years past community banks need to operate in their sweet spot. They can compete most successfully in their local markets where their service and knowledge give them an edge. Bankers should be ready to help the business leaders in their communities build on their optimism.

Data collected by the National Center for the Middle Market (NCMM) in mid-December 2012 and comments from business leaders who reviewed the findings before they were printed in mid-January were moderately optimistic about 2013. “It appears we are slowly recovering from the Great Recession,” a distributor, with 40 employees and $10 million in annual sales, described.

Responses regarding investment decisions, which often indicate how companies feel about the future, show that 41 percent of executives continue to keep their money in cash or securities rather than use it for growth, expansion, or acquisitions. However some are spending. “We’re trying to invest in advanced equipment to increase our capacity and reduce our manual workforce to help offset the increasing costs of healthcare and pensions,” explained a $100 million manufacturer with 625 employees.

Number one challenge: Healthcare costs

In every industry, the cost of healthcare is the top challenge. More than 90 percent of the respondents to the NCMM fourth quarter survey found healthcare costs to be somewhat or highly challenging. That has remained unchanged through most of the year and is a constant across size and industry.

As employers begin planning for the play-or-pay mandates that will go into effect in 2014, 47 percent will be reconsidering staffing. Thirty percent said they would freeze hiring and 17 percent said they would be laying off workers.

Growth profit pressures continue

Besides healthcare costs, executives in the NCMM report are concerned about their ability to continue revenue growth and indicate that margins are under pressure moving into 2013. Commodity prices rose significantly last year, and they might impact the cost of doing business and the ability of middle-market companies to maintain margins. Unlike large firms, middle market firms don’t have the leverage to control price swings. One way to grow revenues is to go abroad, but middle-market companies view this as risky.

Revenue growth

In 2012, middle-market companies posted average gross revenue growth of 7 percent and predict a 5.2 percent increase in 2013. According to NCMM Academic Director Anil Makhija middle-market business leaders are often cautious in their forecasts.

Jobs growth

The middle market added 1.17 million jobs in 2012 for a 2.7 percent gain, compared to a 2.1 percent gain for large U.S. firms. Small businesses were at the low end of the scale with only 1.2 percent job growth according to ADP data. The middle market anticipates a slight drop in job creation, down from 2.7 percent in 2012 to 2.3 percent in 2013.

Looking more closely at job creation last year, the service industry topped the list with 5.5 percent growth in jobs according to fourth quarter figures. Health care was second with 3.4 percent growth, retail was third with 2.8 percent. The wholesale industry was at the bottom with only 0.7 percent growth, followed by manufacturing with 1.7 percent.

Looking ahead in 2013, the service industry will continue to outpace the other industries, but anticipates job growth will decline 1.5 percent to 4 percent. Construction jobs will grow from 1.9 percent in 2012 to 3.5 percent this year, and the wholesale industry anticipates doubling its job growth over last year, up from 0.7 percent to 1.2 percent.

Confidence is low, but improving

According to NCMM polling, confidence among middle-market leaders remains depressed, but they are slowly becoming more optimistic. Of the firms surveyed roughly half are at least somewhat confident in the U.S. economy with the largest companies showing the biggest increase.

The economists at the NCMM say the fourth quarter results suggest “a notable change in trends that point to increasing expansion in the broader economy after a year of mostly tepid GDP growth.” And they conclude: “Talk and fears of a double dip recession are quietly receding.”

We thank the National Center for the Middle Market (NCMM) at The Ohio State University for sharing its data with us. The NCMM surveys 1,000 c-suite executives of middle-market companies in a range of industries each quarter. The middle market is defined as companies with annual revenue between $10 million and $1 billion.
Plante Moran | Winter 2013

Troubled Debt Restructurings: A Quick Update

Steve Schick, steve.schick@plantemoran.com
Scott Misch, scott.misch@plantemoran.com

At the risk of further wearing out an already well-worn topic, it seems worth a few moments to review what was new in the world of Troubled Debt Restructurings (TDRs) during 2012 and provide some thoughts on how best to interpret and implement the new FASB and regulatory guidance. For some time now, the industry has been working to interpret and implement Accounting Standards Update (ASU) 2011-02 — A Creditor’s Determination of Whether a Restructuring is a Troubled Debt Restructuring. SEC registrants were required to implement the new guidance during the second quarter of 2011, and non-public institutions were required to adopt it for fiscal years ending after December 15, 2012 (essentially, for December 31, 2012, financial reporting for calendar-year institutions). Along with the new accounting guidance from the FASB, the Office of the Comptroller of the Currency (OCC) issued contemporaneous regulatory guidance in April 2012. It is safe to assume that other regulators will likely apply TDR guidance that is very similar to that put forth by the OCC.

One of the most important facts to keep in mind is that neither the new accounting nor regulatory guidance amended the definition of what constitutes a TDR. Instead, the new guidance attempts to clarify what constitutes borrower financial difficulty and lender concessions, the two elements that need to be present in order for a loan modification to be considered a TDR. As such, most institutions have found that the TDR policies they previously had in place are still relevant and accurate (albeit, in need of some clarification and expansion, in many cases). The most significant changes brought about by the new guidance have been within the detailed documentation that institutions use to support the TDR decision and to calculate required specific reserves and charge-offs, particularly when interest rate concessions have been made. True, the new guidance has made it more difficult for a troubled loan modification to avoid the TDR designation; and some old standbys that were previously called upon to refute the TDR presumption, such as the debtor’s effective interest rate test, are now prohibited. Yet, in working through TDR issues with our clients over the past 12–18 months, it seems the most significant new burdens on institutions are the nature and level of documentation required by the guidance and in practice by regulators and auditors.

A review of ASU 2011-02 will quickly prove that some of the subjectivity has been taken out of the TDR identification process. Circumstances that are now considered strong indicators of borrower financial difficulty and the types of lender actions that qualify as concessions (as well as insignificant actions that do not qualify as concessions) are more clearly defined. Despite this, the identification of TDRs and the overall accounting treatment for modified loans is still a highly subjective exercise. Whether determining if a payment delay is “insignificant,” attempting to decide if a revised interest rate is akin to a “market rate,” or if a loan structure is comparable to that which would be offered by another institution, the path is indeed perilous. The nature of lending and loan structuring, particularly to small businesses and real estate ventures, makes the challenge even greater, as each deal has its own nuances that make it difficult to compare it to another deal — if only it were that easy.

The solution, or at least the most successful solution seen to date, has been to significantly enhance the nature and volume of documentation supporting the TDR determination. Logically, when dealing with a highly subjective matter, the more one can explain and support their decision with empirical data and tie it to the applicable guidance and rules, the more likely one’s argument and position are to stand in the face of challenge. Those institutions whose TDR identification processes and documentation have passed muster with the regulators and auditors tend to have the following in common:

1. Clear TDR identification and measurement policies and procedures have been established and are clearly followed. Don’t forget the importance of the mechanical procedures; deciding who will analyze the data, prepare the documentation, and review and approve the final decisions is critical.

2. Proper personnel have been included in the process. For better or worse, the TDR identification and measurement process is a multidisciplinary activity. Lenders and accountants must work together so that the facts are presented completely and accurately and those facts are properly interpreted in light of the applicable guidance. Processes that reside exclusively in the lending or accounting areas will almost certainly fall short.

3. Quality tools are available to aid those involved in the process. Whether using a detailed TDR checklist to document if a modification qualifies as a TDR or relying on an accurate discounted cash flow calculation template, implementing and consistently using standard tools is imperative. There are myriad quality tools publicly available, and your Plante Moran advisors are always happy to provide a template if you need one or would like to consider alternatives. Please don’t hesitate to ask.

4. Senior management must dedicate the necessary resources to make sure the process is completed properly and timely. As previously mentioned, working with TDRs is a time-consuming and highly subjective process. The tone at the top of the institution must be supportive of personnel doing the detail work and provide them with the time and materials necessary to do the job right.

In conclusion, it’s worth mentioning that a complex process like TDR identification and measurement can always benefit from a “second look,” particularly if that look comes from an independent source. We’ve heard some clients and friends in the industry bemoan the fact that despite their best and most meticulous efforts related to TDRs, they still feel that they’ll be (or have been) second guessed and have their conclusions unreasonably challenged by regulators and auditors. Unfortunately, there’s no magic bullet to completely defend against that reality. However, some additional credibility has been gained by institutions that call upon internal auditors (whether outsourced or in-house) to execute a targeted audit of TDR processes, documentation, and conclusions. In cases where this additional level of review and internal challenge has been performed, external auditors have been able to rely, to varying degrees, on the internal audit work product and regulators have considered the results of the review and modified their approach accordingly. To date, a review of this nature seems to be the best insurance policy an institution can buy regarding TDRs.
Proposed Changes to Allowance for Loan Losses – Comments due April 30, 2013

Marc Doerr, marc.doerr@plantemoran.com
Scott Phillips, scott.phillips@plantemoran.com

After the worst recession since the Great Depression, financial institutions have had to reassess the adequacy of their allowance for loan and lease losses (ALLL). This reevaluation has included questions, such as: (1) Should I shorten or extend the historical loss period? (2) Are my qualitative factors enough to adjust the historical loss factor? (3) And, most importantly, is the allowance sufficient to cover the losses included in my loan portfolio? The International Accounting Standards Board (IASB) and the Financial Accounting Standards Board (FASB) have been developing a new ALLL methodology to include estimates of future losses in addition to the losses inherent in the loan portfolio.

On December 20, 2012, FASB issued Proposed Accounting Standards Update No. 2012-260, Financial Instruments – Credit Losses (Subtopic 825-15). The proposed standard introduces a Current Expected Credit Loss (CECL) model. The CECL model requires an entity to impair its existing financial assets on the basis of the current estimate of contractual cash flows not expected to be collected. The significant difference from current GAAP would be to eliminate the “probable” initial recognition threshold and replace it with the current estimate of expected credit loss. It is believed the CECL model will likely result in increased reserves as compared to current accounting.

The proposed standard has gone through multiple transformations, including potential convergence with IASB after its initial exposure document in November 2009. For its part, the IASB had proposed a three-bucket approach to accounting for the expected losses. The IASB approach includes Bucket 1 whereby an entity would recognize expected losses for which a loss event is expected in the next 12 months. Bucket 2 includes assets that have been affected by the occurrence of observable events that indicate a direct relationship to possible future defaults within the lifetime of the credit. Bucket 3 consists of loans where information is available that specifically identifies that credit losses are expected to, or have, occurred on individual credits within the credit’s lifetime. A transfer from Bucket 1 to Bucket 2 would occur when the deterioration in credit quality has been more than insignificant and at least some or all of the contractual cash flows may not be collected. The FASB, as part of its movement toward convergence with international standards, was considering the IASB model. However, due in part to concerns over transfers between buckets, the FASB broke away from convergence with the IASB.

The CECL model was introduced in August 2012 and, now with this recent exposure draft, may replace the five existing impairment models (FAS 5, FAS 114, SOP 03-3, FAS 115, EITF 99-20) for debt instruments in current U.S. GAAP, with a single expected credit loss measurement objective for the allowance for credit loss. The CECL model focuses on “expected credit loss and the current recognition of the effects of credit deterioration on collectability expectations.” This estimate should reflect the future contractual cash flows that the entity does not expect to collect using current probabilities of default, current historical loss rates, changes in credit risk (risk rates, credit scores), and other changes in reasonable and supportable forecasts.

In theory, as the level of risk inherent in loans increases, the expected loss would increase and require a commensurate level of allowance. In order to fully substantiate the estimate of expected credit losses, all assumptions will have to be based on supportable information that is relevant in making the forward-looking estimates.

Disclosures and transition guidance included in the new exposure draft for the CECL model include: (1) credit-quality information, (2) allowance for expected credit losses, (3) roll forward for certain debt instruments, (4) reconciliation between fair value and amortized cost for debt instruments classified at fair value with qualifying changes in fair value recognized in other comprehensive income, (5) past-due status, (6) nonaccrual status, (7) purchased credit-impaired financial assets, and (8) collateralized financial assets. The FASB has proposed the transition be a cumulative-effect approach, where the cumulative-effect adjustment would be recorded in the beginning of the first reporting period for which the guidance is effective, with appropriate transition disclosures detailing the transition.

The exposure draft has a comment period that ends April 30, 2013. All interested parties are encouraged to read the exposure draft and provide a comment letter to the FASB for consideration.
How Much Risk Are You Taking? The Case for Developing Enterprise Risk Management at Community Banks…NOW

Rob Bondy, robert.bondy@plantemoran.com
Mike Stearns, michael.stearns@plantemoran.com

How would you answer the question, “How much risk are you taking?” In years past, the common response was, “Only enough to generate an adequate return.” Most responses came “from the gut” versus any formal analysis. After all, most financial institutions correlate risk with asset underwriting or asset-liability management practices and, perhaps, believe enterprise risk management (ERM) to be a “big bank” task.

To help guide the focus of directors and senior managers, some institutions have attempted to tackle an ERM system, only to find the devil is in the details. It’s important to view ERM as an opportunity to embrace each component of the organization and apply a consistent methodology and reporting structure. To start down the road of an ERM system, formulate a roadmap to get some momentum.

Task 1: Take Inventory

The following steps are critical in developing an ERM model and will put the scope of an ERM system in perspective:

1. Identify areas most important to providing a return to stakeholders.
2. For each of the identified areas, identify the most significant risks to providing that return.
3. Now, align existing policies with each risk.
4. Determine what you already do to monitor those policies.

After completing the above activity, it’s likely that there are up to a dozen areas considered important with five to 10 corresponding risks from each to monitor and track. You likely have a book full of policies and have a lot of money devoted to monitoring and testing against these policies. Your list probably has more than 100 items on it. Now what?

Develop a System (Or Take One From an Existing Concept)

An ERM system should have a consistent reporting structure and definitions to measure against. Thankfully, in the financial institution industry, we’ve been trained well, and regulators have already formulated a concept to measure us against. Approaching risk management along the lines of the CAMELS components has been proven to be the most efficient way to consistently define and measure risk.

Task 2: Map Your Inventory

Each one of the areas, risks, policies, and monitoring activities should correlate to one of the CAMELS components. If it doesn’t, create a group of “other strategic initiatives” to include, such as compliance, information technology, etc. Now, organize them:

1. Rate each area from 1–10 (or however many you have) on importance.
2. Limit the focus to the top three areas from each of the CAMELS components (we’ll provide some leniency here).

As a result, you’ve identified up to 20 of the riskiest areas. The important policies are inventoried, and a monitoring plan is in place. A great starting point! Now, it’s time to take it to the next level.

Task 3: Begin to Manage the Model and Plan for the Next Level

The next level of managing the ERM model will integrate financial results, budgeting, internal/external risk indicators, determining base cases, and stress tests. Definitions, tolerances, and activities will be further defined. Ultimately, the ERM system becomes a tool that’s consulted when strategic initiatives are contemplated. That’s a lot to cover in one article, but until a framework is formulated, ERM is really a non-starter.

Your financial institution likely has a strong front-line risk management system; however, the concept of ERM requires us to consider a broader risk appetite and risk profile when making strategic decisions. Details can be overwhelming and might be a deterrent to establishing an ERM program. We’ve found integrating a simple program to monitor the key risk indicators can be highly effective in overcoming the challenge.
The IRS delays the effective date of new tangible property regulations

Mariann Krieger, mariann.krieger@plantemoran.com

The IRS has deferred the effective date of new tangible property regulations from tax years beginning on or after January 1, 2012, to tax years beginning on or after January 1, 2014. The new regulations were issued in December 2011 to guide taxpayers on how to account for amounts paid to acquire, produce, or improve tangible property. Below is a summary of the new guidance.

The new guidance (as published in Notice 2012-73) delays the mandatory effective date of the tangible property regulations to tax years beginning on or after January 1, 2014. The guidance also notifies taxpayers that final regulations will likely be issued in 2013, which will apply to taxable years beginning on or after January 1, 2014. For taxable years beginning on or after January 1, 2012, taxpayers may apply the provisions of either the already existing temporary regulations or the anticipated final regulations.

Recognizing that taxpayers are expending resources to comply with the temporary regulations, the IRS also indicated that certain sections of the temporary regulations may be revised and in certain cases simplified when the regulations are issued in final form. The areas below were specifically noted by the IRS.

• De Minimis Rule – Under the current regulations, taxpayers with an applicable financial statement, such as a certified audited statement, may claim a current deduction for the cost of acquiring items, including materials and supplies. The amount that may be expensed annually under a taxpayer’s policy is subject to a limitation based on the greater of 0.1 percent of gross receipts or 2 percent of book depreciation and amortization.
• Rules Related to Asset Disposition – The new regulations permit taxpayers to claim a loss deduction for the retirement of a structural component. The regulations allow a taxpayer to use a reasonable method in determining the basis of an asset for the purpose of determining the deduction.
• Safe Harbor for Routine Maintenance – A taxpayer may deduct an amount paid to keep a property in its ordinary operating condition if the taxpayer reasonably expects to perform the activities more than once during its life when it is placed in service.

Taxpayers who choose to apply the temporary regulations to the 2012 tax year may continue to obtain automatic consent to change their methods of accounting under previous guidance.

In light of these and other potential planning and implementation issues, taxpayers have the opportunity to early adopt either the entire regulations or select provisions depending on each taxpayer’s unique tax situation. Regardless of whether taxpayers decide to early adopt or wait until 2014, they should begin to analyze how they will be affected and start to develop the necessary systems to track the information needed for the eventual implementation of the final regulations.

First-time abatement penalty relief

Brian Howe, brian.howe@plantemoran.com

According to the IRS, the purpose of penalties is to deter noncompliance, not to raise revenue. Certain penalties can be waived or abated if the taxpayer has a past history of compliant behavior. In effect, the IRS rewards taxpayers with a history of compliant behavior with a one-time penalty amnesty.

• For individuals, First-Time Abatement (FTA) applies to the failure-to-file and failure-to-pay penalties. Estate and gift tax returns do not qualify for FTA waivers.
• For businesses and payroll returns, FTA applies to the failure-to-file, failure-to-pay, and/or the failure-to-deposit penalties. S corporation and partnership late-filing penalties also qualify under FTA.

FTA applies only to certain penalties and certain returns filed. The taxpayer must also satisfy the clean compliance criteria rules:

• Clean three-year penalty history. The taxpayer cannot have penalties of a “significant” amount assessed in the prior three years on the same type of tax return.
• Required returns filed. The taxpayer must have filed all tax returns for the past three years, as required.

FTA does not apply to the estimated tax and accuracy-related penalties. The assertion of an accuracy-related penalty is based on the facts and circumstances of each taxpayer and each tax year.
Lessons Learned From Hurricane Sandy

Colin Taggart, colin.taggart@plantemoran.com
Joe Oleksak, joe.oleksak@plantemoran.com

On October 30, 2012, Hurricane Sandy launched a 13-day devastating drive across the East Coast, disrupting families and businesses caught in her path. The destruction included damages in excess of $70 billion, a crippled mass transit system, gas shortages, and more than 8 million customers without power. According to an article posted on the Centers for Disease Control and Prevention website, “FEMA has estimated that nearly 72,000 homes and businesses in New Jersey alone were damaged. An analysis of aerial imagery by the agency showed more than 500 buildings were destroyed outright or reduced to debris, another 5,000 suffered major damages from flooding or high winds, about 24,000 had minor damage, and tens of thousands of others were affected by floodwaters.”

Hurricane Sandy was only one of many events that impacted businesses directly or indirectly during 2012, which taught businesses two things: (1) all disasters are not created equal, and (2) it’s critical to be prepared. Integral to preparation is developing a disaster recovery plan (DRP).

ALL DISASTERS ARE NOT CREATED EQUAL

Although there are a variety of natural disaster possibilities, most organizations only concern themselves with those that have affected nearby areas in the past. Your organization will need to tailor its disaster recovery planning efforts to align with the most probable disasters. This is not to say organizations outside Tornado Alley should ignore the possibility of a tornado; however, based on a probability assessment, planning for a volcano in the Midwest may not be necessary. Furthermore, while your organization may not operate in Tornado Alley, violent storms resulting in property damage, flooding and power outages can happen anywhere.

Although disasters are hardly created equal, there are common issues from which the entire country can learn. For example, any large natural disaster could potentially affect the communication infrastructure in the area. Whether cell phone towers are toppled or power is simply knocked out, you may not be able to rely on cell phones to connect with your staff. (With approximately 32 percent of adults living in households with only wireless telephones, you may have no alternate landline to use.) In addition, staff may not be able to make it into the office. Whether the office no longer exists, travel is unsafe, or staff prefer to manage the effects of the disaster at home, organizations need to consider how they’ll recover without full, onsite recovery teams.

It’s also important to note, however, that each disaster has unique features. For example, the advance warning time for a hurricane differs from that of a tornado. Therefore, no overall plan can cover all possibilities. While an organization may cover the backup data restoration process in an overall plan, there should also be unique staff evacuation procedures documented for each disaster possibility. It’s important that companies complete a risk assessment to identify the most likely incidents and their specific impacts (such as water damage, staff safety, and power redundancy).

DO YOU HAVE A DISASTER RECOVERY PLAN?

Ideally your DRP will never need to be used, but that doesn’t mean it’s not important to have one. In the event of a disaster, your team’s expertise with day-to-day procedures will be helpful; however, with unavailable staff and resources, you’ll need to modify existing procedures to accommodate a disaster scenario. Being able to rely on a useful DRP in this situation is a critical timesaver, eliminating the need to invent new procedures mid-disaster. Training key team members on their responsibilities and workaround procedures under the plan will greatly help to reduce confusion and wasted time.

A major misconception included in typical DRPs pertains to the number of key staff who will be available to assist in the recovery process. Results of a survey completed after a 1994 Los Angeles area earthquake confirmed that the most common reason for a business interruption was staff attending to personal matters. Even if the disaster doesn’t destroy the office or roads, the disaster could lead to multiple staff having family crises to attend to. If the technology is functioning, this can be slightly alleviated by allowing staff to work remotely from home. For those who do come into work, the organization will also need to be sensitive to the personal effects of the disaster, such as setting up a temporary office daycare if there are related school closings and power outages. As staff will be the toughest “resource” to replace during a disaster, it’s also critical that DRP efforts include cross-training initiatives from front-line staff to executive members of the organization.

Another mistake to avoid in the recovery planning process is ignoring the importance of regularly testing recovery capabilities. Generators, redundant communication lines, and backup drives all need to be tested to confirm you can rely on them when necessary. Relying on an untested secondary critical vendor connection is an improvement over having no redundancy at all; however, it could lead to a similar recovery delay if the organization waits until a disaster to realize there needs to be additional changes to firewall settings for the connection to function. Additionally, the organization should continue to complete tests as the organization grows and changes to ensure implemented controls can still support the organization.

ARE YOU PREPARED?

The first steps toward developing a DRP are the most important and most difficult, as they’ll shape the entire recovery program for your organization. Our business continuity planning team has assisted clients in a variety of industries in navigating this important process. We start by meeting with key team members to identify the organization’s unique environment and explain the DRP process. To develop a comprehensive plan, our IT specialists will consult with all departments in your organization to determine which data and applications are most critical and need to be recovered most quickly after a disaster. These discussions will all be focused on the organization’s “pain threshold” for system downtime related to lost income, industry image, customer confidence, and other key impacts.

Once the critical system recovery goals have been identified, we’ll work with your IT department to identify the key resources required to meet these goals. At the end of our engagement, your team will have a plan in place to recover key resources following a disaster and re-establish business operations at an acceptable level and time frame to ensure the well-being of your organization. We’ll also assist with long-term goals to ensure the continuity plan evolves with your organization by being periodically revisited, updated, and tested.

What’s With These Recent Password Hacks?

Tom Ervin, tom.ervin@plantemoran.com
Jennifer Whiteside, jennifer.whiteside@plantemoran.com

In June 2012, a large dump of around 6.5 million LinkedIn password hashes was posted on an online forum by a hacker requesting help in reversing the hashes into valid passwords. This was followed, apparently by the same hacker, by passwords from the dating website eHarmony. Then, in July, Formspring and Yahoo passwords were compromised. Is this a wake-up call for businesses to get serious about password security?

After LinkedIn acknowledged the compromise, they still haven’t confirmed if there was, in fact, a compromise or if it was simply a false alarm. Even after finally acknowledging the compromise, they still haven’t confirmed that they’ve determined when and how hackers accessed the account information of their users. More importantly, they haven’t announced that the vulnerability that led to their compromise has been discovered and closed.

Formspring and Yahoo, on the other hand, confirmed their password breaches and applied fixes within 24 hours. Formspring went further and provided details on how the breach was fixed.

Blogs, news agencies, and Internet resources everywhere responded by reporting these events and dispensing textbook advice about how to respond to a password compromise. Unfortunately, in their rush to publish these stories, they missed some important details. In the case of LinkedIn, only the password hashes were posted online. They weren’t posted alongside the corresponding email addresses. This means that even though a large list of encoded passwords was posted publicly, the information required to log in under those accounts is only available to the hacker(s) that posted the encoded passwords. Since these passwords were hashed using the SHA-1 algorithm, they couldn’t be read without using time-consuming, password-cracking
Plante moran | Winter 2013 techniques. By now, hundreds of thousands of the passwords These breaches will continue to occur, so where does that have been reversed by security researchers to help gain statis- leave the end user? Vulnerable … but that vulnerability can be tics about password complexity and use. decreased by following these three tips: Most companies immediately sent internal emails to employees • Use tiered passwords. Don’t use the same password to change their LinkedIn or Yahoo passwords, which missed the for all sites. The key to your office door shouldn’t open real intent of the hack. Hackers never wanted the LinkedIn pass- the front door of your house or safe, so why should one words, as access to those accounts simply isn’t very valuable. So password access different sites/systems? Just like you what were they after? Email addresses and account passwords. have different keys for different doors, you need to use They hope you, like so many others, reuse the same password different passwords for different sites (especially financial across many or all of the sites you use. and email sites). If you used the same password to log into LinkedIn as you do • Change your passwords more frequently. When was the for your email account, stop reading, and change your email last time you changed your password for your online password now. Access to your email provides a hacker with the banking account or your Facebook account? Ideally, you ability to view all the other sites you’ve signed up for using that should change passwords to sensitive accounts at least email address. This means they can locate accounts like your every 30 days. online banking sites, online shopping (particularly sites where • Set strong passwords. Setting long passwords that con- you’ve stored your credit card information), and online payment tain letters, numbers, and characters for numerous web- sites like Google Checkout or PayPal. 
Using the information sites can be difficult to memorize. So what can a user do? they originally gained from accessing LinkedIn, they can then Use paraphrases. For example “MyBirthDate?June15,60.” purchase goods and sell them for cash. Often, large compro- It’s long, it has all the letters, numbers, and characters, mises of username/email and password combinations would and it’s easy to remember. be sold off on hacker sites leaving cyber criminals with smaller chunks of user data they could take advantage of in whatever These best practices can be the difference between security way they see fit. and vulnerability. raj.patel@plantemoran.com Check Out More Technology Features at Banks.plantemoran.com From the 2012 Community Bank Technol- Cyber Attacks: Is Your Bank at High Risk? ogy Survey to whitepapers helping banks Large financial institutions continue to make the front page guard against cyber attacks, leveraging in the ongoing onslaught of cyber attacks. However, small Raj Patel smart phones as the wallets of the future, and medium-sized banks may be just as vulnerable, if not and going green, we have a number of great resources on more so. our website. Here’s a quick overview. On September 19, the Financial Services Information Shar- ICBA Community Bank Technology ing and Analysis Center (FS-ISAC) issued an alert notifying Survey Results U.S. financial institutions that they’re now at high risk of For more than a decade, the Independent Community cyber attacks. What does this mean? Learn more at Bankers of America (ICBA) and Plante Moran have con- banks.plantemoran.com. ducted the Community Bank Technology Survey. The survey Smart Phones: The Wallet of the Future is designed to track community bank trends and strategies in technology. A total of 530 community banks responded. Smart phones offer us a means of convenience. 
We can Key findings include: share our lives, experiences, and adventures through social media apps or travel to places near and far guided by GPS • Community banks are embracing mobile technology. navigation. In addition, several technologies are emerging • Mobile apps have core functionality comparable to that will allow us to use the chips in our phones to make online banking. purchases, making that smartphone all the more invaluable. Technologies like Google Wallet, ISIS Mobile Commerce • Regulatory compliance is community banks’ top Network, and Venmo are here—and they’re changing the technology concern, followed by data security and way we look at our phones. Learn more at systems availability. banks.plantemoran.com. Learn more at banks.plantemoran.com. 11
This publication is distributed with the understanding that Plante & Moran, PLLC is not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assumes no liability whatsoever in connection with its use. Please send change of address or additions/corrections to the mailing list to theresa.zimmerman@plantemoran.com.