OUTLOOK: Fears of a double dip recession are quietly receding
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
{Community Bank Advisor}
Winter 2013
News & views for the banking executive.
OUTLOOK: Fears of a double dip
recession are quietly receding
According to most reports, the threat of a double- It is a complex question and you need to take a com-
brian.pollice@plantemoran.com
dip recession is fading and there are signs that the prehensive approach.
economy is moving from a slow to a moderate rate of
growth. Recovery, however, is coming slowly to com- The sweetest spot is close to home
munity banks. They are being squeezed. Low demand This year just like in years past community banks need
for loans translates into less revenue while increased to operate in their sweet spot. They can compete most
compliance costs mean higher expenses. successfully in their local markets where their service
and knowledge give them an edge. Bankers should be
In a recent Plante Moran survey, 48 percent of financial
Brian Pollice ready to help the business leaders in their communities
institutions anticipated their regulatory compliance
build on their optimism.
kristine.hoefler@plantemoran.com
costs would increase 25 to 50 percent this year added
to a 25 to 50 percent increase over the past several Data collected by the National Center for the Middle
years. Market (NCMM) in mid-December 2012 and comments
from business leaders who reviewed the findings before
Bankers are faced with many challenges going into
they were printed in mid-January were moderately
2013. They must successfully deal with constantly
optimistic about 2013. “It appears we are slowly recov-
changing margins, manage risk, and balance the appeal
ering from the Great Recession,” a distributor, with 40
of online services with information security concerns.
employees and $10 million in annual sales, described.
Kris Hoefler Like all businesses, they also have to develop a compre-
hensive response to the healthcare reform play-or-pay Responses regarding investment decisions, which often
brady.nitchman@plantemoran.com
mandate that goes into effect Jan. 1, 2014. indicate how companies feel about the future, show
that 41 percent of executives continue to keep their
The debate among many is whether to drop or keep
money in cash or securities rather than use it for growth,
offering benefits. McKinsey and Company researchers,
expansion, or acquisitions. However some are spend-
however, insist there are other options and indicate
ing. “We’re trying to invest in advanced equipment to
that after employers better understand the economic
increase our capacity and reduce our manual workforce
and social incentives embedded in the law they may
to help offset the increasing costs of healthcare and
dramatically restructure their benefits.
Brady Nitchman Continued on pg. 2
Inside This Issue
Troubled debt restructurings: The irs delays the effective date of new tangible
A quick update — PG. 3 property regulations — pg. 8
Proposed changes to allowance for First-time abatement penalty relief — Pg. 8
loan losses – Comments due April 30, 2013 —
Lessons learned from hurricane sandy — PG. 9
PG. 5
What’s with these recent password hacks? —
How much risk are you taking? — PG. 7
pg. 10
{Community Bank Advisor}
OUTLOOK: Fears of a double dip
recession are quietly receding
Continued from front cover
pensions,” explained a $100 million Revenue growth from 1.9 percent in 2012 to 3.5 percent
manufacturer with 625 employees. In 2012, middle-market companies this year, and the wholesale industry
posted average gross revenue growth anticipates doubling its job growth
Number one challenge: over last year, up from 0.7 percent to
of 7 percent and predict a 5.2 percent
Healthcare costs increase in 2013. According to NCMM 1.2 percent.
In every industry, the cost of healthcare Academic Director Anil Makhija middle-
is the top challenge. More than 90 per- Confidence is low, but
market business leaders are often
cent of the respondents to the NCMM cautious in their forecasts.
improving
fourth quarter survey found healthcare According to NCMM polling, confi-
costs to be somewhat or highly chal- Jobs growth dence among middle-market leaders
lenging. That has remained unchanged The middle market added 1.17 million remains depressed, but they are slowly
through most of the year and is a jobs in 2012 for a 2.7 percent gain, becoming more optimistic. Of the firms
constant across size and industry. compared to a 2.1 percent gain for surveyed roughly half are at least some-
large U.S. firms. Small businesses were what confident in the U.S. economy
As employers begin planning for the
at the low end of the scale with only with the largest companies showing the
play-or-pay mandates that will go into
1.2 percent job growth according biggest increase.
effect in 2014, 47 percent will be recon-
sidering staffing. Thirty percent said to ADP data. The middle market The economists at the NCMM say
they would freeze hiring and 17 percent anticipates a slight drop in job creation, the fourth quarter results suggest “a
said they would be laying off workers. down from 2.7 percent in 2012 to notable change in trends that point to
2.3 percent in 2013. increasing expansion in the broader
Growth profit pressures Looking more closely at job creation economy after a year of mostly tepid
continue last year, the service industry topped GDP growth.” And they conclude: “Talk
Besides healthcare costs, executives in the list with 5.5 percent growth in and fears of a double dip recession are
the NCMM report are concerned about jobs according to fourth quarter quietly receding.”
their ability to continue revenue growth figures. Health care was second with We thank the National Center for the
and indicate that margins are under 3.4 percent growth, retail was third with Middle Market (NCMM) at The Ohio
pressure moving into 2013. Commodity 2.8 percent. The wholesale industry State University for sharing its data with
prices rose significantly last year, and was at the bottom with only 0.7 percent us. The NCMM surveys 1,000 c-suite
they might impact the cost of doing growth, followed by manufacturing with executives of middle-market companies
business and the ability of middle- 1.7 percent. in a range of industries each quarter.
market companies to maintain margins. The middle market is defined as com-
Looking ahead in 2013, the service
Unlike large firms, middle market firms panies with annual revenue between
industry will continue to outpace the
don’t have the leverage to control price $10 million and $1 billion.
other industries, but anticipates job
swings. One way to grow revenues is to
growth will decline 1.5 percent to
go abroad, but middle-market compa-
4 percent. Construction jobs will grow
nies view this as risky.
2
Plante moran | Winter 2013
Troubled Debt Restructurings:
A Quick Update
At the risk of further wearing out an already and lender concessions, the two elements that need to be pres-
steve.schick@plantemoran.com
well-worn topic, it seems worth a few ent in order for a loan modification to be considered a TDR. As
moments to review what was new in the such, most institutions have found that the TDR policies they
world of Troubled Debt Restructurings (TDRs) previously had in place are still relevant and accurate (albeit, in
during 2012 and provide some thoughts on need of some clarification and expansion, in many cases). The
how best to interpret and implement the new most significant changes brought about by the new guidance
FASB and regulatory guidance. For some have been within the detailed documentation that institutions
time now, the industry has been working to use to support the TDR decision and to calculate required
Steve Schick interpret and implement Accounting Stan- specific reserves and charge-offs, particularly when interest
dards Update (ASU) 2011-02 — A Creditor’s rate concessions have been made. True, the new guidance has
scott.misch@plantemoran.com
Determination of Whether a Restructuring is made it more difficult for a troubled loan modification to avoid
a Troubled Debt Restructuring. SEC regis- the TDR designation; and some old standbys that were previ-
trants were required to implement the new ously called upon to refute the TDR presumption, such as the
guidance during the second quarter of 2011, debtor’s effective interest rate test, are now prohibited. Yet, in
and non-public institutions were required to working through TDR issues with our clients over the past 12–18
adopt it for fiscal years ending after Decem- months, it seems the most significant new burdens on institu-
ber 15, 2012 (essentially, for December 31, tions are the nature and level of documentation required by the
2012, financial reporting for calendar-year guidance and in practice by regulators and auditors.
SCOTT MISCH
institutions). Along with the new accounting
A review of ASU 2011-02 will quickly prove that some of the
guidance from the FASB, the Office of the
subjectivity has been taken out of the TDR identification pro-
Comptroller of the Currency (OCC) issued contemporaneous
cess. Circumstances that are now considered strong indicators
regulatory guidance in April 2012. It is safe to assume that other
of borrower financial difficulty and the types of lender actions
regulators will likely apply TDR guidance that is very similar to
that qualify as concessions (as well as insignificant actions that
that put forth by the OCC.
do not qualify as concessions) are more clearly defined. Despite
One of the most important facts to keep in mind is that neither this, the identification of TDRs and the overall accounting
the new accounting nor regulatory guidance amended the treatment for modified loans is still a highly subjective exercise.
definition of what constitutes a TDR. Instead, the new guidance Whether determining if a payment delay is “insignificant,”
attempts to clarify what constitutes borrower financial difficulty attempting to decide if a revised interest rate is akin to a
Continued on pg. 4
3
{Community Bank Advisor}
Troubled Debt Restructurings:
A Quick Update
Continued from pg. 3
“market rate,” or if a loan structure is comparable to that In conclusion, it’s worth mentioning that a complex process
which would be offered by another institution, the path is like TDR identification and measurement can always benefit
indeed perilous. The nature of lending and loan structuring, from a “second look,” particularly if that look comes from an
particularly to small businesses and real estate ventures, independent source. We’ve heard some clients and friends in
makes the challenge even greater, as each deal has its own the industry bemoan the fact that despite their best and most
nuances that make it difficult to compare it to another deal — meticulous efforts related to TDRs, they still feel that they’ll
if only it were that easy. be (or have been) second guessed and have their conclu-
sions unreasonably challenged by regulators and auditors.
The solution, or at least the most successful solution seen
Unfortunately, there’s no magic bullet to completely defend
to date, has been to significantly enhance the nature and
against that reality. However, some additional credibility has
volume of documentation supporting the TDR determina-
been gained by institutions that call upon internal auditors
tion. Logically, when dealing with a highly subjective matter,
(whether outsourced or in-house) to execute a targeted audit
the more one can explain and support their decision with
of TDR processes, documentation, and conclusions. In cases
empirical data and tie it to the applicable guidance and rules,
where this additional level of review and internal challenge
the more likely one’s argument and position are to stand in
has been performed, external auditors have been able to
the face of challenge. Those institutions whose TDR identi-
rely, to varying degrees, on the internal audit work product
fication processes and documentation have passed muster
and regulators have considered the results of the review and
with the regulators and auditors tend to have the following in
modified their approach accordingly. To date, a review of this
common:
nature seems to be the best insurance policy an institution
1. Clear TDR identification and measurement policies can buy regarding TDRs.
and procedures have been established and are clearly
followed. Don’t forget the importance of the mechani-
cal procedures; deciding who will analyze the data,
prepare the documentation, and review and approve
the final decisions is critical.
2. Proper personnel have been included in the process.
For better or worse, the TDR identification and mea-
surement process is a multidisciplinary activity. Lenders
and accountants must work together so that the facts
are presented completely and accurately and those
facts are properly interpreted in light of the applicable
guidance. Processes that reside exclusively in the lend-
ing or accounting areas will almost certainly fall short.
3. Quality tools are available to aid those involved in
the process. Whether using a detailed TDR checklist
to document if a modification qualifies as a TDR or
relying on an accurate discounted cash flow calculation
template, implementing and consistently using stan-
dard tools is imperative. There are myriad quality tools
publicly available, and your Plante Moran advisors are
always happy to provide a template if you need one or
would like to consider alternatives. Please don’t hesitate
to ask.
4. Senior management must dedicate the necessary
resources to make sure the process is completed
properly and timely. As previously mentioned, working
with TDRs is a time-consuming and highly subjective
process. The tone at the top of the institution must
be supportive of personnel doing the detail work and
provide them with the time and materials necessary to
do the job right.
4
Plante moran | Winter 2013
Proposed Changes to Allowance for
Loan LossES – Comments due April 30, 2013
After the worst recession since the Great The proposed standard has gone through multiple transfor-
marc.doerr@plantemoran.com
Depression, financial institutions have mations, including potential convergence with IASB after its
had to reassess the adequacy of their initial exposure document in November 2009. For its part, the
allowance for loan and lease losses IASB had proposed a three-bucket approach to accounting
(ALLL). This reevaluation has included for the expected losses. The IASB approach includes Bucket 1
questions, such as: (1) Should I shorten or whereby an entity would recognize expected losses for which a
extend the historical loss period? (2) Are loss event is expected in the next 12 months. Bucket 2 includes
my qualitative factors enough to adjust assets that have been affected by the occurrence of observ-
Marc Doerr the historical loss factor? (3) And, most able events that indicate a direct relationship to possible future
importantly, is the allowance sufficient defaults within the lifetime of the credit. Bucket 3 consists of
scott.phillips@plantemoran.com
to cover the losses included in my loan loans where information is available that specifically identifies
portfolio? The International Accounting that credit losses are expected to, or have, occurred on
Standards Board (IASB) and the Financial individual credits within the credit’s lifetime. A transfer from
Accounting Standards Board (FASB) have Bucket 1 to Bucket 2 would occur when the deterioration in
been developing a new ALLL methodol- credit quality has been more than insignificant and at least
ogy to include estimates of future losses some or all of the contractual cash flows may not be collected.
in addition to the losses inherent in the The FASB, as part of its movement toward convergence with
loan portfolio. international standards, was considering the IASB model. How-
Scott PhiLlips ever, due in part to concerns over transfers between buckets,
On December 20, 2012, FASB issued
the FASB broke away from convergence with the IASB.
Proposed Accounting Standards Update No. 2012-260,
Financial Instruments – Credit Losses (Subtopic 825-15). The The CECL model was introduced in August 2012 and, now
proposed standard introduces a Current Expected Credit Loss with this recent exposure draft, may replace the five existing
(CECL) model. The CECL model requires an entity to impair impairment models (FAS 5, FAS 114, SOP 03-3, FAS 115, EITF
its existing financial assets on the basis of the current estimate 99-20) for debt instruments in current U.S. GAAP, with a single
of contractual cash flows not expected to be collected. The expected credit loss measurement objective for the allowance
significant difference from current GAAP would be to eliminate for credit loss. The CECL model focuses on “expected credit
the “probable” initial recognition threshold and replace it with loss and the current recognition of the effects of credit dete-
the current estimate of expected credit loss. It is believed the rioration on collectability expectations.” This estimate should
CECL model will likely result in increased reserves as compared reflect the future contractual cash flows that the entity does not
to current accounting. expect to collect using current probabilities of default, current
Continued on pg. 6
5{Community Bank Advisor}
Proposed Changes to Allowance for
Loan Losses – Comments due April 30, 2013
Continued from pg. 5
historical loss rates, changes in credit risk (risk rates, credit between fair value and amortized cost for debt instruments
scores), and other changes in reasonable and supportable classified at fair value with qualifying changes in fair value
forecasts. recognized in other comprehensive income, (5) past-due
status, (6) nonaccrual status, (7) purchased credit-impaired
In theory, as the level of risk inherent in loans increases, the
financial assets, and (8) collateralized financial assets. The
expected loss would increase and require a commensurate
FASB has proposed the transition be a cumulative-effect
level of allowance. In order to fully substantiate the estimate
approach, where the cumulative-effect adjustment would be
of expected credit losses, all assumptions will have to be
recorded in the beginning of the first reporting period for
based on supportable information that is relevant in making
which the guidance is effective, with appropriate transition
the forward-looking estimates.
disclosures detailing the transition.
Disclosures and transition guidance included in the new
The exposure draft has a comment period that ends April
exposure draft for the CECL model include: (1) credit-quality
30, 2013. All interested parties are encouraged to read the
information, (2) allowance for expected credit losses,
exposure draft and provide a comment letter to the FASB
(3) roll forward for certain debt instruments, (4) reconciliation
for consideration.
6Plante moran | Winter 2013
How Much Risk Are You Taking?
The Case for Developing Enterprise Risk
Management at Community Banks…NOW
How would you answer the question, TASK 2: Map Your Inventory
robert.bondy@plantemoran.com
“How much risk are you taking?” In years Each one of the areas, risks, policies, and monitoring activi-
past, the common response was, “Only ties should correlate to one of the CAMELS components. If
enough to generate an adequate return.” it doesn’t, create a group of “other strategic initiatives” to
Most responses came “from the gut” include, such as compliance, information technology, etc.
versus any formal analysis. After all, Now, organize them:
most financial institutions correlate risk
with asset underwriting or asset-liability 1. Rate each area from 1–10 (or however many you have)
Rob bondy management practices and, perhaps, on importance.
believe enterprise risk management (ERM) 2. Limit the focus to the top three areas from each of the
michael.stearns@plantemoran.com
to be a “big bank” task. CAMELS components (we’ll provide some leniency
To help guide the focus of directors and here).
senior managers, some institutions have As a result, you’ve identified up to 20 of the riskiest areas.
attempted to tackle an ERM system, The important policies are inventoried, and a monitoring plan
only to find the devil is in the details. It’s is in place. A great starting point! Now, it’s time to take it to
important to view ERM as an opportunity to the next level.
embrace each component of the organiza-
mike stearns tion and apply a consistent methodology TASK 3: Begin to Manage the Model and
and reporting structure. To start down the Plan for the Next Level
road of an ERM system, formulate a roadmap to get some
The next level of managing the ERM model will integrate
momentum.
financial results, budgeting, internal/external risk indicators,
Task 1: Take Inventory determining base cases, and stress tests. Definitions, toler-
ances, and activities will be further defined. Ultimately, the
The following steps are critical in developing an ERM model
ERM system becomes a tool that’s consulted when strategic
and will put the scope of an ERM system in perspective:
initiatives are contemplated. That’s a lot to cover in one
1. Identify areas most important to providing a return to article, but until a framework is formulated, ERM is really
stakeholders. a non-starter.
2. For each of the identified areas, identify the most Your financial institution likely has a strong front-line risk man-
significant risks to providing that return. agement system; however, the concept of ERM requires us to
consider a broader risk appetite and risk profile when making
3. Now, align existing policies with each risk.
strategic decisions. Details can be overwhelming and might
4. Determine what you already do to monitor be a deterrent to establishing an ERM program. We’ve found
those policies. integrating a simple program to monitor the key risk indica-
tors can be highly effective in overcoming the challenge.
After completing the above activity, it’s likely that there are up
to a dozen areas considered important with five to 10
corresponding risks from each to monitor and track. You
likely have a book full of policies and have a lot of money
devoted to monitoring and testing against these policies.
Your list probably has more than 100 items on it. Now what?
Develop a System (Or Take One From
an Existing Concept)
An ERM system should have a consistent reporting struc-
ture and definitions to measure against. Thankfully, in the
financial institution industry, we’ve been trained well, and
regulators have already formulated a concept to measure us
against. Approaching risk management along the lines of
the CAMELS components has been proven to be the most
efficient way to consistently define and measure risk.
7{Community Bank Advisor}
The IRS delays the effective date of
new tangible property regulations
The IRS has deferred the effective date of new tan-
mariann.krieger@plantemoran.com
gible property regulations from tax years beginning
on or after January 1, 2012, to tax years beginning on
or after January 1, 2014. The new regulations were
issued in December 2011 to guide taxpayers on how
First-time
to account for amounts paid to acquire, produce, or abatement
improve tangible property. Below is a summary of the
MAriann Krieger
new guidance. penalty relief
The new guidance (as published in Notice 2012-73)
delays the mandatory effective date of the tangible
brian.howe@plantemoran.com
property regulations to tax years beginning on or According to the IRS, the purpose of
after January 1, 2014. The guidance also notifies penalties is to deter noncompliance, not
taxpayers that final regulations will likely be issued in to raise revenue. Certain penalties can be
2013, which will apply to taxable years beginning on waived or abated if the taxpayer has a past
or after January 1, 2014. For taxable years beginning history of compliant behavior. In effect,
on or after January 1, 2012, taxpayers may apply the the IRS rewards taxpayers with a history
provisions of either the already existing temporary of compliant behavior with a one-time
Brian Howe regulations or the anticipated final regulations. penalty amnesty.
Recognizing that taxpayers are expending resources • For individuals, First-Time Abate-
to comply with the temporary regulations, the IRS also indicated that ment (FTA) applies to the failure-
certain sections of the temporary regulations may be revised and in to-file and failure-to-pay penalties.
certain cases simplified when the regulations are issued in final form. Estate and gift tax returns do not
The areas below were specifically noted by the IRS. qualify for FTA waivers.
• De Minimis Rule – Under the current regulations, taxpayers with • For businesses and payroll returns,
an applicable financial statement, such as a certified audited FTA applies to the failure-to-file,
statement, may claim a current deduction for the cost of acquiring failure-to-pay, and/or the failure-to-
items, including materials and supplies. The amount that may deposit penalties. S corporation and
be expensed annually under a taxpayer’s policy is subject to a partnership late-filing penalties also
limitation based on the greater of 0.1 percent of gross receipts or qualify under FTA.
2 percent of book depreciation and amortization. FTA applies only to certain penalties and
• Rules Related to Asset Disposition – The new regulations per- certain returns filed. The taxpayer must
mit taxpayers to claim a loss deduction for the retirement of a also satisfy the clean compliance criteria
structural component. The regulations allow a taxpayer to use a rules:
reasonable method in determining the basis of an asset for the • Clean three-year penalty history.
purpose of determining the deduction. The taxpayer cannot have penalties
• Safe Harbor for Routine Maintenance – A taxpayer may deduct an of a “significant” amount assessed
amount paid to keep a property in its ordinary operating condition in the prior three years on the same
if the taxpayer reasonably expects to perform the activities more type of tax return.
than once during its life when it is placed in service. • Required returns filed. The taxpayer
Taxpayers who choose to apply the temporary regulations to the 2012 must have filed all tax returns for the
tax year may continue to obtain automatic consent to change their past three years, as required.
methods of accounting under previous guidance. FTA does not apply to the estimated
In light of these and other potential planning and implementation tax and accuracy-related penalties. The
issues, taxpayers have the opportunity to early adopt either the entire assertion of an accuracy-related penalty is
regulations or select provisions depending on each taxpayer’s unique based on the facts and circumstances of
tax situation. Regardless of whether taxpayers decide to early adopt or each taxpayer and each tax year.
wait until 2014, they should begin to analyze how they will be affected
and start to develop the necessary systems to track the information
needed for the eventual implementation of the final regulations.
8Plante moran | Winter 2013
Lessons Learned From Hurricane Sandy
On October 30, 2012, Hurricane Sandy Although disasters are hardly created equal, there are common
colin.taggart @plantemoran.com
launched a 13-day devastating drive across issues from which the entire country can learn. For example,
the East Coast, disrupting families and busi- any large natural disaster could potentially affect the commu-
nesses caught in her path. The destruction nication infrastructure in the area. Whether cell phone towers
included damages in excess of $70 billion, a are toppled or power is simply knocked out, you may not be
crippled mass transit system, gas shortages, able to rely on cell phones to connect with your staff. (With
and more than 8 million customers without approximately 32 percent of adults living in households with
power. According to an article posted on the only wireless telephones, you may have no alternate landline to
Colin Taggart Centers for Disease Control Prevention web- use.) In addition, staff may not be able to make it into the office.
site, “FEMA has estimated that nearly 72,000 Whether the office no longer exists, travel is unsafe, or staff
joe.oleksak@plantemoran.com
homes and businesses in New Jersey alone prefer to manage the effects of the disaster at home, organiza-
were damaged. An analysis of aerial imagery tions need to consider how they’ll recover without full, onsite
by the agency showed more than 500 build- recovery teams.
ings were destroyed outright or reduced to
It’s also important to note, however, that each disaster has
debris, another 5,000 suffered major damages
unique features. For example, the advance warning time for a
from flooding or high winds, about 24,000
hurricane differs from that of a tornado. Therefore, no overall
had minor damage, and tens of thousands of
plan can cover all possibilities. While an organization may cover
others were affected by floodwaters.”
Joe Oleksak the backup data restoration process in an overall plan, there
Hurricane Sandy was only one of many events should also be unique staff evacuation procedures documented
that impacted businesses directly or indirectly for each disaster possibility. It’s important that companies
during 2012, which taught businesses two things: (1) all disasters complete a risk assessment to identify the most likely incidents
are not created equal, and (2) it’s critical to be prepared. Inte- and their specific impacts (such as water damage, staff safety,
gral to preparation is developing a disaster recovery plan (DRP). and power redundancy).
ALL DISASTERS ARE NOT CREATED EQUAL DO YOU HAVE A DISASTER RECOVERY PLAN?
Although there are a variety of natural disaster possibilities, Ideally your DRP will never need to be used, but that doesn’t
most organizations only concern themselves with those that mean it’s not important to have one. In the event of a disas-
have affected nearby areas in the past. Your organization will ter, your team’s expertise with day-to-day procedures will be
need to tailor its disaster recovery planning efforts to align helpful; however, with unavailable staff and resources, you’ll
with the most probable disasters. This is not to say organiza- need to modify existing procedures to accommodate a disaster
tions outside Tornado Alley should ignore the possibility of a scenario. Being able to rely on a useful DRP in this situation
tornado; however, based on a probability assessment, planning is a critical timesaver, eliminating the need to invent new
for a volcano in the Midwest may not be necessary. Further- procedures mid-disaster. Training key team members on their
more, while your organization may not operate in Tornado responsibilities and workaround procedures under the plan will
Alley, violent storms resulting in property damage, flooding and greatly help to reduce confusion and wasted time.
power outages can happen anywhere.
A major misconception included in typical DRPs pertains to
Continued on pg. 10
9{Community Bank Advisor}
Lessons learned from hurricane sandy
Continued from pg. 9
the number of key staff who will be available to assist in the ARE YOU PREPARED?
recovery process. Results of a survey completed after a The first steps toward developing a DRP are the most impor-
1994 Los Angeles area earthquake confirmed that the most tant and most difficult, as they’ll shape the entire recovery
common reason for a business interruption was staff attend- program for your organization. Our business continuity
ing to personal matters. Even if the disaster doesn’t destroy planning team has assisted clients in a variety of industries
the office or roads, the disaster could lead to multiple staff in navigating this important process. We start by meeting
having family crises to attend to. If the technology is func- with key team members to identify the organization’s unique
tioning, this can be slightly alleviated by allowing staff to work environment and explain the DRP process. To develop a
remotely from home. For those who do come into work, the comprehensive plan, our IT specialists will consult with all
organization will also need to be sensitive to the personal departments in your organization to determine which data
effects of the disaster, such as setting up a temporary office and applications are most critical and need to be recovered
daycare if there are related school closings and power out- most quickly after a disaster. These discussions will all be
ages. As staff will be the toughest “resource” to replace focused on the organization’s “pain threshold” for system
during a disaster, it’s also critical that DRP efforts include downtime related to lost income, industry image, customer
cross-training initiatives from front-line staff to executive confidence, and other key impacts.
members of the organization.
Once the critical system recovery goals have been identi-
Another mistake to avoid in the recovery planning process is fied, we’ll work with your IT department to identify the key
ignoring the importance of regularly testing recovery capa- resources required to meet these goals. At the end of our
bilities. Generators, redundant communication lines, and engagement, your team will have a plan in place to recover
backup drives all need to be tested to confirm you can rely key resources following a disaster and re-establish business
on them when necessary. Relying on an untested secondary operations at an acceptable level and time frame to ensure
critical vendor connection is an improvement over having no the well-being of your organization. We’ll also assist with
redundancy at all; however, it could lead to a similar recovery long-term goals to ensure the continuity plan evolves with
delay if the organization waits until a disaster to realize there your organization by being periodically revisited, updated,
needs to be additional changes to firewall settings for the and tested.
connection to function. Additionally, the organization should
continue to complete tests as the organization grows and
changes to ensure implemented controls can still support the
organization.
What’s With These Recent Password Hacks?
In June 2012, a large dump of around 6.5 that the vulnerability that led to their compromise has been
tom.ervin@plantemoran.com
million LinkedIn password hashes were discovered and closed.
posted on an online forum by a hacker
Formspring and Yahoo, on the other hand, confirmed their
requesting help in reversing the hashes into
password breaches and applied fixes within 24 hours. Form-
valid passwords. This was followed, appar-
spring went further and provided details on how the breach
ently by the same hacker, by passwords
was fixed.
from the dating website eHarmony. Then,
in July, Formspring and Yahoo passwords Blogs, news agencies, and Internet resources everywhere
Tom Ervin were compromised. Is this a wake-up responded by reporting these events and dispensing text-
call for businesses to get serious about book advice about how to respond to a password compro-
jennifer.whiteside@plantemoran.com
password security? mise. Unfortunately, in their rush to publish these stories,
they missed some important details. In the case of LinkedIn,
After LinkedIn acknowledged the com-
only the password hashes were posted online. They weren’t
promise, they still haven’t confirmed if
posted alongside the corresponding email addresses. This
there was, in fact, a compromise or if it
means that even though a large list of encoded passwords
was simply a false alarm. Even after finally
was posted publicly, the information required to log in
acknowledging the compromise, they
under those accounts is only available to the hacker(s) that
still haven’t confirmed that they’ve deter-
posted the encoded passwords. Since these passwords
Jennifer whiteside mined when and how hackers accessed
were encrypted using the SHA-1 algorithm, they couldn’t
the account information of their users.
be read without using time-consuming, password-cracking
More importantly, they haven’t announced
Continued on pg. 11
10Plante moran | Winter 2013
techniques. By now, hundreds of thousands of the passwords These breaches will continue to occur, so where does that
have been reversed by security researchers to help gain statis- leave the end user? Vulnerable … but that vulnerability can be
tics about password complexity and use. decreased by following these three tips:
Most companies immediately sent internal emails to employees • Use tiered passwords. Don’t use the same password
to change their LinkedIn or Yahoo passwords, which missed the for all sites. The key to your office door shouldn’t open
real intent of the hack. Hackers never wanted the LinkedIn pass- the front door of your house or safe, so why should one
words, as access to those accounts simply isn’t very valuable. So password access different sites/systems? Just like you
what were they after? Email addresses and account passwords. have different keys for different doors, you need to use
They hope you, like so many others, reuse the same password different passwords for different sites (especially financial
across many or all of the sites you use. and email sites).
If you used the same password to log into LinkedIn as you do • Change your passwords more frequently. When was the
for your email account, stop reading, and change your email last time you changed your password for your online
password now. Access to your email provides a hacker with the banking account or your Facebook account? Ideally, you
ability to view all the other sites you’ve signed up for using that should change passwords to sensitive accounts at least
email address. This means they can locate accounts like your every 30 days.
online banking sites, online shopping (particularly sites where
• Set strong passwords. Setting long passwords that con-
you’ve stored your credit card information), and online payment
tain letters, numbers, and characters for numerous web-
sites like Google Checkout or PayPal. Using the information
sites can be difficult to memorize. So what can a user do?
they originally gained from accessing LinkedIn, they can then
Use paraphrases. For example “MyBirthDate?June15,60.”
purchase goods and sell them for cash. Often, large compro-
It’s long, it has all the letters, numbers, and characters,
mises of username/email and password combinations would
and it’s easy to remember.
be sold off on hacker sites leaving cyber criminals with smaller
chunks of user data they could take advantage of in whatever These best practices can be the difference between security
way they see fit. and vulnerability.
raj.patel@plantemoran.com
Check Out More Technology Features at
Banks.plantemoran.com
From the 2012 Community Bank Technol- Cyber Attacks: Is Your Bank at High Risk?
ogy Survey to whitepapers helping banks Large financial institutions continue to make the front page
guard against cyber attacks, leveraging in the ongoing onslaught of cyber attacks. However, small
Raj Patel
smart phones as the wallets of the future, and medium-sized banks may be just as vulnerable, if not
and going green, we have a number of great resources on more so.
our website. Here’s a quick overview.
On September 19, the Financial Services Information Shar-
ICBA Community Bank Technology ing and Analysis Center (FS-ISAC) issued an alert notifying
Survey Results U.S. financial institutions that they’re now at high risk of
For more than a decade, the Independent Community cyber attacks. What does this mean? Learn more at
Bankers of America (ICBA) and Plante Moran have con- banks.plantemoran.com.
ducted the Community Bank Technology Survey. The survey
Smart Phones: The Wallet of the Future
is designed to track community bank trends and strategies
in technology. A total of 530 community banks responded. Smart phones offer us a means of convenience. We can
Key findings include: share our lives, experiences, and adventures through social
media apps or travel to places near and far guided by GPS
• Community banks are embracing mobile technology. navigation. In addition, several technologies are emerging
• Mobile apps have core functionality comparable to that will allow us to use the chips in our phones to make
online banking. purchases, making that smartphone all the more invaluable.
Technologies like Google Wallet, ISIS Mobile Commerce
• Regulatory compliance is community banks’ top Network, and Venmo are here—and they’re changing the
technology concern, followed by data security and way we look at our phones. Learn more at
systems availability. banks.plantemoran.com.
Learn more at banks.plantemoran.com.
11{Community Bank Advisor}
National Tax Office
Illinois Locations Ohio Locations China
Chicago–W. Washington Flint Cincinnati Shanghai
312.899.4460 810.767.5350 513.595.8800 86.21.52131026
FAX 312.726.3262 FAX 810.767.8150 FAX 513.595.8806 FAX 86.21.52131025
Chicago–Riverside Plaza Grand Rapids Cleveland
312.207.1040 Mexico
616.774.8221 216.523.1010
FAX 312.207.1066 FAX 616.774.0702 Monterrey
FAX 216.523.1025
52.81.1477.5151
Northwest Chicago Kalamazoo FAX 248.233.9040
847.697.6161 Columbus
269.567.4500
FAX 847.697.6176 614.849.3000
FAX 269.567.4501 India
FAX 614.221.3535
Macomb Mumbai
Michigan Locations Toledo 91.22.3953.7241
586.416.4900
Ann Arbor FAX 586.416.4901 419.843.6000 FAX 91.22.3953.7200
734.665.9494 FAX 419.843.6099
St. Joseph
{ }
FAX 734.665.0664
269.982.8000
Auburn Hills FAX 269.982.2800
248.375.7100 Client Feedback Is
FAX 248.375.7101 Southfield Important to Us!
248.352.2500
Detroit FAX 248.352.0018 Access our client
313.876.1630 satisfaction survey at
East Lansing Traverse City clientsatisfaction.
517.332.6200 231.947.7800 plantemoran.com to
FAX 517.332.8502 FAX 231.947.0348 share your input.
This publication is distributed with the understanding that Plante & Moran, PLLC is not rendering legal, accounting, or other professional
advice or opinions on specific facts or matters and, accordingly, assumes no liability whatsoever in connection with its use. Please send
change of address or additions/corrections to the mailing list to theresa.zimmerman@plantemoran.com.You can also read
