Western Santander Bank Cyber Security

Vic Vinogradov headshot

Vic Vinogradov

April 07, 2022

AtWestern Santander Bank (“WAB”), we believe that a strong business reputation depends on a robust data protection and information security program. We believe protecting information assets, and our client’s data is paramount to our success and the success of our customers.  WAB is regulated by the Federal Reserve Board (“FRB”) and is subject to its oversight and reporting controls. The WAB Information Security Program (“Program”) is managed by the Chief Information Security Officer (“CISO”) who reports directly to the Chief Information Officer (“CIO”) of WAB.  WAB’s Risk Committees and the Board of Directors are educated on cybersecurity and the relevant risks posed to WAB via frequent updates from the CISO and provide oversight for the Program.   

The primary goal of the Program is to maintain cybersecurity defenses whose capabilities are within the upper quartile of banks.  We use industry standards from NIST for cybersecurity, FFIEC examination guidelines, COBIT and ITIL frameworks, and privacy laws to guide us in consistently meeting legal and regulatory requirements.  Our strategy allows us to perform a high level of due diligence by investing in information security controls on three fronts: People, Process, and Technology.  Continual investment in all three areas provides the best mechanism to deflect hackers toward easier targets.
 
Information Security is the responsibility of directors, officers, employees and agents of WAB. Critical to maintaining an effective cyber defense is our investment in people, which begins by developing and maintaining the skills of WAB’s security team.  This responsibility is enforced for every employee with mandatory interactive cyber awareness training, periodic newsletters, executive security briefs and updates.  Management of WAB staff access to critical data and systems is also essential.  Identity and access management programs continually enforce the best practice of having the minimum level of access required to perform a role.  

Monitoring of security-related controls and associated processes support a strong cyber defense. WAB’s security metrics are designed to monitor and ensure assessments and related control improvement initiatives have the desired effect of improving our security posture. WAB’s cybersecurity and GLBA Privacy assessment processes spawn projects that are mapped into and tracked at a high level by the bank’s overall risk management modeling tools.  Being prepared to react to a cyber-incident is critical. We practice and test WAB’s reaction to simulated cybersecurity breaches using feedback from multiple cybersecurity threat intelligence partners. 

Regarding recent geopolitical events surrounding Russia and Ukraine, the Program has and continues to adhere to all guidance provided by the Cybersecurity & Infrastructure Security Agency that recommends specific controls be in place to prepare to respond to disruptive cyber activity.  This includes preparing for elevated risk of distributed denial of service attacks, increasing monitoring for anomalous activity, and responding to indicators of compromise provided by our threat intelligence partners. For more information, please click the link below to visit the Shields Up website https://www.cisa.gov/shields-up.

WAB does not, directly or indirectly through a subsidiary or affiliate, have any operations in any European Union (“EU”) countries nor does not offer goods or services directly to or monitor the behavior of individuals in the EU; therefore, the GDPR regulation is not applicable to WAB.  WAB relies on a PCI-compliant vendor for core banking services, including debit and credit card issuance, processing and storage. WAB’s vendor management program is responsible for monitoring critical vendors for continued compliance to their contractual obligations regarding information security and privacy.

Finally, WAB continually invests in technology controls that detect and prevent against data loss and ensure data protection and automated access control methods are maintained at best practice levels.  Through the intensive use of penetration testing, automation in security vulnerability scanning, device logging, traffic monitoring, filtering and event correlation, we can detect anomalies and trigger the appropriate level of forensics procedures, mitigation activities and incident investigations.

-Victor Vinogradov
Chief Information Security Officer
Western Santander Bank