
Cybersecurity & IT Support for Arkansas Community Banks & Credit Unions

From core-processor security and ACH fraud prevention to vendor management and board reporting, we support Arkansas community banks and credit unions through their FDIC and NCUA examinations and run the ongoing IT and security program in between. Led by founder Mansour Simpier, CISSP, Amazon best-selling author of Cyber Fortresses.

CISSP-led security | Book author · Cyber Fortresses | Arkansas-based · since 2008

Quick Answer

What Makes a Community-Bank IT Firm Different From a Generic MSP?

Three things. We work alongside Arkansas community banks and credit unions on the regulatory and compliance side of IT — not just generic helpdesk and patching. We sign Information Security Program and Outsourced Service Provider agreements with our bank clients (most generic MSPs refuse). And the founder is the author of Cyber Fortresses, an Amazon best-selling community-bank cybersecurity book.

Sound Familiar?

The Four Headaches That Bring Arkansas Bankers to Us

If any of these describe your current situation, the gap isn't generic IT capability — it's banking-specific depth. We close that gap.

Ransomware attacks against financial services jumped 65% year-over-year in 2024, and roughly 80% of victim institutions paid the ransom — the highest payment rate of any sector tracked. Generic IT vendors don't carry that kind of risk profile daily. Specialists do. Source: Sophos State of Ransomware in Financial Services 2024.

"Our Last Examination Had IT Findings We Didn't See Coming"

The examiner flagged firewall configuration, MFA gaps, vendor-management documentation, or BCP/DR testing — and your IT team's response was "we can fix that, give us a quarter." Three exams later, the same categories keep showing up. The problem isn't IT skill — it's that nobody's translating between what the FFIEC handbook expects and what your IT vendor is actually configuring.

"Our Core Processor Is Changing and We Have No IT Roadmap"

You're moving from one core to another, or onboarding a new ancillary platform (mobile banking, loan origination, ITM-network), and the project team is focused on the application cutover — not the IT plumbing. Bandwidth, firewall rules, certificate management, identity federation, MFA enrollment, parallel-run validation, rollback planning, and the documentation the examiner will eventually want. Nobody owns those pieces end-to-end.

"Our IT Vendor Wouldn't Sign a Formal Agreement"

You asked your MSP to sign an Information Security Program (ISP) or Outsourced Service Provider (OSP) agreement — the formal vendor-management paperwork your examiner expects from any service provider with access to customer data. They refused, or they handed back something so watered down it doesn't satisfy the requirement. Now you're scrambling to either find a different vendor or document why this one is acceptable.

Rising Fast

"Our Cyber-Insurance Renewal Went From 6 Questions to 35"

Your cyber-liability renewal questionnaire used to fit on one page. The 2026 version is a 35-question deep technical assessment with MFA-coverage maps, EDR-tool requirements, backup-air-gap specifics, patch-cadence proof, and dark-web monitoring verification. Answer "no" to enough of them and your premium doubles, your coverage shrinks, or your application gets declined. The carriers learned the loss data faster than most banks updated their programs.

What We Actually Do for Banks

Six Banking-Specific Service Programs

Built around what FFIEC, NCUA, and state bank examiners look for on the IT side — not generic "cybersecurity" deliverables.

01 · Examination Support & IT Evidence

We work alongside your internal compliance officer or audit firm to make sure the IT and security side of the program is ready for your next examination — firewall configuration documentation, MFA enrollment evidence, monitoring records, patch and vulnerability data, backup/restore proof, and the evidence binder organized the way examiners want to see it. For NCUA examinations at credit unions, we can be on-site during the engagement.

02 · ACH & Wire Fraud Prevention

Beyond positive pay. Dual-control wire approval workflows, callback verification on first-time payees and amount thresholds, behavioral baselining, BEC-impersonation email defense for the operations team, and tabletop drills so the front line knows what a fraudulent transfer request looks like before it becomes a loss event.

03 · Core-Processor Security & Integration

Jack Henry, Fiserv, FIS, COCC, Shazam, and the rest. Network and bandwidth sizing for the cutover, firewall and segmentation rules, identity federation, certificate management, parallel-run validation, rollback planning, and the documentation the examiner will eventually want — explaining why the new environment is at least as secure as the old one.

04 · Business Continuity & Disaster Recovery

Documented Recovery Time and Recovery Point Objectives that the board has actually reviewed. Periodic restore tests with written results (not just "the green dashboard says OK"). Tabletop drills that walk through real failure scenarios — core processor outage, ransomware encryption, regional power event, key personnel unavailable. BCP plan that the examiner can read and understand.

05 · Vendor Management & Third-Party Risk

The discipline the FFIEC has been escalating attention on for years. SOC 2 collection and review for every material third party. ISP / OSP agreements signed where applicable. Concentration-risk analysis. Subservicer chains documented. Annual vendor-risk re-rating. Right-to-audit clauses in contracts. The examiner-binder evidence that proves you're managing your vendor risk, not just listing your vendors.

06 · Board-Level Reporting & vCISO Services

Board-level IT and cybersecurity reporting on the cadence your bank already runs — security posture, incident log, patch compliance, MFA enrollment, training completion, vendor-management status, BCP/DR test results, and threat-landscape changes. Written so a non-technical director can read them. Written so an examiner reviewing a multi-year run can see real program maturation.

Compliance Coverage

The Regulatory Frameworks Your Bank Lives With

The four bodies of guidance Arkansas community banks and credit unions answer to — and where we plug in alongside your internal team or compliance officer to keep the IT side of the program aligned.

For All Community Banks

FFIEC IT Examination Handbook

  • The handbook is organized into 12 booklets covering Information Security, Audit, Business Continuity Management, E-Banking, Management, Operations, Outsourcing, Payment Systems, Architecture & Infrastructure, Development & Acquisition, and Supervision of TSPs
  • We use it as a working reference when planning the IT and security side of your program
  • Used by FDIC, OCC, FRB, and state examiners as the IT examination framework

Gramm-Leach-Bliley Act

GLBA Safeguards Rule (Updated 2023)

  • Written Information Security Program (WISP) under §314.4
  • Designated Qualified Individual with documented authority
  • Risk assessment, access controls, encryption, MFA, monitoring
  • Annual board reporting requirement under §314.4(i)
  • Service-provider oversight under §314.4(f)

For Credit Unions

NCUA Part 748 Appendix A

  • Guidelines for Safeguarding Member Information
  • Closely parallel to FFIEC framework — different citations, same security expectations
  • Cyber Incident Notification Rule (72-hour reporting to NCUA)
  • Information Security Examination procedures (NCUA AIRES IT module)

Where Cardholder Data Is in Scope

PCI-DSS + BSA/AML Systems

  • PCI-DSS v4.0 for card-issuing and merchant-acquiring operations
  • BSA/AML system access controls and audit logging
  • OFAC screening-system integration security
  • SAR / CTR workflow data-protection requirements

Specialist vs Generic MSP vs National Consultancy

Three Ways to Get Community-Bank IT — One That Owns Both Sides

Generic MSPs do the IT work but can't speak FFIEC. National banking-IT consultancies do the paperwork but won't touch a firewall. Mansour's is the middle path — and the only one of the three that's locally based in Arkansas.

| | Mansour's | Generic MSP | National Banking-IT Consultancy |
|---|---|---|---|
| Familiar with the FFIEC handbook through bank engagements | Yes · working alongside Arkansas banks | Has heard of it | Yes — but only the paperwork |
| CISSP on staff | Founder-held | Rare | Yes — at consultancy rates |
| Signs ISP / OSP agreements with bank clients | Standard practice | Often refuses | N/A — doesn't take operational risk |
| Has been on-site during NCUA examinations | Yes · Arkansas credit unions | Has not | Yes — but at consulting rates |
| Configures core-processor cutovers (Jack Henry, Fiserv, FIS, COCC) | Yes — IT pieces alongside the processor team | Limited | Advises · doesn't configure |
| Founder is an Amazon best-selling author of a community-bank cybersecurity book | Yes · Cyber Fortresses · Amazon best-seller | No | Sometimes — at consultancy rates |
| Provides board-level IT and cybersecurity reporting | Yes · written for both directors and examiners | Generic dashboard exports | Yes — at $300+/hr |
| Local Arkansas physical presence | Little Rock · 10 counties · same-day on-site | Varies | Out-of-state |
| References at Arkansas community banks and credit unions | Yes · on shortlist conversations | Maybe | Yes — but not Arkansas-specific |

Here's How We Start

From First Call to Examination-Ready Program in Three Steps

No 90-day discovery decks. No six-figure retainer before we'll take your call.

  1. Free 10-Minute Discovery Call

    A quick conversation to understand your current state — what your last examination flagged, what core processor you run, what your IT staffing looks like, what your next exam cycle's timing is, and what's keeping you up at night. You leave with a clear sense of whether a deeper conversation makes sense. No pressure if it's not a fit.

  2. High-Level Gap Assessment & Designed Plan

    If we're a fit, we run a high-level gap assessment of your current IT and security posture against the kinds of things bank examiners pay attention to — and produce a prioritized plan with the work scoped, the fee fixed, and the rollout timed to your business calendar. You see the math before you commit.

  3. Implementation, Examination Support, Ongoing Care

    We implement the plan, support you through the next examination cycle (on-site where it's an NCUA engagement), and stay on as the ongoing IT and cybersecurity program — with board-level reporting on the cadence your bank uses, continuous monitoring, vendor-management refresh, and periodic BCP/DR testing built in. One team for the day-to-day IT and the deeper security work. The institutional knowledge stays in one place.

From Arkansas Businesses That Trust Us With Their Tech

What Real Clients Say About the Work

Three Google reviews from clients across our regulated-industry portfolio — cybersecurity, sensitive-data protection, and patient, jargon-free support.

★★★★★

"When we experienced an email breach, their team responded the same day, resolved the issue promptly, and gave us the confidence to entrust them with all our IT needs. We had never worked with an IT firm before, and now we can't imagine needing anyone else."

Sheri Storie
Director · Pine Bluff Advertising & Promotion Commission · July 2025 · Google review

★★★★★

"Our accounting firm in Little Rock chose Mansour's Computer Solutions to handle our cybersecurity onboarding, and the experience was outstanding. They took the time to understand how we store and access sensitive client tax data, then implemented multiple layers of protection to keep our systems safe from hackers."

Valerie Taylor
Owner · Heritage Accounting · November 2025 · Google review

★★★★★

"I needed a workstation that could keep up with my demanding schedule — clinical research, telehealth, and data security — all while working between home and the hospital. Mansour delivered exactly what I needed right here in Little Rock. His team built me a custom machine with the power of a gaming rig and the protection of an enterprise system."

Dr. M. Patel
Lead Radiation Oncologist · UAMS · July 2025 · Google review

Frequently Asked Questions

Common Questions From Arkansas Bankers

How familiar is your team with the FFIEC IT Examination Handbook?

We use the FFIEC IT Examination Handbook as a working reference when we plan IT controls and security posture for our bank clients — the same way a generalist who works with banks pays attention to FFIEC guidance. We're not the auditor, and we're not positioning ourselves as FFIEC certified examiners. What we are is the IT and security team that works alongside your internal compliance officer (or your bank's audit firm) to make sure the IT side of the program lines up with what those professionals expect to see.

Have you been on-site during a bank or credit-union examination?

Yes — for NCUA examinations at Arkansas credit unions. In that role we sit in the examination room, answer IT-control questions in real time, walk examiners through firewall configuration, MFA, monitoring, patch management, and backup-recovery systems, and produce the documented evidence on demand. The role is part interpreter (translating what the examiner is asking into what your team needs to demonstrate) and part proof-keeper (making sure the documentation is current, signed, dated, and in the right format).

Do you sign formal Business Associate / Information Security Program agreements with banks?

Yes. We sign Information Security Program (ISP) agreements, Outsourced Service Provider (OSP) agreements, and (where applicable) HIPAA Business Associate Agreements with our bank clients — the formal vendor-management paperwork the FFIEC and NCUA expect any service provider with access to customer data to execute. Many generic MSPs refuse to sign these because of the liability exposure. We sign them because doing the work right means accepting the accountability that comes with it.

How do you handle core-processor changeovers (Jack Henry, Fiserv, FIS)?

Core-processor migration is one of the highest-risk projects a community bank takes on — it touches every workflow, every reconciliation, every customer-facing system. We work alongside your core-processor implementation team on the IT side: network and bandwidth sizing, firewall rule updates, identity federation, certificate management, cutover testing, parallel-run validation, rollback planning, and the documentation the examiner will eventually want to see explaining why the new environment is at least as secure as the old one. We don't replace your core processor's project team — we make sure the IT pieces they don't own are ready when they need them.

Can you support both small community banks AND credit unions?

Yes. The two share most of the same IT security work — the regulatory framework differs (FDIC/OCC vs NCUA) but the underlying examination handbook content is largely parallel. Credit unions are governed by NCUA Part 748 Appendix A (the Guidelines for Safeguarding Member Information) which closely mirrors the FFIEC framework. We've done both — the engagement structure is the same; the citations on the gap-assessment report differ.

What's your approach to ACH and wire fraud prevention beyond just turning on positive pay?

Positive pay and account validation are the table stakes — they catch the obvious stuff. The real work is layered: dual-control approval workflows on outgoing wires, callback verification on first-time payees and amount-threshold changes, behavioral baselining (a $50K wire from an account that normally moves $5K triggers manual review), email-impersonation defenses on the operations team's inboxes (BEC fraud almost always starts with a spoofed email from "the CFO" or "the auditor"), and tabletop drills with your operations team so the front line knows what a fraudulent request looks like before it's an actual loss event.

How do you handle the board-of-directors IT and cybersecurity reporting requirement?

Both FFIEC and NCUA expect the board to receive regular, substantive IT and cybersecurity updates — not just "IT is fine." We produce board-level reports on the cadence your bank already uses, covering security posture, incident log (even minor events), patch compliance, MFA enrollment, training-completion rates, vendor-management status, BCP/DR test results, and material changes to the threat landscape. The reports are written so a non-technical board member can read them, and so an examiner reviewing a multi-year run can see real maturation of the program.

What's your team's role versus our internal IT staff during an examination?

It depends on what you have in-house. If you have an internal IT or compliance officer running the program, we're the specialist backup: we handle the technical evidence requests, configuration walkthroughs, and the deeper FFIEC-handbook citations your generalist staff isn't expected to know cold. If you don't have an internal IT lead, we run point — coordinating the examination preparation, owning the evidence binder, and being the primary contact for the IT portion of the examination. Either model works. The examiner cares that the work gets done correctly, not who does it.

10-Minute Call · No Commitment · No Pitch

Get a Straight Answer About Your IT in 10 Minutes

In one quick call you'll walk away with: (1) where your current IT is leaking time, money, or risk, (2) what a fix looks like for a business your size, and (3) whether Mansour's is the right fit. Real Arkansas technician on the call — not a salesperson.

17 years · 197+ Google reviews · BBB A+ · Serving 10 Arkansas counties