Six Best Practices to Help Customers Achieve True Data Privacy

With today’s constant news stream of ransomware threats, denial of service attacks and data breaches, data privacy is more of a concern than ever. But what exactly do we mean by data privacy, and how can we convey its importance to customers?

At its root, data privacy is the concept of implementing appropriate controls related to the sensitivity of data. There are two key components of data privacy: data classification and data protection.

Data classification simply means understanding the sensitivity level of data. There are three main categories: public, sensitive and confidential. Any data, even that which is publicly available, can be collected and used by a criminal to profile their prey. The numbers tell the story: Through July 6, 2017, according to the nonprofit Identity Theft Resource Center, we’ve seen a total of 791 breaches and 12.39 million compromised records across all major industries.

Data classification helps determine the level of protection warranted, with confidential data justifying the most:

  • Confidential data, such as Social Security numbers, bank details, or other personally identifiable information—whether in transmission or storage—should be encrypted, and the devices used to store and transmit it should be secured as well. When disposing of this data, whether electronically or in a tangible format, the data records should be fully destroyed through shredding (electronically or physically). In some cases, entire storage devices should be destroyed.
  • Sensitive data, such as religious or relationship information, or private business plans, is similar to confidential data in that the owner does not wish to share it with others. As such, sensitive data often is protected similarly to confidential data. The only differentiator is the amount spent to protect it.
  • Public data is that which is publicly available, like where a person attended high school.

With greater access to information, coupled with the increased rate and publicity of compromise, many consumers are numb to the severity of a data breach, even though strengthening the environments in which they store or transmit data should be top of mind.

Below are six best practices you can convey to your customers to help them achieve real data privacy:

  • Employ data encryption for both storage and transmission. One advantage of encrypting all data is that no classification decision has to be made before deciding what to encrypt. A second benefit is that a criminal can’t tell which records are worth targeting when all of them are encrypted. Keep in mind that encryption only moves the problem to the keys: a key stored beside the data, or a system an attacker controls while the data is decrypted for use, gives no protection.
  • Avoid accessing data such as emails, cloud storage, and the like on a public computer or network, which are easily compromised. If a public network must be used, virtual private network (VPN) encryption is necessary when sensitive or confidential data is being accessed. Keep in mind, passwords aren’t always transmitted in an encrypted format, so a criminal could intercept the password. Public computers should be used only as a last resort, and never to access confidential or sensitive data.
  • Ensure your computer is patched and protected with a firewall and up-to-date anti-malware solution. Further, even careful users should periodically have their machine inspected for malware and cleaned by a trusted technician; with the sophistication of malware today, even the most cautious and educated can still end up compromised.
  • When possible, implement multi-factor authentication, which means using more than one means of authentication, such as a password plus a one-time code. This is one of the most effective ways to keep data and accounts secure, yet even these systems aren’t foolproof. Avoid receiving codes by text message when possible, as SMS is a weaker second factor: the code travels over the mobile network and can be captured by an attacker who has ported or swapped the victim’s phone number. Use an authenticator application or a hardware security key instead; codes delivered by phone call or email share most of SMS’s weaknesses. And remember that codes generated on a device are only as secure as the device itself.
  • Use strong passwords, and change a password immediately whenever it may have been compromised. Current NIST guidance (SP 800-63B) no longer recommends forced rotation on a fixed schedule such as every 90 days, because it pushes users toward predictable variations of the old password. Passwords should, when allowed, be at least 15 characters long and unique to each account; length matters more than a mix of letters, numbers and symbols. A password manager such as KeePass makes long, unique passwords practical. And remember, treat your password like your toothbrush: never share it.
  • Consider the sensitivity of the data you store in the cloud. Using a cloud service means entrusting a company to protect your data, so confirm the provider is equipped to protect it to the same degree you would. Alternatively, encrypt the data with your own key before storing it in the cloud and keep that key out of the provider’s reach; a breach on the provider’s side then exposes only ciphertext.
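The last item above, encrypting with a key you hold before anything reaches the provider, looks like this in practice. The Go program below is an added example written for this page, not code from the original article or from any cloud vendor; the Cloud type is a constructed stand-in for a storage API, and the record it stores is made-up sample data. It uses AES-256-GCM from Go’s standard library, binds the object name into the authentication tag, and shows that the provider’s copy contains no plaintext, that a bit-flip or a renamed blob is rejected, and that only the key holder can read the data back.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a random 256-bit AES key. The whole point of client-side
// encryption is that this key stays with the customer (password manager,
// hardware token, own KMS) and never reaches the cloud provider.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// The object name is bound as associated data, so a blob copied under a
// different name on the provider's side will not decrypt.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per object; a nonce must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. A modified blob, a wrong key or a wrong object name
// fails authentication and yields an error rather than garbage plaintext.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed object")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(objectName))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong object name, or tampered blob")
	}
	return pt, nil
}

// Cloud is a constructed stand-in for the storage provider, not a real API.
// It only ever sees sealed blobs, so a breach on its side exposes nothing readable.
type Cloud map[string][]byte

func (c Cloud) Put(name string, blob []byte) { c[name] = append([]byte(nil), blob...) }
func (c Cloud) Get(name string) []byte       { return append([]byte(nil), c[name]...) }

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	cloud := Cloud{}
	record := []byte("SSN 123-45-6789, routing 000000000") // constructed sample record
	const name = "statements/2017-07.txt"
	blob, err := Seal(key, record, name)
	if err != nil {
		panic(err)
	}
	cloud.Put(name, blob)

	// The provider's copy contains none of the plaintext.
	fmt.Println("plaintext visible to provider:", bytes.Contains(cloud.Get(name), []byte("SSN")))

	// Only the key holder can read it back.
	pt, err := Open(key, cloud.Get(name), name)
	fmt.Println("decrypted ok:", err == nil && bytes.Equal(pt, record))

	// A blob bit-flipped on the provider's side is rejected.
	tampered := cloud.Get(name)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, name)
	fmt.Println("tamper detected:", err != nil)
}
```

The protection holds only as long as the key lives somewhere the provider cannot reach; storing the key in the same bucket defeats the scheme, and losing the key loses the data, so back the key up as carefully as the data itself.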

While one of banks’ most important tasks is protecting customer data, educating customers to respond in kind goes a long way toward a common goal.

The Five Critical Attributes of Effective Cybersecurity Risk Management

The size, complexity and ever-evolving nature of cyberattacks mean there’s no one-size-fits-all way to respond. Whatever your organization’s plan to mitigate the risk of data breaches, to be effective, it must encompass the five attributes discussed here.

Attribute One: An Effective Framework
An effective, appropriate framework is an essential place to start. The centerpiece of any cybersecurity risk management program, a cybersecurity framework is a standard designed to assist with managing the confidentiality, integrity and availability of data and critical infrastructure.

Many frameworks are now in use in various industries (some common ones include the National Institute of Standards and Technology Cybersecurity Framework, ISO/IEC 27001 from the International Organization for Standardization, and ISACA’s COBIT). Regardless of which framework an organization chooses for managing its cybersecurity program, the framework will need to be adapted and fine-tuned to reflect the organization’s size and the nature of the data being protected. The point here is not to advocate for one framework over another; rather, the point is that choosing and implementing a framework is an essential first step in guarding against cybersecurity threats and launching a cybersecurity risk management program.

Attribute Two: End-to-End Scope
The second critical attribute of a cybersecurity program is its scope. An effective program must be comprehensive, or end to end, in scope—that is, the program must address all the critical elements that need to be protected in the institution.

To understand your full scope, you must “follow the data” and identify everywhere sensitive data is created, stored or transmitted. Beyond the immediate system, there might be many unknown data stores, including cloud services and third-party vendors.

Attribute Three: Thorough Risk Assessment and Threat Modeling
Because no institution has unlimited resources to devote to cybersecurity, the multiplying array of threats means risk assessment and prioritization are essential. By monitoring emerging threats and assessing both their likelihood and the damage they could cause, the cybersecurity team can develop a decision heat map that plots the potential risk against the cost and effort that would be required to protect against it.

Attribute Four: Proactive Incident Response Planning
For much of its history, the cybersecurity industry focused on preventing attacks. Prevention remains paramount, but preparing for the worst case is becoming equally important. Preparing an incident response plan, and updating it regularly, is the minimum first step.

An incident response plan covers the groundwork laid before any incident as well as the actions taken once one occurs. The typical plan encompasses the following fundamental steps:

  • Inventory and understand the data to be protected.
  • Inventory and classify incidents.
  • Understand known threats and monitor new ones.
  • Identify the stakeholders and incident response team—corporate communications, legal, compliance, lines of business, IT and external forensics partners.
  • Set up a command center.
  • Develop and implement a containment and investigation strategy.
  • Develop and implement an evidence preservation strategy.
  • Develop and implement a communication plan for customers, media, regulators and other stakeholders.
  • Conduct a post-mortem and apply lessons learned.

Attribute Five: Dedicated Cybersecurity Resources
The final critical attribute of a cybersecurity initiative is having sufficient resources dedicated to the effort—in particular, a designated cybersecurity team. Many organizations have not yet given adequate attention to this requirement, often neglecting to assign appropriate roles and responsibilities or failing to establish the necessary governance structures called for in the framework being used.

In most companies, the IT team’s day-to-day attention is focused primarily on keeping the system up and running—an understandable priority. After all, service interruptions are noticed immediately and the effects are apparent to almost everyone. On the other hand, security lapses or breaches are less visible than service interruptions—at least at first—and the benefits of prevention and incident planning are not nearly as obvious.

The cybersecurity effort should be led by an experienced team leader for whom IT security is his or her primary duty rather than a secondary function squeezed in among other priorities. If the company is too small to afford a cybersecurity staff member, consider retaining a professional cybersecurity firm to implement the IT security function in order to develop appropriate prevention and response plans.

Making the Right Investment in Cybersecurity

In a January interview with Bloomberg, Brian Moynihan revealed that Bank of America Corp. has an unlimited budget for cybersecurity. “I go to bed every night feeling comfortable that group has all the money, because they never have to ask,” said the Bank of America chairman and chief executive officer. “You’ve got to be willing to do what it takes at this point.”

The vast majority of banks can’t grant carte blanche to their organization’s information security team. Bank Director’s 2015 Risk Practices Survey found that most banks, at 60 percent, dedicated less than 1 percent of revenues to cybersecurity in 2014. Thirty-eight percent allocated from 1 percent to 5 percent of revenues to cybersecurity. Two percent dedicated more than 5 percent of revenues to cybersecurity.

Regulators don’t mandate a minimum cybersecurity spend; how much is the right amount is up to the bank. However, banks that are prepared to battle cybercrime typically aren’t hit as hard when the inevitable data breach or hack occurs. So bank boards face some difficult decisions when it comes to protecting their bank from cybercrime. How much should the bank invest? And on what? 

Tony Buffomante, principal in information protection and cybersecurity at KPMG, says bank boards want to know what the risks are, and whether their current programs are ready to mitigate cyberthreats. Identifying the areas of the business that the bank wants to protect from a potential cyberattack—where customer account data is housed, and what processes are involved—is key to determining how much to invest in cybersecurity, and where. “If they don’t really understand what the risks are, it’s difficult to figure out, ‘Am I investing enough?’” he says.

2014 Cybersecurity Budget, By Bank Size

                            All Banks   >$10Bn   $5Bn-$10Bn   $1Bn-$5Bn   <$1Bn
Less than 1% of revenues       60%       38%        50%          59%       72%
From 1% to 5% of revenues      38%       62%        50%          38%       28%
More than 5% of revenues        2%        0%         0%           3%        0%

Source: 2015 Risk Practices Survey

Cybersecurity Budget Increase for 2015, By Bank Size

                            All Banks   >$10Bn   $5Bn-$10Bn   $1Bn-$5Bn   <$1Bn
No increase                    21%        0%        20%          18%       35%
Less than 10%                  52%       57%        50%          56%       42%
From 10% to 25%                23%       43%        30%          23%       15%
From 25% to 50%                 4%        0%         0%           3%        8%

Source: 2015 Risk Practices Survey

As a rule of thumb, Michael Bruemmer, vice president of the data breach resolution group at Experian, recommends that companies commit 5 percent of their revenues to cybersecurity. Two of the more technical areas that the bank’s cybersecurity budget should prioritize are intrusion detection, to detect hacks and breaches, and encryption of data to make it more secure. Bruemmer calls encryption a cybersecurity “Get Out of Jail Free Card.” Depending on state laws, companies that can prove that their data was encrypted may not have to report the breach to customers. Security breach notification laws in states such as Arizona, California and Illinois specifically reference unencrypted data. That safe harbor typically assumes the encryption key was not taken along with the data, so how keys are stored and who can reach them matters as much as the encryption itself.

According to a 2014 study by the Ponemon Institute, the typical data breach for the financial services industry cost $236 per record lost, but companies that followed certain practices had lower than average costs. For example, the appointment of a chief information security officer (CISO) reduces the cost of a breach by $10 per record. Sixty-four percent of respondents to Bank Director’s Risk Practices Survey say they employ a full-time CISO, a practice less common for banks with less than $1 billion in assets (44 percent).

Preventing, detecting and responding to cyberthreats is at the core of information security. Banks need expertise in understanding what the risks are, someone who can implement controls to protect customer information, as well as watch for a breach and then react to it, says Buffomante. The role may be held by multiple people within the organization, or, instead of hiring a CISO, the role can be outsourced for banks that lack that expertise on staff. 

An outsourced CISO can be just as effective, says Bruemmer. “It’s not as important who you have on staff…but that you cover all the bases, whether it is outsourced or internally.” 

The median salary for an information security officer is $75,662, according to Crowe Horwath LLP’s 2014 Financial Institutions Compensation Survey.

Bank boards should recognize that the CISO isn’t the sole guardian of the bank’s digital assets. “Executives, meaning boards and senior executives of companies, need to participate and be involved in improving their incident response,” says Bruemmer. 

Beyond technology investments, Bruemmer believes the biggest area of focus for banks should be their employees. Training can make or break an organization’s cybersecurity efforts and investment, and Bruemmer says the root cause of most breaches is simple human error. Commonly, an employee makes a mistake and clicks a link in a phishing email, or doesn’t respond appropriately to an alert. “All of the budget expenditure in the world would not have stopped” these types of errors, he says. Employees should know not only how to prevent a breach, but how to respond to one as well. Banks need to have a plan.

According to Ponemon, an incident response plan for cybersecurity can result in a reduction of $17 per record. These plans should be tested regularly, so the bank is prepared when a real cyberattack occurs. Seventy-six percent of respondents to the 2015 Risk Practices Survey report that their bank has a cyber incident management and response plan in place. Of these, three-quarters regularly test it.

(Chart: Does your bank have a written cyber incident management and response plan? Source: 2015 Risk Practices Survey)

Another investment boards should consider is cyber insurance, which can reduce the impact of a data breach by protecting the institution from customer lawsuits and covering costs like credit monitoring, customer notification and crisis management.

The Federal Financial Institutions Examination Council encourages banks to join the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit source for intelligence on cyberthreats, which gives banks access to information on the latest threats. The council also plans to release a cybersecurity self-assessment tool, which will help institutions evaluate their ability to mitigate these risks.

Bruemmer argues that the success and failure of a bank’s cybersecurity preparedness doesn’t come down to how much money is thrown at the problem. Instead, it’s more about the bank’s dedication to protecting the bank, and focusing resources on the issue. The board should play a strong role, though fewer than 20 percent regularly address cybersecurity within meetings, according to the 2015 Risk Practices Survey. Just 8 percent of respondents from banks with less than $1 billion in assets say their board addresses the issue at each board meeting. Although the board’s job isn’t to manage the bank’s security, it should provide effective oversight in terms of knowing about the bank’s security plans, staffing and resources, and making sure those are adequate.

Cybersecurity “needs to be part of the board-level strategy discussion,” says Bruemmer. It “is so impactful to the organization’s ongoing reputation and viability, [and] it needs to be connected to the board level.”

Cyber Criminals: How to Keep Them Out of Your Bank

Wyndham Worldwide and Target Corp. (and their officers and directors) were recently hit with cyber-security derivative lawsuits related to data breaches. Allegations in the cases were that the companies failed to maintain reasonable and appropriate data security for consumers’ sensitive and personal information.

Until this week, when news broke that Russian hackers apparently hit JPMorgan Chase & Co. and four other banks, banks had not suffered any significant data breaches, but regulators are concerned that more cyberattacks will be a threat to the safety and soundness of the financial system. Bank customers have great confidence that their personal financial data is highly protected by their banks. Bank management and directors must not let customer confidence in the banking system wane.

The Comptroller of the Currency, Thomas J. Curry, made a speech in Washington, D.C. on April 16, 2014, imploring banks, especially community banks, to shore up the industry’s defenses against cyberattacks. In his speech, Curry emphasized that banks are attractive targets for terrorists and criminals alike, because “that’s where the money is.” “[Banks are] attractive to terrorists because of the potential to inflict significant damage on our nation’s economic security and way of life.”

The OCC also has said bank executives and directors must monitor and oversee third-party risk management in all aspects of the bank, especially when the bank outsources internal bank functions (processing, internal audit, loan review, etc.) to third-party vendors. Outsourcing the mechanisms behind a bank’s customer products (remote deposit capture, mobile banking, bill payment, overdraft protection, etc.) requires management to constantly monitor and test those systems to protect customer accounts and information from cyberattacks by “hacktivists.” Senior management and the board must have measurable and verifiable goals to ensure that third-party vendors are competent and capable of building security controls, among other things, to protect customers from cyberattacks.

What Do You Need to Do?

  • Perform extensive due diligence on all third-party vendors that provide services to your bank. Background checks are a must.
  • Complete and thorough documentation of the due diligence process must be recorded and retained.
  • Clearly understand the history of the third-party vendor’s performance and legal compliance.
  • Review information security, business continuity and testing of the systems being sold to you.
  • Understand the proposed contract between the third-party vendor and the bank. There should be a clear description of the services to be provided.
  • Determine business resumption plans, continuity plans and contingencies of the system. In addition, review the vendor’s procedures in the event of a security breach.
  • Require that the vendor permit the bank’s regulatory authorities to examine the vendor.
  • Review your insurance coverage to be sure damages and losses from cyberattacks are fully covered.
  • Finally, review carefully provisions in the contract dealing with allocation of losses and responsibility for complaints.

Other important contract provisions include indemnification obligations, ownership of customer information, restrictions on use of information, flexibility for loss/regulation changes and rights upon breach of contract, including termination rights.

Senior management and the board must oversee and monitor performance, fraud losses, suspicious activity and complaints. There must be control of marketing/consumer communications and complaints and monitoring of the processes to ensure information security contract compliance and financial ability of the vendor to perform.

Accordingly, a bank must have sufficient internal resources to ensure that the programs in high-risk customer services (e.g., ACH) are operating as designed. This means that there must be adequate and qualified staff with subject matter expertise available. The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. have issued risk management guidance (e.g., OCC 2013-29 and FIL-3-2012). Your bank must carefully review this guidance and be sure that you are managing third-party risk appropriately.

As Comptroller Curry emphasized, “managing these vendor relationships is especially important in the realm of IT systems and information security, particularly with respect to smaller banks and thrifts.” As a result, the OCC is particularly focused on “controls and risk management practices employed by vendors that provide services to banks and thrifts.”

There can be nothing more damaging to the reputation of the banking industry than major security breaches at banks. As bank customers, we are all at risk of having our personal financial information stolen by hacktivists. Senior management and the board must ensure that IT systems are secure and continually updated to avoid security breaches.