Guarding Against Virtual Viruses in a Pandemic

As healthcare experts work to mitigate the Covid-19 pandemic, the banking industry is faced with fighting other viruses.

Cyber attackers are known to be opportunistic, pouncing during times of anxiety and uncertainty. Rest assured, they won’t let up once the coronavirus has run its course. While information technology directors are focusing their attention on processing huge volumes of Small Business Administration loans and assisting bankers working remotely for the first time, computer virus and malware threats continue to rise. If not handled effectively, this could threaten the security of the financial system.

Dr. Anthony Fauci, head of the National Institute of Allergy and Infectious Diseases, cautions that Americans need to prepare for the possibility that Covid-19 could return — or even become a seasonal disease. With such prospects, savvy bank directors should familiarize themselves with their institutions’ data security and technology infrastructure. Here are six points to consider when assessing the future of their bank’s information security system:

Look again at business continuity plans. While your bank may have one, it likely did not consider the immediate worldwide demands for laptops and network hardware needed to configure remote work capabilities. Nor did these plans likely consider supply chain interruptions when factories shut down in Asia, where the virus was first detected. The lesson: If you wait until the next global emergency occurs, you might be too late. Plan now.

Consider the increased risk with more employees working remotely. The larger the inventory — coupled with less control of who uses the computer — the tougher it is to protect. An even more concerning practice is allowing bank employees to use personal computers to access bank networks. Firewalls, spam filters, anti-virus software and other security measures should not be determined by individual employees.

The Cybersecurity and Infrastructure Security Agency has issued guidance related to remote work and defending against Covid-19 scams. One of their tips is to ensure virtual private networks, or VPNs, have the latest software package and configurations, and that current anti-virus software is installed and up-to-date. Multi-factor authentication is another must-have for protecting your bank’s network.

Make sure you have enough IT support. Even before Covid-19, there were not enough qualified technical staff to fill available positions. The increased demand for remote connectivity has further stretched IT departments. Make sure your technology departments are fully staffed, or have access qualified outside help.

Be sure employees are hyper-vigilant. Attackers hope that more distance between coworkers will equate to guards being lowered. Ensure that employees are regularly reminded of social engineering, email and other current threats to increase top-of-mind awareness of cyber security.

Be aware that some attacks are physical. We typically think of cyberattacks occurring “invisibly,” through system networks and software. But at least one entity is now mass-mailing infected “free” USB drives to financial institutions. Remind employees to discard any hardware that comes from unknown sources.

Consider the benefits of cloud technology. A recent article in The Wall Street Journal described how remote-work capabilities could become more common as money tightens and daily operations need more flexibility. Cloud computing is both more efficient and flexible, and is easily scalable. Bank regulators have taken notice, saying that outsourcing such technologies gives banks more options.

Time will tell, but this may be a turning point for American business. As more workers have established a routine for working from home — and have found surprising levels of efficiency and productivity — it’s expected that this could become more of the norm, at least in the near term.

Some in the financial services industry have been slow to change; they may now be forced to out of necessity. It’s incumbent upon directors to champion for this flexibility and resiliency by ensuring their data security and information infrastructure is ready to handle it.

How Banks Can Use the Dark Web to Shed Light on Cybersecurity


cybersecurity-9-5-19.pngCyberthreat intelligence, or CTI, can give bankers a deeper understanding of the potential threats that face their business.

Whether it is knowing your enemy or learning about the latest malware, CTI provides information that can help executives make prudent, risk-based decisions. This information comes from the open internet as well as closed sources, including the darknet and dark web. Analyzing this CTI can produce insights and identify signs of a potential breach, leaked data or pending attacks.

The darknet is the part of the internet that is not accessible through conventional browsers and requires specific software or configurations; the deep web is the part of the internet that is not accessible through search engines. Some nation states, cybercriminal gangs and threat actors thrive in this underground economy through illegal activity that includes the sale of personal information, financial goods and illicit services. For bank’s CTI, the deep web and darknet are a treasure trove of breached information and threat indicators.

A vast majority of these cyberthreat intelligence sources contain goods and sensitive data stolen from the financial services industry. Potential financial gain drives bad actors to maintain a thriving marketplace built on illicit items, including debit and credit card numbers, identity theft services and banking malware.

While no tool or service can completely eliminate the risk of a data breach, integrating CTI into a bank’s cybersecurity program can make it more difficult to target and lower the likelihood of a breach. To get value from CTI, a bank can:

  • Identify the threat actors that are leveraging potential vulnerabilities in systems used by the financial sector;
  • Understand whether a particular organization or client is being targeted directly;
  • Detect active malware campaigns that could target the bank;
  • Learn where its customer and employee information may exist;
  • Find breached credit or debit cards on deep web or darknet marketplaces; and
  • Understand emerging trends regarding data theft.

There are a variety of ways that financial institutions can leverage, and directly benefit from, CTI. Some examples include:

  • Incorporating technical indicators of compromise into the company’s security information and event management system;
  • Briefing high-level executives on industry trends and providing intelligence on potential future attacks;
  • Providing intelligence briefings to security operation centers (SOCs), increasing the situational awareness of technical campaigns and bad actors;
  • Developing incident response scenarios;
  • Achieving timely integration with fraud teams to deactivate stolen credit or debit cards;
  • Working with law enforcement to remove stolen credit, debit or other financial information from the deep or dark web;
  • Segregating and limiting internal access to systems if an individual’s credentials are exposed;
  • Communicating with social media and marketing teams about exposed data; and
  • Implementing patches for known vulnerabilities that are discovered on external-facing systems and applications.

What does a successful CTI program look like at financial institutions?
Deep analytical CTI is usually not possible at small- to medium-sized financial institutions using the internal resources of their existing security teams, and is often outsourced to a vendor or third party. Outsourcing can provide some value-added actions, such as:

  • Identifying breached credit and debit cards or other financial information;
  • Monitoring chatter about C-suite executives;
  • Assisting in fraud prevention through credential theft;
  • Thwarting attacks planned by adversaries that uses new financial theft malware, ransomware or Trojans;
  • Examining reputational damage or brand-related chatter for an organization;
  • Identifying large credential data dumps or breaches;
  • Identifying or ascertaining stolen or fraudulent goods like blueprints, skimmers and physical devices, or sensitive data such as tax forms, personally identifiable information and protected health information.

CTI can provide a variety of actionable information that executives can use to make better cybersecurity decisions and assess their risk appetite. With CTI, bankers can prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. A deeper understanding of the threats they face gives companies a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.

How Financial Institutions Should Prepare For and Respond to a Cybersecurity Incident


cybersecurity-7-2-18.pngCybersecurity incidents and data compromises continue to plague financial institutions on a seemingly daily basis. Without a proper response plan in place, financial institutions risk significant damage to their reputation and operations, as well as serious potential liability from regulators and class-action litigation. This guide outlines the procedures financial institutions should implement to prepare for and respond to a cybersecurity incident.

It is crucial that financial institutions adopt a response policy to mitigate the harm of a cybersecurity incident. This policy should establish a response team, including an executive officer and technical and operational personnel, charged with handling all cybersecurity incidents.

Time is of the essence during any cybersecurity incident, and communication is vital to the response team’s effective handling and investigation of the situation. Each employee should know how to report an incident. Notification processes, responsible personnel, and other elements of the communications plan should be as seamless as possible to enable the cybersecurity response team to immediately investigate the potential incident and determine whether an incident actually occurred. As soon as the incident is confirmed, the team must immediately respond.

Determine the severity of the incident. The response team should first determine the severity of the harm and the type of incident that occurred. This will help determine the scope of response necessary to appropriately address the incident. The team should be sure to create a detailed record of all investigations and responses.

Mitigate the harm. The response team next should work to mitigate the harm on its systems. For example, the team can quarantine or isolate the compromised system, install security patches to prevent further incidents, update anti-virus signatures, and conduct a vulnerability analysis to identify elements of the system potentially at risk of a similar incident.

Establish lines of communication. Pre-determined and clear lines of communication, both internal and external, are critical to responding to an incident. The response team should also be in communication with appropriate auxiliary teams in the financial institution. For example, if the cybersecurity incident led to customer information being compromised, the response team should coordinate with the customer relations team to facilitate customer notification. Senior management should also inform the board of directors of the incident so that the directors can assist in developing a response strategy as appropriate.

When deemed necessary, the response team should also be in contact with third-party advisors, such as legal counsel or forensics experts. If the response team determines an incident has potentially compromised personally identifiable information or other legally protected information, the team should immediately contact legal counsel and the institution’s insurance carrier (unless instructed otherwise by legal counsel).

Review and repair vulnerabilities. After a financial institution has experienced a cybersecurity incident, it should evaluate system vulnerabilities by identifying the incident’s source and method. The financial institution should rectify or mitigate the risk of the vulnerabilities as soon as possible.

After addressing the incident, the financial institution should also evaluate its response team’s efficiency and effectiveness. Are there aspects of the plan that can be improved? Were the communication lines clear and efficient? How long did it take for the team to spring into action? How long did it take to implement the mitigation? Was the response team appropriately staffed? Answers to these and other probing questions will serve to better prepare the institution for the next incident and should provide the basis for improvements to policies and procedures.

Preparing in advance for a cybersecurity incident can mean the difference between quarantining the release of sensitive data and having the sensitive data released to the public; and because preparations help control damage even if a breach happens, they can also make the difference between a small, manageable cybersecurity incident and a large, cumbersome data breach that could severely damage the reputation and operations of the company.

How Poor Communication Practices by Directors Increase Cyber Risk


cyberrisk-10-9-17.pngThe role of a corporate director is continuously expanding, particularly in the banking space. Beyond growing profits, today’s directors are also responsible for ensuring corporate ethics, social responsibility, cybersecurity and more. Unfortunately, many directors are still using their old communication tools. A recent report from the New York Stock Exchange and Diligent found that the communication practices of directors and executives are potentially increasing their company’s level of cyber risk for the sake of personal convenience.

These findings are particularly alarming in the context of recent regulatory pressures on boards to be held accountable for data privacy and cyber breaches—including a recent ruling by the New York State Department of Financial Services applicable to all financial services firms conducting business in New York, and the impending impact of the European Union’s General Data Protection Regulation for every company that serves EU customers. (For further details about the New York regulations, see “New Rules for Financial Firms in New York Put New Onus on Boards.”)

The NYSE/Diligent report noted that while directors and executives have access to sensitive data, they operate with little-to-no direct oversight by the company’s IT/data security teams, and are therefore not restricted to using only secure communication channels when discussing board business. In fact, of the 381 corporate directors of publically traded companies surveyed for the report:

  • Ninety-two percent use personal email accounts (outside corporate firewalls) at least occasionally to conduct board business.
  • Fifty percent regularly download confidential company documents onto personal devices or computers.
  • Sixty-two percent are not required to undergo cybersecurity training.
  • Forty percent “didn’t know” if the board had ever conducted a security audit.

So what what are some best practices for secure board communication that banks and financial institutions can employ to mitigate cyber risk and prepare their directors and executives to meet the challenge?

Training and Assessments
Cyber threats can change at a moment’s notice, and regulatory requirements in the cybersecurity space continue to evolve. Regular training is imperative for board members, especially experienced directors who need refreshers or may not be aware of the latest risks. Customize the training to include a review of the practices your company expects from directors to ensure they are handling sensitive information appropriately, and continue to revisit these on an annual basis.

Bring the data security team into the boardroom to conduct an audit of directors’ communication practices. By ensuring that directors are handling documents only through secured and encrypted channels, your company can minimize exposure to some of the worst penalties of the new regulations.

Also, leverage the annual board evaluation by making cybersecurity a key component of board success. Query directors on their level of readiness to handle a material data breach or leak, and their understanding of the board’s responsibility versus the roles of IT and the management team. From there, the company can identify areas where further education and training are needed.

Keep Business and Personal Separate
Free email service provider use has been the center of too many corporate cyber incidents in recent years—yet directors continue to use personal email as a primary communications method rather than adopting more secure technology. Why? While internal emails and servers typically have heightened security and stronger encryption, many directors reject company-issued email accounts because they serve on multiple boards, which could lead to a single director having to check multiple inboxes and multiple calendars to conduct board work.

But what directors gain in convenience by using personal email, they lose in increased risk. The better solution? Give up on email altogether and opt for a secure messaging tool.

Secure and Convenient Technology
Select a secure messaging tool that is designed specifically for director communication and can be integrated into your existing governance software. There are a number of considerations to keep in mind. Do your directors prefer to use mobile? Do they want to make digital edits while reviewing board docs? What level of protection and encryption do you need?

These platforms can alert directors’ mobile phones when messages arrive and allow them to login with biometrics—while still enabling the data security team and corporate secretary to control record retention and data encryption. It not only facilitates convenient board communication, but can also be a last line of defense in case devices are stolen in transit, lost on planes or impacted by viruses/malware while connected to unsecure Wi-Fi.

Six Best Practices to Help Customers Achieve True Data Privacy


data-7-24-17.pngWith today’s constant news stream of ransomware threats, denial of service attacks and data breaches, data privacy is more of a concern than ever. But, what exactly do we mean by data privacy, and how can we convey its importance to customers?

At its root, data privacy is the concept of implementing appropriate controls related to the sensitivity of data. There are two key components of data privacy: data classification and data protection.

Data classification simply means understanding the sensitivity level of data. There are three main categories: public, sensitive and confidential. Any data, even that which is publically available, can be collected and used by a criminal to profile their prey. The numbers tell the story: Through July 6, 2017, according to the nonprofit Identify Theft Resource Center, we’ve seen a total of 791 breaches and 12.39 million compromised records across all major industries.

Data classification helps determine the level of protection warranted, with confidential data justifying the most:

  • Confidential data, such as social security numbers, bank details, or other personally identifiable information—whether in transmission or storage—should be encrypted, and devices used to store and transmit it should be secured as well. When disposing of this data, whether electronically or in a tangible format, the data records should be fully destroyed through shredding (electronic or physically). In some cases, entire storage devices should be destroyed.
  • Sensitive data, such as religious or relationship information, or private business plans, is similar to confidential data in that the owner does not wish to share it with others. As such, sensitive data often is protected similarly to confidential data. The only differentiator is the amount spent to protect it.
  • Public data is that which is publically available, like where a person attended high school.

With greater access to information, coupled with the increased rate and publicity of compromise, many consumers are numb to the severity of a data breach, even though strengthening the environments in which they store or transmit data should be top of mind.

Below are six best practices you can convey to your customers to help them achieve real data privacy:

  • Employ data encryption for both storage and transmission. One advantage of encrypting all data is that a decision doesn’t have to be made regarding classification when it comes to encryption. A second benefit is that a criminal doesn’t know what to target when all data is encrypted.
  • Avoid accessing data such as emails, cloud storage, and the like on a public computer or network, which are easily compromised. If a public network must be used, virtual private network (VPN) encryption is necessary when sensitive or confidential data is being accessed. Keep in mind, passwords aren’t always transmitted in an encrypted format, so a criminal could intercept the password. Public computers should be used only as a last resort, and never to access confidential or sensitive data.
  • Ensure your computer is patched and protected with a firewall and up-to-date anti-malware solution. Further, even careful users should periodically have their machine inspected for malware and cleaned by a trusted technician; with the sophistication of malware today, even the most cautious and educated can still end up compromised.
  • When possible, implement multi-factor authentication, which entails using more than one means of authentication, such as passwords and authentication codes. This is one of the most promising ways to ensure data and accounts remain secure, yet even these systems aren’t foolproof. Avoid receiving texts of access codes when possible, as this is a weaker form of multi-factor authentication. Use authentication applications, phone calls or a secure email account instead, and remember that codes sent to a device are only as secure as the device itself.
  • Use strong passwords that are changed at least every 90 days. Passwords should, when allowed, be at least 15 characters in length and complex in nature, including letters, numbers and symbols. Also, password safes like KeyPass are useful for storing them. And remember, treat your password like your toothbrush: never share it and change it often.
  • Consider the sensitivity of the data you store in the cloud. Utilizing a cloud service means entrusting a company to protect your data, so ensure the provider is equipped to protect the data to the same degree that you would. Another alternative is encrypting the data with your own encryption key before storing it in the cloud, which helps mitigate risk.

While one of banks’ most important tasks is protecting customer data, educating customers to respond in kind goes a long way toward a common goal.

New Rules for Financial Firms in New York Put New Onus on Boards


cybersecurity-7-10-17.pngNew York-based financial services companies are under a new rule of law, intended to protect consumers from the repercussions of a cyberattack and one that puts boards in a front-and-center role when it comes to the company’s security.

Touted as the first law of its kind in the United States, New York enacted new cybersecurity regulations this year, outlining standards that are sure to resonate beyond the financial businesses—such as banks, insurance companies and other financial services firms—that the law targets.

How Far Does Regulation Go?
Companies regulated by the state’s Department of Financial Services (DFS) are required as of March 1, 2017, to create and maintain a cybersecurity program to protect the privacy of consumers and the safety of the state’s financial services industry.

It only applies to those that DFS oversees—in other words, only financial services organizations must comply with the regulation.

New York’s rules, DFS notes, don’t extend to nonfinancial companies. There are limited exemptions for companies with fewer than 10 employees, less than $5 million in gross annual revenue or less than $10 million in year-end total assets.
Still, the message from New York is a strong one: consumers are protected here, and financial firms will be held accountable.

Several of the regulation’s mandates outline the ways in which a company must comply, and in doing so, vastly widens the base of those culpable for a breach and the requirements of a board to pay attention to its potential vulnerability and its cybersecurity planning.

New Duty for Board Members
The idea that board members should make cybersecurity a priority has risen over the years, coming into focus with the Target data breach in 2013 that resulted in members of the board of directors being sued.

In reality, banking regulators have held boards responsible for their banks’ cybersecurity program for years, as described in the Federal Financial Institutions Examination Council’s IT Examination HandBook.

In it, the banking regulators place oversight of the development, implementation and maintenance of the IT security program in the board’s hands, and say the board must hold senior management accountable for its actions and review the overall status of the program at least annually.

This new regulation expands on that. It requires board members to ensure that there’s a framework in place at the company “for a robust cybersecurity program,” and one “that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most senior governing body of the organization.”

That means nontechnical leaders on the board must take an active role in security oversight.

For the first time, the new rules say the firm must hire a chief information security officer, or CISO, to oversee policies and ensure that they’re working effectively. The CISO would report at least annually to the board, the DFS says, and according to the regulation, that person can be employed by an affiliate or third-party provider instead of being employed by the company itself.

It’s not uncommon for companies to have much of the new regulation’s guidelines already in their processes, but it’s good to tie it to risk assessments. Lastly, as the law firm McGuireWoods notes, the new rules require penetration testing at least annually and vulnerability assessments at least quarterly. Among new provisions, institutions must track and maintain cybersecurity records for at least six years, encrypt sensitive data and report any cybersecurity event to the Department of Financial Institutions within 72 hours of becoming aware of it.

What Comes Next
Entities have varying times to comply with specific requirements, from 180 days to two years after the regulation went into effect in March. Financial companies outside of New York are likely to look at these regulations to get a sense of what’s coming for the greater industry.

To learn more about protecting your organization’s security as a member of a board, read this white paper written in conjunction with the New York Stock Exchange to improve your cybersecurity practices.

Fintech Opportunities for Your Bank: A Voyage Into New, But Not Uncharted Waters


strategy-6-9-17.pngFinancial technology, or fintech, is creating a dynamic range of new services and products for banks. Much of the initial discussion about fintech focused on disruption and replacement of traditional banking products and services.

Now, fintech is evolving and is creating new opportunities for banks to expand their products and services, as well as creating various non-interest revenue possibilities through partnering and joint venturing with fintech entities.

Increasingly, fintech entities such as online lenders and payment systems are turning towards partnering and joint venturing with banks for a simple reason they need banks. They need banks because banks can hold federally insured deposits and have the experience and track record of existing and prospering under various federal and state regulatory regimes. However, working with a fintech is not necessarily a voyage into uncharted waters while regulators may adapt with new technologies, banks are comfortable working in the existing banking regulatory ecosystem.

Some existing examples of fintech entities working with banks include:

  • licensing online lending platforms
  • licensing online customer interface platforms
  • using banks as insured depository support for payment systems
  • developing cryptocurrencies
  • developing digital tools that allow banks to mine and harness data for more efficient operations

State and federal regulators are expanding their ever-advancing regulatory agenda to cover fintech’s unique aspects. Indeed, the Office of the Comptroller of the Currency recently announced plans to start issuing Special Purpose National Bank charters to fintech entities, which the state regulators are heavily criticizing. Fintech entities are debating whether they will seek a federal charter in its proposed form.

Nevertheless, if your bank is considering working with a fintech entity, you should consider the following issues:

Strategic Plan: The first, and primary issue that your bank should consider is whether the fintech opportunity fits your bank’s strategic vision and innovation plan. If the opportunity does not, the relationship may not only be not successful, but ultimately detrimental to your bank’s efforts in this area.

Vendor Management: Vendor management is an especially critical area because most banks will choose to work with a fintech entity that owns, develops and services the technology. The key for banks in this area is know their fintech partner and understand the deal. Fintech partners can range from early-stage start-ups to mature entities. Many of these fintech entities have little bank regulatory experience and may be learning as they develop and deploy their products without the legacy regulatory experience. They may also propose contract terms that expose banks to unnecessary risks. The challenge for banks is to conduct thorough due diligence on their fintech partner and understand the agreement.

Cybersecurity: Because essentially all fintech-based products and services are online, cybersecurity is a significant consideration. Additionally, most fintech accumulates and evaluates customer data, which is very attractive to cybercriminals. The critical issue for banks is the ability to ensure that their fintech partners are employing best-of-class cybersecurity practices, not simply regulatory compliant cybersecurity, because the cybercriminals are almost always one step ahead of their targets, as well as the regulators. This will also help the bank protect itself in the event of a data breach or an attack.

Data Privacy: If your bank is working with a fintech, banks should ensure that there are provisions to protect your customer’s data so that it is not used or disseminated in a way that violates the law, as well as provide adequate disclosures to your customers about how their data is used.

Consumer Banking Laws and Regulations: If a bank is working with a fintech entity in providing any type of consumer services, federal and state consumer lending laws and regulations will likely apply to that activity. The combination of new technologies and a fintech entity without a great deal of regulatory experience could spell trouble for a bank partner.

Bank Secrecy Act/Know Your Customer/Anti-Money Laundering: BSA/KYC/AML issues remain critically important for regulators and fintech entities working with banks need to be fully versed in them.

Even considering the regulatory and related issues, working with a fintech is not a voyage into uncharted waters. The tide is also changing, and fintech can provide your bank potentially great opportunities to grow and develop as technology evolves and as fintech entities mature in this sector.

Cybersecurity Governance: How to Protect the Bank


cybersecurity-12-23-16.pngModern banking increasingly relies upon technology and the internet to manage and streamline business operations. With increased dependence on technology comes an increased risk of security threats. Kaspersky Lab reported it had detected 323,000 malware files per day using its software in 2016. This number is 4 percent higher than in 2015.

The impact of a successful cyberattack is often quite damaging: legal liabilities, brand reputation, lack of trust from customers and partners, and ultimately, revenue. The average cost of a data breach is now up to $4 million, according to a 2016 Ponemon study.

Banks are responsible for more data than ever and as data use continues to grow, banks face the challenge of properly creating strategies, frameworks and policies for keeping sensitive data secure. Meanwhile, criminals develop new and sophisticated tactics to target valuable data.

Security is, and should be, a concern for all employees. However, leadership must be responsible for establishing and maintaining a framework for information security governance. Information security governance is defined as a subset of enterprise governance that provides strategic direction, ensures objectives are achieved, and manages risks while monitoring the success or failure of the IT security program.

Whether it is the board of directors, executive management or a steering committee that is involved—or all of these—information security governance requires strategic planning and decision-making.

Best Practices
Despite the threats of cyberattacks and data breaches, banks can take proactive steps to better position themselves for successful security governance. What follows are five strategic best practices for information security governance:

1. Take a holistic approach.
Security strategy is about aligning and connecting with business and IT objectives. A holistic approach can provide leadership with more levels of control and visibility.

What data needs to be protected? Where are the risks? Take a unified view of how information security impacts your organization and how employees view security. Get early buy-in from key stakeholders, such as those in the IT, sales, marketing, operations and legal departments. Scope out what data needs to be protected and how that fits into the larger picture.

2. Increase awareness and training.
Although developed by leadership, information security governance speaks to all employees within the organization and requires continued level of awareness. Governance creates policies and assigns accountabilities, but each member is responsible for following the security standards.

Constant training and education on security best practices is vital. The cyberthreat landscape is rapidly changing and employees, and company training, must keep up. This way, if new threats emerge, you will be prepared.

3. Monitor and measure.
Information security governance should never have a “set it, then forget it” approach. It’s about ongoing assessment and measuring. Monitoring ensures that objectives are being achieved and resources are appropriately managed. What security governance policies are working? Which policies are not?

Conduct mock data breach scenarios to test the efficacy of corporate teams and company incident response plans. Test results can reveal strong and weak links—what the bank needs to concentrate on, and what security governance policies work well under pressure.

4. Foster open communication.
Stakeholders should feel they can openly communicate directly with leadership, even when sharing bad news. Open communication promotes trust and brings a higher level of visibility throughout. Engagement is key. Consider creating a steering committee comprised of executive management and key team leads (IT, marketing, finance, PR, legal, operations, etc.) to review and assess current security risks.

5. Promote agility and adaptability.
Gone are the days of monolithic, cumbersome governance; banks need to adapt quickly to meet the changing tide of security threats. IT management, which is typically concerned with making tactical decisions to mitigate security risks, might have some hands-on experience and opinions about the effectiveness of a particular security policy, but their recommendations can only go so far without C-suite support. Leadership must quickly determine how to implement suggested changes throughout the bank. And if a security governance policy is ineffective, leadership must be willing to jettison the policy.

Overall, successful information security governance involves a continuous process of learning, revising and adapting. Banks need to be proactive and strategic with their security posture. Threats and incidents are inevitable, but moving strategic security governance to the forefront of your organization can help protect valuable information.

Download the full Diligent white paper: Five Best Practices for Information Security Governance.

Three Critical Steps to Launch a Data Breach Response


data-breach-1-8-16.pngAs we look back on 2015, it is easy to see the heightened stakes in data breach response.

The U.S. government’s Office of Personnel Management was hacked, with as many as 22 million Americans’ personal data stolen. This includes fingerprints and background checks. One hacker tapped into the director of the CIA’s personal emails and breached a portal that law enforcement, including the FBI, uses to share intelligence and book those arrested.

It’s not just government agencies that fall victim to attacks. Any company that collects sensitive data can become a target for hackers and nation-state actors.

The risks are getting higher for those whose data is breached, too. Javelin Research predicts that by 2018, some eight million people will experience a credit card breach and identity fraud within the same year. There is no doubt that criminals have become more sophisticated and better able to parlay one successful hack into another. Cyber criminals have crafted more elaborate “social engineering” methods—tricking people into compromising corporate security. Phishing schemes still deceive about one in four people, according to the Verizon 2015 Data Breach Investigations report.

This only reiterates that idea that a cyber attack is likely for almost every organization. There are steps that a smart company can take now to help mitigate the damage should a breach occur. Preparing for a cyber attack must become as ingrained in the company culture as a tornado evacuation plan or a fire drill

One of the key steps to prepare for an effective breach response is to build a data breach response team, which has created—and practiced—a response plan. Make sure that contact numbers for team members—including those for non-work hours and mobile phones—are readily available. A customer support and communication plan should be built into any response and should cover how customers and regulatory agencies will be notified and when, as well as what protections will be offered to those affected.

Proper preparation is only one piece of the puzzle, however. In the event of an actual breach, there are critical steps to take to ensure your organization is able to successfully launch your customer-facing response:

  1. Immediately assemble the breach response team. Your team should include internal experts as well as third-party partners such as communications and legal experts. A partner experienced in the customer-facing aspects—including responding to the surge in customer demand, answering identity theft-related questions, and providing identity protection services—should be part of the team.
  2. Review and update the plan. A plan that has been carefully honed in advance is certainly an advantage. But it may not have anticipated some of the nuances of the particular data breach your organization is facing. So, one of the first action steps for the crisis response team is to look at the documented plan and make any changes needed. If there is one guiding principle in any plan, it should be to keep the response focused on your customers.
  3. Launch the initial response. This includes informing customers, and in some cases, regulatory agencies, about what has happened and how you plan to minimize any damage that results from the event. One significant misstep to avoid: Don’t provide public information that may need to be corrected at some point. Instead, only release the information that is known and confirmed at the time. There is nothing that will breed a lack of confidence more than a constantly shifting explanation of what happened.

As for the customers, this is a good time to let them know exactly how you intend to protect them. Understand, though, that they may be hesitant to provide their information to a third-party service—especially if this data was not compromised in the breach. And they will be suspicious of anything that smacks of an attempt to upsell them. To combat these challenges, lead with the promise that you will repair any harm that comes to them as a result of the incident.

In 2014, there were nearly 80,000 security incidents, according to the Verizon Data Breach Investigations Report. And business news web site ZDNet reported that one billion personal records were illegally accessed in those breaches.

The time for asking “if” a data breach will occur has passed. It’s time to prepare as if one is inevitable.

Getting Started With Third-Party Risk Management: Two Key Questions


risk-manangement-12-22-15.pngBanks often outsource technology services to third-party vendors. In light of increased regulatory attention and third-party involvement in day-to-day business operations, many bank boards and senior management teams are considering their approach to developing a third-party risk management program. A thoughtful approach based on an initial assessment of the bank’s current state can result in better risk management and compliance that aren’t overly burdensome. Addressing two important questions will help begin the process of successfully launching an effective third-party risk management program.

Does our bank have a full inventory of its contracts and agreements?
While most banks have some type of contract management system, many typically use low-tech storage facilities—like databases of scanned copies or even hard copies in file cabinets—from which data can’t be extracted. Such storage facilities rarely contain complete records of all executed contracts, and even simple data like contract renewal notification and expiration dates are not tagged or automated. In such environments, contract terms and conditions don’t keep pace with changes to regulations and the business environment, and financial reporting and accounting concepts, such as unrecorded liabilities, contingencies, and financial commitments, exist but may not be understood or monitored.

To address such drawbacks, banks should do a complete inventory of critical relationships to ensure that they have a complete inventory of current contracts. The contracts should meet current regulatory and business requirements, and data within the contracts should be metatagged, meaning tagged with coding in a web page so it can found with a search engine. Banks should consider establishing standard, required contract terms and using technology to track compliance. Increasingly, contracts are being moved into third-party risk management systems for a “single-book-of-record” view and improved risk management beyond basic compliance.

How do we identify all relevant third parties and manage the overall effort?
The potential universe of third parties in an organization can seem endless—from global companies to intercompany affiliates to mom-and-pop providers. On top of that, the potential universe of third parties is never constant. Companies regularly are onboarding and terminating third parties and expanding or reducing third-party services. While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or Service Organization Control reports, for example) that support a risk assessment at the third-party relationship level, it is easy to lose sight of the entire population of third-party relationships. Depending on how a bank defines third parties, that population could include franchisees, external salespeople and debt holders, among others. This is one area of risk management where completeness counts.

To make such a project manageable, banks should create a strategy and roadmap to systematically identify third parties using an inclusive definition. Banks should invest in the initial data-gathering phase and make it an enterprise-wide endeavor. Effective sources of relevant information include surveys conducted by the various lines of business, contract facilities and databases, accounts-payable systems, and legal counsel. The process needs to be sustainable or the population soon will become invalid. Banks should conduct an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk. The project roadmap should include necessary activities and the timing and resource needs related to existing and future third-party due diligence and assessments.

Moving Forward
As financial institutions work to effectively comply with the regulatory guidance and manage the risks associated with third-party relationships, creating a strategy and roadmap will help achieve compliance and avoid an overly burdensome process.