Three Critical Steps to Launch a Data Breach Response


As we look back on 2015, it is easy to see the heightened stakes in data breach response.

The U.S. government’s Office of Personnel Management was hacked, with as many as 22 million Americans’ personal data stolen. This includes fingerprints and background checks. One hacker tapped into the director of the CIA’s personal emails and breached a portal that law enforcement, including the FBI, uses to share intelligence and book those arrested.

It’s not just government agencies that fall victim to attacks. Any company that collects sensitive data can become a target for hackers and nation-state actors.

The risks are getting higher for those whose data is breached, too. Javelin Research predicts that by 2018, some eight million people will experience a credit card breach and identity fraud within the same year. There is no doubt that criminals have become more sophisticated and better able to parlay one successful hack into another. Cyber criminals have crafted more elaborate “social engineering” methods—tricking people into compromising corporate security. Phishing schemes still deceive about one in four people, according to the Verizon 2015 Data Breach Investigations Report.

This only reinforces the idea that a cyber attack is likely for almost every organization. There are steps that a smart company can take now to help mitigate the damage should a breach occur. Preparing for a cyber attack must become as ingrained in the company culture as a tornado evacuation plan or a fire drill.

One of the key steps to prepare for an effective breach response is to build a data breach response team, which has created—and practiced—a response plan. Make sure that contact numbers for team members—including those for non-work hours and mobile phones—are readily available. A customer support and communication plan should be built into any response and should cover how customers and regulatory agencies will be notified and when, as well as what protections will be offered to those affected.

Proper preparation is only one piece of the puzzle, however. In the event of an actual breach, there are critical steps to take to ensure your organization is able to successfully launch your customer-facing response:

  1. Immediately assemble the breach response team. Your team should include internal experts as well as third-party partners such as communications and legal experts. A partner experienced in the customer-facing aspects—including responding to the surge in customer demand, answering identity theft-related questions, and providing identity protection services—should be part of the team.
  2. Review and update the plan. A plan that has been carefully honed in advance is certainly an advantage. But it may not have anticipated some of the nuances of the particular data breach your organization is facing. So, one of the first action steps for the crisis response team is to look at the documented plan and make any changes needed. If there is one guiding principle in any plan, it should be to keep the response focused on your customers.
  3. Launch the initial response. This includes informing customers, and in some cases, regulatory agencies, about what has happened and how you plan to minimize any damage that results from the event. One significant misstep to avoid: Don’t provide public information that may need to be corrected at some point. Instead, only release the information that is known and confirmed at the time. There is nothing that will breed a lack of confidence more than a constantly shifting explanation of what happened.

As for the customers, this is a good time to let them know exactly how you intend to protect them. Understand, though, that they may be hesitant to provide their information to a third-party service—especially if this data was not compromised in the breach. And they will be suspicious of anything that smacks of an attempt to upsell them. To combat these challenges, lead with the promise that you will repair any harm that comes to them as a result of the incident.

In 2014, there were nearly 80,000 security incidents, according to the Verizon Data Breach Investigations Report. And the business news website ZDNet reported that one billion personal records were illegally accessed in those breaches.

The time for asking “if” a data breach will occur has passed. It’s time to prepare as if one is inevitable.

Getting Started With Third-Party Risk Management: Two Key Questions


Banks often outsource technology services to third-party vendors. In light of increased regulatory attention and third-party involvement in day-to-day business operations, many bank boards and senior management teams are considering their approach to developing a third-party risk management program. A thoughtful approach based on an initial assessment of the bank’s current state can result in better risk management and compliance that aren’t overly burdensome. Addressing two important questions will help begin the process of successfully launching an effective third-party risk management program.

Does our bank have a full inventory of its contracts and agreements?
While most banks have some type of contract management system, many typically use low-tech storage facilities—like databases of scanned copies or even hard copies in file cabinets—from which data can’t be extracted. Such storage facilities rarely contain complete records of all executed contracts, and even simple data like contract renewal notification and expiration dates are not tagged or automated. In such environments, contract terms and conditions don’t keep pace with changes to regulations and the business environment, and financial reporting and accounting concepts, such as unrecorded liabilities, contingencies, and financial commitments, exist but may not be understood or monitored.

To address such drawbacks, banks should inventory their critical third-party relationships and confirm that they hold a complete set of current contracts. The contracts should meet current regulatory and business requirements, and data within the contracts should be metatagged, meaning tagged with coding in a web page so it can be found with a search engine. Banks should consider establishing standard, required contract terms and using technology to track compliance. Increasingly, contracts are being moved into third-party risk management systems for a “single-book-of-record” view and improved risk management beyond basic compliance.

How do we identify all relevant third parties and manage the overall effort?
The potential universe of third parties in an organization can seem endless—from global companies to intercompany affiliates to mom-and-pop providers. On top of that, the potential universe of third parties is never constant. Companies regularly onboard and terminate third parties and expand or reduce third-party services. While it is important to build data and artifacts (certificates of insurance, documentation of financial viability, or Service Organization Control reports, for example) that support a risk assessment at the third-party relationship level, it is easy to lose sight of the entire population of third-party relationships. Depending on how a bank defines third parties, that population could include franchisees, external salespeople and debt holders, among others. This is one area of risk management where completeness counts.

To make such a project manageable, banks should create a strategy and roadmap to systematically identify third parties using an inclusive definition. Banks should invest in the initial data-gathering phase and make it an enterprise-wide endeavor. Effective sources of relevant information include surveys conducted by the various lines of business, contract facilities and databases, accounts-payable systems, and legal counsel. The process needs to be sustainable, or the population will soon become out of date. Banks should conduct an initial review of third-party relationships by identifying categories and potential risk factors to assist with prioritizing the evaluation. The project strategy and roadmap should start with the third parties that pose a higher risk. The project roadmap should include the necessary activities, timing and resource needs related to existing and future third-party due diligence and assessments.

Moving Forward
As financial institutions work to effectively comply with the regulatory guidance and manage the risks associated with third-party relationships, creating a strategy and roadmap will help achieve compliance and avoid an overly burdensome process.

A Look Ahead to 2020: How Bank Directors Can Guard Against Risk


As banks look ahead to the year 2020, we’ve identified five key risks that need to be actively assessed and monitored as the industry changes and adapts to consumer demands and competition. When it comes to data security and technology, regulatory risk, finding qualified personnel, profitability, and bank survival, bank directors need to ask:

  • How do we as an organization identify these risks on an ongoing basis?
  • How do they affect our organization?
  • How can we work with management to manage future risks?

Here’s a snapshot of the risk areas, what’s anticipated as we look to the future, and steps you can take to stay competitive and mitigate risk.

Data Security & Technology
It’s important to keep up with your peers and provide services as your clients demand them. More sophisticated payment platforms that make it easier to access and transfer funds will continue to gain popularity, particularly mobile platforms.

Being competitive requires innovation, which means software, bank integration, and sophisticated marketing and delivery. Third-party service providers may be the answer to help cut expenses and improve competitiveness, but they also present their own unique risks.

With innovation comes opportunity for attackers: attacks on data security will increase, making the safeguarding of data a high priority for banks. While technology is an important element of this issue, the primary cause of breaches is human error. To this end, it’s essential for management to set the example from the top while promoting security awareness and training.

Regulatory Risk
Expectations from the Consumer Financial Protection Bureau regarding consumer protection will intensify. Anticipate some added expenditure to hire and retain technical experts to manage these expectations. Regulations are on the way for small business and minority lending reporting, as well as the structure of overdraft protection and deposit product add-ons, among others. Directors and management need to evaluate:

  • Compliance management infrastructure
  • Staffing needs and costs
  • Impact of proposed regulatory change on the bottom line

Qualified Personnel
Baby boomers are retiring at a faster rate than Generation X can replenish them, making it more difficult and costly to attract and retain skilled people. Meanwhile, the shrinking availability of skilled labor in this country is costing organizations throughout the United States billions of dollars a year in lost productivity, increased training and longer integration times.

A bank’s succession plan for its people should:

  • Identify key roles and technical abilities in your organization
  • Assess projected employee tenure
  • Develop a comprehensive employee replacement strategy
  • Prioritize training and apprentice programs

Profitability
The bottom line at traditional banks will continue to be stressed as momentum builds for institutions to reduce product and service-related fees. Overhead expenses will also continue to increase as banks boost spending on IT infrastructure to meet customer demand for mobile technology and technical innovation, and on finding and retaining qualified personnel to manage complex regulatory requirements. Responses to these trends are already underway. Some institutions are:

  • Divesting of consumer-related products laden with heavy regulatory requirements
  • Sharpening strategic focus on holistic customer relationships with professional and small business customers to increase relationship-driven revenue
  • Exploring new or more complex commercial lending products and partnerships designed to increase interest income and to attract customers in new markets

Banks will need to closely monitor the impact of regulatory initiatives on future earnings from fees and alternative revenue sources.

Bank Survival
Here are some proactive steps to consider as your bank prepares for 2020:

  • Develop an ongoing strategy for mergers and acquisitions to expand capital
  • Consider charter conversions to gain flexibility in expanding product and service offerings, or to respond to a change in regulatory expectations or intensity
  • Evaluate the impact of higher regulatory expectations

To help identify and manage risk, management should plan regular discussions in the form of annual strategic planning meetings, regular board meeting agendas, and targeted meetings for specific events. The focus should extend beyond known institutional risks, such as credit, interest rate and operational risk, and should also consider key strategic risks.

If your institution can innovate with the times to stay ahead of risk and competition with a systematic approach, then the path to 2020 will be less fraught with difficulties.

A Customer-Focused Response to Data Breach: the Key to Survival


The unthinkable has happened: Data security measures have failed and sensitive customer information was taken. The next steps your company takes to respond are crucial. A poorly executed response to a data breach event can further anger customers, increase regulatory scrutiny, generate a media storm and have a lasting impact on customer loyalty.

AllClear ID has been working with companies to effectively prepare for and respond to data breaches for over a decade. During that time, there has been a noticeable shift in consumer expectations after a breach. Today, consumers expect—if not demand—a well-orchestrated response. And they expect it to begin soon after the breach is made public. Data breaches are constantly evolving: Already in 2015, financial institutions account for about 9 percent of all data breaches, according to the Identity Theft Resource Center. That compares to about 3.7 percent in 2013. Whether that figure will hold up throughout the year remains to be seen.

The demands placed on businesses to get a breach response right are more intense than ever, as is the scrutiny when a response is perceived as mismanaged.

Because of the high pressure to get it right, a customer-centric approach to preparation is paramount. If you fail your customers, one in four may leave, according to a study from Javelin Research & Strategy. So financial institutions cannot rely on past customer service and client relationships to carry them through a data breach.

What should a company do when a breach is discovered? Companies that keep the focus on customers before, during and after a data breach fare far better than those that do not.

Minimize Brand Damage: With customers at the forefront of any response, it is likely that both the institution and your brand will survive long-term. Granted, that doesn’t mean an institution won’t encounter a few negative headlines from the outset. But if the response is bungled, the damage will be far greater. Unhappy customers may speak out on social media. Some may leave. And the breach could tarnish your image for years to come and ultimately can affect your bottom line.

Plan in Advance: To successfully manage a breach with a customer focus, companies must first have a plan in place. The plan should incorporate elements of crisis and/or incident management, such as likely breach scenarios, key decision makers, and key partners who will assist in the response. This will help diminish delays and costly mistakes during the response, and facilitate a quicker return to normal business operations. Now that we have witnessed multiple destructive cyberattacks against U.S. companies, it’s clear that having an incident response plan in place is no longer optional. A recent blog post discussed the need for preparation in advance of a breach.

Questions to consider when preparing for a breach response operation:

  • When and how will customers be notified?
  • How will we answer customer questions?
  • Do we have the customer service capacity to manage the calls we receive from angered or fearful customers? Will we be able to train our staff to address customers’ concerns and alleviate their fear?
  • What identity protection will we offer?
  • How will we make things right if a customer is harmed?

Quality Customer Support During a Breach: As breaches increase in scale and complexity—and 2014 was a watershed year for that as well—consumers have seen a lot of breaches, but still may react in anger or fear. Their first stop for information is the hotline and webpage you publish. Clear, consistent communication and messaging is key to restoring customer confidence. Scripts and Q&As must be available to trained, expert call center partners immediately. Responsible and knowledgeable front-line employees can do much to defuse the situation and lessen customer anxiety.

And make it easy for your customers to access the most important protection: identity repair. The 2015 Javelin Strategy & Research Identity Fraud Study found that the link between data breaches and identity fraud has strengthened. In 2014, 12.7 million consumers lost $16 billion to fraud—and two-thirds of them had received a data breach notification within the same year.

As McKinsey & Company says, “Much of the damage results from an inadequate response to a breach rather than the breach itself.”

Put yourself in the customers’ shoes: They have trusted you with their most valuable information, their identity. Whether you keep their trust depends, in part, on how they rate your performance in the face of a crisis.