Almost daily, you hear of a firm disclosing an information security breach or announcing that their customer service website was hacked. Or, you read about a federal or state regulatory agency that is fining and sanctioning a firm for inadequate privacy and information security procedures. This sort of news drives home an important fact: Privacy and information security risk is very real. There is significant regulatory, financial and brand damage that firms can experience if they fail to have robust compliance programs in place to mitigate this risk.
A strict federal and state regulatory framework that is aggressively enforced, coupled with the ever-increasing challenges that new technology imposes, requires that financial institutions dedicate substantial resources at all levels of their organizations to mitigate these risks. A robust privacy and information security risk management program must deal with these challenges holistically to ensure that when — not if — a privacy or information security incident occurs, the negative impacts of it are minimized and promptly remediated.
The key for financial institutions is to understand that privacy and information security risk management is everyone’s business, from the CEO to the mailroom clerk. Financial institutions must know the applicable laws and regulations; identify the privacy and information security risks that they face; implement and reinforce policies, procedures and practices with all employees and agents; establish adequate corporate governance; and ensure that accountability permeates the organization.
There are several separate sets of laws and regulations that govern how financial institutions manage privacy and information security risks. These include federal and state privacy laws, the NAIC privacy model act and model regulation, state insurance departments' safeguarding-of-customer-information rules, and state information security breach notification laws. In addition, Massachusetts' landmark data security regulation (201 CMR 17.00) took effect in 2010 and requires a written information security program of any firm holding personal information about Massachusetts residents, wherever the firm is located.
The current climate
Financial institutions must manage a constantly changing set of privacy and information security risks. New personal mobile devices, social media/social engineering, customer/agent/employee nonpublic personal information (NPI) managed by third parties and hacktivism are among the most challenging. Dealing with these is a balancing act: Appropriate controls must be in place to mitigate risk, but financial institutions must be mindful of the need to avoid "breaking" their business with overly burdensome control structures. Ongoing communication among business units, information security professionals, corporate counsel and information security compliance staff is crucial to striking the right balance.
Use of personal mobile devices is growing at a frenetic pace. In a desire to stay constantly connected, employees and agents seek access to their corporate email and administrative systems on their personal devices. This easy access increases the likelihood of data loss through lost devices where the owner has failed to activate encryption and password features. Plus, data can be compromised by a family member using the device. Given how business is conducted today, precluding employees and agents from using their personal mobile devices for business purposes would be difficult if not impossible to enforce.
Social media has become an important way for financial institutions to reach current and future customers. However, use of social media by employees and agents presents data loss risk to financial institutions: it is the target of choice for social engineers, because the personal and organizational details people publish there are exactly what an attacker needs to craft a convincing pretext. Phishing, spear phishing (targeted at a specific individual) and whaling (targeted at senior executives) are common ways in which financial institutions can suffer data loss during social media use.
Many financial institutions outsource functions and data management involving NPI to third parties, which presents its own set of challenges. If the third party fails to prevent unauthorized access to a financial institution’s NPI, the financial institution will have to remediate the breach and deal with the embarrassment and brand damage that will result from the incident.
As if these challenges weren't enough, financial institutions now must also deal with hacktivism. Defined as the act of breaking into a computer system for a politically or socially motivated purpose, hacktivism can cause loss of data, embarrassment and brand damage.
Managing privacy and information security risks starts with clear and comprehensive policies and procedures, which are easily accessible by employees. In addition, there should be constant reinforcement about the importance of privacy and information security through ongoing training, communications and awareness-raising events.
First and foremost, policies should address accountability for protecting NPI. The business units maintaining NPI are responsible for ensuring that any NPI they maintain is properly protected. Legal, compliance and information security professionals should work with the business units to support them in their efforts to protect the financial institution’s NPI.
Financial institutions can also implement data loss prevention (DLP) software to monitor for NPI being sent unprotected via email, saved onto portable storage devices or saved in open file shares on corporate networks. Three further controls reduce the risk of data loss: corporate email encryption software, so that NPI that must be emailed leaves the institution protected; a requirement that only encrypted portable storage devices be used; and limiting the number of employees with access to open file shares on corporate networks.
To reduce the risk of data loss via personal mobile devices, a financial institution's policies should require physically safeguarding all personal mobile devices. Additionally, if there is a legitimate business reason to store NPI on a personal mobile device, it is critical to activate the device's encryption functionality and require a strong, complex passcode; a passcode without storage encryption does little to protect the data on a lost or stolen device.
Reducing data loss risk
Financial institutions can reduce third-party data loss risk through strong data security and information security breach provisions in the contract language. It is a good idea to require third parties to periodically certify that they have adequate privacy and information security policies in place. Additionally, any data transmissions between the financial institution and its third parties involving NPI should be encrypted in transit. Internal audit departments should audit the data security programs of third parties as part of their assessments of the controls of the financial institution's business units. Lastly, information security reviews should be performed on third parties on a risk-assessed basis to ensure that the financial institution's data is properly protected.
To prevent data leaks by employees and agents when accessing social media and personal email, financial institutions can inspect outbound Internet traffic, block emails containing unprotected NPI and provide email encryption functionality for legitimate business situations where NPI must be sent via email. Data loss risk can also be reduced by restricting employees' system access, as well as by constant reassessment of their need to access systems containing NPI.
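The DLP monitoring described above and the email-blocking control in this paragraph rest on the same mechanism: inspect the content of each outbound message for NPI and apply a policy. The following is an added illustration of that mechanism; it is not code from the article or from any DLP product. The NPI patterns (SSN, payment card number validated with the Luhn check, keyword-plus-digits account number), the mail domain `example-insurer.test`, the allow-listed `claims@` mailbox and the sample messages are all constructed for the example.

```python
"""Toy DLP content inspector for outbound email.

Added illustration only: not code from the article or from any DLP product.
It mimics the check a DLP gateway performs on each outbound message: look
for nonpublic personal information (NPI) and decide whether to allow,
block, or route the message through the encryption gateway.  The NPI
patterns, domain names and sample messages below are all constructed.
"""
import re
from dataclasses import dataclass

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA allocation rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card number: 13-19 digits, optional space/dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Account/policy number: keyword followed by 8-12 digits (constructed convention).
ACCOUNT_RE = re.compile(
    r"\b(?:acct|account|policy)\s*(?:no\.?|number|#)?\s*:?\s*(\d{8,12})\b", re.I)

# Assumed for the example: the institution's own mail domain and the
# mailboxes permitted to send NPI externally via the encryption gateway.
INTERNAL_DOMAIN = "example-insurer.test"
ENCRYPTION_PERMITTED_SENDERS = {"claims@example-insurer.test"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for each NPI element found in text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", digits))
    findings += [("account", m.group(1)) for m in ACCOUNT_RE.finditer(text)]
    return findings


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    encrypted: bool = False   # already wrapped by the corporate encryption gateway


def evaluate(msg: Message) -> tuple[str, list[tuple[str, str]]]:
    """Policy decision: 'allow', 'encrypt' (route via gateway) or 'block'."""
    findings = find_npi(msg.subject + "\n" + msg.body)
    external = not msg.recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if not findings or msg.encrypted or not external:
        return "allow", findings        # nothing sensitive, already protected, or stays internal
    if msg.sender.lower() in ENCRYPTION_PERMITTED_SENDERS:
        return "encrypt", findings      # legitimate business need: force the encryption gateway
    return "block", findings            # unprotected NPI leaving the institution


# Constructed sample traffic (no real identifiers; 4111... is a well-known test card number).
SAMPLES = [
    Message("agent1@example-insurer.test", "ops@example-insurer.test",
            "Lunch", "Meeting moved to noon."),
    Message("agent1@example-insurer.test", "broker@outside-partner.test",
            "Application", "Applicant SSN 123-45-6789, card 4111 1111 1111 1111."),
    Message("claims@example-insurer.test", "customer@mail.test",
            "Your claim", "Policy number: 1234567890 has been approved."),
    Message("agent2@example-insurer.test", "friend@mail.test",
            "Numbers", "Ref 666-12-3456 and 4111 1111 1111 1112 are not NPI."),
]


def run_samples() -> list[str]:
    """Evaluate every constructed sample and return the decisions in order."""
    decisions = []
    for msg in SAMPLES:
        decision, findings = evaluate(msg)
        decisions.append(decision)
        print(f"{decision:8} {msg.sender} -> {msg.recipient}: {findings}")
    return decisions


if __name__ == "__main__":
    run_samples()
```

The fourth sample shows why pattern matching alone is not enough: the invalid SSN area number and the digit run that fails the Luhn check are both dropped, which is what keeps a control like this from "breaking the business" with false positives. A production gateway would also log every finding for the incident management process and inspect attachments, not only the message text.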
Hackers seeking to access a financial institution's systems can be made considerably less likely to succeed by ongoing vulnerability scanning of the network, prompt application of security patches and regular penetration testing of the network and its applications, with any vulnerabilities the testing detects promptly remediated and retested.
Financial institutions should have a privacy/information security governance structure in place to ensure that policies and procedures are consistently implemented and enforced enterprise-wide. A senior executive of the financial institution, preferably one well-versed in technology, controls and operations, and reporting directly to the financial institution’s CEO, should perform oversight of the privacy and information security risk mitigation efforts by the business areas, legal, compliance and information security professionals.
Lastly, data loss should be managed through an effective incident management process. Prompt investigation and incident triage, combined with timely notifications to the affected individuals and, where required, state officials, can go a long way toward minimizing the regulatory censure and financial risks that could arise out of a breach, as well as limiting brand damage.
While managing privacy and information security risks can be a daunting challenge, financial institutions – by deploying the measures described above and making information security everyone’s job – can greatly decrease the likelihood of regulatory censure, financial loss and brand damage arising from these risks.
Originally published in the March 2013 LIMRA Regulatory Review.