Almost daily, you hear of a firm disclosing an information security breach or announcing that their customer service website was hacked. Or, you read about a federal or state regulatory agency that is fining and sanctioning a firm for inadequate privacy and information security procedures. This sort of news drives home an important fact: Privacy and information security risk is very real. There is significant regulatory, financial and brand damage that firms can experience if they fail to have robust compliance programs in place to mitigate this risk.
A strict federal and state regulatory framework that is aggressively enforced, coupled with the ever-increasing challenges that new technology imposes, requires that financial institutions dedicate substantial resources at all levels of their organizations to mitigate these risks. A robust privacy and information security risk management program must deal with these challenges holistically to ensure that when — not if — a privacy or information security incident occurs, the negative impacts of it are minimized and promptly remediated.
The key for financial institutions is to understand that privacy and information security risk management is everyone’s business, from the CEO to the mailroom clerk. Financial institutions must know the applicable laws and regulations; identify the privacy and information security risks that they face; implement and reinforce policies, procedures and practices with all employees and agents; establish adequate corporate governance; and ensure that accountability permeates the organization.
There are several distinct sets of laws and regulations that govern how financial institutions manage privacy and information security risks. These include federal and state privacy laws, the NAIC model privacy regulation, state insurance departments’ safeguarding of customer information rules, and state information security breach notification laws. In addition, Massachusetts has its landmark data security regulation, which took effect in 2010.
The current climate
Financial institutions must manage a constantly changing set of privacy and information security risks. New personal mobile devices, social media and the social engineering it enables, customer/agent/employee nonpublic personal information (NPI) managed by third parties, and hacktivism are among the most challenging. Dealing with these is a balancing act: Appropriate controls must be in place to mitigate risk, but financial institutions must be mindful of the need to avoid “breaking” their business with overly burdensome control structures. Ongoing communication among business units, information security professionals, corporate counsel and information security compliance staff is crucial to striking the right balance.
Use of personal mobile devices is growing at a frenetic pace. In a desire to stay constantly connected, employees and agents seek access to their corporate email and administrative systems on their personal devices. This easy access increases the likelihood of data loss through lost devices where the owner has failed to activate encryption and password features. Plus, data can be compromised by a family member using the device. Given how business is conducted today, precluding employees and agents from using their personal mobile devices for business purposes would be difficult if not impossible to enforce.
Social media has become an important way for financial institutions to reach current and future customers. However, use of social media by employees and agents presents data loss risk to financial institutions: it is a channel of choice for social engineers, who mine it for details about employees and their roles and then use those details to craft convincing lures. Phishing, spear phishing (lures targeted at specific individuals) and whaling (lures targeted at executives) are common ways in which financial institutions suffer data loss connected to social media use.
Many financial institutions outsource functions and data management involving NPI to third parties, which presents its own set of challenges. If the third party fails to prevent unauthorized access to a financial institution’s NPI, the financial institution will have to remediate the breach and deal with the embarrassment and brand damage that will result from the incident.
As if these challenges weren’t enough, financial institutions now must also deal with hacktivism. Defined as the act of breaking into a computer system for a politically or socially motivated purpose, hacktivism can cause loss of data, embarrassment and brand damage.
Managing privacy and information security risks starts with clear and comprehensive policies and procedures that are easily accessible to employees. In addition, there should be constant reinforcement of the importance of privacy and information security through ongoing training, communications and awareness-raising events.