Risk Management Agenda: 2008
Top 10 Challenges - and Some Potential Solutions - that Financial Institutions Face
Hanging like the sword of Damocles above all is the subprime mortgage crisis, which sees institutions looking for ways to avoid foreclosures and challenges surrounding underwriting. These efforts will only further tax resources that otherwise could be channeled into information security issues.
And there are many information security issues to be faced.
Financial institutions, regulators, banking service providers, industry associations and information security experts - they all voice similar concerns about the top information security challenges facing the industry in 2008. Following is a list of the Top 10 risk management challenges -- and some strategies to meet them.
1) Keeping up with Compliance
What if you stretch your staff and budgets to the limit and still can't achieve compliance? This is a major concern of financial institutions - particularly the smaller ones.
"The smaller the institution, the harder it is to comply," says Justin Leapline, an audit and compliance consultant for Secure State, a Midwest information security assessment firm. "Because of the average size of most credit unions and small banks (less than 20 employees), they don't have the money or the people to take security seriously."
Historically, the Credit Union National Association finds that only about 10 percent of credit unions have a person dedicated primarily to compliance. The others generally rely on a senior officer to handle this area - on top of other, non-security responsibilities. Security, therefore, is put on the back burner, causing companies to miss things that may make them vulnerable to attack from both inside and outside of the company. The same, of course, is true at small banks.
The solution: Well, there is no shortage of new regulatory requirements coming down the pike. If your institution cannot keep up with the flow now, then it's time to either dedicate or expand your available resources. Non-compliance is not an option.
2) New Regulations
And if your current regulatory requirements aren't enough, here's a sampling of what to expect in 2008:
- ID Theft Red Flags - compliance deadline of Nov. 1. The question raised by Gartner distinguished analyst Avivah Litan, "Are financial institutions going to take this seriously, and are regulators going to enforce it?" is already being answered by many institutions. (See: Finance Execs React to ID Theft Red Flag Rules)
- New FFIEC Requirements - an update to the IT Examination Handbook is expected sometime in 2008
- FFIEC Pandemic guidance - potentially the biggest business continuity issue of the year
- FDIC IT Risk Management Program amendments - the new IT exam questionnaire is out, and it deals with new issues such as vendor management. You can only expect other regulators to follow suit with new requirements.
- Anti-Money Laundering - the Bank Secrecy Act examination manual was revised in 2007, and there's every reason to expect new requirements in 2008.
- Basel II - As banking institutions do more business internationally, they must increasingly meet these recommended global banking standards.
Whether your institution is working toward compliance on ID Theft Red Flags or the recently released FFIEC Pandemic Guidance, "Make sure your risk assessments are current and up-to-date," says FDIC spokesperson David Barr.
That FDIC advice has already been taken to heart by Frank Bentz, Information Security Manager at Sandy Spring Bank. Bentz says one of the first risk management issues he will focus on is enhancing the bank's risk management process. Sandy Spring Bank, based in Olney, MD, holds $3 billion in assets and is the second largest publicly-traded bank in Maryland. "We also look to acquire technology to improve security based upon the bank's risk and vulnerability assessment," Bentz says.
Establishing enterprise risk management across her institution is one of Arlene Shinozuka's goals as director of compliance/security at Hawaii USA Federal Credit Union. The Honolulu-based federal credit union has $800 million in assets and 110,000 members. Shinozuka notes, "We will also focus on BSA, more specifically on suspicious activity monitoring and anti-money laundering monitoring."
3) Insider Threat
This is what financial institutions fear the most -- a trusted insider who either intentionally or unintentionally leaks data out of the institution. According to Eva Weber, an Aite Group analyst, the insider threat is a key fraud area that will continue to plague institutions in 2008. The causes range from malicious employees bent on removing information to an employee's unintentional mistake of falling for a social engineering attempt.
Outsourced business operations also place the institution at risk. Information security experts point out that institutions without proper protection expose themselves to risk from the data center, the help desk, the supply chain, vendors and contractors. Incidents of fraud, theft and insider abuse may increasingly arise from outsourcers who lack accountability, loyalty, or a properly implemented security policy.
Weber notes that some of the actions institutions have already begun include getting to know their employees better and performing background checks on both prospective and current employees.
Institutions may also want to use technology solutions such as the ones implemented at the United States Postal Service Federal Credit Union, based in Clinton, MD. The credit union monitors for unauthorized traffic on its networks with software that detects whenever certain types of sessions are initiated, such as FTP or Telnet sessions. The credit union also blocks instant messaging and certain internet sites, including MySpace.
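The kind of monitoring the credit union describes, as an added example written for this article (not the credit union's own tooling): a small scanner that flags cleartext session protocols (FTP, Telnet) and blocked instant-messaging or web destinations in connection records. The log format, the hosts and addresses, and the policy tables are all constructed for illustration.

```python
# Added example (not the article's or the credit union's own tooling): flag
# cleartext session protocols (FTP, Telnet) and blocked IM / web destinations
# in connection records. Log format, hosts and policy tables are constructed.
import ipaddress
import re

# Constructed records: "<timestamp> <src_ip> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2008-01-14T09:02:11 10.20.5.17 -> fileserver.internal:445 tcp
2008-01-14T09:03:40 10.20.5.31 -> 203.0.113.8:21 tcp
2008-01-14T09:04:02 10.20.5.31 -> 203.0.113.8:23 tcp
2008-01-14T09:05:55 10.20.7.9 -> www.myspace.com:80 tcp
2008-01-14T09:06:13 10.20.7.9 -> im.example.net:5190 tcp
2008-01-14T09:07:30 10.20.5.17 -> corebank.internal:443 tcp
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+([^:\s]+):(\d+)\s+(\w+)$")

# Policy tables (assumed): ports of the cleartext session protocols the
# article names, an assumed IM port, the one blocked site it mentions, and
# the internal address range.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}
IM_PORTS = {5190: "instant-messaging"}
BLOCKED_SITES = {"www.myspace.com"}
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

def is_external(dst):
    # True when the destination lies outside the internal network
    try:
        return ipaddress.ip_address(dst) not in INTERNAL_NET
    except ValueError:          # hostname, not an IP literal
        return not dst.endswith(".internal")

def classify(dst, port):
    """Return policy tags for one connection (empty list = allowed)."""
    tags = []
    if port in CLEARTEXT_PORTS:
        tags.append("cleartext-" + CLEARTEXT_PORTS[port])
    if port in IM_PORTS:
        tags.append(IM_PORTS[port])
    if dst in BLOCKED_SITES:
        tags.append("blocked-site")
    # A flagged session leaving the network is the case worth paging on
    if tags and is_external(dst):
        tags.append("external")
    return tags

def scan(log_text):
    # Returns (timestamp, src, dst, port, tags) for every flagged record
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip malformed lines rather than crash
        ts, src, dst, port, _proto = m.groups()
        tags = classify(dst, int(port))
        if tags:
            alerts.append((ts, src, dst, int(port), tags))
    return alerts
```

Running `scan(SAMPLE_LOG)` flags the FTP, Telnet, MySpace and IM records and leaves the two internal SMB/HTTPS connections alone.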
4) Identity Theft
How big is the problem of identity theft? It's the fastest growing crime in America, with 27.3 million victims in the past five years, and nearly 20 million in the past two years alone, according to a study from Javelin Strategy & Research. This crime costs more than $56 billion, or $6,383 per victim, annually, and has become so prevalent that an identity thief strikes on average every 3.5 seconds. ID theft has now surpassed drug trafficking as the No. 1 crime in America, according to the Justice Department.
With the estimated number of identity theft victims rising and marching orders given in the ID Theft Red Flags guidance issued in late 2007, the entire industry must answer how institutions are protecting their customers' information. Institutions must answer how they are educating their employees and customers, as well as how to create better mechanisms to verify new account openings, especially in the online environment. "Right now there's an absence of a really good mechanism to verify who is opening the account," says Gartner's Avivah Litan.
Institutions also need to work closely with local law enforcement to fight identity thieves. Further cooperation between public and private sectors "is the only way that we, as a society, can fight identity theft," says Identity Theft Assistance Center's President Anne Wallace.
Wallace notes there have been positive steps:
- Recommendations by the White House Task Force on Identity Theft;
- Growth of state and regional task forces devoted to identity theft;
- Initiative by Bank of America and the International Association of Police Chiefs to provide new tools for local law enforcement;
- Institutions also have been urged by regulators and the ID Theft task force to reduce the use of social security numbers as identifiers for customer accounts.
For 2008, institutions can expect to see a continued increase in identity theft through financial fraud. Individuals will see personal information leaked over the Internet through blogs and personal web sites. Personal identifying information will be posted, traded and sold over the Internet, instant messaging, Internet Relay Chat (IRC) and other electronic platforms, as well as social networking sites.
5) Data Breaches Caused by Human Error
"We have met the enemy and he is us," was the statement made by the comic strip character Pogo near the end of the Vietnam War. The unaware employee, consultant, contractor or third-party service provider staffer is an institution's worst enemy.
To avoid becoming the industry's version of a TJX-level data breach, institutions need to develop corporate policies that protect the organization from employees' electronic behavior occurring outside the corporate perimeter.
Away from the protected network, users are more vulnerable and less secure. Human error can lead to leaking sensitive information on blogs, instant messenger, through chat rooms and texting. Inadvertent human error is a constant and will continue to contribute to lost laptops, PDAs, and other sensitive equipment.
Dennis Gorges, Corporate Compliance Officer at industry service provider Jack Henry, sees the human causes of data breaches falling into three types:
- Intentional (malicious);
- Unintentional (they should know better);
- Accidental (lost tapes).
Financial institutions need to develop robust incident response and privacy breach management programs that include all levels of the enterprise. Everyone should take part in the planning and testing, so that when a breach occurs, everyone knows what to do.
FDIC's Barr also cautions that institutions should ensure they are in compliance with other government agencies' requirements (GSA and OEM have certain data breach requirements). "Institutions should be looking at those to make sure they are in compliance if they did experience some sort of a breach," Barr says.
6) Business Continuity -- Pandemic Planning
For the past three years, financial institutions have heard the buzz about the possibility of a pandemic. In 2007, institutions saw more action by the Department of Homeland Security, federal banking regulators and the industry organizations charged with planning the industry's preparation for a pandemic. The Fall 2007 industry-wide pandemic test showed that institutions are readying their staff and operations for a pandemic. The bad news is that not enough has been done, according to the self-assessment survey conducted after the three-week event.
The second set of FFIEC guidance on pandemic planning was released at the end of 2007, and institutions can expect that their regulators will ask about their pandemic plan and will want to see it as part of an overall BCP/DR plan for the institution. Roger Blake, Senior Information Systems Officer at the NCUA's Division of Supervision, says from an IT perspective regulators will start the year with enhanced focus on BCP and pandemic planning.
Your institution's pandemic plan should include a preventive program to reduce the pandemic's impact on operations; a comprehensive framework of facilities, systems and procedures to continue critical operations if large numbers of staff are unavailable for extended periods; testing of the plan and oversight to ensure timely updates; and ongoing review of the plan.
7) PCI Compliance; Debit Card Fraud Prevention
Complying with the 'digital dozen,' the Payment Card Industry's 12 requirements for data protection, is a challenge for most financial institutions. But the price of not complying with PCI is high -- just ask the TJX Companies, which settled the first of several court cases that may cost the global retailer upward of $500 million. Compliance with the PCI Data Security Standard means that your institution is better prepared to protect not only credit card data, but the rest of your institution's information.
Deterring and detecting debit card fraud is at the top of Bruce Sussman's list of risk management issues for institutions in 2008, says Sussman, Senior Manager at Crowe Chizek. Others in the industry also listed this as a top risk management issue. Whatever way your institution monitors fraud (either with fraud monitoring technology or through a service provider), this is an area that needs attention.
With losses mounting into the billions (Gartner reported $2.75 billion lost to debit card fraud in 2005), securing your customers' cash requires technology solutions. One example is Bank of America's offer to notify a customer when a transaction has taken place, or to alert them by email to any suspicious charges or changes to their account as soon as they occur.
8) Employee and Customer Awareness
It's something everyone intends to do - better educate their employees and customers about the security threats facing institutions and customers. Now, with the ID Theft Red Flags, it has also been pushed to the top of the compliance list. By Nov. 1, institutions must have a written program showing how they are educating their employees and customers about identity theft.
American Bankers Association's Doug Johnson, senior policy advisor for the largest industry association, lists this as one of the top risk management issues for 2008. "Increasing your institution's security awareness pays off in several ways -- employees learn how to protect the data they're working with, and their awareness reduces the threat of the insider threat (either malicious or unintentional)," says Johnson. Many times the malicious insider can be stopped if the people working with them are trained and aware of the red flags in the work habits and behaviors of a malicious insider. Do your employees know what to look for, and what indicators show that an insider is doing something on your networks or to your institution's data?
Bentz at Sandy Spring Bank plans to enhance the security awareness program for clients and employees. "It is an ongoing effort to educate employees and clients on risk and protection," he says.
9) Criminal Attacks
With the increased number of online attacks against financial institutions in 2007, including more sophisticated phishing and other types of criminal attacks aimed at both institutions and their customers, the coming year looks to be more of the same.
In January 2007, internet criminals hit users worldwide with the Storm botnet. Because of such attacks, security analysts predict that online banking services will need to be better secured. One example from late 2007 is the case of an unnamed bank in the Midwest that hired a firm to perform a penetration test against its online banking site. The penetration testers took only five minutes to break into the site with a fairly well-known type of SQL injection attack.
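To make concrete the kind of weakness that pen test found, here is an added example (not code from the article, the bank or the testers): a login query built by string formatting, beside the parameterized form that closes the hole. The schema, the accounts and the username policy are constructed, and an in-memory SQLite database stands in for the bank's backend.

```python
# Added example (not the bank's or the testers' code): a string-built login
# query that a well-known SQL injection defeats, beside the parameterized
# replacement. Schema, accounts and username policy are constructed.
import hashlib
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # Constructed accounts. A real deployment would use a slow, salted hash.
    for user, pw in (("alice", "correct-horse"), ("bob", "hunter2")):
        db.execute("INSERT INTO users VALUES (?, ?)",
                   (user, hashlib.sha256(pw.encode()).hexdigest()))
    return db

def login_vulnerable(db, username, password):
    """String-built query: the username becomes part of the SQL itself, so
    quote characters in it change the query's logic."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    """Parameterized query: the username is bound as data and never parsed
    as SQL. The allow-list check on top is an assumed username policy."""
    if not username.isalnum() or len(username) > 32:
        return None
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None

def compare(db, username, password):
    """Run both versions on the same input; returns (vulnerable, hardened)."""
    return (login_vulnerable(db, username, password),
            login_hardened(db, username, password))

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice", "correct-horse"))   # both accept a valid login
    print(compare(db, "alice", "wrong-password"))  # both reject a bad password
```

Feeding `compare` the textbook tautology payload for the username shows the difference: the string-built query returns a row without a valid password, while the parameterized one returns nothing.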
"We're going to see the usual list of suspects in 2008, in the fraud space particularly, with the evolving nature of fraud, phishing continues to evolve," says Aite's Weber. "Financial institutions are certainly instituting measures to stop phishing; it's difficult to rein in those customers who are perhaps still prone to phishing or pharming and are still giving out their personal information."
On the horizon also looms a new type of sophisticated Trojan, says FDIC's Barr. "There are some newer 'banker' Trojans that can really attack systems. And they're difficult to track and identify. So institutions should come up with some sort of a game plan to protect their systems."
In addition to traditional phishing attacks, institutions also need to prepare for malware-based attacks. This type of attack distributes malicious content to unsuspecting users through Web site visits and nefarious downloads.
Institutions are also cautioned to protect their high-end customers and their senior officers from individual targeted attacks. With so much available data on the Internet, CEOs and other individuals put themselves at risk for cyber and physical threats by protesters, activists and political groups. The internet has made it easier to access information about individuals, making them more accessible targets.
10) Managing Third-Party Risk
The FDIC sees vendor management as a trend important enough to include in its updated IT Risk Management Program Examination Procedures questionnaire in December 2007. Other banking industry regulators are also expected to look more closely at how their regulated institutions are managing their third-party service providers, and how strenuously they are examining the vendor's information security program and data protection strategies.
Responding to known and new security risks posed by using third parties is key, says Aite analyst Weber. Knowing what your outsourcers are handling, and being aware of how they are protecting the data in their care is paramount to security, she notes.
For institutions that have slogged through innumerable questionnaires and onsite audit requests to vet their third-party service providers, the pilot of the Financial Institution Shared Assessments Program (FISAP), a shared assessment program run by several of the largest financial institutions under the aegis of the Financial Services Roundtable and BITs.org, offers hope. Once fully operational, the FISAP will reduce the need for individual assessments of service providers, enhance members' internal risk analysis processes, and allow financial institutions to align service provider testing with industry regulations.
What's your biggest Risk Management challenge this year, and how are you planning to tackle it? Share your insights with editor Tom Field.