Kaitlin Lavin
Executive Editor
Loyola University Chicago School of Law, JD 2017
Financial institutions can expect increased oversight and new regulations due to recent cyberattacks and data breaches in banks. Several banks have already reported data breaches this year, and many banks have been rattled by the cyberattacks on SWIFT—the messaging network connecting the world’s banks. In August, Bitglass, the total data protection company released its Financial Services Breach report, which revealed that thirty-seven banks have already disclosed breaches of their secure data in 2016, including five of the nation’s twenty largest banks. However, there are some preventive measures that compliance programs may take to avoid data breaches and cyberattacks.
This summer, the Federal Financial Institutions Examinations Council (FFIEC) issued a statement expressing concern about the SWIFT attacks and highlighting risk mitigation techniques. The FFIEC recommended that financial institutions conduct ongoing information security risk assessments. They should also perform security monitoring, prevention, and risk mitigation. Additionally, the FFIEC wants financial institutions to protect against unauthorized access, implement and test controls around critical systems regularly, manage business continuity risk, enhance information security awareness and training programs, and participate in industry information-sharing forums. At the end of August, CNN reported that SWIFT is still under attack. There have already been cyberattacks in Blangladesh, Vietnam, the Philippines, and Ecuador. Hackers used malware to circumvent local security systems and sent fraudulent messages via SWIFT to initiate cash transfers from accounts at larger banks. The cybertheft from Bangladesh’s central bank yielded about $101 million. The bank in Ecuador was hit for $12 million. The SEC, which regulates securities markets, has also began publicly stating its concerns about financial stability and cybersecurity. The SEC reported that it has found some major exchanges, dark pools, and clearing houses without cyber policies in place that matched the risks they faced. Programs should develop protocols to respond to cyberattacks and be more proactive about monitoring cybersecurity. Verifying compliance with SEC obligations requires periodic risk assessments with documented benchmarks for success. Ongoing investigations are important to identifying threats and vulnerabilities and avoiding noncompliance. In order to keep pace with cybercriminals, programs need to develop a more integrated approach to cybersecurity. Many organization have disjointed security controls, but an integrated approach would include analytics machine learning, and a higher degree of automation.
Financial institutions must already comply with data security and customer notification requirements under the Gramm-Leach-Bliley Act (GLBA). Guidance from federal banking regulators requires banks to establish a security breach response program and notify customers affected when a breach occurs. Financial institutions must also notify appropriate law enforcement authorities and file a Suspicious Activity Report in a situation that may involve a federal criminal violation which requires immediate attention. The notification should include a general description of the steps taken by a bank or other financial institution to protect the information from further unauthorized access or use. Financial Trades have been advocating for Congress to pass the Data Security Act of 2015, which would build on the data protection and consumer notice standards already required under the (GLBA). If Congress passes the Act, standards under the GLBA will be extended to all businesses that handle sensitive personal and financial data. The Act would also promote innovation in security and create uniform consumer protections nationwide.
There are some experts that suggest encryption may be the answer to protect “toxic” data from cyber-criminals. Many organizations are beginning to move sensitive data into the cloud. However, some people are beginning to question the effectiveness of encryption because as computers get more powerful, it becomes easier to crack encryption keys. Others have suggested saving less data that becomes a toxic asset and increasing regulations on corporations storing data.
Some best practices for any compliance programs in preventing data breaches and mitigating risks include establishing strong, secure passwords, improving and monitoring document shredding practices, monitoring email traffic, paying attention to possible social engineering and phishing scams, and identifying identity theft. Programs can work to strengthen privacy and information security practices by identifying the kind of personal information the business handles and the regulatory obligations/risks. Data breaches and noncompliance regulations can result in heavy penalties and enforcement actions. It is important to engage senior management to support information security programs and educate employees through ongoing activities that will increase awareness. All staff should also understand and be aware of security policies and procedures. It may be helpful to establish benchmarks and measure success or include privacy and information security requirements in the Conduct of Conduct policy. Programs should also continue performing risk assessments or audits and periodic testing. To strengthen cybersecurity defenses, programs need to understand where they are vulnerable and incorporate information from assessments into current policies and training.