Emerging Risks for Financial Institutions

Assurance Point LLC

Financial institutions include banks, trust companies, consumer finance companies, savings and loans, credit unions, pension funds, insurance companies, and mutual funds. Information assets are some of a financial institution’s most important assets. Protection of information assets is necessary to establish and maintain trust between the financial institution and its customers, to maintain compliance with laws such as the GLBA Safeguards Rule, and to guard the reputation of the institution. What are some of the threats to information security and privacy that your business should be thinking about?

Internet-Based Financial Services Risk
The push towards making financial services, such as online banking, available over the internet has made these services more convenient for customers and more cost effective for financial institutions. However, it has also become easier to commit fraud through impersonation. Password controls do exist to reduce this risk; however, attacks like email phishing, which leads a customer to divulge their password to a site masquerading as a legitimate website, have increased the incidence of this type of fraud. Also, keyloggers, a type of malware installed on a customer’s PC, are able to capture anything the customer types, including account numbers and passwords. In most cases, the financial institution is liable for the losses resulting from this fraud.

Cloud-Based Application and Platform Services Risk
Many financial institutions have achieved flexible growth of support systems and cost savings by outsourcing their systems to a cloud-based service provider. However, because this outsourcing model hides the underlying infrastructure from the users of its services, it can also make it very hard to assess whether the service provider is adequately safeguarding the critical information assets of the financial institution. Note that the financial institution is still the custodian of its customers’ personal information, whether this information is in its own systems or at the cloud service provider. In-depth due diligence in the form of a risk assessment is a highly recommended action.

Complying with the GLBA Safeguards Rule – Security Awareness
The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides privacy protections against the sale of private financial information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. But safeguarding customer information isn’t just the law; it also makes good business sense. When you show customers you care about the security of their personal information, you increase their confidence in your company. Even though GLBA has been the law since 1999, an increased emphasis on protecting personal information will mean that the FTC and other enforcement agencies will be very active in enforcing the Safeguards Rule. The most frequent source of your security failures is employees. If your employees are aware of and educated about your information security policies, it will do much to improve the performance of the information security program required by the GLBA Safeguards Rule.

Here are some examples of security education and training topics to maintain the security, confidentiality, and integrity of customer information:

• Locking rooms and file cabinets where records are kept.

• Not sharing or openly posting employee passwords in work areas.

• Encrypting sensitive customer information when it is transmitted electronically via public networks.

• Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data.

• Reporting suspicious attempts to obtain customer information to designated personnel.

Recommended Approach
Here are some actions that financial institutions can take to manage these new risks. See our Services page for more information on how Assurance Point can help.

• Conduct a Risk Assessment that reviews your privacy and security policies, standards, and procedures against the threats to internet-based user services and cloud-based outsourced services.

• Deploy a continuing Security Training program for your employees.

• Prepare for the worst by developing a Data Breach Management Plan.