Sean M. McNaboe and Zachary Bush
Two industry-defining trends are converging, with important implications for how banks manage cybersecurity risk and related regulatory compliance. The first trend is the alarming proliferation of cyberattacks by bad actors breaking into digital networks. The second is the financial services industry’s increasing drive to cater even more digitally to the burgeoning market of tech-savvy millennials. Together, these trends raise a critical question regarding the policies, procedures, governance, and other aspects of your company’s compliance management system (CMS). Namely, is cybersecurity at the forefront of your CMS? This article explains why it should be and how to approach the challenge.
The list of staggeringly large cyberattacks has only continued to grow. Most recently, one of the three largest U.S.-based credit reporting agencies revealed that hackers had accessed the sensitive personal information of up to 143 million Americans. The sensitivity of the information stolen arguably makes this one of the worst data breaches ever.
The latest attack follows a series of data thefts announced across U.S. government and industry, including a major web services company in 2016 (3 billion accounts over two breaches), a giant retailer in 2013 (40 million accounts), a social media leader in 2012 (over 100 million accounts), and a payment services company in 2008 (130 million accounts). Last year, the U.S. Securities and Exchange Commission (SEC) was hacked, resulting in access to nonpublic information. In 2015, the U.S. Office of Personnel Management (OPM) announced that a data breach had targeted the personally identifiable information of an estimated 22 million people.
While the direct losses from data breaches such as these can be measured over time, the total cost can never be accurately quantified. Measuring reputational risk has always posed a challenge for senior executives, even though most regard corporate reputation as a primary asset.
The problem can be neatly summed up in a quote from former Federal Bureau of Investigation (FBI) Director Robert S. Mueller, III, who once said: “There are only two types of companies: Those that have been hacked and those that will be hacked.” Yet many companies find it challenging to reduce their exposure. In a 2016 cross-industry survey titled “Data Risk in the Third-Party Ecosystem,” sponsored in part by Treliant, 58 percent of respondents said they were not able to determine if their vendors’ safeguards and security policies were sufficient to prevent a data breach. (1)
The Millennial Variable
Why do these security issues matter now more than ever before to financial services providers? One word: millennials.
The millennial generation of people born roughly between 1980 and 2000 is the largest population group in U.S. history, totaling around 80 million. (2) As they move into their prime earning and spending years, they are forcing banks and lenders to reexamine how they do business.
A 2016 survey revealed that 88 percent of millennials might make a banking choice based on the bank’s online services. (3) Banks are being forced to continuously innovate to defend market share from the growing number of FinTech firms looking to disrupt the industry and capture the attention of this tech-savvy generation. The same survey also showed that 93 percent would change banks in the event the bank did not fully cover a loss of funds due to fraudulent activity. In fact, millennials have been shown to switch banks at a rate almost double that of other age brackets. (4) If you couple these findings with millennials’ proclivity for social media and the 24-hour news cycle, the potential exposure to reputational risk increases significantly.
Facing the Challenge
For a compliance officer navigating these treacherous waters, all is not lost. By emphasizing cybersecurity as part of your comprehensive CMS, you are signaling to your customers and to regulators that you are aware and prepared, and that personal information is protected. A comprehensive CMS should, at a minimum, address the following three areas:
Cyberattacks threaten the entire enterprise; cybersecurity should not just be delegated to the information technology department. In a speech to the Boston Conference on Cybersecurity in March 2017, then-FBI Director James Comey said that “it must be thought of at the board level, at the C-suite level as something that has to be embedded in every single thing that an enterprise does.” Clearly enunciated policies and support from the top down, as well as metrics reported regularly to senior management, are paramount to a robust CMS.
• Risk Assessment.
Periodic risk assessments are required to maintain an effective security program, and should identify moderate- and high-risk vulnerabilities. Any such exposures should be eliminated where possible, and otherwise mitigated through policies and procedures. Risk assessments should be performed at least annually, with adjustments to the frequency made as required by changing cybersecurity risk.
• Policies and Procedures.
Once a risk assessment has been reviewed, policies and procedures must be written, enhanced, and implemented accordingly. While there is no single, optimal approach to policies and procedures, the checklist below can help determine coverage and effectiveness:
• Senior management roles and responsibilities
• Data accessibility and security protection
• Monitoring and identification of breaches
• Communication/breach response plan
• Disaster recovery/business continuity
No financial services company is immune to cyber threats. None is completely protected from cyberattacks. But through proper planning, testing, and increased diligence and oversight, you can help protect the reputation of your company with the same vigor that you apply to protecting your customers’ privacy. And you can do it while continuing to advance your digital capabilities and offerings to meet the appetite of the increasingly important millennial market.
(1) “Data Risk in the Third-Party Ecosystem,” Ponemon Institute LLC, March 2016, p. 5, https://buckleysandler.com/uploads/1082/doc/Data_Risk_in_the_Third_Party_Ecosystem_BuckleySandler_LLP_and_Treliant_R....pdf
(2) U.S. Census Bureau, 2012
(3) “Millennial Online Banking Survey,” Morphis Insights, January 2016
(4) Sean McDade, “Millennials and Banking: What the Data Reveals about Delivering a Great Customer Experience,” August 2016
Treliant Risk Advisors, Compliance, Risk Management, and Strategic Advisors to the Financial Services Industry, brings you New Coordinates, a quarterly newsletter offering insights and information regarding pertinent issues affecting the financial services industry. This article appeared in its entirety in the Fall 2017 issue.