Bank mergers and failures. Market fluctuations. Looming layoffs. The new administration and the changes it will bring to financial services regulation.

There is much in the news these days for financial institutions - and their customers - to consider. But at a time when consumer confidence in banking is at a critical juncture, so many of those aforementioned influences are outside of a banking/security leader's direct control.

But here are five factors you can control to ensure security and reassure shareholders and customers of your institution's safety and soundness.

1. Regulatory Compliance: Focus on the Basics

Bad economy? Doesn't matter to banking regulators. Even if your institution is affected by bad loans or investments and you're dealing with the aftermath, regulators will still be examining your programs for compliance - and you'd better be prepared, says David Schneier, Director of Professional Services at Icons, Inc., a risk assessment firm based in Princeton, NJ.

"There isn't very much room to maneuver or modify what needs to be done," says Schneier, who spends much of his time working with banking institutions on their compliance efforts. "GLBA compliance is still required to continue operating. We've heard nothing from the field thus far that indicates that examiners are easing up in any way, nor should that be expected."

In challenging times, the spirit of GLBA is that much more relevant, particularly as market conditions deteriorate and people grow desperate. "Accordingly, information security practices become much more significant to ensure the protection of both customer/member data and the institution's assets," Schneier says.

2. Risk Management: Be Proactive

By taking a proactive approach to risk, Corporate One FCU in Columbus, OH managed to position itself to survive in this troubled economy.

"Corporate One's focus on managing risk developed long before these issues began," says Joe Ghammashi, Chief Risk Officer at the $5.16 billion corporate credit union. This is supported by the credit union's diversified investment portfolio. "Additionally, our appropriate pricing of risk has allowed us to build our capital base, as well as establish a strong earnings run-rate. We also have been proactive since last summer in developing and enhancing our liquidity sources. Consequently, we are not facing the issues that have hit other institutions."

The credit union's biggest challenge is perception - members' questions about the safety and soundness of all institutions. "We are making sure that our members understand that the assets we hold are of the highest quality and that we have ample liquidity to carry them for as long as we need," Ghammashi says.

Corporate One's work over the past three years on an enterprise-wide risk management (EWRM) program has also paid off. "We integrated our business owners into the IT governance process and brought IT out of its silo into the environment of its business partners. We have adapted the COSO and COBIT frameworks to manage our systems, people and processes to, among other things, integrate technology and business together."

3. The Insider Threat: Tighten Internal Controls

When it comes to fighting the insider threat, financial institutions fall into type A or B personalities just like most human beings, says Sai Huda, Chairman and CEO of Compliance Coach, a San Diego, CA-based compliance company backed by three of the nation's top 10 banks (Wells Fargo, Bank of America and Citigroup).

The Type A financial institution sees information security as a mission-critical item. "At the Type A institution, security starts at the top with the board of directors. They are very aggressive in complying fully with regulatory requirements and information security policies," Huda says. This is especially needed in the current environment, where fraud is on the rise and insider theft of information is a high-probability risk. The Type A institution focuses on insiders and asks who has access to what, and why. They also focus on terminated employees. "Are they leaving with any confidential information?"

On the other hand are the Type B financial institutions that have a relaxed, laid-back approach to information security. "They see it as something regulators require them to do, so they do it. They are not proactive. No news is good news. If there is no news of any breach, then everything must be okay with information security," says Huda. Their biggest failure is that they are more trusting of insiders; they are focused more on outsiders. "It is business-as-usual with any layoffs. There is no enhanced scrutiny of practices to make sure insiders do not leave with confidential information," Huda notes.

4. Phishing, Fraud: Be Vigilant, Educate Customers

Criminals don't take vacations, and the business of fraud is growing, says Debra Geister, Director, Fraud Prevention & Compliance Solutions at Lexis-Nexis. "While banks feel contraction during the current economic challenges, the business of fraud continues to grow."

Now more than ever, it is critical to catch fraud as early as possible -- ideally, to prevent it before it occurs. "Since the Identity Theft Red Flags Rule is in place, many institutions are finding ways to bring their fraud and compliance systems together in a more formal way to fight identity theft," Geister observes. In addition, as banks evaluate their systems, many are starting to merge AML initiatives with their fraud and identity theft initiatives, she says.

Phishers are among those fraudsters who are as busy as ever, says John LaCour, CISSP, Director of AntiPhishing Solutions at MarkMonitor and contributing analyst to the Anti-Phishing Working Group (APWG) Phishing Activity Trends Report.

"Phishers seem inexhaustible," LaCour says. While the number of unique URLs declined by nearly one-third earlier this year due to lower Rock Phish activity, the actual number of attacks as measured by a combination of brand and phishing domain names increased 11 percent. "This indicates that traditional phishing is as strong as ever and increasing," LaCour concludes.

The number of brands being attacked increased by 7.6 percent, and financial services still remains the most targeted industry, according to the Phishing Activity Trends Report issued each quarter by the APWG. The group also reports that crimeware-spreading URLs infecting PCs with password-stealing code rose 93 percent in the first quarter to 6,500 sites, nearly double the previous high of November 2007 -- and an increase of 337 percent from the number detected in the first quarter of 2007. Institutions need to have a phishing takedown plan in place for the likelihood that their brand is attacked.

5. Physical Threats: Protect Your ATMs

Schneier of Icons makes a final prediction that "old-fashioned holdups" will increase during these trying times. "The difference between what we're dealing with now versus 80 years ago is that whereas in 1927 there was a run on the bank to get your money out, the threat now is a run on the bank to get someone else's money out."

He observes that the many digital pathways into and out of financial institutions make it easy to forge financial documents, making the likelihood of fraud much greater. And then there is the prospect of targeting the unsuspecting ATM customer. "With ATMs in virtually every pocket of society these days, it's possible to see a marketable increase in good, old-fashioned criminal 'hold-em up' scenarios," Schneier says.

Institutions should begin reducing ATM crime and the increased threat of physical crime via a two-pronged approach. First and foremost is education. All financial institutions have pamphlets and programs designed to educate their customers/members regarding ATM safety (e.g. pulling the locked door closed behind you, counting your money after leaving the area, etc.), and they need to make sure this gets put in front of their audience again, says Schneier. Second is physical deterrence: video cameras, sufficient lighting, unobscured placement (move those shrubs), security mirrors (to see behind you) and functioning locked doors. Remind customers at drive-thru ATMs to always make sure that the car in front of them has cleared the lane, not to put the car in park (keep it in gear with a foot on the brake) and to check side-view and rear mirrors before initiating the transaction.

Regarding robberies at teller windows, there is already training available that provides clear guidance on the steps to be taken, Schneier says. But financial institutions need to be more aggressive in conducting their training drills and perhaps should increase their frequency. It's also important that they think beyond only training the tellers. "In one institution recently, a non-business person was discussing how they often pass through the lobby and wouldn't know what to do if they encountered a hold-up," Schneier says. "Considering that all it takes is for one person to react inappropriately to send things out of control, this is an important consideration. All of the institution's employees need to know what to do."

Lastly, Schneier advises that vigilance is the best control to have when dealing with the threat of criminal activity. "Knowing when someone or something appears out of place, and knowing what to do about either a potential or confirmed incident, is the surest way to navigate through the event."