The financial services marketplace is influenced by two significant trends that directly affect financial institutions: 1) increasingly sophisticated security breaches related to consumer data, and 2) heightened regulatory oversight and compliance requirements. These trends contribute to the necessity for a strong, mature security program.
Data breaches continue to be costly for organizations, both from a financial standpoint and in terms of consumer confidence. According to the 2009 Annual Study: U.S. Cost of a Data Breach released in 2010 by the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, the average organizational cost of a data breach increased among respondents from $6.65 million in 2008 to $6.75 million in 2009 (see chart). This figure includes activities intended to prevent a loss of customer or consumer trust. The most expensive data breach in 2009 cost a company in the study nearly $31 million to resolve.
Furthermore, the report indicates that data breaches cost companies $204 per compromised record, of which $144 pertained to indirect costs that include abnormal churn or turnover of existing and future customers. This is particularly relevant to the confidence account holders have in their financial institutions, given banks’ and credit unions’ reliance on technology to support many of their products and services.
In addition, the financial services environment is being impacted dramatically by increased regulatory scrutiny. From new rules such as Regulation E and the Durbin Amendment to security breach legislation enacted across the country, financial institutions must be both proactive and responsive with a comprehensive security and compliance posture that continues to evolve according to the expectations and requirements of the industry.
Recent high-profile security breaches highlight the need for financial institutions to concentrate on maturing and refocusing their existing security programs, both internally and across the supply chain. By starting with a comprehensive set of security expectations, rolling out risk-managed programs and facilitating their maturity over time, financial institutions will be better equipped to protect themselves against the ongoing security threats that impact their financial statements, and to maintain the trusted relationships they have with current and prospective account holders as well as third-party vendors.
Taking proactive steps toward maturing the security program is critical for financial institutions as the nature of security threats continues to evolve. The Federal Bureau of Investigation indicates that the number and sophistication of cyber attacks, including those from criminals and nation states, have increased dramatically during the past five years and are expected to continue to grow.
A viable internal security program is the foundation for a solid vendor awareness and risk management process. The latter is a key component of a security program, because regardless of where a breach may occur in the supply chain or why it happens, account holders who have entrusted their confidential data to a bank or credit union will likely see the financial institution as the party responsible for a breach — potentially impacting the relationship negatively.
Financial institutions should look for the following in third-party vendors:
- Financial stability. A vendor’s financial stability will impact its security efforts, including its ability to invest in the people, processes and technologies that help keep confidential data secure.
- A documented information security management program. This should combine physical and logical control measures and use a layered security model to provide end-to-end security of confidential information. Controls should be consistent with the comprehensive requirements defined in ISO/IEC 27002:2005, an information security standard published by the International Standards Organization.
- A mature internal security program. A mature program comprises the following elements: 1) a security program at a relatively steady state that is embedded at all levels of the organization and that has been embraced as an integral part of the business; 2) the ability to address a changing set of variables related to risk; 3) the continuity of internal information security personnel who have significant depth and breadth of experience.
- Visibility and control over the entire supply chain as they relate to data protection. A vendor should have its finger on the pulse of its security position constantly, in terms of both a point-in-time reference and a long-term view.
- Assistance with meeting compliance expectations and visibility requirements. Through clear contract terms and a solid definition of confidentiality requirements, financial institutions can set the stage for what a vendor should provide in terms of compliance documentation. Institutions can also set expectations that will help support their need to perform due diligence with the vendor, which may include on-site audits.
- Performance of comprehensive annual external control evaluations. Key external evaluations to look for include SAS 70/SSAE 16 audits as well as third-party certifications, such as the Cybertrust® certifications currently provided by Verizon® Business and PCI (Payment Card Industry) certification. These types of audits represent a structured set of tests of the vendor’s control framework effectiveness that are performed under rigorous standards by an outside audit firm.
- An integrated security strategy. Vendors that effectively combine the four elements of security — physical security, information security, business continuity and compliance — show that they have an understanding of the implications of security practices across their organizations.
- Business continuity planning. Some key questions to ask: Does the vendor have a disaster recovery plan? Is that plan tested annually? If so, how did the company perform in its latest test? Does the vendor have more than one facility in case of unexpected service interruption?
With a comprehensive security approach that includes careful attention to risk management throughout the supply chain, financial institutions can help ensure that the vendors they entrust with their account holders’ confidential data will protect it as diligently as the institutions do.