Dec. 19: Primer on lender & bank cybersecurity, and protecting information; the CFPB’s data collection draws criticism

Recently the CEO of a growing lender that I work with challenged me, although they didn’t know it at the time. I was asked about cybersecurity to which I replied, “I don’t know much about it.” The response was, “We thought you did.” So in spite of my capital markets background I figured I’d better learn a little about computer system security.

So many rely on outside vendors to “guarantee” their data won’t be hacked, their system won’t be compromised, and their borrower’s data is safe. And so many lenders use the same vendors for the same – is there any way to differentiate themselves in the IT space to their borrowers? It is a lot easier for senior management to discuss hiring, warehouse lines, production numbers, staffing, even loan origination systems than it is to discuss cybersecurity.

Changing my password, which is the same for everything, from “12345” to “12346” isn’t going to work. Making it complex and then writing it on a sticky note to put on my computer screen isn’t a good idea. IT folks will tell you that antivirus software is essentially dead as a defensive tactic. Making your passwords more than 10 characters, and changing them every 4-6 months, helps. But that is on a personal level. On a company level even the most sophisticated technology is rendered ineffective if you don’t have the right people managing its implementation and use. Humans are… human, and prone to mistakes.

But hopefully the folks that you want to have guarding your computer system are the ones reading it – it is darned important. A survey by Travelers finds American consumers say their biggest cyber concern is that their bank account gets hacked followed by malware infections of computers and phones, online identity theft, offline ID theft, retailer hacks exposing their personal information, and breaches of their medical records. On the corporate side, a survey by The Economist on cyber incident readiness by businesses finds: 67% of executives say that responding effectively to an incident can enhance their firm’s reputation and more than 60% of organizations have an incident response team and plan in place. Do lenders have a team of people for this? Do smaller lenders have the financial resources to dedicate toward this? Or do they put all their hope and trust into an IT vendor for $6,500 a month?

If you have something stolen the thief is nearby. Not so with the internet. News media outlets have reported that a Russian cyber gang over the past several months has breached over 420,000 web and FTP sites to pilfer over 1.2 billion credentials which are tied to more than a half a billion e-mail addresses. How is some small lender going to combat that?

In 2014 the US Director of National Intelligence ranked cybercrime as the top national security threat, higher than terrorism, espionage and weapons of mass destruction. One area bankers continue to focus on is protecting against phishing. That makes sense when you consider the most recent Verizon data breach report finds a full 23% of recipients will opening phishing messages and 11% will click on attachments. For every 10 emails sent, criminals have a greater than 90% chance that at least one person will take the bait. Even scarier perhaps, testing finds close to 50% of users open emails and click on phishing links within the first hour.

Phishing is associated with over 95% of incidents attributed to state-sponsored actors. Another thing to point out from the Verizon survey is data on the frequency of data disclosures by incident patterns and victim industry. For the financial services industry, it found data breaches would most frequently surface from crimeware (36%), Web app attacks (31%), payment card skimmers (14%), insider misuse (11%) and miscellaneous errors (7%).

Big banks certainly have their eyes on it, but once again what about small and mid-size banks? In mid-2014 JPMorgan Chase Chairman and CEO Jamie Dimon sent a letter to shareholders indicating that Chase would spend $250 million on cybersecurity in 2014, with approximately 1,000 individuals focused on that effort. And he expected those efforts to grow exponentially in the coming years. R. Jason Straight wrote that the attackers will always have more compelling reasons to get into your network than you have to keep them out, and their likelihood of success is inevitably higher. The attacker only needs to be right once whereas the defender (the bank or mortgage company) must be right 100% of the time to prevent an attack. And thus many companies have shifted their focus to the next line of defense – minimizing the damage that can be done.

Cybersecurity is a business risk issue that can’t be addressed by IT security staff alone. IT’s primary role is managing systems rather than data – and does senior management know where their critical data assets are? Will HR tell you that employee’s data is more important than customer’s data? Will the CFO tell you company financial data is more important than the Ops department’s underwriting engines? Threats to information security now represent a significant business risk that extends across the entire company. Therefore regular collaboration among all parties is critical. How much data does a company need to hold onto? Data you don’t have can’t be compromised. And if you think a DOJ penalty or CFPB fine is steep, just wait until your company is a defendant in a class action lawsuit involving the exposure of every borrower you’ve dealt with, and their personal information in the hands of some gang in China.

It helps if you find a cybersecurity person/vendor that admits a determined attacker will eventually find an exploitable vulnerability that will allow them into your system. So the important thing is to limit the damage, and to emphasize building, maintaining, and testing an incident response capability. Senior management, IT, and legal must all work together – and if you’re a small company you may not even have one or two of those departments! Some companies are even too embarrassed to spread the word that they’ve been compromised. IT and HR must work together in designing a training system that focuses on identifying and protecting the organization’s vulnerabilities, and then consistently reinforcing them through recertification, mock drills, and performance benchmarking. Have your employees received any security awareness training? And if so, was it some canned module, or something actually applicable to the company? Do they know what is sensitive? Do they transfer data using flash drives that are easily lost or wind up in the trash?

In the case of Target’s breach, malware embedded itself point-of-sale systems after the attackers gained access through a third-party vendor, a small Pennsylvania HVAC company. So once it again it isn’t good enough to work on your own system – you must monitor your counterparties’ efforts! And know when your system has been breached – after all, the attackers will get in and you need to be ready. What is suspicious activity? How many attempts to hack into your system does it see every day? Can a company recruit skilled people who know how to recognize a threat or breach and react to it by limiting access?

Enter the concept of the “CIA Triad.” If you want to sound educated when spending time with your IT group at Happy Hour, you should know it stands for Confidentiality, Integrity, and Availability. Yes, one could argue that this is something Elliott Spitzer or Anthony Weiner wants from their “friends”, but in this case they are the three things that should be guaranteed in any kind of secure system. “Guaranteed” is a tough concept with anything. (“Can you guarantee there are no mice in your office?” “Yes.” “Maybe you just haven’t seen any.”) But the principle of CIA Triad is applicable across the whole subject of security analysis, from access to a user’s internet history of encrypted data across the internet. If any one of the three can be breached it can have serious consequences for the parties concerned.

A recent Fed report found banks use the following methods to enhance security: multifactor authentication (84%), time out due to inactivity (78%), encryption (55%), mobile device ID (54%), mobile notifications (53%), out-of-band authentication (36%); geo-location (21%); tokenization (10%) and biometrics (6%). So, some ways to protect yourself include staying vigilant, using multifactor authentication, getting vulnerability assessments, protecting your data, shredding documents, having a data breach response program, rehearsing likely scenarios, having good insurance, having layered security and  preparing as much as you can. It is impossible to stop a country with limitless resources from hacking your little bank, but you can certainly try to manage and mitigate risk.

What’s in the future of cyber security? Methods like tokenization, biometrics, and multifactor authentication will be the new normal to fend off attackers. Let’s start with tokenization and why it’s so important. A token is nothing more than a reference that maps back to more sensitive data at the bank. In short, it replaces account information with a secure alternative. Unlike a personal account number, it is also useless if stolen. Here’s how it works in simple terms. A person’s card number is substituted by an alias number (token) that links back to the customer’s real account through a highly secure server known as a vault. The token can be used the same way as a credit card number, but with this method, even if a retailer’s system is comprised, thieves can only get the tokenized data.

Biometrics makes you the password: fingerprints, eyes, voice, face, vein and signature patterns. Acuity research predicts biometrics will be used to authenticate 65% of all mobile commerce transactions in the next 5 years. Today, research by Biometix finds usage of biometric technologies among banks by type is approximately: fingerprint (48%), finger vein (12%), voice (11%), hand vein (9%), iris (7%), signature (6%), hand geometry (5%) and face (3%). However, given the popularity of the smartphone, voice, face and finger are quickly jumping to the top of the list. The major bank leader in all of this is USAA who has already rolled out biometrics. They say customers love it and indicate finger and face take about 2 seconds to authenticate, while voice recognition takes about 20 seconds.

Are regulators, bent on collecting and measuring personal data from lenders, doing their part in protecting it? The Consumer Financial Protection Bureau (CFPB) has undertaken a dozen large-scale data collection efforts, gathering highly sensitive information on hundreds of millions of American consumers even as the Bureau’s director has acknowledged that data held by the CFPB is “not 100 percent secure.”

The Financial Services Oversight and Investigations Subcommittee noted that, “Aside from the fact that the CFPB does not need to be collecting this vast amount of information to carry out its regulatory mission, it’s troubling that it has not taken more appropriate steps to secure this data. In fact, before this Committee just last year, CFPB Director Cordray said that he could not rule out the potential for a data breach at the Bureau,” said Subcommittee Chairman Sean Duffy (R-WI).

“We don’t know – and the American people don’t know – how much personally identifiable information the CFPB retains, how that data is protected and what the Bureau plans to do with all that data,” Chairman Duffy added.

The Subcommittee believes that the CFPB is collecting more information than is necessary to execute its regulatory mission. And a report from the Government Accountability Office (GAO) noted “serious concerns about the privacy and security of the consumers whose data are being collected by the CFPB.” Certainly the CFPB is non-transparent about its mass data-collection program—the agency does not reveal to the public specifically what data it collects, nor does it notify specific consumers about what information it has gathered about them or how it will be using it. The CFPB collects account-level and sometimes even transaction-level data that captures multiple aspects of consumers’ financial lives, such as information about credit cards and checking accounts.

Former House Speaker Newt Gingrich was quoted as saying, “The CFPB is prohibited in Section 1022 of Dodd-Frank from collecting personally identifiable information on Americans, but the Bureau is doing so anyway.  And it is doing so at a massive scale that rivals the NSA’s most controversial collection programs, but for much less compelling reasons.”

The CFPB’s data security program has multiple troubling weaknesses. The Bureau’s Information Security Continuous Monitoring program is rated at Level 1 out of 5—defined as “ad hoc,” and the data security protecting the Bureau’s consumer complaint database was found by the Inspector General to be deficient in multiple areas. The CFPB lacks even internal written procedures for “anonymizing” the data is uses.

I was walking by the bay when I heard splashing in front of me.

A member of Congress was thrashing around in the water.

I’m not a fan of his, given the damage that he and his like have done to the country, but he was clearly in some distress and looked as if he might drown.

So I did the right thing and contacted the emergency services.

Half an hour later and still no help had arrived.

I couldn’t help thinking that I had wasted a stamp.

Rob

(Copyright 2015 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)