WHITE PAPER
FINANCIAL INSTITUTIONS DATA BREACH RESPONSE GUIDE
Avoiding Regulatory Double Jeopardy: How to Navigate the First 48 Hours
How to Stay Compliant While Adding Protection and Value for Customers

INTRODUCTION

Financial institutions face a daunting task when it comes to navigating government data security and breach regulations, and that's putting it mildly. At the federal level, many rules are vague by design. At the state level, complexity runs deep: banks and credit unions must comply with different guidelines in the 47 states that have breach laws.

Moreover, compliance is only one of many challenges financial institutions face today. They also must respond to a range of demographic and technology-related trends that complicate their ability to secure data and remain compliant. Key needs now include:

- Mobility and digital engagement
- Engaging with the millennial and high-value customer segments
- Technology integration to support outstanding customer experiences, streamlined processes and improved strategic decision-making
- Analytics for a better understanding of consumer behaviors and decision-making

Ultimately, data reigns in modern financial institutions, and criminals will go to incredible lengths to get their hands on it. Even if you're doing everything right from a security standpoint, your institution could still suffer a breach.

This white paper:

- Explores the financial industry regulatory landscape along with some of the key trends that are influencing institutional operations.
- Explains how identity and data breach defense services can help your bank or credit union:
  - Meet customer expectations
  - Comply with state data breach laws while improving your standing with federal regulators
  - Protect your brand reputation.
- Provides five tips for choosing a good identity and data breach defense services provider.

WIDESPREAD THREATS, WORRIED CUSTOMERS

Financial institutions face escalating and increasingly sophisticated cyber threats that put their relationship with customers at risk. FIs are under pressure to innovate for their customers, yet technological advancements are a double-edged sword. On the one hand, new technology brings customer convenience and greater engagement. On the other hand, it creates more customer and employee access points and the potential for security risks and gaps.

Everyone from lone actors and insiders to criminal organizations may be looking for opportunities in those gaps. Criminals use methods ranging from hacking to social engineering to malware to find holes in processes and systems, and get at money in different ways. Sometimes, such as with account takeover or ransomware, it's direct. But there are plenty of indirect crimes related to data breaches. For example, crimes such as identity theft and new account fraud can go undiscovered for months or even years, in some cases.

FAST FACT: The finance sector experiences 300 percent more security incidents than other sectors. [1]

FAST FACT: 80 percent of financial institutions cite cyber risks as a top concern. [2]

The Customer Protection Dilemma

Customers are increasingly aware that they face risks online, but that doesn't mean they act accordingly.

- 94 percent of millennials rely on online banking [3], yet 24- to 35-year-olds face the highest incidence of fraud and are least likely to take preventive measures. [5]
- 62 percent of millennials and 77 percent of baby boomers worry about online fraud [4], yet consumers who don't believe they can effectively protect their financial data often ignore preventive measures. [6]

GETTING TO THE HEART OF DATA-RELATED COMPLIANCE CHALLENGES

Federal and state regulations related to data and customer protections are a confusing mishmash of rules. What's more, federal agencies tasked with protecting consumers add complexities and unknowns to compliance efforts.

At the federal level, banking regulations are generally focused either on what happens before data is lost or on preventing fraud. There are no specifications about what financial institutions must do once data is lost. For example:

- The Gramm-Leach-Bliley Act requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. [8]
- The Identity Theft and Assumption Deterrence Act of 1998 makes the FTC a central clearinghouse for identity theft complaints. It requires the FTC to log and acknowledge complaints, provide victims with relevant information and refer complaints to appropriate entities. [9]
- The Sarbanes-Oxley Act mandated a number of reforms to enhance corporate responsibility, boost financial disclosures and combat corporate and accounting fraud. It created the Public Company Accounting Oversight Board to oversee the activities of the auditing profession. [10]

Key fraud and data privacy laws aside, several agencies also have mandates to protect consumers. Take the Consumer Financial Protection Bureau (CFPB), which is tasked with ensuring that banks, lenders and financial companies treat consumers fairly. [11] The CFPB can create new rules or guidelines, or even go after institutions for an inadequate response to a data breach. But it's difficult to know how it may respond to different scenarios until it takes enforcement actions.

A majority of states at least require written notification in the event of a breach. But beyond that it's the Wild West, with varying rules from state to state. Let's briefly look at some of the considerations around the more opaque regulatory bodies and state-by-state compliance.

STATE-LEVEL REGULATORY CHALLENGES

Today, forty-seven states mandate that entities provide at least written notification in the event of a data breach. The notification timelines and requirements, however, vary. For example, Connecticut mandates that organizations provide breach notifications within 90 days. When Social Security numbers are exposed, organizations must also provide appropriate identity theft protection or mitigation services at no cost for at least a year. [12] In Oregon, on the other hand, businesses must notify customers of breaches impacting more than 250 people and provide a sample copy of the breach notification to the Oregon Attorney General. [13] Only Alabama, New Mexico and South Dakota currently have no requirements.

State-level regulations are also evolving rapidly. In 2015 alone, 33 states considered new bills or resolutions. Most of the bills were focused either on reporting breaches to state agencies or on broadening the types of personal information that should be considered in a security breach.

Meanwhile, New York's Department of Financial Services made news by introducing some of the most stringent and far-reaching cyber security rules to date. The new rules, scheduled to go into effect in March 2017, focus on improving cyber security programs, governance and formal processes, among other requirements. Given evolving threats and increasing citizen awareness, it's likely that other states will adopt similar regulations in the future. A federal law could simplify matters to some extent, but currently there are no options in the works.

THE CONSUMER FINANCIAL PROTECTION BUREAU

The CFPB has a broad mandate, with a lot of room for interpretation. That's why many financial institutions are uneasy about what they need to be doing to protect customers and themselves from regulatory actions. The CFPB's goal is to protect consumers and promote fair, transparent and competitive markets. [15] At a high level, the CFPB has the same kind of consumer protection jurisdiction over banks and credit unions that the Federal Trade Commission has over practically every other type of business in the U.S. In other words, the banking industry has its very own federal consumer protection agency. [16]

How the CFPB is going to pursue its mandate in the financial industry is unclear. Just consider that the CFPB pursued its first data security enforcement action in 2016 against an online payments company. The CFPB alleged the company was misrepresenting its data security practices. It hit the offender with a $100,000 fine and training and security requirements, and there wasn't even a breach. [17] It remains to be seen how the CFPB may react in the event of an actual breach incident at a financial institution.

The CFPB does note that identity monitoring or identity theft protection services may help consumers correct identity theft related problems, but that the terms and conditions of the service are especially important. For example, it suggests that consumers carefully consider service options, making sure that:

- free trial offers don't include hidden fees, trial periods or cancellation requirements
- the provider hasn't been subject to actions by local consumer protection agencies or the state attorney general's office. [18]

THE OFFICE OF THE COMPTROLLER OF THE CURRENCY

The OCC has made cyber security actions a key focus area in recent years. Yet the OCC is far from definitive on what has to be done to protect consumers. The lack of clarity leaves significant leeway for enforcement actions. The OCC has participated in a Federal Financial Institutions Examination Council (FFIEC) effort to use a Cyber Security Assessment Tool that is designed to help institutions identify their risks and determine their cyber security preparedness. [19] With respect to oversight, however, the OCC's role is limited to national banks, federally chartered savings and loan associations, federal branches and agencies of foreign banks, and IAPs. [20]

INDUSTRY TRENDS COMPLICATE MATTERS

Financial industry trends don't make responding to broad and vague compliance challenges any easier. In a nutshell, many strategic areas that require near-term action also create new security concerns and potential data exposure points. Let's briefly explore industry trends that are critical to competitiveness, yet add to the challenges of protecting business and customer data and meeting regulatory guidelines.

TARGETING MILLENNIALS AND HIGH-NET-WORTH CUSTOMER SEGMENTS

Whether you are focusing marketing efforts on millennials or high-income households, their data is at a premium not only for your institution, but also for thieves and fraudsters. The importance of winning over key customer segments can't be overstated when it comes to ongoing success.

Millennial Fast Facts [21]
- Will control nearly $2 trillion in liquid assets by 2020
- 33 percent believe they won't need a bank in five years
- 33 percent would have no issue with switching banks in the next few months

High-Value Customer Fast Facts
- Control 41 percent of deposits [22]
- $5.8 trillion in investable assets [23]
- 3.5 times more likely to consider switching financial institutions than other consumers [24]

THE NEED FOR MOBILITY AND DIGITAL ENGAGEMENT

Today's customers expect cutting-edge engagement options from financial institutions. Easy access to their accounts and products through their smartphones is especially important. The expectations are only increasing as fintech companies from Silicon Valley enter the mix, with the expectation that their technical chops can better meet customers' evolving needs. [25] The new competition means that established financial institutions need to ensure that they are providing cutting-edge services.

THE NEED TO LEVERAGE BIG DATA

Analytics technologies have opened up new frontiers in understanding and serving customers, as well as new compliance dangers. The ability to better see and analyze customer behaviors, and so stay ahead of the curve in meeting their requirements, could provide tremendous value to financial institutions and their customers alike. Yet, if not managed correctly, it could also present dangerous data exposure points.

TECHNOLOGY INTEGRATION AND CHANGES IN INTERNAL PROCESSES

Financial institutions need integrated systems that can securely share data in real time to support mobility, analytics and other key capabilities and technologies. The importance of technology integration will only increase as new players enter the competitive landscape and the requirements for keeping customers loyal continue to grow.

GETTING ON THE RIGHT TRACK

Figuring out how to respond to this mix of industry trends and challenges is no small feat. Unfortunately, there is no silver bullet. One thing is clear: data protection strategies that consider what should be done after a data breach or loss can help:

- improve standing with regulators
- foster customer trust and loyalty.

Most consumers contact their financial institution after they discover identity theft. That means financial institutions that partner with identity protection services can generate significant value for their customers. How? By easing the pain and cost of responding to fraud. [26] For example, with new account fraud, which does more damage to victims than any other type of fraud, victims spend an average of 15 hours trying to resolve the fraud. With expert support, that time and stress can be reduced significantly.

Ultimately, even regulators understand that no data security plan is foolproof. That's why the ability to show due diligence on post-breach response, in addition to enhancing security, is important. It underpins a stronger case for avoiding regulatory actions and fines. It's not enough to simply make a post-breach response offering or program available, however. To satisfy customers and regulators, you need to ensure that:

- sign-up is easy
- the services do not mislead or misdirect your customers in any way
- the offer blends almost seamlessly with other services.

THE 5 THINGS TO LOOK FOR IN A PARTNER

In today's financial world, identity and data breach defense solutions make a lot of business sense. A good solution provider can help your institution, employees and customers recover from data breaches or fraud much faster and with much less frustration, expense and pain. The best-in-class solutions can even help enhance your portfolio and brand reputation by providing 24/7 top-quality care for customers through channels that work seamlessly as an extension of your brand, from the initial call through resolution.

As with any type of service, provider choice can have a dramatic influence on the actual value of an identity and data breach defense solution. So what are some key things you should consider as you evaluate provider options? Here are five things that should be at the top of your list.

1. INDUSTRY KNOWLEDGE

Compliance takes more than basic identity and data protections. Given the constantly evolving regulatory complexities, it's critical to choose a provider that:

- focuses on the financial services industry
- knows the regulatory requirements for every state you operate in and has the ability to help you respond in each of those states
- understands how to help you meet the requirements of key agencies, including the CFPB.

2. BRAND EXTENSION

A provider capable of providing a personalized touch to service can help you increase customer loyalty and grow your bottom line. A good identity and data breach defense solutions provider should be a true partner, from onboarding through implementation, training and ongoing account management.

3. REPUTATION

A trusted provider with a longstanding and outstanding reputation in financial services is critical. After all, your identity and data breach defense solutions provider will be closely associated with your brand. Carefully consider:

- other clients a provider works with
- customer satisfaction ratings
- the average experience of the fraud specialists who will be handling your customers' calls.

Red flag: providers who want to direct sell or upsell your customers.

FAST FACT: Consumers rank reputation and low cost as the most important attributes of a solution provider. [27]

4. ADDED VALUE

The right solution should contribute to your institution's compliance posture and brand reputation. It should also deliver significant value relative to the cost. Look for a provider capable of providing:

- consistent, proactive service in resolving all of your customers' identity theft concerns
- clear terms and easy enrollment (this is a must for a successful program that regulatory bodies will view favorably).

5. SOLUTION DEPTH AND SCALABILITY

A good identity and data breach defense solution isn't just reactive, it's proactive. Here are key qualities to look for:

- A product delivery team with a proven ability to stay ahead of the curve with solutions that meet customers' evolving requirements.
- A solution that engages and helps educate your customers. This not only promotes better information protection practices and peace of mind; it can improve customer loyalty.
- A provider capable of keeping up with fast-evolving threats and regulations by updating policies and products as the landscape shifts.

CONCLUSION

Chances are, there will never be a time when it's totally clear what your institution needs to do to comply with federal and state regulations. However, the fact that you don't want to get robbed and that you want to protect your customers' best interests will never change, so there will always be motivation to do the right thing when it comes to securing data. If there were a sure thing in data security, that would be enough. Since there are no sure things in data security, and since your customers will turn to you for help if and when their data is compromised, reputable identity and breach defense services can be a smart investment.

NOTES

[1] Guide to Cybersecurity for Financial Services Firms, Lockheed Martin Corp., 2015.
[2] Guide to Cybersecurity for Financial Services Firms.
[3] There's No Slowing Down Millennials, First Data Corporation, 2015.
[4] Online Fraud Perceptions: Millennials Vs. Boomers, ThreatMetrix, 2016.
[5] 2014 Identity Fraud Report, Javelin Strategy & Research.
[6] 2016 Identity Fraud: Fraud Hits an Inflection Point.
[7] Online Fraud Perceptions: Millennials Vs. Boomers, ThreatMetrix, 2016.
[8] Gramm-Leach-Bliley Act, Federal Trade Commission, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act.
[9] The Identity Theft and Assumption Deterrence Act of 1998, Federal Trade Commission, https://www.ftc.gov/enforcement/statutes/identity-theft-assumption-deterrence-act-1998.
[10] Sarbanes-Oxley Act of 2002, U.S. Securities and Exchange Commission, https://www.sec.gov/about/laws.shtml#sox2002.
[11] Consumer Financial Protection Bureau, http://www.consumerfinance.gov/?gclid=cnz8-orm_c0cfqqffgod1y8jvg.
[12] New data security law in Connecticut imposes new requirements on businesses, regulated entities, and state contractors, Data Protection Report, July 27, 2015.
[13] Search Data Security Breaches, Oregon Department of Justice and Consumer Protection.
[14] 2015 Security Breach Legislation, National Conference of State Legislatures, December 2015.
[15] Compliance and Guidance, Consumer Financial Protection Bureau.
[16] How the CFPB and the FTC Interact, CFPB Monitor, July 7, 2011, https://www.cfpbmonitor.com/2011/07/07/howthecfpb-and-the-ftc-interact-part-i/.
[17] No Breach Required: CFPB Conducts First Data Security Enforcement Action, Quarles and Brady LLP, March 2016.
[18] What is Identity Monitoring or Identity Theft Protection Service?, Consumer Financial Protection Bureau, http://www.consumerfinance.gov/askcfpb/1369/what-identity-monitoring-or-identity-theft-protection-service.html.
[19] Cybersecurity Assessment Tool, Federal Financial Institutions Examination Council, 2016.
[20] Enforcement Actions, Office of the Comptroller of the Currency.
[21] There's No Slowing Down Millennials, First Data, 2015.
[22] Top Trends for Digital Financial Services in 2015, Javelin Strategy & Research, March 2015.
[23] New Moneyhawks: Highly Profitable and Engaged Customers Defining the Future of Banking, Javelin Strategy & Research, 2014.
[24] Top Trends for Digital Financial Services in 2015, Javelin Strategy & Research, 2015.
[25] 2016 Trends in Banking and Payments, Javelin Strategy, January 2016.
[26] Small Business Fraud Report, Javelin Strategy & Research, 2016.
[27] 2016 Identity Protection Services Scorecard, Javelin Advisory Services, June 2016.

www.cyberscout.com