Financial institutions’ leaders must come together to deal with data security risks and compliance requirements, reports Illena Armstrong.

CEOs, government regulators and IT security pros sometimes may have disparate views on information security planning for financial institutions, but their ultimate end goal seems the same: Secure customer data.  

Still, differing strategies can upend even the best-laid plans. For the information security leaders who recently attended SC Magazine’s 2011 Financial Services Roundtable, C-level executives and government regulators often complicate both the ideal data security outcomes and the methods used to achieve them.  

Especially among CEOs, concerns about compliance and regulation rule, said Leigh Williams, who spoke at the event as president of BITS, a division of an umbrella organization called the Financial Services Roundtable, which is made up of about 100 financial organizations, including banks, insurance providers, investment firms and others. (Williams has since left BITS to serve as the director of the Office of Critical Infrastructure Protection and Compliance Policy at the U.S. Department of the Treasury. Paul Smocer, former technology risk manager at Bank of New York and CISO at Mellon Financial, who first joined BITS in 2008, is now the organization’s president.)  

Because the financial crisis led to everything from the creation of the Consumer Financial Protection Bureau (CFPB) to myriad regulations, CEOs want assurance from IT and information security executives that data security and data reporting standards put forth in these rules are upheld, Williams explained during the SC Magazine Roundtable, which was sponsored by HP Enterprise Security.  

“Foremost in their minds, for better or worse, is this avalanche of regulation,” he said. “You can argue about whether that’s a good thing or a bad thing, but it absolutely crowds out some of their thinking about opportunity and customer service and I know they’re frustrated about that.”

Many SC Roundtable attendees agreed, noting that while their CEOs don’t necessarily get into the detail of how they’re keeping compliant with regulations, they do have firm expectations.  

“From a compliance and risk management perspective they’re very, very tuned in and I think it’s generating a lot of the push down in terms of action amongst our teams…” said one attendee who asked to remain anonymous.  

Multifactor authentication is of particular interest, agreed many SC Roundtable participants, especially given the updates earlier this year to the Federal Financial Institutions Examination Council (FFIEC) guidelines, which first pushed for use of such technologies in 2005 to combat attacks such as phishing. The revisions specifically address corporate bank account takeovers, which more recently have plagued financial services organizations of all sizes. Small and midsize companies have been particularly targeted, losing millions of dollars after criminals hijacked their accounts to steal funds through fraudulent wire transfers.  

The new guidance directs financial institutions undertaking these high-risk transactions to implement a layered security approach, which might include detection and monitoring systems to flag suspicious transactions; dual customer authorization that requires employee sign-off on some transactions before completion; out-of-band verification that prompts the bank to ask customers to approve transactions; or the bank’s procurement of a list of approved payees from customers.
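The layered approach described above can be pictured as a screening step that a transfer passes through before release. The following is an added illustration, not code from SC Magazine, the FFIEC or any bank; the control thresholds, the field names and the sample customer profile and transfers are all constructed assumptions. Each layer (approved payee list, dual employee authorization, transaction monitoring, out-of-band customer confirmation) contributes a hold or rejection, and the most restrictive outcome wins.

```python
"""Layered screening of a high-risk transfer request.

Added example (not from the article or any vendor/regulator). All thresholds,
field names and sample data below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DUAL_AUTH_THRESHOLD = 10_000.00   # assumed: at/above this, a second employee must sign off
ANOMALY_MULTIPLIER = 5            # assumed: amount > 5x the customer's typical transfer is flagged
VELOCITY_WINDOW_SECONDS = 3600    # assumed: monitoring look-back window
VELOCITY_MAX_COUNT = 3            # assumed: this many prior transfers in the window is suspicious


@dataclass
class CustomerProfile:
    customer_id: str
    approved_payees: set[str]                       # bank-held list of payees the customer approved
    typical_amount: float                           # assumed baseline derived from history
    recent_transfer_times: list[int] = field(default_factory=list)  # epoch seconds


@dataclass
class Transfer:
    customer_id: str
    payee: str
    amount: float
    timestamp: int                                  # epoch seconds
    initiated_by: str                               # employee who keyed the transfer
    approved_by: str | None = None                  # second employee sign-off, if any
    oob_confirmed: bool = False                     # customer confirmed via a separate channel?


def screen_transfer(t: Transfer, p: CustomerProfile) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is 'release', 'hold' or 'reject'.

    Holds raised by customer-facing layers (payee list, monitoring) can be
    cleared by out-of-band confirmation; a missing second employee approval
    cannot, and self-approval is rejected outright.
    """
    rejects: list[str] = []
    employee_holds: list[str] = []
    customer_holds: list[str] = []

    # Layer: approved payee list.
    if t.payee not in p.approved_payees:
        customer_holds.append("payee not on customer's approved list")

    # Layer: monitoring for anomalous amount or burst of activity.
    if p.typical_amount > 0 and t.amount > ANOMALY_MULTIPLIER * p.typical_amount:
        customer_holds.append("amount exceeds 5x customer's typical transfer")
    recent = [ts for ts in p.recent_transfer_times
              if 0 <= t.timestamp - ts <= VELOCITY_WINDOW_SECONDS]
    if len(recent) >= VELOCITY_MAX_COUNT:
        customer_holds.append("transfer velocity exceeded")

    # Layer: dual authorization for large transfers.
    if t.amount >= DUAL_AUTH_THRESHOLD:
        if t.approved_by is None:
            employee_holds.append("dual authorization required")
        elif t.approved_by == t.initiated_by:
            rejects.append("initiator cannot self-approve")

    if rejects:
        return "reject", rejects
    if employee_holds:
        return "hold", employee_holds + customer_holds
    if customer_holds and not t.oob_confirmed:
        return "hold", customer_holds
    if customer_holds:
        # Layer: out-of-band verification cleared the customer-side holds.
        return "release", [r + " (cleared out-of-band)" for r in customer_holds]
    return "release", []


def demo() -> dict[str, tuple[str, list[str]]]:
    """Run constructed sample transfers through the screen."""
    profile = CustomerProfile("acct-001", {"Acme Supplies", "Northwind Ltd"}, 2_500.00,
                              recent_transfer_times=[1_700_000_000, 1_700_000_600])
    now = 1_700_003_600
    cases = {
        "routine": Transfer("acct-001", "Acme Supplies", 1_800.00, now, "clerk-a"),
        "new_payee": Transfer("acct-001", "Unknown Co", 1_800.00, now, "clerk-a"),
        "new_payee_oob": Transfer("acct-001", "Unknown Co", 1_800.00, now, "clerk-a",
                                  oob_confirmed=True),
        "large_no_second": Transfer("acct-001", "Acme Supplies", 15_000.00, now, "clerk-a"),
        "large_self_approved": Transfer("acct-001", "Acme Supplies", 15_000.00, now, "clerk-a",
                                        approved_by="clerk-a"),
        "large_dual": Transfer("acct-001", "Acme Supplies", 15_000.00, now, "clerk-a",
                               approved_by="clerk-b", oob_confirmed=True),
    }
    return {name: screen_transfer(t, profile) for name, t in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name:20s} {decision:8s} {reasons}")
```

The separation into employee-side and customer-side holds is the design point: a customer's out-of-band confirmation should never substitute for the second employee signature that dual authorization exists to require.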

Despite the new guidance, demand from C-level executives for multifactor authentication is still high. Because of problems in retail environments, for instance, requiring employees to use such tools may assuage data theft fears for some. Likewise, when it comes to strengthening business partner access to systems, identity management and authentication are critical, said some SC Roundtable attendees. Cost and overhead do pose problems, though, as do concerns about the viability of solutions since the RSA SecurID compromise earlier this year.  

This incident, often touted as a prime example of an advanced persistent threat, or APT, in action, was successfully launched via a social engineering attack. Such tactics rely on unwitting users to launch malicious executables, which ultimately can lead to major brand damage. Security awareness training, then, should be a high priority, according to the FFIEC updates.  

Roundtable attendees conceded that end-users and customers alike can further complicate the daily data security challenges they face. In their eagerness to do their jobs or to execute a quick transaction, employees and patrons are quick to undervalue security, they noted.  

Another SC Roundtable participant, working for a large bank that asked for anonymity, said mobile security was proving exceptionally tricky given the variety of devices traders and other executives use. Because of Federal Communications Commission (FCC) regulations, which mandate that exchanges via these devices are monitored, the time and costs currently dedicated to this task are high. And, so far, he has found little help from security vendors to manage the heap of mobile tools. 

As a result, he and his legal team were looking into transferring corporate liability for data loss or exposure to end-users who rejected the company’s “locked down” devices. By having them sign documentation noting their wish to use their own devices for work, the goal is to move responsibility for compromised business data. “If the device is not owned by our company, then we don’t monitor it,” he said.

Another attendee working for an investment firm, who also asked to remain anonymous, said such a practice likely would be slammed by regulators.

“Aside from the discovery issues of trying to produce that kind of information, I don’t see the liability ever leaving.”  

If company data is stolen, no matter through what channel, and if company employees or partners are involved, it will be the data owner’s name that “is dragged through the press,” he said. “Our take so far is that the company’s going to be responsible for it.”  

Indeed, the monitoring and protection of confidential data, ultimately resulting in preventing its exfiltration, is yet another major employee-related concern for SC Roundtable participants.  

“Since the financial crisis, I’m hearing a lot of stories about how people leave companies and take the data with them,” said the Roundtable participant reviewing legal options to address the loss of data through mobile devices.

While his company is in the midst of testing one data leakage prevention (DLP) solution, he hasn’t been too impressed. Currently, the solution is simply in auditing or reporting mode: he is wary of configuring it to actually block potential data leaks for fear that normal business workflow will slow. With potential impacts to the bottom line in mind, he wondered just how well security solutions live up to their market claims.  

When considering customer security, issues become even more convoluted, again especially considering the widespread use of mobile applications, said Ryan Kalember, director of solutions marketing at HP Enterprise Security. Citing the example of technologists earlier this year using Bluetooth-enabled devices to hack into a car’s computerized system and stop it mid-drive, he said to the SC Magazine group: “If they can change fuel ratios with Bluetooth, imagine what they could do with your banking application that has no security.”

He explained that his division is working with banking customers to understand how their clients access systems through different channels, including mobile, web or ATM, so that they can get a more holistic view of these different activities. Through these efforts, not only would they be able to build profiles on what customers are doing and what channels they prefer, but there could be huge security benefits.  

“Probably the most interesting thing for me is being able to get a complete view across those different areas,” he said.

For instance, when customers log into their banking accounts online, the application ties the action to their online banking identities. When a customer uses a credit card at a physical location, that system records the transaction under the credit card number. To correlate those two actions, the overall corporate system must be able to recognize these varying identity attributes as belonging to one particular customer, he said. With this holistic view, a corporate system made up of different subsystems that each touch a distinct transactional channel could alert security pros when a customer’s credit card is being used in a physical store in Tokyo at the same time that the associated account is being used for an online purchase in New York City.
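The correlation Kalember describes needs two pieces: a way to resolve each channel's own identifier (online username, card token) to one customer, and a check that the customer's activity across channels is physically plausible. The block below is an added example, not HP's product logic or code from the article; the identity directory, the coordinates, the speed threshold and the sample events are constructed. It generalizes the "Tokyo and New York at the same time" case to an impossible-travel check, so it also catches use in two places a few minutes apart, not only simultaneous use.

```python
"""Cross-channel identity correlation with an impossible-travel check.

Added example (not from the article or HP). The identity directory, thresholds,
coordinates and sample events are all constructed.
"""
from __future__ import annotations

import math
from collections import defaultdict
from dataclasses import dataclass

# Assumed: a directory that maps each channel's native identifier to one customer.
IDENTITY_DIRECTORY: dict[tuple[str, str], str] = {
    ("online", "jsmith"): "cust-42",
    ("card", "tok_4111xxxx1111"): "cust-42",
    ("atm", "tok_4111xxxx1111"): "cust-42",
    ("online", "mlee"): "cust-77",
    ("card", "tok_5500xxxx0004"): "cust-77",
}
MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner speed
MIN_DISTANCE_KM = 50.0      # assumed: ignore small geolocation jitter


@dataclass(frozen=True)
class Event:
    ts: int            # epoch seconds
    channel: str       # "online", "card" or "atm"
    identifier: str    # the identifier that channel knows the customer by
    city: str
    lat: float
    lon: float


def resolve_customer(e: Event) -> str | None:
    """Map a channel-specific identifier to the bank-wide customer id."""
    return IDENTITY_DIRECTORY.get((e.channel, e.identifier))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(events: list[Event]) -> list[tuple[str, Event, Event, float]]:
    """Group events by resolved customer and flag consecutive pairs that would
    require travelling faster than MAX_PLAUSIBLE_KMH (or being in two distant
    places at the same instant)."""
    by_customer: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        cid = resolve_customer(e)
        if cid is None:
            continue  # unknown identifier: nothing to correlate against
        by_customer[cid].append(e)

    alerts = []
    for cid, evs in by_customer.items():
        evs.sort(key=lambda ev: ev.ts)
        for a, b in zip(evs, evs[1:]):
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (b.ts - a.ts) / 3600
            if hours == 0 or dist / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((cid, a, b, dist))
    return alerts


# Constructed sample events: one customer seen online in New York and then at a
# card terminal in Tokyo two minutes later; another customer moving plausibly.
SAMPLE_EVENTS = [
    Event(1_700_000_000, "online", "jsmith", "New York", 40.7128, -74.0060),
    Event(1_700_000_120, "card", "tok_4111xxxx1111", "Tokyo", 35.6762, 139.6503),
    Event(1_700_000_000, "card", "tok_5500xxxx0004", "Boston", 42.3601, -71.0589),
    Event(1_700_018_000, "online", "mlee", "New York", 40.7128, -74.0060),  # 5 h later
    Event(1_700_000_000, "card", "tok_unknown", "Chicago", 41.8781, -87.6298),  # unresolvable
]


def demo() -> list[tuple[str, Event, Event, float]]:
    return find_impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for cid, a, b, dist in demo():
        print(f"{cid}: {a.channel}@{a.city} -> {b.channel}@{b.city} "
              f"({dist:.0f} km in {(b.ts - a.ts) / 60:.0f} min)")
```

The identity directory is the part that is hard in practice: it is only as good as the bank's ability to link a card token, an online login and an ATM card back to the same customer record, which is exactly the cross-system view the article says HP was building with its banking customers.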

In addition to mobile security and data exfiltration issues, Roundtable participants also voiced concerns about the possibility of critical information being compromised through social networking and cloud services. Overall, use of such applications and devices is fueling worries from all quarters about “data sprawl,” said Williams, formerly of BITS.  

Added another SC Roundtable participant from an international financial institution, “My sense is that there is a lot of data that is being collected that isn’t necessary and yet is at risk if it’s disclosed.”

To support organizations in addressing the countless ways data could be compromised, and to tie together the sometimes contrasting viewpoints on how to get there, Williams said BITS has created some 17 working groups to address data security and the many other requirements put forth in legislative mandates, such as the Dodd-Frank Wall Street Reform and Consumer Protection Act.  

“In technology, we think all of those Dodd-Frank mandates will have some impact,” he said. “Some of them require the collection of data, some of them require customer access to information about them, some of them require the reporting of data to the CFPB or someone else which then has to be safeguarded somehow. All of [them] have created some concerns.”

He further noted that whatever the differences of opinion concerning data security among CEOs, information security professionals and legislators, information protection is center stage. It is imperative, then, that budgets and associated risk management plans stay focused on this objective.  

“There are enormous amounts of data being reported to every agency now, to every examiner, to every banking agency,” he said. “It’s important that we safeguard them. This creation of the CFPB is a reminder that we’re not just talking about the safety of our organizations and institutions, but we’re talking about the safety of and service to customers, too. That’s an important piece to all of these senior executives. They’d like to make sure that they do everything that they need to do to ensure that customers are being well served.”