You can Download this article as a PDF HERE
The frequency of online attacks against U.S. business continues to increase, along with the cost of defending against those attacks and mitigating any resulting data breaches. Cybercrime now costs a U.S. business $8.9 million per year, an increase of 6% from 2011 and 38% from 2010. Those findings come from the “2012 Cost of Cyber Crime Study,” which was sponsored by security intelligence tool vendor HP and released Monday (10/8/2012) by Ponemom Institute.
The average breach costs $214 per record compromised; another cost factor is that it’s taking businesses longer to respond to security breaches. On average, it now takes a business 24 days to spot and resolve an attack, although some cleanup operations extended to 40 days. On average, each cleanup cost $592,000, a 42% increase from the average reported in 2011 of $416,000. (Ponemon Institute and Hewlett Packard- 2013).
As the number of cyber attacks on financial institutions continues to increase, it is critical to protect your business. Cyber Security begins with a plan. This plan should be developed based on the requirements and risk of protecting third party Non Public Information (NPI). Requirements are driven by federal, state and self-regulatory organizations (SRO) representing the best practices and minimum techniques used to protect NPI and the account of its use. Risk is the harm lost NPI can do to an individual, family or company when used to conduct crime.
Cybercrime can fall into two categories-Active and Passive Cybercrime. Active is when the crime attacks a target directly. Examples of this include: identity thief, credit card fraud, processing platform takeover and website shut downs. Passive attacks listen to the party line (Internet) to collect information, which is not public, intercepting executive communications on financial decisions, intellectual property, legal strategies or summarized as “the stock tip”.
Financial Institutions need to protect their NPI from potential cyber threats, which includes the mortgage industry. The mortgage industry can learn from other industries that are highly regulated and handle a great deal of NPI. This includes areas such as, the life Insurance and securities industries, which have a significant amount of requirements to comply with compared to any other industries. Agents, Advisors, BGA, BD, Medical Service providers and Carriers handle NPI, PPI, financial, medical, educational information for which they are accountable for.
The below is to help your organization build a simple but effective security plan. A plan that will make you focus on your internal technology and controls for an internal operation or a good check list for working with a Cloud vendor to enable compliance. Remember, you can outsource the technology or process, but not the liability.
This is only a guideline for educational purposes; for a complete Cyber Security evaluation, please contact a certified Service Organization Controls third party evaluator.
Security Plan
Establish a Security Officer responsible to the company to oversee this process. At least one member should be an officer of the company (executive oversight). This individual needs to define and document its policies for the security of its system. Security policies are established and periodically reviewed and approved by a designated individual or group.
The entity’s security policies include, but may not be limited to, the following matters:
NPI
Classify data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights, access restrictions, retention and destruction requirements. Appendix A list the common items regarded as NPI.
Users
Identify and document the security requirements of authorized users. Know who is authorized to add, change, communicate and delete NPI. Roles are a common practice in defining access privileges.
Assessing risks on a periodic basis. Organizations add or change how NPI is accessed (Social media, Emailed, twitter, etc.) and should address the new risk and its solutions or policy change.
Preventing unauthorized access. Determine User’s use of login and password, sharing of the same is not a good thing. Also, assess who has User access authority. When adding new users, modifying the access levels of existing users, and removing users who no longer need access.
Any good plan should include assigning responsibility and accountability for system security. What should this cyber security expert do? Here’s some tips:
Any potential system changes should go through this individual and get this person’s approval before the change goes live. You need to assign responsibility and accountability for system changes and maintenance. Testing, evaluating, and authorizing system components before implementation is critical. Address how complaints and requests relating to security issues are resolved, as well.
In addition, users with access to NPI need to read and sign a privacy agreement. As such, users agree to keep NPI confidential or face loss of access and possible termination. Users with access to NPI should have a third party review of their background.
Your company also needs to communicate its defined security polices to responsible parties and authorized users. You should have an objective description of the system and its boundaries. Further, that description needs to be communicated to all users. The process for informing the entity about breaches of the system security and for submitting complaints is also something that needs to be communicated to authorized users. Changes that may affect system security and fully communicated to management and users who will be affected.
Office Security
Procedures need to exist to restrict access to the defined system. For example, you need security measures to restrict access to information resources not deemed to be public. Identification and authentication of users also has to happen. Further, you need full registration and authorization of new users. Restriction of access to offline storage, backup data, systems, and other system components such as firewalls, routers, and servers should also be part of any plan.
Data Center Security
When outsourcing your business platform it’s important to know what outsourcing are you entering into; public cloud or private cloud. Public cloud is typically where you are using their application maintained in a computing environment completely under the vendor’s control (Redtail.com, Saleforce.com, AgencyWorks, etc.). Private cloud vendors can come in two flavors, co-location or vendor provided. Co-location means the data center provider supplies a secure area (cage) where you provide all the hardware and software required to maintain the business platform. Vendor provided means the data center provider supplies all of the hardware and you provide the software to run. Depending on the relationship you enter into, compliance remains your responsibility.
Typically when obtaining Cyber Insurance the insurer will request all third party providers that have potential access to NPI to show they meet technology compliance. Most cloud providers that have engaged a third party CPA firm, which conducted audits of vendor’s policies, procedures and controls to ensure compliance.
As we continue to talk about creating a cyber security plan, we have to touch on infrastructure and systems management.The potential privacy impact is assessed when new processes involving personal information are implemented, and when changes are made to such processes (including any such activities outsourced to third parties or contractors), and personal information continues to be protected in accordance with the privacy policies. For this purpose, processes involving personal information include the design, acquisition, development, implementation, configuration, modification and management of the following:
>> Infrastructure
>> Systems
>> Applications
>> Websites
>> Procedures
>> Product and services
>> Databases and information repositories
>> Mobile computing and other similar electronic devices
Minimum Third Party Audits
Whether you outsource or insource, a minimum third party audit you should conduct is a Penetration Test conducted by a reputable group. These Penetration Test (Pen Test) attempt to break through your security and provide feedback on areas you should correct. If your information is accessible via the Internet, it is highly recommended that you conduct Pen Testing annually.
Public Privacy Statement
Companies that maintain NPI must publish to the public your commitment to secure the same. If any information is used outside of the processing you are providing (e.g., selling mailing list names collected) you must disclose that practice in your public notice.
Clean Desk Policy
Clean Desk and Clear Screen (CDCS) Policy ISO 27001/17799 are simple steps intended to protect NPI when you are not present in the office. Clear desk and clear screen policy are used to reduce the risks of unauthorized access to, or loss of, or damage to, information. This requirement should be contained in the user access authorization document.
>> Ensure that appropriate facilities are available in the office in which, depending on their security classification, computer media (disks, tapes, CDs) and paper files can be stored and locked away, including lockable pedestals, filing cabinets and cupboards.
>> Sensitive information should be locked away in a fireproof safe (and the security adviser will have to access the fire resistance of the safe in terms of the sensitivity of the information inside it and its location in order to ensure its survival for long enough to be rescued).
>> Personal computers, computer terminals and printers should be switched off when not in use and should be protected by locks, passwords and the like.
>> Everyone should be required to use password protected screen saver that automatically fires up after only a few minutes (between three to five is reasonable) of inactivity.
>> Incoming and outgoing mail collection points should be protected or supervised so that letters cannot be stolen or lost, and faxes and telexes should be protected when not in use.
>> Photocopiers should be switched off and locked outside working hours; this makes it difficult for unauthorized copying of sensitive information to occur.
>> All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.
Moving on, we have to discuss the Red Flag Rule, which requires many businesses to develop and implement a formal, written Identity Theft Prevention Program for the purposes of detecting the warning signs, or “red flags”, of identity theft throughout their day-to-day operations. Here’s what else you need to know:
The first step is to identify the relevant red flags you might come across that signal that people trying to get products and services from you aren’t who they claim to be. The second step is to explain how your business or organization will detect the red flags you’ve identified. The third step is to decide how you’ll respond to any red flags that materialize. Do you use service providers who might detect any of the red flags you’ve identified? For example, if you hire a company to handle your Part Two Call Center activities talk to them to see that they’re following your Program or have their own that complies with the Red Flags Rule.
Cyber Insurance
Most corporate liability insurance policies do not cover losses due to cyber-attacks, errors or omissions. Cyber insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. The Department of Commerce has described cyber insurance as a potentially “effective, market-driven way of increasing cyber security” because it may help reduce the number of successful cyber-attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection; and limiting the level of losses that companies face following a cyber-threat.
Data Encryption
Last but not least, encrypt at rest, in transit and include a process for data and hardware destruction. Your greatest hope for protecting NPI is encryption. Most laws and regulations will ignore encrypted data if compromised; they call this “Safe Harbor.”
We all have the responsibility to protect and account for the use of NPI. Whether you’re paper or electronic based with your processing, the laws and rules remain the same. Top down, focus on encrypting everything, getting cyber insurance, training and educating your employees, and complying with laws and regulations.