By Margaret Weir Westby, CRCM, and Lisa Wolf, CRCM
There is no doubt that data security is on the average consumer’s mind, as well as on the agendas of federal and state lawmakers. This past June, ABA Daily Newsbytes reported on consumer concerns about privacy and data security. Citing a Verizon and Longitude global survey, the publication reported that “almost 7 in 10 consumers said honesty and transparency about how their personal data is used is something they look for in a company seeking to win their trust.” They further found that 42 percent of respondents emphasized the importance of companies clearly communicating their compliance with data regulations, and discovered that 29 percent of consumers in the U.S. would avoid using a company that had experienced a data breach. An additional 63 percent indicated they would avoid a company with such a breach for a period of time.
The current landscape
As a quick (and incomplete) primer, generally financial institutions must protect all “nonpublic personal information” relating to current and former customers under the Gramm-Leach-Bliley Act, the Right to Financial Privacy Act, and the Fair Credit Reporting Act. Remember, GLBA does not preempt state law if that law is consistent with GLBA and if that statute gives consumers more privacy protection that GLBA. In other words, you must know the state laws of every single state where you have, or have had, customers.
One thing is certain—all businesses, including financial institutions, are holding more data than ever before, and such data will likely increase as will analysis methods to use this data, as technology rapidly changes and develops. While data can provide protections such as those for use in identity authentication, it provides risk, as criminals constantly seek to exploit any system weakness to mine, use or misuse the data. While data breaches are often handled by other units of a financial institution, Compliance is well informed and positioned to assist in a strong, coordinated response to an incident.
Compliance’s role in a security breach
When a security breach occurs, where does your institution turn? In an institution with a strong compliance culture, employees will likely associate breaches with potential customer harm, so it may be natural for staff to report privacy-related incidents to compliance. Indeed, compliance can serve as a valuable resource in helping management execute the institution’s incident response plan. Establishing compliance’s role in incident response is essential and must occur before a breach occurs. Compliance must review and reassert this role, expectations, and resources on a regular basis.
Security breaches are often associated with cybersecurity risk; it’s easy to understand the enormous potential for cybersecurity breaches to cause harm to an institution. Depending on an institution’s size and complexity, cybersecurity and personally identifiable information data risks may be owned by the chief information security officer, an information security department, or a committee or team. While one of these areas will often have primary responsibility for customer information security, not all data breaches will necessarily be led by the information security team. For example, should a systems vendor error expose the names and addresses of the bank’s significant customers to the vendor’s other customers, the breach may fall under your incident response plan. It should still be reported and evaluated by the appropriate areas of the institution, but information security may not be taking a lead role in that incident response. An institution’s incident response plan should include sufficient representation from across the bank to allow for appropriate breach assessment and response.
When compliance is involved in a bank’s incident response team, it can play a key role as a strategic partner no matter the source of the breach. In an issue resolution setting, the function of the second line of defense is to guide management to a satisfactory resolution while minimizing risk to the bank. As with more typical compliance issue management, this role can be useful in security breach management, as well. Compliance is often deeply familiar with the interrelation between reputation risk, operational risk and compliance risk through its role in day-to-day compliance issues facing the institution. Security breaches often present all three types of risk, too. Compliance’s role as a strategic partner to the departments of information security, marketing, and others involved in the institution’s incident response team, can help the institution appropriately and timely respond to a breach and re-assess risk and opportunities to improve following a breach.
Breach assessment and response
A compliance department’s experience working on cross-departmental risk projects (such as regulatory compliance change management and compliance issue resolution) can make it a valuable resource to management in event of a security incident by helping identify internal stakeholders and guiding cross-collaboration. Compliance is often experienced with working to address different sources of control failures across the bank that are contributing to the institution’s compliance issues, such as:
- Automated systems versus manual processes
- Internal versus external failures
- Employee knowledge versus customer confusion
This experience translates well to assisting with security breach assessment and response.
When a breach occurs, compliance can help serve as a trustworthy but independent voice of reason, assisting departments in carefully assessing the situation while adhering to the institution’s incident response plan. In an institution with a less experienced incident response team, compliance can help develop a project plan following a breach, including establishment of timelines for action and roles and responsibilities.
Security breach assessment and response often requires multiple areas/departments of the institution (information security, marketing, customer-facing departments, etc.) to react and work together, sometimes with great urgency. Compliance may be looked upon to lead or help:
- Assess whether the nature of the security incident requires: 1) outside legal counsel to mitigate litigation risk; 2) the advice of external consultants with expertise in that type of incident; and/or 3) regulator notification.
- Ensure there is a detailed record built of the institution’s response actions and the evidence of system settings, detection logs, event logs, etc. are retained.
- Track and communicate developments internally to senior management and the board of directors.
- Evaluate the severity of any potential impact on the bank and its customers, including risk of identity theft.
- Identify affected systems, customers and plan public statements and/or customer communications.
- Serve as the communications liaison to external parties such as vendors, insurance companies, law enforcement and regulators.
In the case of a vendor breach, it may fall within the scope of compliance to:
- Communicate with the vendor to determine their incident response preparedness; Monitor the vendor’s execution of its incident response plan.
- Help evaluate the risk presented by the bank’s continued use of the vendor.
However, the type of security incident can affect the institution’s initial reaction. Compliance can best serve the incident response team by being adaptive to the situation and the institution’s needs.
For example, when faced with a data breach caused by a cybersecurity attack on the institution’s systems, Information Security’s immediate focus may be on containment of the issue leading to the breach. In this case the institution may look to compliance to lead the other aspects of the incident response plan. And if compliance is notified of a breach via a customer complaint, they could be expected to lead the institution’s incident response or just the complaint management aspects. Understanding the likely stakeholders within your institution and their experience with incident response management will also help compliance understand how it can be the most effective, whether as a project leader or a partner to management.
Additionally, at a bank with a cyber risk insurance policy that includes incident response assistance, compliance may serve as the liaison between the company and affected departments by directing information and decision points to the correct departments and ensuring that decisions are made and communicated timely. Cyber risk insurance policy coverage, incident reporting obligations, and insurance company expectations can vary widely. Depending on the type of incident and affected departments, managers may not be not familiar with policy details. By acting as a designated liaison, compliance can add consistency to the bank’s incident response process.
Even in an institution with a limited role for compliance, the department often has the skills to serve as a ready backup to guide management in incident evaluation and response. Compliance can offer guidance to management based on its own experience working across business lines on complex or difficult risk issues and share any expertise that it may have in breaking down institutional silos to effect change within the institution. Through lessons learned from compliance issue management, compliance is often capable of determining who should be involved first, and how different areas of the institution tackle risk-related problems most effectively.
Adapting this knowledge to help the incident response team manage and assess a breach–especially in a fast-moving environment–can guide the bank in effective security breach assessment and timely response.
Compliance can help the institution evaluate appropriate customer notification when management’s initial (and natural) first response might be to avoid the incident getting into the news. Compliance can guide management in understanding when customer and/or regulator notification is required under the institution’s incident response plan or federal or state law, and when such notifications are truly management business decisions based on perceived or realized reputation risk. For example, management may look to compliance to guide whether a vendor security breach notification letter is sufficient or if a notification must come from the institution, too. (Although if a vendor is sending out a communication, the institution should always have an opportunity to review it before it is sent out.) Further, when customer notification is planned, compliance can assist with evaluating whether the proposed notifications to customers are clear and transparent. This helps the institution balance the importance of providing useful information with the concern that the institution might place itself at greater risk by disclosing too much or the wrong information.
Security breach post mortem
Security breaches are a constantly evolving area of risk; no institution is immune, nor can all breaches be 100% prevented. It can be difficult for management to see immediate opportunities to improve in an area where all institutions are so vulnerable. Further, after spending significant time addressing a breach, management may be hesitant to spend more time introspectively evaluating the institution’s response. However, compliance is well aware that regulators expect an institution to be both reactive and proactive. In other words, to identify and solve problems as they arise, and to self-evaluate and implement reasonable controls with a focus on the future. Since compliance is experienced in both risk assessment and root cause analysis, they can be involved in the bank’s incident response plan by proactively helping management understand the value in post-breach risk evaluation and identification of controls improvements.
Following a breach, management will have real experience from which to draw upon in re-evaluating risk. Especially in institutions with difficulty implementing change, compliance can play a role as a proactive champion for change, working with the areas most affected by the breach along with any vendors that were involved to discuss a timely post mortem of the incident. After a significant or unique breach, an institution should consider formally reassessing its risk. Smaller incidents may trigger informal conversations or may be discussed at the institution’s next regularly-scheduled risk assessment and discussion. Also, many cyber risk insurance policies come with, or should come with, access to legal cyber incident coaches to help guide a response and provide legal cover. That firm’s focus may come from the view of mitigating the insurance company’s risk, which may not be the same as the institution’s risk. Depending upon the severity of the incident, consideration may be necessary to obtain counsel to ensure the institution’s own interests are covered. Nevertheless, an institution should negotiate for this coverage when obtaining its cyber risk insurance policy.
When the risk assessment occurs, the institution’s evaluation of the incident’s inherent risk to the institution should be considered, including both the reasonable impact and the likelihood of the institution suffering the impact. The strength of the institution’s controls should also be reassessed. Compliance’s expertise in root cause identification can also help management identify the root causes of any control failures, as well as opportunities to improve. Compliance can guide management in a thoughtful reassessment of whether controls functioned as expected, by asking the same questions as it would in a typical compliance risk discussion. Compliance should ask:
- Did the institution’s policies and procedures adequately guide the institution in addressing the situation timely?
- Did the institution follow its process? (For example: Was the breach reported through correct channels? Was management informed timely? Was the institution’s reaction responsive to the risk that materialized?)
- Were the right people in the room to evaluate and address the breach? Is the institution’s incident response team appropriate?
- Did other controls function as expected?
- Were affected vendors responsive and accountable?
In the event of a vendor breach, Compliance should help assess both the bank’s response and the vendor’s response. Questions may include:
- Did the vendor report the breach to the bank in a timely manner?
- Was the vendor transparent about the cause of the breach and was their incident response plan executed satisfactorily?
- Did the bank suffer unexpected consequences, such as reputational damage or financial losses?
- Should the vendor risk (or choice of vendor) be reassessed based on the incident?
- Review the contract with the vendor, are there service-level agreements or other warranties available taken advantage of?
Consider reassessing the risk of vendors if an incident uncovers additional unexpected risks. For example, you may want to reassess vendor risk if you discover that the vendor’s vendor suffered the breach, the vendor had more PII data than originally contemplated, or the vendor had fewer controls than expected. Further, if the bank is retaining the vendor following an incident, compliance may lead discussions with the vendor to ensure that the bank’s expectations regarding future incidents are clear.
Finally, if relying on cybersecurity insurance to mitigate its risk, the bank should also evaluate whether both the company and the policy functioned as expected. (Note that while the insurance company may also perform a post mortem on the incident, the bank should be mindful that the company’s focus is likely on mitigating their risk rather than the bank’s risk.) Compliance can contribute to this discussion by asking the following questions:
- If the incident was covered by the policy, was coverage adequate for the incident? (If not, evaluate where the bank’s risk appetite falls as far as obtaining additional coverage versus the risk of another incident of that type.)
- If the insurance company promised guidance and/or incident response assistance, did it deliver? Was the assistance useful or limiting?
Use your post mortem to assess whether your coverage is adequate; policies are negotiable and can cover data privacy, liability coverage for data breaches/losses, remediation costs and regulatory penalties as well as other coverage for other cybersecurity incidents, business interruptions and media liability.
Compliance could be the difference between a correct comprehensive response to an incident, or one that falls short and results in additional reputational harm to the institution. As such, compliance must work on a regular basis to assure all stakeholders in a potential breach understand the value compliance may provide, as well as continue to inform all parties of any evolving legal and regulatory developments. Compliance could make the difference between an adequate and comprehensive response to an incident, or one that falls short and results in additional reputational harm to the institution. So, pull up your chair at the table, and get comfortable–with all the pending legislative efforts in this space, you will be there a while.
Margaret Weir Westby, CRCM, is an adjunct professor at Boston University School of Law and an experienced regulatory compliance and legal professional with more than 25 years of experience in leadership roles with multiple financial institutions and consulting groups. Lisa Wolf, CRCM, is VP and chief compliance officer at 1st Source Bank in South Bend, Ind., overseeing compliance and fair lending for the $6.4 billion community bank. She began her career as a state deputy attorney general, litigating consumer protection cases and participating in joint investigations with other federal and state authorities.
