Cybercrimes cost the global economy up to $100 billion annually. For the banking industry, data breaches can cost more than dollars and cents: they jeopardize customer trust, harm the brand, and could lead to loss of future and current business.
Robert Carothers and Micah Fincher, partner and associate at Jones Walker, LLP, provided tips on how to avoid data breaches, and how to address them should they occur, Thursday at the annual Bank Directors’ College at Auburn University, presented by the Harbert College of Business and the Auburn Technical Assistance Center. Carothers and Fincher were just two of the featured speakers at the March 14-15 event, which updated 80 bank directors on new legislation that could lead to regulations and on best practices involving purchasing cards, among other topics.
Distinguished panelists included Michael Hill, Superintendent of Banks for the Alabama Department of Banking; Michael Dean, Regional Director of the Federal Deposit Corp; Dr. Loren C. Scott, President of Loren C. Scott & Associates; Kevin Hagler, Commissioner, Georgia Department of Banking & Finance; and Michael Emancipator, Vice President and Regulatory Counsel of the Independent Community Bankers of America.
“This conference provides you with a better understanding of what’s to come with the economy, interest rates, the next hot button from a regulatory standpoint,” said Boles Pegues, III, Executive Vice President at River Bank & Trust.
One such hot button was cybersecurity. Data breaches lead to identity theft and unwanted purchases on one’s debit or credit cards. For banks, data breaches can lead to downgrades in regulatory ratings, hinder applications relating to mergers and acquisitions, and result in enforcement action to address issues.
Then there’s cost. “If you have a data breach, it can be expensive,” Carothers told bankers. “You’ve got the cost associated with legal counsel, cost associated with hiring experts to help you understand the scope of the breach and make sure that you have in place controls that make sure you’ve stopped the ongoing security breach and that there are no further risks.”
Carothers and Fincher explained ways bankers can protect their institutions. One measure was educating employees on how to spot phishing scams. Another was simply updating software.
“Another root cause of data breaches is out-of-date, vulnerable software,” Fincher said. “You need updates to run so that you have the latest software. When you do erroneously click on the link or open the attachment, this minimizes the harm that malware could otherwise cause. The most common source of out-of-date software is Java. Go update your Java!”
Lost or stolen laptops are another source of data breaches. Encrypt them, Fincher recommended.
“Sixty percent of fired employees will take confidential information,” Fincher added. “If you know that you are going to fire an employee, you’d better lock them out of your system before you tell them. That way, you have neutralized their ability to cause havoc.”
How does an organization prepare for fraud on the front end? “The first step is the initial risk assessment,” Fincher answered. “Try to understand what data you have and where it is. Where is your sensitive customer information and how is it protected? We’re not just talking about customer databases, we’re also talking about those who have applied for accounts or a loan. Is there a database where that information lives? Ask yourself, ‘How can I do privacy by design?’ ‘Do those reports need the full account number?’ ‘Is there some way we can truncate that account number and still identify that customer?’
“Another source of documents that have sensitive information are HR documents. They have employees’ Social Security numbers on them. What about external vendors? Think about what controls they have in place.
“Plan for an incident response. Once you have your data map, you know the universe of where your data lives. You want to protect it and you want to limit the access of who has access. Be proactive. Develop that plan. Don’t put it off and make it a priority.”