When a Data Breach Occurs, Will Your FI be Ready to Respond Effectively?

October is National Cyber Security Awareness Month (NCSAM) — a collaborative effort among government organizations, businesses of all sizes, educational institutions, nonprofits, and consumers to ensure everyone has the resources they need to be safe online. For financial institutions, it’s a reminder to prepare or update your cyber safety and response plan, not only for your organization but for your account holders. To date in 2015, the banking, credit and financial industries have reported 41 data breaches, exposing at least 408,000 records, according to the Identity Theft Resource Center (ITRC). The breached entities range in size from a 200-location independent mortgage company to global banks with high name recognition. The banking/financial industry already accounts for nearly ten percent of this year’s breaches, based on the ITRC’s numbers, and since the full scope of many of those breaches isn’t yet known, the impact is likely to be far greater than the base numbers indicate.

The sheer heft of those preliminary numbers, however, should underscore the fact that data breaches don’t just happen to the big boys; even a small bank can experience a cyberattack. If dealing with the aftermath of a data breach and recovering from it is so challenging for financial institutions with vast resources and deep pockets, your small or mid-size FI simply can’t afford to be unprepared.

When a data breach occurs – and many cyber security experts say it’s a question of “when,” not “if” – will you know what to do?

Here are five key considerations when preparing your data breach response:

  1. Have a written data breach response plan that you update regularly.
    While the majority of banks and other companies now have data breach response plans in place, not everyone is satisfied with the efficacy of their plan. A written plan is essential to outline how your FI will respond when a breach occurs; who will be responsible for key actions; and how you will communicate to customers, regulators and the media. But your plan can’t be static. It needs to evolve as conditions change, and you need to revisit, test and update it regularly – at least once a year, and more often if significant environmental changes occur.
  2. Use a breach service for the right reasons.
    While large financial institutions may have a dedicated breach response team, nearly all of them rely on a breach response service for monitoring and resolution. These service providers can help you refine your data breach response plan, react quickly and effectively if a breach occurs, and keep you from running afoul of data breach regulations. Also, be sure you’re hiring a breach response provider for the right reasons. If personal identifying information is exposed in a breach, use a partner to monitor and stop new account inquiries. In addition, offer a resolution service, so that if a consumer experiences an issue, they will have a dedicated, professional team to help them through the identity restoration process. Do not rely on credit bureau monitoring to catch misuse of existing credit and debit cards. In the case of a credit or debit card data breach, consider internet monitoring for underground or dark site card number sales.
  3. Keep control of the customer relationship.
    The reputational damages of a data breach can last longer and be more devastating than the monetary losses your bank might incur. Effective, personalized management of your FI’s relationship with consumers affected by a data breach is the best tool for mitigating reputational damages and restoring customer satisfaction. This tool is simply too important to leave in the hands of an outside agency, so choose a data breach partner who will allow you to retain control of the customer relationship.
  4. Offer identity theft protection and make it easy to enroll.
    When a breach occurs, consumers feel frightened and insecure, and they want the breached company to take care of them. In fact, a study by the Ponemon Institute found that 63 percent of consumers who’d been affected by a breach felt the company that experienced the breach should provide them with identity theft protection, and 58 percent said they wanted credit monitoring services, too. Yet only a quarter of those surveyed had been offered identity theft protection. None of this is surprising when you consider one more stat from the report – nearly half of those affected by a data breach fear their identities will never be safe again. Establish a relationship with an identity theft protection provider as part of your data breach response plan. If a breach occurs, act quickly to offer this protection to affected customers and use online and phone registration tools to make it as easy as possible for them to enroll.
  5. Choose a partner that understands your regulatory environment.
    Data breach response regulations are complex on their own. When you consider that a financial institution may have branches in multiple states, that means your data breach response plan must account for state-by-state variances in notification laws. Privacy standards and banking industry regulations add even more complexity, so it’s essential that you choose a data breach response partner that understands your regulatory environment and is familiar with data breach regulations.

Take advantage of available resources this month and throughout the year for tips on keeping your financial institution and your account holders safe online.

Paul Bjerk is a Fraud and Risk Products Leader with Shared Assessments Program member Deluxe Corporation. Connect with Paul on LinkedIn.

Reposted with permission from Deluxe Blogs