
Security Excellence Is a Competitive Advantage

"The password to your account is about to be invalidated," reads the e-mail. "To prevent this, please click on the following link and enter all your security information."

The hapless member who follows instructions, of course, risks giving away access to one or more accounts to cyberthieves. And as such devious practices become more sophisticated, regulators tend to get nervous. In fact, that anxiety has led the Federal Financial Institutions Examination Council (FFIEC) to add another layer of rules to those governing financial institutions.


CU360 is an online portal for benchmarking tools, market insights, industry data, and analytical information.

This article was originally published online by CU360 at cu360.cuna.org. Reprinted with permission.

Under requirements drafted by the FFIEC, which was created in 1979 to establish uniform principles in federal bodies' oversight of the industry, financial institutions should have adopted more stringent controls on their electronic security by the end of last year. Specifically, they must examine the ways in which they communicate electronically with members/customers, whether those interactions are on websites or interactive phone systems. They must also determine what security threats exist on those systems, establish a process for assessing future risk, and formally educate their members/customers about security risks.

"Unfortunately, many institutions will make the minimum effort necessary to comply with the requirements, sigh in relief, and consider the task finished--thus leaving themselves unprepared for the FFIEC's next set of guidelines," says Debra Banning, a principal with Booz Allen Hamilton in McLean, Virginia, in the company's Strategy + Business newsletter.

This attitude doesn't just open the door to future noncompliance. It sets in place a debilitating cycle of increasing vulnerability. Given the constantly evolving state of security in financial services, institutions that take a casual approach to security are positioning themselves as the weakest members of the herd, and thus the most vulnerable to sophisticated "phishing" and "pharming" schemes. The FBI estimates that every incident of a Trojan virus attack costs financial institutions at least $38,000 in revenue loss and employee hours—and that figure doesn't take into account the harm to your reputation and loss of member confidence, which can be more damaging than the actual attack.

Instead of maintaining an ad hoc approach to foiling invasions and complying with regulations, financial institutions should craft an overall public-facing security strategy. Although it can be difficult to persuade senior management to invest in long-range plans, there's no better time to do it than when your credit union is facing an imminent regulatory deadline.

In aiming to go beyond regulatory compliance and achieve security excellence, financial institutions can institute a mechanism for self-analysis and self-improvement that allows them to anticipate their future security needs. In doing so, they'll meet their current burden of compliance, lessen the impact of any future regulatory guidance, reduce their risk exposure, and address members' concerns about the security of online banking.

Instituting such a robust risk-mitigation program involves three elements:

1. Determine the most appropriate technical solution, which can be the biggest hurdle. Institutions might not know how many websites they operate, security across the systems might be inconsistent, and key applications and services could reside on poorly secured systems. Therefore, assess your current level of risk exposure and determine risk-mitigation strategies that will balance compliance, business objectives, and member satisfaction. In implementing technical solutions, avoid overly complex approaches, which could have higher-than-expected direct and indirect costs.

2. Have in place an effective organizational structure to manage the initiative. A common roadblock to implementing new security standards is a decentralized institution, which can lead to inconsistent approaches to IT security across the enterprise, along with incomplete monitoring and accountability. Piecemeal fixes will not work. Grafting a centralized security program onto a decentralized organization often results in the corporate equivalent of organ rejection.

How might you address this issue? You can create a hybrid centralized/decentralized model, in which critical compliance activities and governance oversight are centrally managed, while less critical functions remain with the business units. Alternatively, you can construct enforcement mechanisms that shift the burden of compliance to the heads of the business units, rather than keeping it centralized at the main office. Regardless of the specific solution, you can manage risk exposure and regulatory compliance in a uniform fashion only if you have the right organizational structures in place.

3. Make member awareness a key component of your defense against fraud and identity theft. A well-educated member can more easily spot phony come-ons, like phishing e-mails, and avoid being deceived. In fact, many financial institutions are finding that educated consumers are their front line of defense in reporting phishing and other fraud attempts. One basic but effective measure is to advise consumers to always type the institution's web address into their Internet browser rather than click on a link in an e-mail, because the e-mail could be fraudulent.

Making members aware of enhanced online security is a key differentiator in the marketplace. In a 2005 survey by Deutsche Bank Research, "security offering" was far and away the most important feature to prospective online banking customers, with 87% calling it their top priority. A well-publicized security program could prove a significant lure to new members in the highly competitive environment.

Check out CUNA's security-solution providers at www.strategicservices.cuna.org.

