Four Ways for Insurers to Prepare for New NAIC Cybersecurity Rules

By Adam Hamm, Managing Director
Risk and Compliance

Cybersecurity and technology represent immense challenges and opportunities for all insurers and financial services companies. Organizations need to protect sensitive information and customer data to the greatest extent possible, and to recover as quickly as possible in the event of a breach.

Insurance companies store large amounts of personal information about their policyholders. Cybercriminals know this and have been targeting insurers more and more. The past two years have seen a dramatic increase in successful cyberattacks, exposing the personally identifiable information of more than 100 million Americans. As a result, state insurance regulators have been looking for ways to protect consumers and ensure the integrity of the industry. This month, New York became the first state to adopt cybersecurity guidelines, and the National Association of Insurance Commissioners (NAIC) is working towards completing its Data Security Model Law.

Your Personal Information Is Not Personal Anymore – So Who’s Guarding It?

By Scott Laliberte, Managing Director
IT Security and Privacy

We live in an age of great convenience enabled by technology. Snap a photo of your check on your smartphone to make a deposit, simple. Rollover an IRA from your home office, easy. Change the password on your bank account from the airport, no problem.

What is less apparent to consumers is the risk they take on by using these conveniences. And while few of us want to give them up, we had better be ready to demand the best processes and technologies available to protect us from fraud and identity theft.

For businesses, meeting demands for enhanced personal identity protection can be costly, and it introduces new inconveniences to their customers – something of which businesses are always conscious. It helps when consumers realize the value of better security, and even demand it, despite the potential costs and inconveniences. We are all familiar with the annoyance of forgetting our password and having to jump through a half a dozen hoops to get it back – but at least we recognize it’s our own interest that demands it.

Businesses have only a few ways to confirm a consumer's identity: something the consumer knows, something the consumer has, and something the consumer is. A consumer knows her password, date of birth, Social Security number and the answers to a few secret questions, such as the make of her car or her mother's maiden name. Some of these are easy to guess, and all of them are static, so they are easy for an attacker to store and reuse: if one breach exposes a customer's password and secret-question answers for one site, attackers will "replay" that same information against other sites where she may have reused it. Something the consumer has, such as her mobile phone, is harder (though not impossible) for an attacker to obtain. Adding an "out of band" element to authentication, such as texting a one-time PIN to the phone to authorize a logon to a website, protects the customer even when the attacker already holds her other identifying data, because the PIN differs for every logon and is useless once it has been used. Finally, something the consumer is offers strong protection as well, with two caveats: a captured sample may still be subject to replay, and a biometric cannot be reissued the way a password can if the stored template is compromised. Biometrics such as fingerprints and retina scans are the two most common methods in this category today.
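The out-of-band PIN described above, as an added example that is not from the original post: a hypothetical Python verifier (the post names no implementation) that issues a six-digit one-time PIN over a separate channel, ties it to one login attempt and one account, expires it, limits guesses and destroys it on the first successful use. That is what makes it different from a password or secret-question answer, which is the same string every time and so can be replayed from one breach to another site. The `demo()` function walks through a legitimate logon, an attacker replaying the same PIN, an expired PIN and a guessing lockout; the delivery channel is a constructed in-memory stand-in for SMS, and the account name and PIN format are assumptions.

```python
import hashlib
import hmac
import secrets
import time


def _hash_pin(challenge_id: str, pin: str) -> bytes:
    """Hash the PIN together with its challenge id so the stored value is
    useless for any other challenge (and the clear PIN is never kept)."""
    return hashlib.sha256(f"{challenge_id}:{pin}".encode()).digest()


class OutOfBandVerifier:
    """Issue and check one-time PINs delivered over a second channel.

    Each PIN is bound to one challenge and one account, expires after
    ``ttl_seconds``, allows ``max_attempts`` guesses and is destroyed on the
    first successful check. A PIN an attacker captures, or one reused from
    an earlier logon, therefore cannot be replayed the way a static password
    or secret-question answer can.  (Hypothetical example; assumed design.)
    """

    def __init__(self, send, ttl_seconds=300, max_attempts=3, clock=time.time):
        self._send = send              # callable(account, pin): out-of-band delivery
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock            # injectable so the demo can control time
        self._pending = {}             # challenge_id -> record

    def issue(self, account: str) -> str:
        """Create a challenge for ``account``, send the PIN, return the challenge id."""
        pin = f"{secrets.randbelow(10 ** 6):06d}"        # six random digits
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = {
            "account": account,
            "pin_hash": _hash_pin(challenge_id, pin),
            "expires_at": self._clock() + self._ttl,
            "attempts_left": self._max_attempts,
        }
        self._send(account, pin)
        return challenge_id

    def verify(self, challenge_id: str, account: str, pin: str) -> bool:
        """Return True exactly once for the correct PIN; False for anything else."""
        rec = self._pending.get(challenge_id)
        if rec is None or rec["account"] != account:
            return False                                  # unknown challenge or wrong account
        if self._clock() > rec["expires_at"]:
            del self._pending[challenge_id]               # expired: discard it
            return False
        rec["attempts_left"] -= 1
        ok = hmac.compare_digest(_hash_pin(challenge_id, pin), rec["pin_hash"])
        if ok or rec["attempts_left"] <= 0:
            del self._pending[challenge_id]               # single use, or locked out
        return ok


def demo() -> dict:
    """Walk through legitimate use, replay, expiry and lockout; return the outcomes."""
    now = [1000.0]                                        # controllable clock
    inbox = {}                                            # constructed stand-in for SMS
    v = OutOfBandVerifier(send=lambda acct, pin: inbox.__setitem__(acct, pin),
                          ttl_seconds=300, max_attempts=3, clock=lambda: now[0])

    # 1. Legitimate logon: the freshly delivered PIN is accepted exactly once.
    cid = v.issue("alice")
    first = v.verify(cid, "alice", inbox["alice"])
    # 2. Replay: an attacker who captured that PIN presents it again.
    replay = v.verify(cid, "alice", inbox["alice"])

    # 3. Stale PIN: delivered, but presented after the time-to-live.
    cid = v.issue("alice")
    now[0] += 301
    stale = v.verify(cid, "alice", inbox["alice"])

    # 4. Guessing: three wrong PINs consume the challenge, so even the real
    #    PIN is refused afterwards.
    cid = v.issue("alice")
    real = inbox["alice"]
    wrong = f"{(int(real) + 1) % 10 ** 6:06d}"          # guaranteed not the real PIN
    guesses = [v.verify(cid, "alice", wrong) for _ in range(3)]
    after_lockout = v.verify(cid, "alice", real)

    return {"first": first, "replay": replay, "stale": stale,
            "guesses": guesses, "after_lockout": after_lockout}


if __name__ == "__main__":
    print(demo())
```

The constant-time comparison, the short time-to-live and the guess limit are what keep a six-digit code from being brute-forced or reused; in a real deployment the issuance side also needs rate limiting, and the delivery channel must be one the attacker cannot read, which for SMS means accounting for number porting and SIM swapping.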

These are the kinds of protections businesses must now routinely offer and customers must demand, or at least reward with their patronage those businesses that offer them.

Here are some suggestions for businesses that wish to add themselves to the category of companies with strong, responsible customer identity protection:

  • Offer enhanced security features but allow your customers to opt in. Not all consumers will be willing to take on more complex authentication to protect their identities against theft. Some simply don’t care, and the complexity may drive them away.
  • Consider how fees might offset the costs of enhanced protection, and also how fees might affect customer loyalty. Monitor how these services are priced by other players in your industry.
  • Develop your in-house knowledge of the changing cybersecurity landscape and expedite development of your expertise in areas that are affecting your business the most.
  • Educate your consumers so they can recognize the value of the enhanced security you offer to protect them against significant losses – and why the added inconvenience is a minor hassle compared to the siphoning of their 401k, for example.
  • Employ advanced fraud analytics to monitor for suspicious activities and high-risk transactions.

From the consumer's perspective, the following actions help consumers become partners in the effort to protect their own identity:

  • Sign up for identity theft protection services. These services monitor credit inquiries and can protect against thieves using stolen personal information to apply for credit in your name. While they may not be able to detect activity directed at your 401k, HSA, or other financial accounts, these services may provide support to resolve problems resulting from identity theft and some even offer insurance against loss.
  • Monitor financial statements promptly to ensure all transactions are valid.
  • Change passwords often; don’t reuse passwords on other sites. Vary your secret questions; choose questions with answers that are the hardest to guess (e.g., the name of your best friend in high school is harder to guess than your favorite color).
  • Welcome enhanced security features like out-of-band authentication (such as a PIN texted to your phone) and biometrics (using your fingerprint or iris) – especially for high-risk transactions such as changes to key account information (password, email, address) or transfers of money.
  • Vote with your wallet: Gravitate toward businesses that offer enhanced security features. Encourage your established providers, via survey responses and direct requests, to offer enhanced security features, and be prepared to pay for them – perhaps in higher fees; certainly in inconvenience.

Businesses will continue to benefit from offering convenient online features to their customers, as a way of achieving customer loyalty and competitive advantage. Consumers will come to expect faster, secure, seamless services as platforms and technology allow. Businesses and consumers alike will do well to stay informed about how to protect consumer data in this evolving landscape. As long as identity theft continues to reward hackers, they’ll keep looking for ways to circumvent security measures. We need to evolve our security techniques to keep up with the ever-changing threats from cybercriminals.

Fintech Faultline: Customer Experience Versus Security and Fraud

Blockchain, globalization, digitization, cybersecurity, fintech, new customer demands, and more. Money 20/20, the largest global financial industry event focused on payments and financial services innovation for connected commerce at the intersection of mobile, retail, marketing services, data and technology, gets underway this weekend (Oct. 23-26). Once again, Protiviti is proud to be an exhibitor sponsor and speaker at the event.
We will be posting daily dispatches from the event’s sessions, starting Sunday, here and on Twitter. Subscribe and follow us for current commentary, insights and reactions from industry experts as the event unfolds.

By Jason Goldberg, Director
Financial Services Business Performance Improvement

Financial technology, or fintech, firms are disrupting the financial services industry with their nimble structure and innovative payment, banking and wealth management services. Unburdened by legacy core systems, regulatory scrutiny and complex processes, emerging fintech companies innovate from day one, creating optimal customer experiences that are difficult for traditional financial institutions to match.

New entrants are significantly improving the customer experience in the person-to-person (P2P) payment sector, for example, by allowing transfer of funds with just a couple of taps on a smartphone. Despite the popularity of these payment apps, however, there is growing concern from consumers and regulators that some emerging fintech firms, in their haste to get ahead of their more-established competition, may not have focused enough on security and privacy controls.

We examine this dichotomy in a new Protiviti paper, Balancing Customer Experience with Security and Fraud Controls. But I wanted to whet your appetite with a small example.

A governing dynamic long known to established financial institutions is that success (or failure) brings regulatory scrutiny. The Consumer Financial Protection Bureau (CFPB) sent a strong signal earlier this year when it levied a $100,000 fine against a fintech company for failing to employ reasonable and appropriate measures to protect consumer data from unauthorized access, and for not encrypting some sensitive personal information. While the monetary value of the fine was not significant, it was a warning to other fintech firms to be more mindful of their practices.

This example should serve as a lesson for traditional financial institutions as they seek to partner with emerging fintech companies or emulate some of the more successful practices of these tech-savvy upstarts. The lesson is that innovation needs to be balanced with security, fraud, risk and compliance requirements from the earliest design phases of any technology transformation project.

Control functions such as risk, compliance and security are perceived to have an adversarial relationship with innovators, who sometimes sidestep compliance in favor of speed to market. And yet, it is critical to embed these checks and balances from the earliest planning stages of product design. The key is finding a balance between the two.

Despite their inexperience, emerging fintech companies may have an easier time of this, because of a cultural bias against silos and for collaboration. Traditional financial institutions may need to work harder to break down established mindsets and find security and compliance people who think more like innovators.

That’s really the crux of the matter. As traditional financial institutions seek to transform to answer customer demands around nimble and innovative experiences, it is important for them to remember that the transformation also requires changes to organizational mindset, processes and, of course, technology. A holistic focus on customer experience, with a balanced and integrated (not layered) security and fraud approach, will drive powerful customer relationships. Customers and the security of their transactions are at the heart of the financial services industry and, in that regard at least, established players still have the advantage.

Internal Audit and the Internet of Things

By Jordan Reed, Managing Director
Internal Audit and Financial Advisory

Depending on whom you ask, the business disruptor known as the Internet of Things (IoT) is either the launch pad for an indispensable digital future, or a Pandora’s box of unfathomable risks that have only begun to present themselves. Either way, that’s a lot to lay on a technology trend that only 13 percent of consumers had even heard of, as recently as 2014.

As with most disruptive change that has come before, the IoT poses both opportunities and threats. The internal audit function, as the line of defense tasked with scanning the horizon to ensure that emerging risks are known and accounted for in strategic plans and control frameworks, must now consider both the industry implications and the specific organizational challenges.

Small wonder it ranks among the top five priorities in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey. Judging by the packed house for our June 1 webinar on this topic, a number of you agree. We crammed a lot into that hour, and I’ll only be able to whet your appetite here. But here’s a taste, and some questions to take back to your organization.

To be clear, IoT is the term used to describe the online exchange of data gathered from uniquely identifiable objects, animals and people, without human-to-human, or human-to-computer, interaction.

This is the world of wearable technology — fitness trackers, heart monitors, insulin pumps, and other “smart” devices, like remote home thermostats. It also includes engine sensors, diagnostic controls and transdermal, and even ingestible, medical devices. The data these devices generate is typically collected and analyzed in the cloud.

Risks, of course, include personal privacy, data security, system integrity and more. Conversely, companies face the risk of failing to adapt to a fundamental shift in the competitive environment. But there are also opportunities for risk mitigation through advances in predictive analytics and continuous auditing.

The archived version of the webinar offers a rich and informative discussion, with many good questions from our audience, who felt the content was timely and pertinent. In the meantime, here are some questions for internal auditors to take back to their organizations:

  • How is IoT deployed in our organization today? Who owns IoT or the respective components of IoT?
  • Have we considered the risks associated with our IoT presence? How have those risks been quantified and controlled?
  • Do we know what data is collected, stored, and analyzed? Have we assessed potential legal, privacy and security implications?
  • Do we have contingency plans for internet-connected “things” that are hijacked or modified for unintended purposes?
  • To what extent are third parties acting on our behalf? Do we have the right processes and SLAs in place to appropriately monitor those third parties?
  • What role does IoT play in our current strategy as an organization? How are we measuring the achievement related to any goals associated with strategic objectives?
  • What is the risk of not considering or further leveraging IoT possibilities? Are we using data analytics to its full potential?

This risk is clear and present. Disruptive innovations that once may have taken a decade or more to transform an industry are now occurring much faster. To stay ahead of the disruption curve, internal audit must quickly discern the vital signs of change and the related implications to the business model of their organization.

The IoT and the related risks will continue to evolve and we will continue to track those risks and developments here on our blog and in upcoming publications, so check here and on our website often.

Internal Audit at a Tipping Point and Ten-Year Trends

May is International Internal Audit Awareness Month. We are celebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.

By Brian Christensen
Internal Audit Global Practice Leader

In the tenth year of our Internal Audit Capabilities and Needs Survey, we believe internal audit has arrived at a tipping point. The issue is no longer whether your function is evolving, but how quickly and effectively it is transforming into a more strategic, collaborative and data-driven operation while maintaining the highest quality of performance. As an additional insight for our readers, this year’s survey includes 10-year trend data showing the top priorities and how they have evolved since we began conducting the survey in 2007.

Here are the most significant changes our trend data revealed:

  • Tech versus technique. The most apparent difference between 2016 and 2007 is that all of the priorities in 2016 are tied to data and technology, while all of the priorities of 2007 were tied to technique – from mastery of the COSO Enterprise Risk Management Framework to compliance with international reporting standards.
  • Agile versus rigid. In 2007, mastery of the highly structured Six Sigma project management methodology was one of the top technical needs in our survey results. In 2016, that same level of priority is being placed on less-structured, agile methodologies, reflecting the increasingly dynamic nature of risks today.
  • Big Data versus information. Data security/information security emerged as a top concern in our 2008 survey. Back then, the primary focus was on protecting trade secrets and intellectual property. Today, it is more about data utilization. And although the phrase “Big Data” has yet to appear among internal audit’s top priorities, it is represented on the list in 2016 as the Internet of Things – a growing trend that promises to disrupt everything, from demand planning to health care.
  • External versus internal. At the time of our first survey, all of the top capabilities and needs were focused internally, and many centered on the internal audit function’s emergent role in enterprise risk management. In the past three years, almost all of the top capabilities and needs reflect strategic responses to external threats and a changing risk landscape.
  • Consultant versus constable. This outward-turning focus is indicative of the internal audit profession’s growing focus on strategic risk management and consultative value creation. Practitioners have long talked about moving away from the traditional policing and compliance role. This changing perspective is strong evidence of the progress that has been made along those lines.

One important observation from this year’s survey: We have, without a doubt, entered the age of the Internet of Things – an era of machine-to-machine communication where the amount of data in the world has entered an exponential upward climb. The threat window from misuse of this data has narrowed to real time. And the only way to even begin to manage such a risk is to invest in and master data analytics. This is mission-critical.

Internal audit knows that. Year after year, for the past five years, we’ve seen data analysis technologies show up in our surveys as a critical deficiency. An optimistic interpretation of this trend would be that the profession is attuned to this critical threat and it therefore weighs heavily on the minds of respondents. A less optimistic interpretation is that internal audit lacks either the knowledge or the resources, or both, needed to deal with a recognized threat.

The reality, in our experience, is that data analytic capabilities in a majority of internal audit departments have not kept pace with the speed of risk. The tipping point, however, has been reached. This risk is moving fast, and unless we, as a profession, act now to aggressively address this deficiency, there is a substantial risk of failure. It’s not often we are given such an imperative. Now is one of those times.

What do you think it will take to meet the challenge? Please share in the comments.

The full survey report, video, podcast and infographic can be accessed here.

Devices are mobile, is your security policy on board?

By Scott Laliberte
Managing Director, Information Systems Security

With 3.4 billion smartphones worldwide as of 2015 (and 78 percent of U.S. college grads owning smartphones), chances are your employees not only own one, but they’re also bringing them to work and using them to do work when not at their desks.

It’s the BYOD – Bring Your Own Device – movement. And while many employees find this trend convenient – and the applications and cloud services that come with those devices certainly enable that convenience – the security risks worry employers.

Worry, of course, is best handled with information. Employers need to know exactly what the risks of BYOD are and deal with them head-on, by creating policies that address them.

These policies should address the obvious questions, and go beyond. How, for example, do you enforce usage policy on an employee-owned device, or handle forensics on incidents involving one, be it a smartphone, simple cell phone, tablet or notebook? It is not a simple task. Personal privacy and other ethical issues abound, in addition to technological ones.

A good way to start creating BYOD policy and addressing the security risks of mobile devices is by asking some basic questions:

  • Does your organization have the authority to seize and investigate the device?
  • Does it have the employee’s passcode and permission to use it?
  • Several mobile device management (MDM) solutions can provide controls on the device, limiting risk. Does your company have such solutions and does it have permission from the employees to use them on the devices?
  • Mobile apps are conduits into an employee’s device. Do you know what kind of apps are on an employee’s device?
  • Are those apps secure? Do they support strong authentication and protection of sensitive data?
  • Do those apps introduce risk to the device or to the data?
  • Are the apps accessing information from the user, such as geolocation and personally identifiable information (PII) that can create privacy or data security concerns for the company?
  • Do the apps introduce insecure services that attackers can take advantage of? In other words, are the apps, themselves, a weak link that hackers can exploit? Keep in mind that the more widely an app is used, the greater a target it becomes since it can yield greater rewards for the attacker.

Apps, of course, are only part of the problem. Many employees rely on cloud-based storage solutions that allow them to easily access or share their own documents via their cellphones and personal computers.

Companies need to ask similar questions regarding those services, such as:

  • Are employees allowed to use cloud-based storage solutions? If so, for all data, or certain types of data? What ensures the protection of data that is sent to the cloud?
  • If storing data in the cloud is too risky, how can employees access work material from their own devices? Is desktop virtualization practical for our company? What other ways are there to move the data control point off the device, so that if the device is lost or stolen, the data is not jeopardized as well?

There isn’t one type of BYOD security policy. Each company must create its own, asking the questions above and designing a policy that provides the right amount of flexibility to its workforce without jeopardizing data security.

Do you have an opinion on BYOD? Please share in the comments.

2016 Audit Committee Agenda Webinar Q & A (Part 2)

We are continuing our Q&A series stemming from our January 7 webinar on the 2016 Audit Committee Agenda. We’ve been exploring audit committee priorities for 2016, based on the findings published in the latest issue of The Bulletin. This four-part Q&A blog series provides our responses to some of the many interesting questions from our 1,500 webinar participants that we were unable to address during the webinar itself. Jim DeLoach and David Brand address the questions below.

In our first installment, we touched on the relationship between the audit committee and independent auditors, new rules on lease accounting, and board-level engagement with cybersecurity. Cybersecurity is a top concern for audit committees right now, and it should be. For additional insight, see Issue 67 of our Board Perspectives series, which is devoted entirely to briefing board members on IT matters in a manner that directors can understand.

Q: Are you seeing cybersecurity experts being added to the audit committee?

David: Generally speaking, no. Organizations face a broad and ever-changing spectrum of risks. For that reason, boards and audit committees should be staffed with people from a variety of backgrounds who stay well-informed on the current risk landscape and emerging risks, and know where to go and whose advice to seek to educate themselves as needed – through the CIO, CISO, or independent cybersecurity experts. An exception to this, of course, would be technology companies, or organizations where technology is the centerpiece of the business strategy, and in such cases we see some boards setting up a separate technology committee. But from a purely risk oversight perspective, no.

Q: Do you see differences between cybersecurity risk and data privacy risk, and should a risk profile have both? Or do you see in the industry that these risks are combined?

David: Although there tends to be a heavy focus on cybersecurity these days, it is important to remember that information – including personally identifiable information (PII), non-public financial information, drug formulas, customer lists and price sheets – often exists in non-electronic formats, including paper printouts on people’s desks. Cybersecurity deals exclusively with electronic data that’s housed in computer systems. Data privacy risk encompasses information in all forms, and is therefore both distinct from, and inclusive of, cybersecurity risk.

It’s a misnomer to say if a company is doing cybersecurity, it has achieved data privacy. Data privacy is related to cybersecurity, but broader than cybersecurity.

Jim: Let me add that our 2016 Top Risks Survey report, which will be released in March, reports on cybersecurity risk and privacy/identity management risks separately, and both were highly rated in our global survey results.

Q: Do you have a toolkit available for auditing cyber risks?

Jim: The National Institute of Standards and Technology (NIST) has developed and publicized a cybersecurity framework that has become the de facto standard for control areas that need to be addressed. That’s the best place to start in the public domain.

Q: Why don’t more organizations use data analytics to support internal audit?

Jim: Good question. It’s hard to pin down the why. Improved data analytics has been one of the top-rated capabilities and needs in our annual survey of chief audit executives for the past ten years. If you are asking whether your organization should be investing in analytics to keep pace with an increasingly complex environment, the answer is yes.

We’ll pick up with this discussion of technology in Part 3 of this series. The archived version of the webinar can be accessed here.