Security and Privacy in Financial Services: Q&A Addressing Top Concerns


By Ed Page, Managing Director
Technology Consulting, Financial Services

and Andrew Retrum, Managing Director
Security and Privacy


Global cybersecurity risk has never been higher, especially at financial institutions, which are often targeted for their high-value information. Earlier this year, Protiviti published its 2017 IT Security and Privacy Survey, which found a strong correlation between board engagement and effective information security, along with a general need to improve data classification, policies and vendor risk management.

We sat down with our colleagues Scott Laliberte, Managing Director in our Cybersecurity practice, and Adam Hamm, Managing Director, Risk and Compliance, to discuss how these overall findings compared to those specific to the financial services segment, and why the financial services industry differed from the general population in some aspects. We outlined the comparisons in a recently published white paper. What follows is a sampling of some of the questions we addressed, with a brief summary of the answers. For a more detailed analysis and more data specific to the industry, we recommend downloading the free paper from our website.

Q: What are the top IT security and privacy-related challenges facing financial services firms today?

A: Disruptive technologies, third-party risk, shadow IT (systems and solutions built and used inside the organization without explicit organizational approval) and data classification are top concerns, not only for FSI firms but for survey respondents generally.

Data classification is a particularly challenging and important issue for the financial services industry, from both a security and a compliance perspective. We often talk about “crown jewels,” the data that warrants greater protection because of its higher value. Establishing effective data classification and data governance is a multi-year effort for most institutions, and the results must be consistently managed and refreshed. The difficulty is compounded by the unique complexity of financial systems. Financial services firms are slightly ahead of their counterparts in other industries in the data classification game, thanks to a more acute awareness of the problem and ongoing, focused efforts, but they still have a long way to go.

Q: Boards of directors of financial firms are more engaged and have a better understanding of the information security risks affecting their business than their peers in other industries. What does this tell you about the level of board engagement at financial institutions?

A: Financial institutions are attacked and breached more often than companies in other industries because of the high value of their information. As a result, regulators have been pushing boards at financial services firms to become more aware of and involved in cyber risk management. Both the Gramm-Leach-Bliley Act (GLBA) and guidance from the Federal Financial Institutions Examination Council (FFIEC) call for regular cyber risk reporting to the board and management. The New York Department of Financial Services similarly requires the CISO of each entity it regulates, insurance companies included, to report to the board on the cyber program and the company’s material cyber risks at least annually. As we noted at the beginning, our survey found a strong correlation between board engagement and cybersecurity maturity across all organizations, so the higher involvement of financial services firms’ boards bodes well for their companies’ cybersecurity, provided directors actively engage with management on this topic rather than simply receiving the report.

Q: Over half of financial services respondents to the survey said they were “moderately confident” they could prevent a targeted external attack by a well-funded attacker. Is this an accurate assessment of most financial institutions?

A: Given that a cyber attack on a financial institution has become a matter of “when,” rather than “if,” we would not expect any institution to have a high, or even moderate, degree of confidence that it can prevent one outright. That so many organizations think they can prevent an attack may be a measure of false confidence. The onus is now on firms to assume that an attack is likely, and to be prepared to detect it and limit its impact.

Q: Most financial services respondents indicated that they were working with more big data for business intelligence compared to last year. What should firms be concerned about with regard to their growing use of big data?

A: Big data includes both structured and unstructured data, and the unstructured portion is far more difficult to classify. Firms may also be dealing with new technologies that have different security characteristics, as well as more data distributed in the cloud. All of these factors complicate data management for financial institutions. As they rely more on big data, it is critical that they know what data to protect, where it resides, and every place it might travel over its lifecycle in the system. Just as important is the need to control access to that data and to protect its integrity as more users interact with it for a growing number of reasons.

Q: More and more firms are using third parties to access better services and more advanced technology, but are financial institutions doing enough to counter new risks arising from third parties, such as partnerships with fintech companies?

A: Financial institutions are digital businesses, with more and more capabilities delivered via mobile devices and through partnerships with financial technology, or fintech, companies. Many fintechs are small startups that may lack the rigor and discipline of a traditional financial services firm. Innovation is necessary to compete in today’s fast-paced world, but organizations need to ensure that appropriate controls are in place at these partners, and to test those controls, in order to minimize third-party risk.

The full paper goes into significantly more detail on these and other questions than the abstract provided here, and presents the perspective of both security and risk and compliance experts. Let us know if you find it helpful.

Regulatory Hot Topics in Financial Services for 2017


By Scott Jones, Managing Director
Internal Audit and Financial Advisory
and Bryan Comite, Managing Director
Business Performance Improvement


Regulatory compliance is always top of mind in the financial services industry, and all the more so this year, with the sweeping, and sometimes conflicting, changes that many expect on the American political landscape. So it wasn’t surprising that our annual regulatory recap webinar for members of The IIA’s Financial Services Audit Center, conducted at the end of last year, drew a large and engaged audience.

The election of Donald Trump and Republican gains in the legislative branch suggest we may be heading into a period of regulatory reform. Indeed, President Trump said during the election process that he wanted to repeal aspects of the Dodd-Frank Wall Street Reform and Consumer Protection Act, and some analysts predict impact to the Consumer Financial Protection Bureau (CFPB), which was created under the Act.

On the other hand, the President has advocated reinstatement of Glass-Steagall, the Depression-era law that separated commercial banking from investment banking. Its separation provisions were repealed under President Bill Clinton in 1999, a move that the current president says set the stage for the financial crisis of 2007-2008.

And that’s just the tip of the iceberg. A change of control in Washington means new agency heads and a predicted slowdown in the pace of enforcement activities as the new administration finds its footing.

Nevertheless, financial institutions need to operate under the current rules and regulations unless and until new regulations replace them. There have been several recent regulatory developments of note, and they were the subject of the November edition of our Compliance Insights newsletter, summarized here. Specifically, they are:

  • New prepaid rules — The CFPB finalized a rule that significantly changes the regulatory environment for financial institutions offering prepaid accounts. The new rule provides stronger protections for consumers of prepaid accounts, including new protections for “hybrid” prepaid cards that contain credit features.
  • Reporting cybersecurity issues — The Financial Crimes Enforcement Network (FinCEN) published an advisory to assist financial institutions in fulfilling their Bank Secrecy Act (BSA) obligations regarding the reporting of suspicious activities related to cybersecurity issues.
  • Foreign correspondent banking risks — The Office of the Comptroller of the Currency (OCC) published guidance on the periodic risk re-evaluation of foreign correspondent banking, which is applicable to all OCC-supervised national banks that maintain these relationships. The OCC advises these financial institutions to routinely re-evaluate foreign correspondent banking portfolios.
  • Fiduciary guidance — The Department of Labor (DOL) released the first and second in a series of frequently asked questions (FAQs) providing additional guidance on the implementation of its new fiduciary rule. The rule expands the types of retirement products and communications that trigger fiduciary status for retirement investment advisers and is designed to ensure that advisers’ actions are aligned with the best interests of their clients. Recent press has reported that, as a result of the presidential election, actions may be taken to modify the implementation of the rule, but no specific details or timing have been released.

Looking ahead to 2017, we anticipate that examiners will focus on sales practices and incentives; cybersecurity; compliance management, especially in the second line of defense; compliance with Bank Secrecy Act/anti-money laundering rules; stress testing; and vendor management.

We’d like to leave internal audit departments within financial institutions with some key points we believe are essential to effective internal audit performance in this dynamic regulatory environment. Some are intuitive; others may be new to some readers.

  • It all starts with an internal audit risk assessment and internal audit plan development. The right plan in this environment anticipates change. Interview various constituents in your organization (general counsel, chief compliance officers), as well as trusted advisers outside your organization. In addition to required annual reviews — AML, BSA, SAFE Act, and others — it’s important to understand your examiner’s expectations regarding emerging risks.
  • Having the right expertise is important. After developing an internal audit plan, it’s wise to take stock of the internal audit team and proactively address any capability gaps, internally through training or externally through trusted partners with subject-matter expertise.
  • Flexibility and scalability are critical this year given the possibility of regulatory change. We’ve heard from many audit executives who say they are dedicating more special-project time to their internal audit plans, just in case.
  • And, as always, relationship management is key. In times of change, it is especially important to keep in close touch with the chief compliance officer and the compliance organization. We may not be able to anticipate all the changes we encounter, but how we react to that change can make all the difference. With the right frame of mind, proper planning, and the right team of advisers, internal audit departments can look to 2017 with confidence.

Compliance Insights Latest: Regulator Warns on Sales Incentives, New York Fed on Ethics, and More

By Steven Stachowicz, Managing Director
Risk and Compliance




Culture and ethics are important in financial services; this much has always been clear to anyone working in the industry. Consumers and businesses alike place a great deal of trust in the system and continue to hold it in high regard, even as recent scandals and events that exposed questionable practices have tested that trust. But culture and ethics are much more than statements printed on a poster or in an employee bulletin and posted in the breakroom: a financial institution must take tangible steps to instill in its employees the values it declares publicly. Risks and rewards should be managed in a manner consistent with those values, with applicable legal and regulatory requirements and expectations, and with the best interests of the institution’s customers. In our most recent edition of Compliance Insights, we share the latest public statements from the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Bank of New York on these topics.

In November 2016, the CFPB issued a bulletin regarding detecting and preventing consumer harm from sales and production incentives (we provide examples of such incentives in our current edition). The CFPB stresses the importance of proper oversight of employee incentives, particularly those that may pose potential harm to consumers if not designed and monitored appropriately. The CFPB expects financial institutions that employ incentive compensation programs to implement effective controls and risk management oversight of both employees and service providers participating in the programs. The CFPB reminds institutions of its expectations that they establish strong compliance management systems that detect violations of Federal consumer financial laws and, in particular, prevent unfair, deceptive or abusive acts or practices (UDAAP). The CFPB makes clear that compliance departments have an important role to play in managing the risks associated with these programs.

The CFPB bulletin was issued a month after William Dudley, president and CEO of the Federal Reserve Bank of New York, called for increased regulatory oversight to ensure accountability for misconduct and lapses of ethical judgment at financial institutions. Among his suggestions, Mr. Dudley articulated the need for tangible regulatory requirements rather than high-level statements of principle. He proposed specific measures, such as a database of banker misconduct and an annual, industry-wide culture survey. However, as is clear to anyone involved in financial services, the responsibility for reforming culture ultimately lies with the banking and financial services industry itself, and financial institutions must make coherent, comprehensive efforts to correct any cultural and ethical weaknesses.

In other compliance news, the Financial Crimes Enforcement Network (FinCEN), in coordination with the Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS), issued an advisory in September to help financial institutions identify and prevent the growing number of e-mail compromise fraud schemes.

The advisory includes a list of relevant red flags and detailed scenarios related to e-mail fraud schemes, and highlights the growing trend of cyber-enabled criminal activity. According to FinCEN, there have been approximately 22,000 reported cases of e-mail compromise fraud involving $3.1 billion in losses since 2013.

Finally, a study by the Global Association of Risk Professionals found that only half of the banks that were required to comply with the BCBS 239 risk data aggregation and reporting principles by January 1, 2016 are in compliance. Risk data aggregation refers to a bank’s ability to consolidate various sources of risk data, such as loan defaults or derivative exposures, across its business units.

For a more in-depth analysis of December’s compliance topics, you can read the full insights report here. We look forward to following and sharing more financial services compliance news with you in 2017. Happy New Year!

FSI CBOK Study: Effective Assurance Alone Is No Guarantee of Internal Audit Success

By Mike Thor, Managing Director
Leader of Protiviti’s North American Internal Audit practice



This year the internal audit agenda for the financial services industry is more than a little crowded. Global macroeconomic uncertainty, rock-bottom interest rates, soaring regulatory expectations, cybersecurity threats and attacks, legacy information technology (IT) systems, fintech, blockchain and other disruptive innovations — and that’s before we even get to fulfilling the core mission of delivering effective assurance.

The message of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study is clear: Assurance alone is no longer enough. Assurance remains at the core of the internal audit function — value-added work for stakeholders cannot detract from that. But survey respondents, which included executives and board members who work closely with internal auditors, indicated they want more. Specifically:

  • Consulting on business process improvements
  • Alerting operational management to emerging issues and changing regulatory and risk scenarios
  • Facilitating and monitoring effective risk management practices by operational management
  • Detecting shifts in the organization’s implicit risk appetite
  • Identifying known and emerging risk areas

More than 70 percent of board members and executives believe internal audit should take a more active role in assessing and evaluating strategic risks. This is a mandate for chief audit executives and internal auditors to think more strategically when evaluating risks and ensuring their audit plans are sufficiently risk based.

Implicit in all of these value-added functions is the importance of maintaining objectivity. Such consulting approaches a fine line that regulators tend to review closely. And, of course, all of that is in addition to assurance, which remains internal audit’s primary objective. The good news is that respondents gave internal audit high marks for assurance activities, and especially for establishing audit plans that assess areas or topics that are significant and highly relevant to the organization and consistent with organizational goals. There were five assurance areas, however, that respondents agreed could use improvement:

  • Effectively validating that executive management promotes appropriate ethics and values within the organization
  • Communicating which risks or activities of the organization are not covered by the internal audit plan
  • Assessing the adequacy and effectiveness of governance
  • Demonstrating sufficient knowledge of key IT risks and controls in performing audit engagements, and
  • Demonstrating sufficient knowledge of fraud and corruption to identify red flags indicating possible fraud or corruption when planning and conducting audit engagements

Looking ahead, executives and directors said they are increasingly turning to internal audit for advice on business process improvements and see opportunities for auditors to add even more value through data analysis and so-called “soft” skills, including change management and facilitating interdepartmental communication.

For more detailed analysis and survey results, you can download the report here.

Core Competency: The Case for FSI IT Modernization

By Ed Page
Managing Director, FSI IT Consulting Practice Leader




In the financial services industry (FSI), “too big to fail” has a corollary that applies to core data systems. Call it “too big to fix.”

FSI companies are technology businesses. Every product and service they offer is technology-enabled, and the rapid evolution of mobile banking and digitization of processing makes technology even more critical.

The technology at the core of many of these companies, however, is outdated – layer upon layer of aging information technology (IT) systems, including mainframe computers dating back to the 1960s.

This infrastructure, ancient by technology standards, means high maintenance costs, an ever-shrinking supply of staff who know how to support it, and degraded business agility, among other things.

Add to this mix next-generation financial companies and businesses, which enter the market unburdened by legacy systems and ready to reap the competitive advantages of new technology from day one, and you, the bank with an outdated core system, now face the very real risk of being left behind.

With this state of affairs, one would think banks are scrambling to modernize their cores. Not exactly: Less than one-third of companies are considering core modernization, according to the latest Protiviti research. This is understandable: Core modernization projects can last years and cost hundreds of millions, even billions, of dollars. An IT executive wishing to make a business case for a project of this size, when the old systems continue to chug along, faces an uphill battle, to say the least.

Instead, many financial institutions that must meet current market challenges do so by wrapping the old core in new functionality. While this practice costs less in the short run, it adds complexity and kicks the can down the road, leaving the outdated infrastructure for someone else to deal with later.

There is reason for hope, however. FSI respondents to Protiviti’s 2015 IT Priorities Survey identified some important catalysts driving them to replace core systems. The three main ones are risk mitigation (aging technology and/or aging workforce): 64 percent; cost savings: 20 percent; and revenue generation (e.g., greater product/service innovation, time-to-market): 15 percent.

As FSI IT managers, aided by these catalysts, seek to make the case for core modernization, there are several approaches they can take to reduce sticker shock and minimize the risk of service disruption associated with an all-in core upgrade.

The lowest-cost option, and a good starting point for any IT transformation, is to clear the underbrush. The evolving nature of IT infrastructure, over time, can lead to an accumulation of redundant and non-productive technology. Simplification can streamline processes without affecting customer-facing services, improve performance, and lay the groundwork for more aggressive core modernization.

When it comes to actual replacement, a phased approach is another way to ease the pain. The phased approach consists of launching new functionality incrementally and replacing portions of the core over time. This beats a “big bang,” or full, core replacement in terms of disruption and cost, and although the old systems will still need to be maintained for a while, the problem is not pushed indefinitely into the future. A recent Protiviti white paper on the subject covers these and other core modernization options.

Managing change takes skill and courage. By developing a well-reasoned plan for IT core migration you can help your organization cut costs, increase revenue, and mitigate the growing risk of an embarrassing IT-driven strategic crisis. And while doing nothing is certainly an option, I wouldn’t suggest you stake your career on it.

The CIO’s New World – Transformation, Innovation and the Impediments to Achieving Them

by Ed Page
Managing Director – Leader, Protiviti’s National Financial Services IT Consulting Practice

Innovation and IT transformation are hot topics these days. Our Emerging Risks and IT Priorities surveys highlight these points clearly, and there is good reason for these trends.

Technology is evolving at an incredible pace, putting new capabilities in the hands of end users and IT professionals alike. This creates a growing need for IT organizations to become more nimble as they adapt to changes in both the technology landscape and consumer behavior. A lot of attention is being paid to the impact of social, mobile, analytics, and cloud (SMAC) technologies, with many organizations moving toward Agile development methodologies and DevOps practices and tooling as a means of becoming more responsive. These areas of focus fuel many of the innovation and IT transformation opportunities we so often hear about.

On the other hand, there is little talk about the impediments that exist in many large IT shops. The unfortunate reality is that many large enterprises are simply not engineered to take full advantage of these new methods and technical capabilities.

For example, the IT infrastructure of most enterprises in financial services has been developed over decades, often complicated by the impact of multiple mergers and acquisitions. The result is an architecture that I liken to an archaeological dig. At the top layer, you’ll find some of the shiniest and newest technology known to man, but dig a little deeper and you’ll find that it’s built on top of layers and layers of older technology, some dating back three decades or more. The interdependencies between these layers are complex, so it is not a simple matter to “rip and replace” the older parts of the environment, yet those parts remain absolutely mission critical. Dealing with this reality is neither as easy nor as glamorous as deploying new products and services, but it cannot be ignored.

This underscores the need for IT transformation, making the job of the CIO a lot like the manager of a large city that has to undergo urban renewal. The enterprise – the CIO’s city – has to keep operating flawlessly while the renewal occurs. Funding for infrastructure renewal has to be procured, risks have to be managed, and “detours” have to be planned and communicated – all while core infrastructure work is underway.

And it’s not just about the technology; organizational change matters just as much, since existing processes were designed around the current complexity. Successful IT executives will be those who recognize the need for change, then develop and execute a risk-managed plan to adapt their people, processes and technology, creating a solid foundation within the organization that supports the adoption of new technical capabilities and enables innovation.

These transformation challenges, as well as opportunities presented, are described more fully in our recent FS Insights article on The IT Hierarchy of Concerns and the Ambiguous Cloud of Emerging Technology.