Security and Privacy in Financial Services: Q&A Addressing Top Concerns


By Ed Page, Managing Director
Technology Consulting, Financial Services

and Andrew Retrum, Managing Director
Security and Privacy


Global cybersecurity risk has never been higher, especially at financial institutions, which are often targeted for their high-value information. Earlier this year, Protiviti published its 2017 IT Security and Privacy Survey, which found a strong correlation between board engagement and effective information security, along with a general need to improve data classification, policies and vendor risk management.

We sat down with our colleagues Scott Laliberte, Managing Director in our Cybersecurity practice, and Adam Hamm, Managing Director, Risk and Compliance, to discuss how these overall findings compared to those specific to the financial services segment, and why the financial services industry differed from the general population in some aspects. We outlined the comparisons in a recently published white paper. What follows is a sampling of some of the questions we addressed, with a brief summary of the answers. For a more detailed analysis and more data specific to the industry, we recommend downloading the free paper from our website.

Q: What are the top IT security and privacy-related challenges facing financial services firms today?

A: Disruptive technologies, third-party risk, shadow IT (systems and solutions built and used inside the organization without explicit organizational approval) and data classification are top concerns, not only for FSI firms but for survey respondents generally.

Data classification is a particularly challenging and important issue for the financial services industry, from both a security and a compliance perspective. We often talk about “crown jewels,” the data that warrants greater protection because of its higher value. Establishing effective data classification and data governance is a multi-year effort for most institutions, and the results must be consistently managed and refreshed. The difficulty of these efforts is compounded by the unique complexity of financial systems. Financial services firms are slightly ahead of their counterparts in other industries in data classification, owing to their more acute awareness and their ongoing, focused efforts, but they still have a long way to go.

Q: Boards of directors of financial firms are more engaged and have a higher understanding of information security risks affecting their business compared to other industries. What does this tell you about the level of board engagement at financial institutions?

A: Financial institutions are attacked and breached more often than companies in other industries because of the high value of their information. As a result, regulators have been pushing boards at financial services firms to become more aware of and involved in cyber risk management. The Gramm-Leach-Bliley Act (GLBA), as well as guidance from the Federal Financial Institutions Examination Council (FFIEC), encourages regular cyber risk reporting to the board and senior management. The New York Department of Financial Services similarly requires that the CISO of each covered entity (banks, insurers and other DFS-licensed firms) report to the board on the cyber program and the company’s material cyber risks at least annually. As we noted at the beginning, our survey found a strong correlation between board engagement and cybersecurity maturity across all organizations, so the higher involvement of financial services firms’ boards bodes well for their companies’ cybersecurity, provided directors engage actively with management on the topic.

Q: Over half of financial services respondents to the survey said they were “moderately confident” they could prevent a targeted external attack by a well-funded attacker. Is this an accurate assessment of most financial institutions?

A: Given that a cyber attack on a financial institution has become a matter of “when,” rather than “if,” we would not expect any institution to have a high, or even moderate, degree of confidence that it can prevent one. That so many organizations believe they can prevent an attack may be a measure of false confidence. The onus is now on firms to assume that an attack is likely, and to be prepared to detect it and limit its impact.

Q: Most financial services respondents indicated that they were working with more big data for business intelligence compared to last year. What should firms be concerned about with regard to their growing use of big data?

A: Big data includes unstructured as well as structured data, and unstructured data is more difficult to classify. Firms may also be dealing with new technologies that have different security characteristics, and with more data distributed across cloud services. All of these factors complicate data management for financial institutions. As financial institutions rely more on big data, it is critical that they know what data to protect, where it resides, and every place it might travel over its lifecycle in the system. Just as important is the need to control access to data and to protect its integrity as more users interact with it for a growing number of reasons.

Q: More and more firms are using third parties to access better services and more advanced technology, but are financial institutions doing enough to counter new risks arising from third parties, such as partnerships with fintech companies?

A: Financial institutions are digital businesses, with more and more capabilities provided via mobile devices and through partnerships with financial technology, or fintech, companies. Many fintechs are small startups that may lack the rigor and discipline of a traditional financial services firm. While innovation is necessary to compete in today’s fast-paced world, organizations need to ensure that appropriate controls are in place at their partners, and to test those controls, to minimize risk from third parties.

The full paper goes into significantly more detail on these and other questions than the abstract provided here, and presents the perspective of both security and risk and compliance experts. Let us know if you find it helpful.

Data-Rich Manufacturing Demands Cybersecurity of the Supply Chain, Too

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

and Tony Abel, Managing Director
Supply Chain


Few manufacturers would disagree with the view that the Internet of Things, big data integration and other advances in technology are boosting productivity, streamlining supply and distribution channels, and improving product support. But the WannaCry ransomware attack unleashed on businesses, governments and hospitals across the globe last month, and the most recent attack this week, delivered a sobering reminder that those digitally driven innovations carry very real risk.

That’s especially true for supply chains. Competition and efficiency demands increasingly compel manufacturers to enlist third-party vendors to produce components for an end product, meaning proprietary information and specification data is sent digitally across the globe, ready for cybercriminals to steal and exploit. One recent survey of 1,400+ supply chain professionals found that data security/IT incidents ranked as the most critical risk to supply chains.

Cyber attacks are likely to grow in frequency and severity, according to our recent Flash Report discussing the WannaCry ransomware event. In the report, we highlighted the need for companies to not only adopt a cyber defense, but also to continuously evaluate and improve it to protect against evolving threats. We noted, again, that many organizations continue to ignore cybersecurity – or at best are inadequately addressing it.

Opaque Supply Chains

It makes sense that businesses that are underprepared in their own cyber defenses have even less insight into the cybersecurity of their suppliers. But clearly they should. According to a 2016 presentation given by cyber supply chain risk management specialist Jon Boyens, a program manager with the National Institute of Standards and Technology (NIST), 80 percent of all information breaches occur within the supply chain, and almost 60 percent of companies do not have processes for assessing the cybersecurity of their vendors. Similarly, more than seven out of 10 organizations lack full visibility into their supply chains.

Even more alarming, NIST anticipated that cyber attacks and data breaches would cause nearly half of the manufacturing supply chain disruptions in the next couple of years. Such incidents are costly. NIST estimated that 55 percent of the disruptions incur more than $25 million in damages per incident. In addition, supply chain breaches that steal or alter data could result in substandard products, the loss of intellectual property, and backdoor access into the manufacturer’s systems, all of which could further tarnish an organization’s brand and diminish its value.

Samsung’s recent bout with the flawed batteries that sparked fires in its Galaxy Note 7 phones illustrates the potential damage to a company’s reputation and bottom line. Samsung ultimately identified specifications provided to its suppliers as the culprit, but not before the company took a $5.3 billion hit to earnings and lost consumer trust. How much worse would it have been if a cyber criminal altered the specifications intentionally?

Supplier Checklist

The good news is that manufacturers can mitigate supply chain risks by ensuring that their third-party vendors are pursuing cybersecurity efforts comparable to their own. Here are a few fundamental questions that we recommend focusing on when assessing supply chain IT risk:

  • Does the supplier’s culture promote cybersecurity and ransomware awareness throughout the organization? What kind of training are its employees receiving to recognize and address threats?
  • What cyber defenses are in place, and are they sufficient to counter the latest malware threats? Is the supplier up to date on indicators of compromise for recent attacks?
  • How frequently does the supplier conduct cyber risk assessments? Is the regimen sufficient to keep up with the rapidly evolving threats, and does it include defenses to block operational disruptions? Does the supplier consider the risks in its own supply chain (e.g., Tier 2 and Tier 3 suppliers)?
  • Does the supplier have an effective response plan? How often is it updated, and how often does the organization conduct threat simulations as part of its cybersecurity training?

Sound Agreements Needed

Manufacturers and suppliers seeking to reduce supply chain risk also should review contracts to ensure compliance. Items for each party to consider include:

  • Are the supplier’s cybersecurity obligations spelled out clearly in the contract, and does the language extend to the supplier’s subcontractors?
  • Does the contract include assurances that the supplier has the infrastructure to uphold its end of the contract?
  • Who are the executives or managers executing the contract for the supplier? Are they the most appropriate personnel with regard to understanding cybersecurity threats and the supplier’s ability to meet its obligations?

As cyber threats continue to escalate, it is important for manufacturers to gain visibility into their supply chains in order to assess their overall risk-mitigation and response capabilities. The ideas outlined here represent basic but critical actions organizations should be implementing as they strive to secure the increasing amount of sensitive data shared in the production and sourcing processes.

Fintech Perspective: Balancing Speed to Market With Sound Risk Management



Christopher Monk, Managing Director
Business Performance Improvement


Tyrone Canaday, Managing Director
Technology Consulting


As financial institutions develop innovative technology, in-house or by partnering with fintech companies, they need to carefully consider regulatory requirements for both third-party risk management and information security. Protiviti hosted a Fintech Innovation webinar on April 5, which addressed the need for banks and other financial institutions to balance sound third-party risk management with the need for speed to market for new products and services in order to remain competitive in today’s marketplace. The attendees primarily consisted of traditional financial services companies (81 percent), mainly banking organizations and some insurers. Fintech companies represented seven percent of the audience.

We want to highlight some of the results of the polling questions submitted during the webinar because they give insight into the current state of fintech innovation and the areas banking firms are most concerned about as they work to achieve a balance between innovation and sound risk management.

The collaboration is not without challenges. A large majority of respondents said they face challenges with their third-party risk management programs. Of those, one-third consider the most difficult challenge to be coordinating activities and workflow between the different groups in the organization responsible for managing parts of third-party risk: the business (the first line of defense), the vendor management office, procurement, and the compliance and information security functions. Seventeen percent highlighted the difficulty of gaining coverage of all of the organization’s third parties across all of the lines of business in the enterprise. Other issues include understanding and keeping up to date with the evolving regulations, and managing the workload by improving the efficiency and scalability of the third-party risk management process.

Most significantly, almost half (44 percent) of all respondents indicated that their organization does not track the risks associated with fintech companies and other vendors effectively.

Addressing the challenges

For institutions that are just beginning their innovation journey, a good starting point is to ensure they understand what their current capabilities are, including those for actively managing third-party risks as well as data security and privacy risks. From there, firms can then begin to consider pushing forward with developing innovative products using a structured research and development (R&D) lifecycle. By layering the two efforts together, firms can ensure third-party considerations are addressed throughout the process, and the level of risk management rigor and scrutiny is increased as they progress through the R&D gates.

During our webinar, Protiviti experts guided attendees through the many ways in which fintech companies are disrupting the marketplace and offered a new third-party risk management framework that can help manage the risks inherent with partnering with smaller, startup firms and launching new technology products and services. You can access the free recorded version here, and we recommend a full listen.

For even more detail on how traditional financial institutions can balance the need for speed-to-market for new products with the need for information security and risk management compliance as best practices, refer to our newly published white paper: Enabling Speed of Innovation Through Effective Third-Party Risk Management.

Paul Kooney of Protiviti’s Security and Privacy practice contributed to this content.

2016 Vendor Risk Management Benchmark Study Results Released

Protiviti and the Shared Assessments Program recently released the results of our jointly conducted 2016 Vendor Risk Management Benchmark Study.

This is the third year that Shared Assessments and Protiviti have partnered on this research, which is based on the comprehensive Vendor Risk Management Maturity Model (VRMMM) developed by the Shared Assessments Program. At right, you’ll find our infographic, and below is our podcast featuring Gary Roboff, senior advisor to Santa Fe Group and Shared Assessments Program, and Cal Slemp, managing director for Protiviti and leader of the firm’s Security Program and Strategy Services practice, discussing the key findings.

Learn more and find our full report at and

Compliance Insights Top News: Court Rules on RESPA Enforcement and CFPB Constitutionality

By Steven Stachowicz, Managing Director
Risk and Compliance




In our most recent edition of Compliance Insights, we highlight the compelling news regarding the U.S. Court of Appeals for the District of Columbia Circuit’s ruling in favor of a large, non-bank mortgage servicer seeking relief from an order by the Consumer Financial Protection Bureau (CFPB) to pay more than $100 million in penalties related to the assessment of mortgage reinsurance premiums charged on loans dating back to July 2008.

The court ruled that the CFPB violated the servicer’s due process rights by retroactively applying a new regulatory interpretation to invalidate a long-standing and accepted pronouncement from the Department of Housing and Urban Development (HUD) regarding the Real Estate Settlement Procedures Act (RESPA). The court also ruled that the CFPB’s case did not correctly consider the applicable statute of limitations; the CFPB’s position, if accepted, would have resulted in effectively “open-ended” liability for the financial servicing industry. The court further held that statutes of limitations apply not only to RESPA, but also to all 19 of the consumer protection statutes that the CFPB administers.

Even more notably, the court agreed with the servicer’s assertion that the structure of the CFPB (created under the Dodd-Frank Act as an independent agency under a single director, rather than a board or group of commissioners) constituted an “unprecedented and potentially inappropriate concentration of power in a single person,” in violation of the constitutional separation-of-powers doctrine. Although harsh in its criticism of the CFPB’s enforcement approach, the court rejected the servicer’s request to shut the agency down until Congress could legislatively fix the constitutional concerns. Instead, it ruled that the director should serve at the will of the president, making the CFPB an executive agency rather than an independent one.

The ultimate effects of the ruling are unclear in light of the pending election and the likelihood of a CFPB appeal. Financial institutions should monitor developments in this case closely.

In other compliance news, the Federal Deposit Insurance Corporation (FDIC) has issued draft guidance on third-party lending. Third-party lending relationships are drawing increased regulatory scrutiny for two reasons: the growing trend toward partnerships between insured depository institutions and third parties such as marketplace lenders and technology providers, and the recent challenges institutions encountered in implementing complex lending and servicing regulatory requirements, such as the TILA-RESPA Integrated Disclosures (TRID) in October 2015.

The draft, published in July, expands on the FDIC’s existing 2008 guidance regarding third-party risk management and outlines risk management considerations for depository institutions that rely on a third party to perform a significant aspect of the lending process, such as underwriting, origination, servicing and collection. The FDIC’s assertion is that when banks partner with third parties, they effectively “integrate” the internal processes of the third party into their own systems, increasing operational complexity and risk. Transaction risk increases when assignee liability is taken into account. Consumer compliance risk depends on the extent to which the third party has established an effective compliance management system.

To mitigate these risks, the FDIC proposes that institutions implement a risk management program specifically for third-party lending arrangements, and robust processes to evaluate and monitor these relationships.

Other compliance topics covered in the October Compliance Insights newsletter include:

  • The Bahamas Leak and the Call for Global Transparency
  • CFPB Wins Tribal Lending-Related Case Against Nonbank Servicer
  • HMDA Implications of the Updated Uniform Residential Loan Application

To learn more about these developments and download the newsletter, click here.

Fraud and White-Collar Crime: A Conversation with Donald Rebovich and Scott Moritz

Listen to Donald J. Rebovich, a professor of criminal justice and Director of the Economic Crime and Justice Studies Department at Utica College, and Scott Moritz, a leader of Protiviti’s Fraud Risk Management practice and former FBI special agent, discuss the results of the joint Protiviti-Utica College survey and other topics in this informative podcast.

More Resources Are Required to Master Third-Party Risks

By Rocco Grillo
Managing Director, IT Risk




As corporate boards, auditors and regulators increase their scrutiny of vulnerabilities associated with third parties, vendor risk management (VRM), and particularly the danger of data lost or compromised through third-party service providers, remains a cause for concern at most organizations. This is what Protiviti’s most recent VRM benchmarking survey revealed. The survey, conducted in partnership with the Shared Assessments Program, collected feedback from directors and senior management at more than 450 organizations across a broad spectrum of industries. The overarching conclusion: a lack of perceived improvement, year over year.

In 2014, Protiviti began working with the Shared Assessments Program, a consortium of financial institutions, Big Four accounting firms and third-party risk management leaders in insurance, brokerage, healthcare, retail and telecommunications, to gauge internal perception of third-party risk management, using Shared Assessments’ proprietary VRM maturity model. The model is a COSO-like framework with 126 detailed components grouped into eight high-level criteria, and is designed to assess an organization’s ability to recognize and remediate third-party vendor risks on a scale of 0 to 5, with 5 being a fully evolved state of continuous improvement.

In our 2015 survey report, we grouped responses according to the respondent’s level of responsibility: chief executive, vice president and manager. For 2015, average responses by category ranged from 2.4 at the C-level to 2.8 for managers. In 2014, the range was 2.3 to 2.8. The average response for vice presidents fell in the middle of this range. Clearly, not a lot of change here.

There are many ways these results could be interpreted. Personally, I’d like to believe the flat results are due to progress, offset by increased expectation. In other words: Vendor risk management practices are improving, but not enough to affect perception in the face of increasing scrutiny and rising expectations. I prefer this “glass half full” approach; you may think differently. In either case, the points below, drawn from the survey, hold true:

  • VRM programs require more substantive advances – Regulatory agencies, most notably the U.S. Office of the Comptroller of the Currency, have asserted that “average” risk management no longer suffices. Organizations must enact the mind shifts, organizational culture and behavioral changes required to meet and exceed rising expectations.
  • Cybersecurity threats are a prominent challenge – High-profile data breaches, often involving millions of customer records and personally identifiable information, are being reported with greater frequency. Strengthening cybersecurity is a top priority, and third-party data security is critical to this effort.
  • Financial services organizations are leading the way – The financial services industry was the first to establish a Coordinating Council for Critical Infrastructure Protection in response to federal pressure in 1998. VRM practices in this sector remain significantly ahead of those in other data-vulnerable industries, including healthcare and insurance.
  • The number and intensity of vendor risks, and cybersecurity threats in particular, is increasing – From 2009 to 2014, the number of cybersecurity incidents increased at an average annual rate of 66 percent.

Regardless of how you interpret the results of our 2015 survey, the message is clear: VRM remediation efforts to date have, at best, kept pace with increasing threats and scrutiny. Organizations need to accelerate their efforts and increase the quantity and quality of resources devoted to this critical governance issue.

I recommend taking a look at the study and related video and podcast here. A VRM self-assessment tool is also available at the link.