Monday, June 13, 2011

The Convergence of Data, Identity, and Regulatory Risks

This blog started 2011 with a post arguing for the inclusion of financial crime as a type of risk:
"Financial Crime (including topics like Money Laundering, Identity Theft, Fraud, Unauthorized Access, and Data Theft) is the next frontier in the evolution of Risk Management." 1/3/2011
Halfway through the year, this has been borne out in the headlines. While no institution is immune, headlines this week have given one clear example of what I was talking about:
"Citibank has revealed that it detected a data breach last month that exposed fully 1% of all its North American credit card customers’ account details. Citi has about 21.2 million credit card customers in North America according to its annual report, implying that close to 210,000 accounts may have been hit." Andy Greenberg, Forbes Blog.
Only 11 months ago, the remnants of Countrywide Financial settled a class-action lawsuit by setting aside $56.5 million (not including court costs) to cover claims of anyone impacted by an alleged data breach of 2.5m identity records. They, like Citi, were particularly criticized for delaying disclosure. This presumably allowed them time to assess vulnerability, fortify security controls, and perhaps get their legal arguments in order. At the same time, their delay gave identity thieves extra time to use the stolen data to defraud Countrywide's unsuspecting customers.

Countrywide's negotiated settlement puts the average hard-dollar cost of losing an identity record at $22. Many analysts estimate that the all-in number is four times as much once you factor in the soft costs such as reputation damage, lost business, and cost of additional controls. As a result, the rule of thumb I and many of my clients use to size up the cost of a data breach is $100 per identity. That makes Citi's breach quite costly!

In fact, Citi's latest incident comes atop a tide of recent compromises at a number of global firms, including a particularly disturbing breach of the "gold standard" RSA SecurID tokens, which are used by many firms as an enhanced security measure for things like sensitive network access and large-dollar online banking transactions.

To pretend that these events "won't happen here" or "are black swans" and thus don't need to be factored into the price of doing business is as negligent as saying that mortgages never go underwater. Blithe assumptions like these are precisely why big, smart firms end up in catastrophe.

Financial institutions need to view financial crimes, including data theft, identity theft, and fraud, as risks which:
  • are intrinsic to their business, just like credit and market risks
  • are not outlier events, but rather are inevitable (and growing more frequent)
  • must be mitigated, monitored, and controlled
That's lesson one of 2011.

Today, 47 states have data privacy laws. It's the Internet, people! State-by-state laws don't make sense in this context. The good news is that, without a doubt, legislators and regulators alike have noticed these headlines and have stepped up their efforts to develop additional regulatory requirements to address the issue.

The Forbes blog goes on to say:
"The White House’s proposed cybersecurity policy outlined last month would include a mandatory federal breach disclosure law, and another bill proposed by Senator Patrick Leahy would similarly make concealing a data breach a federal crime."
These legislative proposals come on top of upcoming FDIC regulations and FFIEC standards on authentication, which will likely contain provisions addressing:
  • More frequent risk assessments focusing on authentication and related controls, at least every 12 months and prior to implementing new electronic financial services
  • More robust controls as the risk level of transactions increases
  • Layered security to detect and effectively respond to suspicious or anomalous activity, both at initial login and at initiation of online transactions
  • Multi-factor authentication, well beyond simple device identification and easily answered challenge questions
  • Increased customer education and awareness
Therefore, lesson two of 2011 is that regulatory compliance is another risk which should be incorporated into every FI's risk management framework, policy, and practice.