5 Steps to Minimize Your Cyber-liability

July 30, 2014 at 9:21 am Leave a comment

I’m here to tell you this morning that you will be breached and if you have been already, you will be again.  Cybercriminals are chameleons and they have the money to quickly adjust to the latest techniques meant to stop them.

For example, remember when “dual authentication” of your customer accounts was all the rage in IT security circles? The FFEIC even came out with a guidance mandating that depository institutions implement systems that demonstrate two forms of identification. It was originally updated in 2005 and updated again in 2012 to emphasize the need to “layer” your IT security.

To what do I owe my gloomy morning forecast?  Two informative posts, one by the CU Times and the other by the Information Technology Website underscored just how fast moving the game of cyber security cat and mouse is and unfortunately the bad guys win fairly often. Specifically, hackers have broken into 34 banks in Asia and Europe by bypassing a dual authentication system developed by Android and used for online banking. Check with your IT people to get the technical details, but the basic idea is that they used email requests to lure customers to a fake website. Marks opened the door to hackers by opening the email and going to the site through which the hackers could steal all the information they needed to get by the dual authentication system. What is astounding the experts is that the banks used SMS technology, which requires a customer to enter a new password every time they access an account. This is above and beyond what most U.S. credit unions and banks require.

So, is there anything you can do to mitigate the risk beyond making sure that you have a good computer person on speed dial?  In looking at cases examining the liability of financial institutions for data breaches, here are some of the points I would keep in mind. Although many of them are most relevant to those of you who offer business accounts, NCUA regulations require all of you to identify and monitor the “red flags” of identity theft on an ongoing basis.

  • Member and staff education is key. Your security is only as effective as your most careless employee or technologically “savvy” member.
  • In assessing commercial reasonableness of online business accounts, which are regulated by Article 4A of the UCC, courts consider (1) security measures that the credit union and customer agree to implement, and (2) security measures that the credit union offers to the customer but the customer declines. Make sure this is in writing and, if possible, attached to the contract.
  • You must respond to changing threats by offering new mitigation techniques. For example, remember now that hackers can electronically impersonate an employee, dual control and not dual authentication is becoming the baseline standard. This way, hackers have to obtain the login information for two employees before transferring money.
  • Here is the good news. Commercially reasonable and regulatory standards vary depending the size and sophistication of your credit union. However, this means that the policies and procedures you adopt must be unique to your credit union based on its resources and risk profile. This is one area where cutting and pasting a colleague’s policies the day before the examiner comes calling won’t cut it in the long run.
  • Similarly, the vendor contract really matters. Most of you will use vendors to implement your cyber banking. How much must the vendor indemnify you if its negligence causes a breach? Are both parties legally obligated to monitor developments in cybercrime and update protocols when appropriate? Are these changes integrated into your security procedures? These are all questions that, if asked, can help mitigate losses and maintain member confidence in your electronic banking.

Second Quarter GDP Growth Stronger Than Expected

A few minutes ago, news came out that second quarter GDP growth grew at a 4% rate, beating the expectations of economists.  In addition, the Government is reporting that household spending increased by 2.5%.

 

 

Entry filed under: Compliance, Economy, General, Regulatory. Tags: , , , , .

In What Order Do You Process Your Checks? Who Rules The Bond Market?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 442 other followers

Archives