Community banks collect more customer data than ever before. A data security plan will ensure this valuable information is kept safe from hackers.
By Mary Thorson Wright
It’s a robbery that no security camera, armed guard or time-locked vault can prevent. The perpetrators are hiding behind the computer screen, and their weapons are sophisticated and targeted to bank networks, e-banking systems and data stores.
To thwart the criminals, community banks must be committed to robust practices and stay nimble to keep up to date with the industry and with what customers demand. Here are three ways to protect customer information:
1. Cybersecurity starts at the top
The quality of policies, oversight and support from a community bank’s board of directors and management is essential to ensure the safety and security of customer data. The board and senior management are responsible for developing a bank’s data protection program. This should address the data security plan and include a cost-benefit analysis, risk assessment and due diligence process for the plan, including for third-party providers. It should outline goals and expectations that management can use to measure the plan’s effectiveness. Accountability for the development and maintenance of risk management policies and controls should also be built into the program.
To carry out the data security plan effectively, a community bank should ensure it has the appropriate security expertise. Keeping up with encryption technologies and processes may require skills to perform intrusion detection, firewall development or penetration testing and the like, which may not be organic to bank staff. Most bank employees are not versed in security and encryption technologies and practices. With the proper controls, outsourcing could provide a cost-effective way to attain special skill sets.
2. A robust data protection program delivers results across the board
What should the program include? First, ensure compliance with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act of 1999. While allowing for differences in the nature of a community bank’s operations, the guidelines present a series of questions designed for examinations that can guide a bank’s own evaluation of its information security program.
The guidelines emphasize the need for a written information security program or policy that has been approved by a bank’s board or an appropriate committee of the board. The written program must be appropriate for the size and complexity of the bank and its operations, and it should contain the objectives of the program, assign responsibility for implementation and provide methods for compliance and enforcement. All aspects of the program should appropriately cover vendor management and third-party oversight as they relate to customer information and data security.
A community bank should conduct periodic testing and monitoring of all data security controls. It should correct or modify the program to reflect issues that are identified, and it should update the program for changes in its operations and systems. The bank should conduct a periodic risk evaluation and risk assessment to identify and address changes in the threats or risks to its customer information.
Establishing an incident response program that is communicated widely to community bank employees and third-party vendors is critical. This communication should include specific actions required if or when a bank or its vendor suspects or detects that unauthorized parties have gained access to customer information systems. The response program should include appropriate reports to regulatory and law enforcement agencies and should reflect the Federal Trade Commission (FTC) Safeguards Rule, other federal requirements for responses to customer information and customer notice, and any state-specific requirements.
3. Daily practice equals successful outcomes
Once a data security policy and comprehensive security program are in place, a community bank should make sure everyone in the organization understands them and adheres to them.
In 2019, the National Cyber Security Alliance published the 10 most common cybersecurity misconceptions for small- and medium-sized organizations—and they’re rather surprising. They include the belief that the value of data is low, that outsourcing protects the institution and that bad actors are limited to those outside the organization. Needless to say, these are untrue.
Community banks should train widely, make customer privacy everyone’s job and make privacy a discussion, not just a form of mandated disclosure. This could include questionable emails, appropriate use of electronic correspondence with customers and employees’ use of outside computers and other equipment. Be sure to implement practices that err on the side of prudence, such as:
- Practice a need-to-know methodology even among departments and groups within the bank
- Limit access to those with a genuine business-purpose need to limit hackers’ opportunities. Reasonable access to consumer data should be provided in proportion to the sensitivity of the data and the nature of its use
- Protect what the bank collects to limit exposure, and take steps to ensure the accuracy of all data
- Destroy unneeded or outdated data when possible. Follow established rules for retention of bank records
Cybercrimes, such as intrusion and phishing, continue to flourish. Beyond the regulatory requirements, staying ahead of the hackers is key to a community bank’s reputation, its capacity to provide products and services to its customers, and its ability to prevent customer data from being vulnerable to fraud.
Mary Thorson Wright, a former Federal Reserve examiner, is a writer in Virginia.