Waiting for the FFIEC Guidance

As Breaches Add up, Banks Prepare for New Directives
Wikileaks, NASDAQ, RSA, Epsilon -- the list of recent hacks and leaks continues to grow. And let's not forget the Heartland Payment Systems hack, which set the tone for how the financial-services industry deals with breaches and is still making news. [See: Gonzalez Seeks Guilty Plea Withdrawal]
I have to wonder what impact these newest breaches will have on the future. Specifically, will they affect the long-awaited update we expect from the Federal Financial Institutions Examination Council regarding online authentication guidance?
As the RSA breach proved, layered security and authentication, which the FFIEC has touted since 2005 as necessities, are must-haves. But what about the security of other so-called personal identifying information or PII? As the Epsilon breach proves, e-mail addresses can easily be linked to consumer information, and the threat of targeted phishing attacks, better known as spear phishing, is frightening.
So, what can we expect in the way of this guidance, especially as it relates to e-mail security? Not much, says Aite Group Analyst Julie McNelley. In fact, she believes the formal release of FFIEC's online authentication guidance, which could be issued any day now, won't differ much from the leaked guidance draft the industry has been tossing around since the New Year's holiday.
"Just after the RSA breach, I wondered what impact that breach might have on the FFIEC guidance, if the regulators would take that breach into account and change some of the wording," McNelley says. "But from what I understand, that's not been the reason for the hold-up. It's been more about two agencies disputing the legal wording than the substance."
That said, McNelley does believe the RSA and Epsilon breaches have already affected how banks view and handle security. Since RSA, many institutions have moved toward layered security and out-of-band authentication. And in the wake of Epsilon, many organizations will adjust how they handle, store and use e-mail addresses, even if online security guidelines don't include specific recommendations. "It's the institution's reputation and the risk that should be the most concerning," McNelley says. "Those are the market drivers for change, rather than the guidance itself."
Protecting consumers and their privacy in cyberspace is of prime concern. And since everyone relies on e-mail, it seems odd that we have been reluctant to implement better measures to secure e-mail databases and e-mail communications themselves. Phishing attacks are nothing new. Banks have long invested time and dollars into consumer education campaigns that aim to curb vulnerabilities to phishing. "But financial institutions have not typically considered e-mail addresses to be PII," McNelley says.
That attitude, however, is shifting.
If banks are moving forward with investments and shifts in thinking, how concerned should they be about complying with new guidance from the FFIEC? Every industry expert and practitioner I've spoken with agrees banks should not be, and are not, simply waiting for new directives. Instead, they are accepting the draft update as a given and are moving forward with enhanced fraud-detection systems and improved online communications.
Ultimately, financial institutions are motivated by what regulators tell them they must do, as well as what circumstances dictate is the right thing to do. In this instance, the recent breaches and pending guidance are coming together simultaneously to influence banks' decisions. Except the breaches are a bit ahead of the guidance.
So, the big question is: When will the formal guidance be issued - before or after the next big breach?