With New Bank-Security Guidance, How Safe Is Your Firm?

You probably missed the guidance titled "Supplement to Authentication in an Internet Banking Environment," issued by the Federal Financial Institutions Examination Council last June. Granted, the FFIEC report isn't exactly a page-turner. But it may boost the safety of the funds in your corporate bank accounts.

And that's key, because if cybercriminals illegally access your company's account and steal money, your firm -- and not the bank -- may be on the hook. Just ask Karen McCarthy, president and CEO with Great Neck, N.Y.-based Little & King Integrated Marketing Group. In February 2010, thieves illegally accessed her firm's bank account, draining it of $164,000. While McCarthy has been able to recover about $100,000, all four employees remain on drastically reduced salaries, and the acquisition of Little & King by another marketing firm, which had been underway when the theft occurred, was halted. Bankruptcy remains likely, says McCarthy, who also founded something called the Cyber Looting Awareness and Security Project. "It's a lot of money to make up."

The regulation often referred to as Reg E, which covers electronic funds transfers, limits consumers' liability in cases of unauthorized transfers to $50 in most cases, although the amount can hit $500. However, Reg E doesn't apply to commercial bank accounts, says Doug Johnson, vice president and senior adviser for risk management with the American Bankers Association. Moreover, the decisions in court cases involving unauthorized transfers from business accounts have been mixed, with some courts finding for the banks, and some for the businesses that lost money, according to information from Guardian Analytics, a provider of bank security technology.

FFIEC's 2011 Supplement, which examiners were to start using this year, covers customer authentication, layered security, and other controls that can make online banking safer. The term "guidance" actually may be a bit misleading, though. "The only gray area is how examiners will interpret it," says Tom Hinkel, director of compliance with Safe Systems Inc., a provider of technology solutions to financial institutions. Rather than just offering up recommendations, he says, the approach is "thou shalt" or "thou shalt not."

Need for Robustness

The report resulted from FFIEC's finding that "risk assessment and management wasn't as robust as it needed to be" within some institutions, Johnson says. In particular, the new guidance calls for a dynamic, rather than a "once-and-done," approach to risk assessment, he adds.

The new Guidance recognizes the changes in the Internet banking environment that have occurred since 2005. "We're seeing the evolution of sophistication from the attacker side," says Kevin Richards, president of the Information Systems Security Association. While security at the perimeter of a network used to suffice, solutions today increasingly need to focus on improving the code within applications themselves.

The 2011 Guidance also says financial institutions should implement layered security programs, which it defines as "the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control." Program components could include fraud detection, monitoring systems and dual customer authorization through different devices.

Some Questions CFOs Can Ask

The solutions also should include processes to detect and respond to anomalous or suspicious behavior, the Guidance says. "It's really about monitoring users and being able to spot anything unusual before fraud can take place," says Terry Austin, chief executive officer with Guardian Analytics. To do this, the systems need to collect data on individual online banking sessions, including the computer, operating system, and network used, the customer's pattern of clicks, and the time and day at which transactions typically occur. With this information, the system is better able to spot unusual activity.
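The session-profiling approach Austin describes can be shown concretely. The following is an added example, not code from Guardian Analytics or from the article: it builds a baseline for one business customer from constructed historical sessions (device, operating system, network, login hour, time from login to transfer, and amount), scores a new session against that baseline, and holds a transfer for out-of-band confirmation when the score is high. The session fields, weights and threshold are assumptions chosen for illustration; a real system calibrates them against its own history.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one customer (not real data). Each record holds a device
# fingerprint, OS, source network (ASNs 64496-64511 are reserved for documentation),
# local hour of login, seconds from login to transfer submission, and transfer amount.
HISTORY = [
    {"device": "dev-a1", "os": "Windows 7", "asn": 64496, "hour": 9,  "login_to_transfer_s": 240, "amount": 4200.0},
    {"device": "dev-a1", "os": "Windows 7", "asn": 64496, "hour": 10, "login_to_transfer_s": 300, "amount": 3900.0},
    {"device": "dev-a1", "os": "Windows 7", "asn": 64496, "hour": 9,  "login_to_transfer_s": 210, "amount": 5100.0},
    {"device": "dev-b2", "os": "Windows 7", "asn": 64496, "hour": 14, "login_to_transfer_s": 420, "amount": 4600.0},
    {"device": "dev-a1", "os": "Windows 7", "asn": 64496, "hour": 11, "login_to_transfer_s": 260, "amount": 4400.0},
]

# Two constructed sessions to score: one that matches the baseline, one that does not.
NORMAL_SESSION = {"device": "dev-a1", "os": "Windows 7", "asn": 64496, "hour": 10,
                  "login_to_transfer_s": 280, "amount": 4700.0}
SUSPECT_SESSION = {"device": "dev-z9", "os": "Linux", "asn": 64511, "hour": 3,
                   "login_to_transfer_s": 20, "amount": 50000.0}

HOLD_THRESHOLD = 5  # assumed tuning value for this illustration


def build_profile(history):
    """Summarise what 'normal' looks like for this customer from past sessions."""
    return {
        "devices": {s["device"] for s in history},
        "oses": {s["os"] for s in history},
        "asns": {s["asn"] for s in history},
        "hours": Counter(s["hour"] for s in history),
        "min_login_to_transfer_s": min(s["login_to_transfer_s"] for s in history),
        "amount_mean": mean(s["amount"] for s in history),
        "amount_sd": pstdev(s["amount"] for s in history),
    }


def score_session(profile, session):
    """Return (score, reasons). Every deviation from the baseline adds weight."""
    score, reasons = 0, []
    if session["device"] not in profile["devices"]:
        score += 3; reasons.append("unknown device")
    if session["os"] not in profile["oses"]:
        score += 1; reasons.append("unknown operating system")
    if session["asn"] not in profile["asns"]:
        score += 3; reasons.append("unknown network")
    # An hour never seen before and more than two hours from any seen hour.
    seen_hours = profile["hours"]
    if session["hour"] not in seen_hours and min(abs(session["hour"] - h) for h in seen_hours) > 2:
        score += 2; reasons.append("unusual time of day")
    # Automated fraud tools move from login to transfer far faster than a person does.
    if session["login_to_transfer_s"] < profile["min_login_to_transfer_s"] / 4:
        score += 2; reasons.append("transfer submitted unusually fast after login")
    sd = profile["amount_sd"] or 1.0  # avoid division by zero on a flat history
    if (session["amount"] - profile["amount_mean"]) / sd > 3:
        score += 3; reasons.append("amount far above typical")
    return score, reasons


def decide(score):
    """Turn a score into an action: let the transfer through or hold it for confirmation."""
    return "hold for out-of-band confirmation" if score >= HOLD_THRESHOLD else "allow"


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for label, session in (("normal", NORMAL_SESSION), ("suspect", SUSPECT_SESSION)):
        score, reasons = score_session(profile, session)
        print(f"{label}: score={score} -> {decide(score)}; reasons={reasons}")
```

The point of returning the reasons alongside the score is operational: an analyst reviewing a held transfer, or the customer who gets the confirmation call, needs to know which signals fired, not just that a number crossed a line.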

While bank executives are taking the guidance seriously, many have yet to implement the solutions they'll need to address it, a December 2011 survey by Guardian Analytics found. More than half -- 57% -- had completed their risk assessments, and 59% had formulated plans to fill any online banking security gaps. However, only 43% had purchased technology solutions; 49% intend to do so over the next six to 12 months. "They haven't yet fully absorbed the minimum requirements," Austin says.

CFOs who want to assess their banks' compliance with the new Guidance can start with a few questions, Austin says. "Ask: 'What is your fraud policy? What do you expect us to do? What will you do? If there is a fraud event, who is liable? Are you doing anomaly detection? Behavior monitoring?'"

A CFO's Key Fob

If no policies change, or the bank says you don't need to do anything more, take that as a red flag, Hinkel says. "Whatever the financial institution does to implement additional layers of security will flow to the customer. It's not going to be something that's done behind the scenes."

CFOs can take action on their side, as well. Mike Stanek, chief financial officer of Hunt Imaging LLC, a manufacturer and distributor of dry and liquid toners and developers, possesses a key fob registered to the company's bank account. It regenerates a new number every few seconds. Stanek has to enter that number, along with a user name and password, before he can access the account. Software at the bank allows it to verify the number he enters. "It adds another layer of security," Stanek says.

Along with these steps, both the CFO and his or her banking partner need to continually monitor the changing nature of attacks, says Richards. "It's your money," he says. "Stay diligent and keep looking."
