Three basic security practices banks need to implement now

The Consumer Financial Protection Bureau recently named three security practices that banks must implement to protect consumer data. For those that have not yet, the barriers to doing so may prove daunting.
Adobe Stock

Even as banks improve their security practices and technology, gaps remain in the armor they have established around sensitive consumer data, and regulators say they plan to take more punitive measures against institutions that lack any of three basic security controls.

Those three controls, each widely regarded by cybersecurity and privacy professionals as a basic measure any institution should adopt, are multifactor authentication, password management and timely software updates. Implementing each will present challenges for banks that have not already done so because of their large and diverse customer bases.

The three were enumerated in a circular released last week by the Consumer Financial Protection Bureau, which also said institutions could face liability if they do not implement one or more of the measures. As an example, the bureau noted its 2017 complaint against Equifax for the company's alleged failure to patch a known security vulnerability, ultimately leading to the exposure of 148 million consumers' personal information.

While banks tend to be ahead of nonbanks in terms of adopting cybersecurity and information security controls, the risk of breach is growing for banks as fintechs and cryptocurrency firms partner more with traditional banks. That is according to Eric Young, senior managing director at compliance and security consultancy Guidepost Solutions.

Earlier this month, the New York State Department of Financial Services announced that Robinhood Crypto, a subsidiary of the retail investing company Robinhood, will pay a $30 million penalty for "significant failures" in the areas of bank secrecy, anti-money-laundering obligations and cybersecurity. The fintech partners with JPMorgan Chase to process transactions on cash deposit accounts.

The CFPB's bulletin last week also reminded financial institutions that the Federal Trade Commission announced a complaint in March against the former and current operators of customized merchandise e-commerce platform CafePress for its alleged failure to implement patch management policies and procedures.

The CFPB is not the only regulator taking action against financial companies for their shortcomings on implementing security and privacy controls, Young pointed out, naming the New York State DFS as an example.

"Taken together, these enforcement actions demonstrate that new technology does not equate to better controls," he said. "Even if new regulations are implemented, the financial services industry must not forget longtime consumer protection, cyber, AML and sanctions laws that exist to protect consumers, markets and our national security."

CFPB

The Consumer Financial Protection Bureau said a company doesn't need to experience a data breach for the agency to consider taking action.

August 11

Even as early as 2005, regulators took action to press banks to implement one of the cybersecurity measures the CFPB recently recommended. Multifactor authentication was the subject of a 2005 regulation by the Federal Financial Institutions Examination Council that gave banks until the end of 2006 to implement the practice.

A report released just after the FFIEC's deadline, from Celent, a consultancy focused on technology for financial institutions, found that only about half of banks got their multifactor authentication deployments off the ground in time.

More recent data on multifactor authentication adoption among banks is lacking, but a report by American Banker released this year indicates two out of every three banks have plans to require customers to use two-factor authentication. Approximately the same number plan to require staff and third-party vendors to use two-factor authentication.

Not all multifactor authentication is created equally. Google found in a 2019 study that SMS codes were the least secure device-based authentication method. Authentication using SMS codes is susceptible to SIM jacking, a form of identity theft in which a criminal gains access to calls and messages sent to a given phone number.

By contrast, security keys — physical devices that typically connect via USB to prove an identity — prevented account takeovers in 100% of cases the company studied. This aligns with a widespread desire among security professionals, tech executives and others to move beyond passwords toward using on-device authentication methods. Even so, financial firms that have not properly implemented their multifactor authentication can fall victim to breaches.

A primary motivation for banks to use password managers is to help employees avoid reusing credentials or using weak credentials. This practice is by many estimates, including Verizon's 2022 Data Breach Investigations Report, the single largest driver behind security breaches. Password reuse and weak credentials give cybercriminals a means of guessing their way into secure systems.

Regularly patching systems is a struggle for many financial institutions, according to Lou Steinberg, co-founder at CTM Insights, a cybersecurity research lab and incubator. 

Patching entails applying security updates that remediate known vulnerabilities in software. The Cybersecurity and Infrastructure Security Agency keeps a list of those known software vulnerabilities and actions that firms using that exposed software can take. Typically, the action is to apply an update per the vendor's instructions.

But as simple as applying updates might seem, doing so is still an important part of basic security hygiene, Steinberg said. And the seemingly simple task can also prove complex in environments where a firm's systems reach a larger scale, as it must be accompanied by testing to ensure the patches are compatible with potentially legacy applications.

"Institutions with complex and fragile designs often avoid changes due to fear of breaking things," Steinberg said. "The best solution is to move to modern serverless and container-based apps, but that will take decades to roll out at places with thousands of apps and tens of thousands of servers."

For financial institutions that do not use serverless and containerized apps, Steinberg said they should get as close as possible to automatically deploying all security patches as soon as they are available.

Institutions must also hold vendors accountable for making sure apps do not break when new releases come out, Steinberg said.

Steinberg also recommended that, rather than using lengthy pre-release testing to vet security patches, financial institutions can use "canaries," meaning they first apply patches to a limited number of systems to limit the scope of any compatibility issues that arise from a security patch.

Of course, regulatory actions are not the only threat banks face if they do not implement multifactor authentication, security patching, or password management. Although imperfect, each provide an additional protection against reputational harm a firm can endure in the wake of a security breach, and Young said bank executives must not overlook those risks.

"Not implementing what might be viewed as minor, annoying controls such as multifactor authentication could lead to major unanticipated vulnerabilities," Young said.

For reprint and licensing requests for this article, click here.
Cyber security Regulation and compliance
MORE FROM AMERICAN BANKER