Using ERM to Protect Your Business from The Equifax Fallout

As with many data breaches, the general conclusion of the Equifax attack is that personnel were not aware of the issue beforehand. This conclusion, however, is false.

In early September, I anticipated that a vulnerability in Equifax’s software was known ahead of time, and that this scandal was, therefore, entirely preventable. A month later, the NY Times reported that the Department of Homeland Security sent Equifax an alert about a critical vulnerability in their software. Equifax then sent out an internal email requesting its IT department to fix the software, but “an individual did not ensure communication got to the right person to manually patch the application.”

The Equifax data breach was a failure in risk management. As a credit bureau that deals with the personally identifiable information (PII) of 200 million U.S. customers, Equifax has a legal and moral responsibility to safeguard their customers’ security, and to adopt the proper systems to do so.

For instance, if Equifax had an enterprise risk management (ERM) system in place, the warning from Homeland Security would have been properly recorded and assigned out to the appropriate personnel. This system would have provided transparency over the status of the task in progress, and would have triggered reminders until the vulnerability was patched and verified by the right subject matter expert.

A Point of No Return

It’s my opinion that this scandal is a point of no return for risk management. While data breaches have abounded in recent years, there has never been one of this magnitude or one that provides every piece of information hackers need to steal our identities. Of course, lawsuits and penalties are piling up around the company’s negligence, but these financial losses are nothing compared to the reputational damages Equifax will suffer—shares fell by 18% following the breach and have yet to fully recover.

What makes this scandal so unique, and therefore a point of no return, is that these reputational damages reach far beyond Equifax. Consumers can’t always choose whether they’re a customer of Equifax, but they can choose whether to do business with the institutions that gave away their information to Equifax in the first place.

I also believe that consumers’ outrage with this scandal will cause them to shift their money, loyalty, and trust to institutions that can demonstrate effective risk management. CEOs and boards of every company will have to prove their organizations have adequate enterprise risk management systems in place. They’ll find that more effective risk management and governance programs are necessary to keep their market shares up and their reputation clean.

Where to Go from Here

While this breach may appear to be an event of the distant past, we are in the eye of the storm. Stolen information can lie dormant for months or years as criminals wait to make their move, and when they do, you’ll have either taken this period of calm as a chance to forget the scandal, finding yourself ill-prepared, or a chance to get to higher ground, finding yourself fully protected.

To protect themselves, businesses must:

  • First, to determine where to focus your security resources, recognize that people, processes, and procedures are now the biggest risks. Businesses need to perform risk assessments across all departments to determine who has access to sensitive information and authentication processes, and what the business impact would be if these employees were to be impersonated.
  • Next, to address these risks, businesses must rewrite their procedures for authenticating the people involved in sensitive requests and actions both verbally and electronically. With so much PII now in the public domain, it is no longer safe to rely on traditional authentication based on these pieces of information. For example, the security question “What was your first car?” is not effective because the answer is now easily accessible. A more effective question would be “Who was your best friend in elementary school?”
  • Finally, it is important to keep your third-party vendors in mind. Vendors often have access to sensitive information and processes, which could have an enormous impact on your company. It is crucial, therefore, to extend your internal authentication procedures out to your third parties so that they are authorizing sensitive requests and actions as securely as your own organization.

Our world, including the business world, is becoming increasingly transparent, meaning it’s up to you to act with integrity and protect your stakeholders. Keeping the Equifax data breach in mind, along with enacting these tactical steps, will help you stay ahead of the competition and out of glaring social media headlines.

Risk and Crisis Management Explored at Cyber Event

NEW YORK—Cyberattacks and data security need to be high priorities for all businesses, experts stressed at ALM’s cyberSecure 2017 event here, Dec. 4 and 5. In fact, not only is failing to prepare for an attack or breach risky, it’s foolish, Kathleen McGee, internet & technology bureau chief for the Office of the Attorney General of the State of New York said in Monday’s opening address. She added that not reporting a breach in a timely fashion has its own set of legal and reputational risks, referring to the SHIELD Act (the Stop Hacks and Improve Electronic Data Security Act), introduced to New York State legislature by Attorney General Eric Schneiderman in November.

“Under the SHIELD Act, companies would have a legal responsibility to adopt reasonable, administrative, physical and technical safeguards for sensitive data,” she said Monday, adding that the standards would apply to any business holding data of New Yorkers, whether or not they do business in the state.

McGee noted that even though a company may not have all the details in the first 72 hours following a breach, reporting it to the New York Department of Financial Services (NYDFS) or another regulator is crucial. It is a legal requirement as part of the NYDFS Cybersecurity Requirements for Financial Services Companies, and even if all the pertinent information about an attack is not yet available, divulging what is known will prevent further enforcement action from the state.

“For some companies, data is the only commodity,” she said. “But in the past 10 years, risk assessments have not evolved as quickly as data collection.”

That observation lent itself to a segue for the next session, “Integrating Periodic Risk Assessment to Avoid Becoming the Next Target of a High-Profile Cyberattack.” Panelists covered the importance of formal risk assessments, which will be legally required by regulators like the NYDFS and the General Data Protection Regulation (GDPR) in Europe and goes into effect in 2018.

Moderator Eric Hodge, director of consulting at CyberScout, said education charts the path to a positive assessment and suggested using non-traditional training methods to onboard clients and employees over the course of a year.

“There are a lot of ways to educate other than the traditional annual training session set in a typical conference room,” Hodge said. “You can try white hat phishing to trap people in a safe way. Share your stories every month and be honest about your own failures. There are ways beyond just checking a box.”

eHarmony Vice President and General Counsel Ronald Sarian said his company has learned from its past incidents to better prepare and to update its ERM framework. The dating and compatibility company’s site was breached in 2012, before he joined the group.

“You need to do a data impact assessment and ask: What are your family jewels?” noted Sarian, who has implemented ISO27001 as the ERM framework to secure eHarmony’s international and cyber presence. “We had so much in place already that I thought we should take a shot at it. It takes at least a year but so far it’s working for us.”

When considering ransomware, experts from healthcare, insurance and electronic payments companies spoke passionately during a dedicated session about how they mitigate risks. Christopher Frenz, director of infrastructure at the Interfaith Medical Center strongly advocated for network segmentation, which he uses at the center, in an effort to keep intrusions contained.

As previously reported, Advisen’s recent Information Security and Cyber Risk Management Survey indicated that, for the first time in the seven years of the survey, there has been a decline in how seriously C-Suite executives view cyberrisk. With that trend in mind, panelist Christopher Pierson, PhD, chief security officer & general counsel of ViewPost, a provider of electronic invoice and payment services to businesses, outlined his approach to eliciting a response from board members.

“You can’t tell the board that [paying] is not an option, unless it’s illegal,” Pierson said. “Educate the board and explain that it is an option to pay terrorists and criminal syndicates. You’ll see the looks on their faces and then you’ll get them [to want to take action].”

Insurance Industry Responds to House Approval of NFIP Renewal

Insurance industry trade groups lauded the U.S. House of Representatives’ vote on Nov. 14, reauthorizing the National Flood Insurance Program (NFIP). The 21st Century Flood Reform Act (H.R. 2874) would reauthorize the program for five years and enact operational changes. Advocates from RIMS, the risk management society, the Property Casualty Insurers Association of America, and SmarterSafer.org also asked that the Senate waste no time in passing its version of the measure before its expiration on Dec. 8.

On Sept. 8, President Trump signed legislation passed by both houses to extend NFIP authorization until Dec. 8, which previously had been set to expire Sept. 30.

Dow Jones reports that the act’s reforms include:

  • Authorizing $1 billion to elevate, buy out or mitigate high-risk properties
  • Capping flood insurance premiums at $10,000 per year for homeowners
  • Removing hurdles to the private flood insurance market, which often offers better coverage at lower cost than the NFIP
  • Providing for community flood maps and a homeowner’s ability to appeal their flood designation
  • Better aligning NFIP rates to match a property’s true risk, particularly for in-land and lower-value properties
  • Improving the claims process for flood victims
  • Addressing repeatedly flooded properties, which account for 2% of NFIP policies but 25% of claim payments

While it applauded the U.S. House of Representatives for deciding to reauthorize the NFIP, RIMS, the risk management society, also urged the Senate to quickly follow-up before the program’s Dec. 8 expiration. Allowing the NFIP to expire would have “significant repercussions, impacting both corporate and residential property owners,” said RIMS Vice President Robert Cartwright Jr.

“Nearly five million American consumers rely on the NFIP to protect their homes, properties, and businesses,” said Nat Wienecke, senior vice president of federal government relations at the Property Casualty Insurers Association of America (PCI). “A long-term reauthorization is needed to provide consumers and markets with reliability and stability when it comes to flood insurance coverage.”

SmarterSafer.org, a coalition of taxpayer advocates, environmental groups, insurance interests, housing organizations and mitigation advocates, said in a statement that this year’s “historic hurricane season has pushed the nation’s debt-ridden flood insurance program past the point of bankruptcy once again, so we applaud the House for passing a legislative package that reforms the NFIP to ensure the program is financially sustainable for the future.” The organization also lauded the House for investing in recommended measures including “mapping and mitigation, addressing affordability and providing consumer choice in the flood insurance marketplace.”

The NFIP was created more than 50 years ago to provide affordable flood insurance as private insurers pulled out of the market. The program’s large debt led Congress to cancel $16 billion of its debt last month. NFIP now has about $6 billion to pay claims and $10 billion left that it can borrow from the Treasury Department, according to the Federal Emergency Management Agency, which manages the program.

Protecting Your Company from Rogue Employees

While employee malfeasance rarely takes down entire companies, it can result in serious fines, sanctions, court judgments, settlements and reputational damage. Big data analytics is one way leading companies are able to mitigate risk, by proactively detecting threatening or illegal behavior.

Traditional ERM Approaches Won’t Do

Compliance officers do their best. They generally work within enterprise risk management (ERM) frameworks to introduce corporate policies and procedures, conduct risk avoidance training and audits, and create inter-disciplinary committees. They work with IT to run compliance auditing software on critical structured data, including financial databases and transactional applications.

By targeting only well-behaved structured data, however, compliance officers can lose sight of one key fact—structured data is a small percentage of organizational data. Data storage analysts report that most organizational data are only 15% to 20% structured data and 80% to 85% unstructured. This leaves a huge volume of data that presents serious compliance risk to IP, especially electronic communications.

While e-mail, instant messaging, texting and social media are ingrained in our culture, traditional auditing software does not focus on communications. These threats often evade notice until the damage is done.

Here are some ways threats can escape the radar of employers that have traditional ERM approaches:

  • Limited ability to analyze unstructured data. The inability to monitor unstructured data leaves the company open to regulatory consequences and other risk.
  • Keyword searching to winnow down data sets often delivers a high volume of false positive results. Filtering techniques such as keyword searches may not be highly accurate and require intensive manual review. The result is higher cost and longer timeframes for manual-review projects.
  • Potential security issues. Communication platforms are rapidly proliferating. Employees might be sharing inappropriate corporate information on social media, yet these mentions often go unmonitored by the company, potentially missing evidence of employee misconduct.
  • Complex regulatory changes. Many governmental and industry regulations are already complicated, and their revisions only intensify complexity. For example, since introducing Dodd-Frank, regulators have written 224 of 400 expected rules and continue to modify existing rules.
  • Case-by-case approaches. Case-centric approaches to litigation, investigations and regulatory compliance matters impede applying learning and attorney work product on these cases to other matters. This inability lengthens legal reviews and investigations and multiplies costs. Case-based discovery also makes it difficult to discover widespread risky communications between employee groups and outside organizations.
  • Geographic and organizational silos. Relevant data is spread across different storage locations and eDiscovery platforms, creating distinct data silos.

A Cautionary Tale

Here is an example of risk that can go undetected until it’s too late, as it did at Wells Fargo. Banker 1 is responsible for reaching high quarterly sales goals. His manager increases his sales goals for the next quarter. Banker 1 emails a colleague complaining about how his goals are impossible to meet. Banker 2 suggests he try a creative process called “pinning,” which consists of a banker enrolling an actual customer in online banking to create a “sale.” The banker fills in the customer’s name and address but puts in a fake email address so the customer never receives banking communications. The banker meets his sales goals—and hopes the customer never finds out.

How Big Data Analytics Can Help

Analytics tools are already omnipresent in eDiscovery and compliance reviews. They include predictive coding, email threading and concept searching. They are highly useful for culling large data volumes to more manageable sizes. They also locate meaningful text and concept patterns so that reviewers can strategically work with high priority documents.

The catch is that these analytics can only filter to a point, and only work on a single-case basis. No matter how the case management software learns from tagging and work product, that learning cannot be applied across multiple matters if it resides on different review platforms or with different vendors. Each time a new case begins, reviewers and their software must start over. This leads to very long and repetitive document review processes, already the single most expensive activity in eDiscovery. Clients and attorneys also risk exposing sensitive information as the matter makes its way between document review platforms and multiple stakeholders.

A big data approach, versus specific analytics tools can continuously consolidate billions of documents into a central repository. It can also apply machine and human learning to enable the reporting of trends, new data relationships, and fresh insights into data across all cases—not just a single matter—for greater efficiency, cost control and risk mitigation.