The US Consumer Financial Protection Bureau (CFPB) recently fined payments startup Dwolla US$100,000 for misrepresenting its security practices.
Dwolla advertised its service as “safe” and “secure”, and claimed its security practices exceeded industry standards and were PCI compliant. Dwolla also claimed that it encrypted all sensitive personal information.
The CFPB found that in fact Dwolla’s security practices fell well short of industry standards, for example, Dwolla:
- failed to encrypt some types of sensitive personal information, including social security numbers
- did not adopt or implement a written data-security plan to govern the collection, maintenance, or storage of consumers’ personal information
- failed to conduct adequate, regular risk assessments to identify reasonably foreseeable internal and external risks to consumers’ personal information, or to assess the safeguards in place to control those risks
- provided little or no data-security training to employees on their responsibilities for handling and protecting the security of consumers’ personal information, and
- released applications to the public without having tested whether they were secure.
Link: Press Release from Consumer Financial Protection Bureau | Full CFPB Complaint
Credit ratings agency Standard & Poor’s has recently signalled that “cybersecurity as an emerging threat … has the potential to pose a higher risk to financial institutions in the future, and possibly result in [credit] downgrades.”
The ratings agency has gone so far as to say that if a bank or other financial institution is ill-prepared to withstand an IT security breach, it could be downgraded even without suffering an actual attack. And (more conventionally) a downgrade may also be warranted after a breach, if the breach causes significant reputational damage with the potential to result in a major loss of customers, or if the financial or legal losses significantly affect the bank’s balance sheet.
With that in mind, Standard & Poor’s notes that it has begun to ask a range of questions regarding financial institutions’ preparedness against IT security breaches, including:
- Do you have a robust, well-documented program to monitor IT security risks?
- Does the financial institution have any third-party vendor oversight? If so, what kind and how much?
- How long has it typically taken to detect an attack?
- What containment procedures are in place if the financial institution is breached?
- Are emergency scenarios test-run?
- What software or other techniques are used to monitor attacks?
- What kind of expertise about IT security exists on the board of directors?
- How much does the financial institution spend on IT security, and what resources does it devote? What is the total tech budget this year versus last?
- Does the financial institution have any insurance to compensate for an IT security breach?
Link: Standard & Poor’s article
The Federal Trade Commission has closed its investigation into Morgan Stanley. In January 2015, Morgan Stanley announced that an employee had stolen the account information of 350,000 wealth-management clients. The FTC found that certain access controls applicable to a small set of reports were improperly configured, which allowed the employee to access and misappropriate the data.
The FTC reminded all businesses that as employees increasingly use personal websites and a host of online applications, companies should deploy appropriate controls to address the potential risk of broad access to such resources on work devices.
Link: FTC closes investigation into Morgan Stanley
The Banking Ombudsman has ordered a bank to pay $20,000 to a business owner after a bank employee methodically accessed the business owner’s company accounts, apparently without any legitimate or authorised purpose.
The Ombudsman’s office recently released a guide outlining the approach it will take to privacy and confidentiality complaints.
Link: Privacy and confidentiality guide and case note