
FFIEC E-Banking Security Guidelines: What You Need to Know

E-banking can be convenient and improve customer service along with other benefits. However, as with any process that involves the online transfer of personally identifiable information, there are risks. 

Cybercriminals take every opportunity to exploit target-rich environments. E-banking without proper security attracts criminals intent on identity theft, ransomware, denial-of-service attacks, and any other means of stealing from businesses. 

Creating a strategy and implementing a secure IT infrastructure for your e-banking services mitigates the risk of cybercriminals successfully attacking your company.

Here are suggestions to improve security and minimize the risks from cyberattacks based on guidance from the Federal Financial Institutions Examination Council (FFIEC).

The FFIEC and E-Banking

A five-member agency of the Federal government, the FFIEC establishes guidelines and uniform practices and procedures for financial institutions. Guidelines from the FFIEC provide financial institutions with expectations for compliance. 

So that we have an established definition of e-banking, according to the FFIEC:

E-banking is defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels.

The Risks of Cyberattacks Are Real

Cyberattacks on financial institutions are on the rise with no end in sight. The recently announced Capital One breach is the latest high-profile example. On July 19, Capital One discovered that a third party had gained unauthorized access to personal information related to the company’s credit card products. 

Luckily for Capital One and its customers, the company was able to fix the issue immediately and began working with law enforcement, which led to an arrest. As of now, it appears that no customer information was used for fraud or other criminal purposes. 

While it looks like Capital One successfully contained any major damage from the data breach, other companies will not be as fortunate or as well prepared. A successful cyberattack exposes your business to financial penalties under government regulations. More damagingly, your business can suffer reputational harm and lose customers because they no longer trust you to keep their information secure.

Data from research companies paint a frightening picture of the dangers. 

McAfee estimates that cybercrime cost the world economy $600 billion in 2018.

The Ponemon Institute study, 2018 Cost of a Data Breach Study, reveals that the average total cost of a data breach (the cost of the breach itself plus the resources used to address it) in 2016 was $3.86 million. It also took companies an average of 197 days to detect a breach.

Time to detect is key, as companies that discovered and contained a data breach in under 30 days saved themselves $1 million. In the recent Capital One breach, the hack was actually reported by a third party based on what the hacker wrote on social media!

A robust information security plan will help you prevent data breaches and detect any that do occur faster. 

Cybersecurity is of paramount importance for every organization. 

For a more in-depth picture of data breach costs, download The True Costs of a Cybersecurity Breach by clicking here.

While it is impossible to cover all aspects of e-banking compliance in a single blog post, this list of guidelines will put you on the path to a more secure e-banking infrastructure.  

FFIEC E-Banking Security Guidance

E-banking security guidelines date to the Gramm-Leach-Bliley Act of 1999 and the “Guidelines Establishing Standards for Safeguarding Customer Information” published in the Federal Register on February 1, 2001. 

Any financial institution offering e-banking or related support services must secure confidential customer information from unauthorized access. 

A typical, though not exhaustive, list of e-banking components includes:

  • Website
  • Firewall
  • Intrusion detection system
  • Network administration
  • Security management
  • The Internet banking server
  • Applications for e-commerce such as bill payment
  • Internal network servers
  • Core processing system
  • Programming and support
  • Automated decision support systems

Together, these components deliver e-banking services. Individually, each must be considered from a security standpoint, whether it is an in-house component or outsourced. 

The risks of e-banking change as quickly as technology and customer expectations. Even once you have a safe, secure e-banking environment, the challenge never ends. You need to continually improve your e-banking security to meet constantly shifting cybersecurity threats -- and to remain FFIEC compliant.

The Security Plan -- 4 Specific Measures

Every financial institution needs a security plan. FFIEC guidelines provide four specific measures for consideration:

  • Identify and assess threats to consumer information by performing a risk assessment
  • Create a plan, in writing, with policies and procedures to minimize risks
  • Implement and test the plan
  • Adjust the plan as technology changes, as customer data changes, and to address shifting threats (internal or external) to your information

This plan must take into account physical records (paper-based or even microfilm) as well as electronic data. 

5 Building Blocks to FFIEC Compliance

There are five main “blocks” to use to build your e-banking security. Each block is essential. Overlooking any of them or taking shortcuts will expose your institution to more risk. While it takes time and effort to plan, create, and implement e-banking security, you must spend the time required to ensure that your information is protected. 

Who is Responsible for the E-Banking Strategy?

Ultimately, it is the responsibility of the board of directors and senior management to oversee the e-banking strategy. This includes the reasoning behind offering e-banking as well as accountability for managing all aspects of e-banking risks. 

Who is Responsible for the Outsourced Relationships?

Institutions that outsource any portion of their e-banking infrastructure are not excused from managing risk to their customer data. Every company remains responsible for its own customer data even when using a third party. 

Senior management is also responsible for oversight of all third-party relationships:

  • Ensuring the outsourced partner has the necessary expertise to provide requisite services
  • Contracts that clearly specify privacy and security protections of customer data
  • Monitoring performance, service levels, and incident response

While third-party providers can bring cost-effective expertise into your e-banking environment, they also inject an additional element of risk into your system. The Capital One breach provides an example of this danger. The breach originated from a software engineer who had worked for Amazon Web Services, which Capital One uses for web hosting. Paige Thompson is accused of exploiting a misconfigured application firewall to gain access to the data of 100 million Capital One customers. Do not ignore third-party risk by assuming that a potential partner takes security as seriously as you do.

The Information Security Plan

Providers of e-banking services must manage information security risk. Compliance with Gramm-Leach-Bliley, as mentioned above, is the baseline. The company must have the requisite expertise to secure customer data. Access and control are critical, as is a secure IT infrastructure:

  • Physical access to equipment must be managed 
  • Policies must be in place to notify customers if a security breach occurs 
  • Authentication is critical to ensure only verified individuals have access 

Administrative Controls

Threats are not just external. A substantial number of data breaches are internal, caused either by employees who are poorly trained on security procedures and therefore do not know how to follow security guidelines, or by a smaller percentage of employees who deliberately perpetrate fraud and identity theft. Steps must be taken to minimize internal identity theft or fraud, including segregation of duties, transaction reconciliation, error checks, and suspicious activity reviews. 

Legal and Compliance Issues

Without face-to-face interactions, e-banking introduces new risk elements. To mitigate these, companies should:

  • Provide customer privacy and security policies on their website
  • Ensure all communications comply with applicable statutes and regulations, including the E-Sign Act
  • Always clearly identify the official name of the company on any relevant communication

Where Do You Begin with E-Banking Compliance?

Customers expect the convenience of online banking. Customers also expect their private, confidential information to remain that way. 

While no information security professional can promise a 100% impenetrable defense, following these guidelines will give you the best chance of success. 

One of the best beginnings is to start with a risk assessment. To reach your destination, you need to establish your starting point or baseline, and that is precisely what a risk assessment does.


Rema Deo

Rema Deo is the CEO and Managing Director at 24by7Security Inc. Rema is certified as a Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2. She holds a certificate in Cybersecurity: Technology, Application and Policy from the Massachusetts Institute of Technology. She also has a Master of Business Administration Degree from Symbiosis Institute of Business Management in Pune, India and a Bachelor of Commerce degree from the University of Bombay. Follow along the 24by7Security blog to learn valuable insights from Rema.
