Complying with the Gramm-Leach-Bliley Act (GLBA) is required, not optional.
Given the July 2019 news of the Equifax breach settlement and the steady stream of other security breaches in the headlines, some individuals may have the impression that compliance is optional. To reiterate: GLBA has been the law since 1999. It mandates that financial institutions keep the private information of individuals private. As holders of personally identifiable information, financial institutions must protect that data from foreseeable threats to its security and integrity, criminal and otherwise.
The Equifax data breach can serve as a wake-up call and provide useful cybersecurity lessons for astute financial services companies and any other organization that holds customer data. Here are four key lessons to learn from the Equifax data breach.
The Equifax Breach
Before detailing these four lessons learned from the breach, here’s a quick recap.
In September 2017, Equifax revealed that the personal information of 147 million people had been exposed in a data breach. To put that number in perspective, 147 million people is roughly four out of every 10 people in the United States.
The breach occurred on the company’s Automated Consumer Interview System (ACIS), which the company used for consumer credit freezes, fraud alerts, annual credit reports, and more. The customer information exposed was a wealth of data, including Social Security Numbers, dates of birth, credit card numbers, and so on.
Here’s a quick timeline of the Equifax breach:
- In March 2017, US-CERT alerted Equifax (and others) to a security vulnerability in Apache’s open-source software used to build Web applications
- The alert recommended an immediate update to a free, patched version
- Attackers were already exploiting the vulnerability
- On March 9, Equifax alerted the responsible staff to patch the affected software within 48 hours, per the company’s patch management policy
- The scan Equifax performed did not detect that the software was installed as part of its Automated Consumer Interview System
- As a result, the vulnerable installation went undetected for four months
- When it was detected in July 2017, an outside forensic expert determined that attackers had used the vulnerability to access other databases containing PII
For more detail, the FTC has a brief article discussing the basics of the breach. The Government Accountability Office’s 2018 report on the breach contains even more detail.
The GLBA Safeguards Rule and Lessons Learned
It is a simple fact that a company can do everything right regarding cybersecurity and still be successfully hacked. Good cybersecurity controls minimize risk. The goal for every financial services company should be to create a cybersecurity plan that facilitates GLBA compliance.
The Equifax data breach casts a spotlight on four elements of cybersecurity that, when properly executed, minimize the risk of a data breach:
- Patch your software
- Determine your level of vulnerability
- Prioritize security
- Choose partners wisely
These elements of cybersecurity are foundational to any cybersecurity strategy and are all included in the GLBA Safeguards Rule.
One overall lesson is that paying attention to the basics of security is critical. Some basic steps Equifax could have taken that would have limited the damage from the breach:
- Segment networks
- Have well-documented procedures and double-check that staff follows them
- DO NOT store admin credentials in plain-text files
- Periodically check software to ensure that it is configured correctly
Lesson 1. Patch Your IT Infrastructure
Cybersecurity is a never-ending game of catch-up for security experts. No software is perfect, and cybercriminals are constantly probing for weaknesses to exploit. Security experts are doing the same. When a security hole is identified, whether through an exploit in the wild or by the software vendor’s own testing, a patch is released.
Patch management is a key task for every IT department. However, many IT departments are overstretched and fall behind in keeping patches up to date. Many successful data breaches, like the Equifax breach, occur because cybercriminals exploit a known weakness for which a fix already exists. The WannaCry ransomware attack in 2017, which knocked out hospitals in the UK and wreaked havoc across 150 countries, targeted a known Microsoft vulnerability; an estimated 1.7 million computers remain at risk because they still have not been patched.
Keep all your software patched and document that it is. One reason for the large financial settlement is that Equifax did not ensure that employees followed the patching plan.
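As an added illustration (not code from the article, Equifax or any vendor), the check below turns the two gaps in the timeline above, the 48-hour patch policy and the scan that never inventoried the vulnerable component, into a repeatable compliance record: it reports unpatched hosts by how far past the SLA they are and separately flags hosts whose patch state is simply unknown because they were never scanned. The inventory, the component name, the version numbers and the dates are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PATCH_SLA = timedelta(hours=48)  # patch window from the policy the article describes

@dataclass
class Asset:
    host: str
    component: str     # component name as recorded by the inventory scan
    version: str       # installed version, e.g. "1.4.1"
    inventoried: bool  # False when the scan never covered this host

def parse_version(text: str) -> tuple:
    """'1.4.1' -> (1, 4, 1); assumes purely numeric dotted versions."""
    return tuple(int(part) for part in text.split("."))

def check_patch_compliance(assets, component, fixed_version, alert_time, now):
    """Return (host, reason, hours_past_sla) per failing asset; hours is None for
    hosts the scan never inventoried (the gap that hid Equifax's vulnerable component)."""
    deadline = alert_time + PATCH_SLA
    fixed = parse_version(fixed_version)
    findings = []
    for asset in assets:
        if not asset.inventoried:
            findings.append((asset.host, "not inventoried; patch state unknown", None))
        elif asset.component == component and parse_version(asset.version) < fixed:
            # Anything below the vendor's fixed release is treated as affected.
            overdue = max(0.0, (now - deadline).total_seconds() / 3600)
            reason = f"{component} {asset.version} below fixed {fixed_version}"
            findings.append((asset.host, reason, overdue))
    return findings

def summarize(findings):
    """Counts for the written compliance record the article asks for."""
    unknown = sum(1 for _, _, h in findings if h is None)
    past_sla = sum(1 for _, _, h in findings if h is not None and h > 0)
    return {"findings": len(findings), "unknown": unknown, "past_sla": past_sla}

# Constructed sample data (not real): one patched host, one unpatched, one never scanned.
SAMPLE_ASSETS = [
    Asset("web01", "example-webframework", "1.4.2", True),
    Asset("web02", "example-webframework", "1.4.1", True),
    Asset("acis01", "example-webframework", "1.4.1", False),
]
ALERT_TIME = datetime(2017, 3, 9, 9, 0)   # constructed: staff alerted March 9
CHECK_TIME = datetime(2017, 3, 12, 9, 0)  # constructed: audit run 72 hours later

if __name__ == "__main__":
    for host, reason, hours in check_patch_compliance(SAMPLE_ASSETS, "example-webframework", "1.4.2", ALERT_TIME, CHECK_TIME):
        print(host, reason, "" if hours is None else f"{hours:.0f}h past SLA")
```

The "unknown" count is the one to watch: a host that is missing from the inventory passes no check at all, which is how an unpatched component can sit unnoticed for months.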
Lesson 2. Determine Your Level of Vulnerability
It is impossible to plan if you do not understand your current IT security posture in its entirety, and, as noted above, many IT departments already struggle to maintain a basic patching schedule.
In-house IT departments also may not have the necessary skills to determine their level of risk. An assessment can reveal insecure default security settings, missed security updates, and other vulnerabilities. If your institution does not have the requisite expertise, engaging a third-party expert to conduct an independent security risk assessment will provide the foundation on which to build your cybersecurity plan.
Lesson 3. Prioritize Security
Chief security officers who report to the CIO could be limited in their security spend because the CIO is likely to be more concerned with budget than information technology. The reporting structure for security should roll up to the CEO/president or the person in charge of governance so that cybersecurity has an advocate at the highest level of the organization.
It bears repeating: keeping customer data secure is not optional for financial institutions (or other industries). The GLBA explicitly says so.
One possible solution is to outsource some or all elements of your IT security to a third-party provider, starting with a security risk assessment and/or vulnerability assessment.
Lesson 4. Choose Partners Wisely
Equifax and Apache initially engaged in a finger-pointing exercise, each blaming the other for the breach.
Using third parties for components of your IT or services infrastructure does not mean that you are blameless if a breach of your data occurs through a third-party service. The Safeguards Rule specifically notes that “In addition to developing their own safeguards, companies covered by the rule are responsible for requiring their affiliates and service providers to implement and maintain safeguards to protect customer information in their care.”
Document service level agreements on the protection and collection of customer data by any third-party partners. Remember always that it is YOUR customers’ data and that you are responsible for it. No excuses.
For tips to manage third-party risk, read How the FFIEC Expects Financial Institutions to Manage Vendor Risk.
Data Security as a Competitive Advantage
As business is increasingly transacted online, customers will gravitate to companies that repay their trust by keeping their PII secure.
As outlined in The True Costs of a Cybersecurity Breach, the negative outcomes of a data breach are never limited to the costs of repairing the breach.
Financial institutions need to learn the lessons of Equifax and adhere to the GLBA Safeguards Rule to create a cybersecurity strategy that minimizes the risks to their customers’ data. In a world of ever-increasing cybercrime, this is the best course of action, and taking the appropriate data security measures can also give a financial institution a strong competitive advantage.