What top three issues for the financial services industry are keeping their Chief Privacy Officers and Enterprise Risk Managers up at night? At the recent SANS Data Breach Summit in Chicago, two leading U.S. financial institutions weighed in on where they are focusing their time and resources to mitigate what most industries today have accepted as the inevitability of a data breach.

Top of mind for these leaders are:

  • Evaluating, revising, and monitoring third-party vendor relationships
  • Navigating best practices for minimum retention and document destruction
  • Motivating employees to come forward when something doesn’t seem “quite right”

Evaluating, Revising, and Monitoring Third-Party Vendor Relationships

With respect to vendor relationships, consistency in analytic processes across the organization was deemed key to avoiding disconnects down the road about the many risks presented by third-party vendors. It was also cautioned that vendor assurances are often not backed up by capital or resources, so organizations need to be diligent in reviewing vendor balance sheets for both the capacity and the willingness to honor contractual indemnification commitments. Regarding the increasing number of cloud service providers today, it was agreed that an organization should have alternate contract language at the ready to bring into negotiations with a cloud provider. It was also strongly encouraged that an organization document internally the risks it may be taking on by accepting a cloud provider’s “boilerplate” language, and secure sign-off approval for those risks from the Executive Committee, C-Suite and/or General Counsel.


Navigating Best Practices for Minimum Retention and Document Destruction

Regarding the discussion on minimum retention and document destruction practices, both organizations agreed that:

  1. Over-retaining documents unnecessarily expands the potential “footprint” of a data breach exposure
  2. You should be wary of having the same data sets stored in multiple locations within the organization
  3. While you can’t keep everything, it is well-advised to conduct an internal data mapping/data inventory exercise to confirm “what you have” first, before making retention and document destruction decisions

Motivating Employees to Come Forward

Finally, successful strategies at encouraging employees to come forward included:

  1. Having a clear escalation protocol that everyone in the organization is familiar with, to avoid the “scramble and blame game” at the point of a data privacy or security incident
  2. Establishing a privacy playbook and a regular recognition award for employees who come forward with concerns
  3. Conducting regular internal phishing campaigns

These exercises strengthen employees’ ability to recognize suspicious and emerging types of phishing attacks, and make it easier to identify employees who repeatedly fail to avoid these simulated “attacks” so that they can receive additional training.

Collapsing internal silos and aligning key departments with consistent and ongoing communication regarding these issues not only assists Chief Privacy Officers and Enterprise Risk Managers in doing their jobs – it makes the organization as a whole better able to weather the storm of the inevitable breach.