Financial Services CPOs and Risk Managers Reveal Data Breach Preparedness Focus
Article on October 11, 2017
- Cyber Security
- Data Privacy
- Incident Response
- Legal and Regulatory
What top three issues for the financial services industry are keeping their Chief Privacy Officers and Enterprise Risk Managers up at night? At the recent SANS Data Breach Summit in Chicago, two leading U.S. financial institutions weighed in on where they are focusing their time and resources to mitigate what most industries today have accepted as the inevitability of a data breach.
Top of mind for these leaders are:
With respect to vendor relationships, consistency in analytic processes across the organization was deemed key to avoid disconnects down the road as to the many risks presented by third party vendors. It was also cautioned that often vendor assurances are not backed up by capital or resources, so organizations need to be diligent in reviewing vendor balance sheets for both capacity and willingness to honor contractual indemnification commitments. Regarding the increasing number of cloud service providers today, it was agreed that an organization should have alternate language at the ready to implement in negotiations with a cloud provider. It was also strongly encouraged that an organization document internally (and secure sign-off approval from the Executive Committee, C-Suite and/or General Counsel) regarding the risks it may be taking on by accepting a cloud provider’s “boilerplate” language.
Regarding the discussion on minimum retention and document destruction practices, both organizations agreed that:
Finally, successful strategies at encouraging employees to come forward included:
These exercises strengthen employee recognition of suspicious and emerging types of phishing attacks and make it easier to detect employees who are frequently unsuccessful in avoiding these “attacks.”
Collapsing internal silos and aligning key departments with consistent and ongoing communication regarding these issues not only assists Chief Privacy Officers and Enterprise Risk Managers in doing their jobs – it makes the organization as a whole better able to weather the storm of the inevitable breach.
Becker's Hospital Review - Kathleen Roney - January 8th, 2013 What should a hospital or health system include in its New Year's resolution? Completing preparations to protect patient records and reduce data breach stress. The "Third Annual Benchmark Study on Patient Privacy & Data Security" by Ponemon Institute reports that data breaches in healthcare are growing; insider negligence is the root cause; and mobile devices pose threats to patients' protected health information. Despite the fact that 94 percent of healthcare organizations surveyed suffered data breaches in the report, data breaches don't have to be disastrous if organizations take steps to operationalize pre-breach and post-breach processes to better protect patient data and minimize breach impact. So, how can hospitals and health systems do this?
The world of privacy and information security has changed so fast in the past five years that most organizations are racing to catch up. Business processes, policies, and technologies all must be adapted to deal with the explosion of cyber-crime and the evolving regulatory landscape. Change is hard, but one upside of all this change is that we have learned a lot about dealing with privacy and security threats, and we can apply that knowledge to new business planning, putting privacy and security at the core of new systems and processes. When you are starting up a new business, line of business, or even a new business process, you have a rare opportunity not only to match technology and processes to today’s privacy and security requirements but to look ahead and plan for what’s coming down the line.