By Nick Buri, Deluxe Corp.
A data breach can have a serious impact on your business, costing an organization $4.1 million on average (Javelin Strategy & Research). Investing in data breach preparation up front will determine how, and whether, a financial institution recovers after one occurs. While traditional data breach threats like insider fraud and lost laptops remain, newer threats like web application attacks and keylogging trojans are rising. As new techniques continue to emerge, no financial institution is immune. According to a recent Ponemon Institute U.S. Cost of a Data Breach Study, approximately 85 percent of businesses have experienced a data breach.
Preventing and detecting
The methods for preventing and mitigating the impact of a breach continue to improve. There's no better time than the present to: 1) assess your financial institution's vulnerability to a breach and 2) incorporate steps into your response plan that fill in the gaps.
When reviewing your institution's current data breach response plan, first consider how well it prevents and detects a breach. To streamline the update process, leverage your institution's recent Red Flags Rules compliance work.
Business and technical controls should be clearly established, with an emphasis on prevention. A comprehensive, well-documented security policy is a necessity, but it is only as good as its implementation. It is not enough for operations staff to know the proper procedures. Thoroughly communicate departmental security roles and responsibilities to employees, and outline the methods for communicating with employees in the plan.
Risk assessments should happen regularly. A breach drill can be a quick way to assess breach risk and can serve as a big wake-up call. Additionally, dedicate resources in each area of the business to monitor and research how your institution is protecting sensitive information. Encourage employees to give feedback on potential risks and make reporting easy.
Don't underestimate the effectiveness of accountholder fraud protection services like new-applicant screening tools and identity theft prevention services. They provide technical controls for detection and offer added-value service options for accountholders.
Mitigating impact
As your institution improves its breach response plan, add measures that help increase the speed of the response and minimize the business impact.
Begin by establishing a method for assessing the scope and impact of a data breach. Gather facts to determine the scope of the breach: who is affected, what information was involved, how the breach occurred and whether the data was encrypted.
Next, an incident response team should review the data breach facts. The team should be a designated, cross-functional team that is created before a data breach occurs. Based on the situation, determine who will lead the response team and assign other key areas of responsibility.
Drawing from the initial fact gathering and any new information discovered, the response team should document all events related to the breach as soon as possible. Once events are documented, the response team leader should work with other team members to develop effective strategies for addressing key issues like:
• Restoring data security and repairing affected systems
• Preserving the financial institution's good name
• Minimizing impact on accountholders and employees
• Preventing additional data breaches
Sometimes the best way to learn is by making a mistake. Although a thorough, well-documented plan will help minimize the impact of a data breach, there is always room for improvement. The plan should outline a post-breach process for reviewing lessons learned, with deadlines for implementing improvements. This will help increase future confidence in your institution's data breach prevention plan and reduce the time spent assessing risks.
Increasing loyalty
While managing the operational side of a data breach, don't lose sight of the impact on accountholders. Sixty-five percent of the cost of a data breach is due to lost business (Javelin). Accountholders, along with law enforcement, the SEC and other stakeholders, should hear the news of a data breach from their financial institution first, not from the Internet or a social media outlet.
Proactively alerting accountholders to the steps their financial institution is taking to protect their wellbeing can have a lasting effect. A McKinsey and Co. study on customer loyalty commissioned by Deluxe found that while 72 percent of accountholders left their institution because of a negative experience, 87 percent of accountholders gave more money to their institution as a result of a positive experience.
An accountholder data security breach notification template can be prepared in advance of a breach. It should cover the specifics of the breach and the immediate actions being taken to minimize the impact on operations. It is also an opportunity to highlight the controls your institution is activating to ease accountholders' concerns, such as offering a period of free credit monitoring or investigation and recovery services.
With crime rates historically rising during a recession and data breaches up 47 percent in 2008 (Identity Theft Resource Center), now is the time to help your institution be more prepared.