Even as banks improve their security practices and technology, gaps remain in the armor they have established around sensitive consumer data, and regulators say they plan to take more punitive measures against institutions that lack any of three basic security controls.
Those three controls, each widely regarded by cybersecurity and privacy professionals as a basic measure any institution should adopt, are multifactor authentication, password management and timely software updates. For banks that have not already done so, implementing each will present challenges because of their large and diverse customer bases.
The three were enumerated in a circular
While banks tend to be ahead of nonbanks in terms of adopting cybersecurity and information security controls, the risk of breach is growing for banks as fintechs and cryptocurrency firms partner more with traditional banks. That is according to Eric Young, senior managing director at compliance and security consultancy Guidepost Solutions.
Earlier this month, the New York State Department of Financial Services announced that Robinhood Crypto, a subsidiary of the retail investing company Robinhood, will pay a $30 million penalty for "significant failures" in the areas of bank secrecy, anti-money-laundering obligations and cybersecurity. The fintech partners with JPMorgan Chase to process transactions on cash deposit accounts.
The CFPB's bulletin last week also reminded financial institutions that the Federal Trade Commission announced a complaint in March against the former and current operators of customized merchandise e-commerce platform CafePress for its alleged failure to implement patch management policies and procedures.
The CFPB is not the only regulator taking action against financial companies for their shortcomings on implementing security and privacy controls, Young pointed out, naming the New York State DFS as an example.
"Taken together, these enforcement actions demonstrate that new technology does not equate to better controls," he said. "Even if new regulations are implemented, the financial services industry must not forget longtime consumer protection, cyber, AML and sanctions laws that exist to protect consumers, markets and our national security."
The Consumer Financial Protection Bureau said a company doesn't need to experience a data breach for the agency to consider taking action.
Even as early as 2005, regulators took action to press banks to implement one of the cybersecurity measures the CFPB recently recommended. Multifactor authentication was the subject of
A
More recent data on multifactor authentication adoption among banks is lacking, but
Not all multifactor authentication is created equal.
By contrast, security keys — physical devices that typically connect via USB to prove an identity — prevented account takeovers in 100% of cases the company studied. This aligns with a widespread desire among security professionals, tech executives and others to
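The reason a security key holds up where a one-time code does not is that the browser binds a WebAuthn assertion to the origin it was made on, so a phishing page cannot obtain one the bank will accept. The model below, added here as an illustration and not code from the article or any vendor, plays out both cases with a victim signing in through a phishing page at evil.example that relays to bank.example. The OTP secret, credential key, challenge and origins are constructed for the example, and an HMAC stands in for the security key's ECDSA signature so that the model runs offline with only the standard library; the relying-party checks themselves (type, challenge, origin, rpIdHash, signature) are the ones the WebAuthn specification requires.

```python
"""Why a one-time code relayed through a phishing page is accepted by the bank
while a security-key (WebAuthn) assertion relayed the same way is not.
Added illustration; all secrets, keys, challenges and hostnames are constructed,
and HMAC stands in for the key's ECDSA signature."""
import base64
import hashlib
import hmac
import json
import struct

OTP_SECRET = b"constructed-shared-otp-secret"        # constructed
CREDENTIAL_KEY = b"constructed-per-credential-key"    # constructed; stands in for the key pair
BANK_RP_ID = "bank.example"                           # constructed hostname
BANK_ORIGINS = ("https://bank.example",)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current 30-second time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bank_verifies_totp(code: str, unix_time: int) -> bool:
    """The bank only sees six digits; nothing says where the user typed them."""
    return hmac.compare_digest(code, totp(OTP_SECRET, unix_time))


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_builds_assertion(origin: str, requested_rp_id: str, challenge: bytes) -> dict:
    """Model of the browser plus security key answering navigator.credentials.get().
    The browser, not the page, writes `origin` into clientDataJSON and refuses an
    rpId the page's origin is not entitled to; the key signs authenticatorData
    (which starts with SHA-256(rpId)) concatenated with SHA-256(clientDataJSON)."""
    host = origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"browser refuses rpId {requested_rp_id!r} for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    authenticator_data = sha256(requested_rp_id.encode()) + b"\x01" + b"\x00\x00\x00\x00"
    signature = hmac.new(CREDENTIAL_KEY, authenticator_data + sha256(client_data),
                         hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data,
            "signature": signature}


def bank_verifies_assertion(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks that make the assertion useless anywhere but the bank's origin."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != b64url(expected_challenge):
        return False
    if client.get("origin") not in BANK_ORIGINS:          # origin binding
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != sha256(BANK_RP_ID.encode()):     # rpIdHash binding
        return False
    expected = hmac.new(CREDENTIAL_KEY, auth_data + sha256(assertion["clientDataJSON"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_attack_outcomes(now: int = 1_700_000_000) -> dict:
    """Victim signs in on a phishing page at evil.example that relays to the bank."""
    challenge = b"constructed-challenge-0001"
    # OTP: the code the victim typed into the phishing page is relayed within the time step.
    totp_relayed = bank_verifies_totp(totp(OTP_SECRET, now), now)
    # Security key: the phishing page can only obtain an assertion for its own origin...
    phished = browser_builds_assertion("https://evil.example", "evil.example", challenge)
    webauthn_relayed = bank_verifies_assertion(phished, challenge)
    # ...and the browser will not even let it request the bank's rpId.
    try:
        browser_builds_assertion("https://evil.example", BANK_RP_ID, challenge)
        browser_refused = False
    except ValueError:
        browser_refused = True
    # The genuine sign-in at the bank's own origin still verifies.
    genuine = browser_builds_assertion("https://bank.example", BANK_RP_ID, challenge)
    webauthn_genuine = bank_verifies_assertion(genuine, challenge)
    return {"totp_relayed_accepted": totp_relayed,
            "webauthn_relayed_accepted": webauthn_relayed,
            "browser_refused_bank_rpid": browser_refused,
            "webauthn_genuine_accepted": webauthn_genuine}


if __name__ == "__main__":
    for name, accepted in relay_attack_outcomes().items():
        print(f"{name}: {accepted}")
```

The relayed TOTP code verifies because the bank's check has no notion of where the digits were entered; the relayed assertion fails on the origin check (and would fail the rpIdHash check even if that were skipped), and the browser refuses outright to mint an assertion for the bank's rpId from the phishing origin.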
A primary motivation for banks to use password managers is to help employees avoid reusing credentials or using weak credentials. This practice is by many estimates, including Verizon's 2022
Regularly patching systems is a struggle for many financial institutions, according to Lou Steinberg, co-founder at CTM Insights, a cybersecurity research lab and incubator.
Patching entails applying security updates that remediate known vulnerabilities in software. The Cybersecurity and Infrastructure Security Agency keeps a catalog of vulnerabilities known to be exploited in the wild, along with the action firms running the affected software should take. Typically, the action is to apply an update per the vendor's instructions.
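A practical use of that catalog is to cross-check it against the institution's own software inventory and rank what to patch first by due date and by whether the entry is tied to ransomware campaigns. The script below is an added example, not code from the article or from CISA: the catalog excerpt follows the field names of CISA's KEV JSON feed, but its vendors, products, dates and CVE IDs are constructed placeholders, as is the inventory. One caveat worth noting in the code: catalog entries carry no version ranges, so a vendor/product match means "confirm this host is on a fixed build", not "this host is vulnerable".

```python
"""Cross-check a server inventory against CISA's Known Exploited Vulnerabilities
(KEV) catalog and rank what to patch first.  Added example; the excerpt below uses
the KEV feed's field names but every vendor, product, date and CVE ID is a
constructed placeholder, as is the inventory.  In practice the feed is downloaded
from cisa.gov and the inventory comes from a CMDB or endpoint agent."""
import json
from datetime import date

KEV_EXCERPT = json.dumps({                       # constructed, KEV-shaped
    "title": "constructed KEV excerpt", "catalogVersion": "0000.00.00",
    "dateReleased": "2024-02-27T00:00:00.0000Z", "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "LedgerServer",
         "vulnerabilityName": "constructed entry", "dateAdded": "2024-01-15",
         "shortDescription": "constructed entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-02-05", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "LedgerServer",
         "vulnerabilityName": "constructed entry", "dateAdded": "2024-02-20",
         "shortDescription": "constructed entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2024-03-12", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "GatewayAppliance",
         "vulnerabilityName": "constructed entry", "dateAdded": "2024-02-27",
         "shortDescription": "constructed entry",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use "
                           "of the product if mitigations are unavailable.",
         "dueDate": "2024-03-19", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

INVENTORY = [                                    # constructed
    {"host": "core-banking-01", "vendor": "ExampleVendor", "product": "LedgerServer"},
    {"host": "core-banking-02", "vendor": "examplevendor", "product": "ledgerserver"},
    {"host": "edge-gw-01", "vendor": "OtherVendor", "product": "GatewayAppliance"},
    {"host": "hr-app-01", "vendor": "ThirdVendor", "product": "PayrollSuite"},
]


def load_kev(text: str) -> list:
    """Parse the feed; only the `vulnerabilities` array is needed here."""
    return json.loads(text)["vulnerabilities"]


def _norm(name: str) -> str:
    """Vendor/product strings in feeds and CMDBs differ in case and spacing."""
    return " ".join(name.lower().split())


def match_inventory(inventory: list, kev: list, today: str) -> list:
    """Return one finding per (host, KEV entry) pair, ranked for triage.

    KEV entries carry no version ranges, so a match means 'confirm this host is
    on a fixed build', not 'this host is vulnerable'."""
    today_d = date.fromisoformat(today)
    findings = []
    for item in inventory:
        key = (_norm(item["vendor"]), _norm(item["product"]))
        for entry in kev:
            if (_norm(entry["vendorProject"]), _norm(entry["product"])) != key:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": item["host"], "cve": entry["cveID"],
                "vendor": entry["vendorProject"], "product": entry["product"],
                "required_action": entry["requiredAction"],
                "due_date": entry["dueDate"], "days_past_due": (today_d - due).days,
                "overdue": today_d > due,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Ransomware-linked entries first, then earliest due date, then host name.
    findings.sort(key=lambda f: (not f["ransomware"], f["due_date"], f["host"]))
    return findings


def hosts_needing_action(findings: list) -> list:
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in match_inventory(INVENTORY, load_kev(KEV_EXCERPT), "2024-03-01"):
        flag = "OVERDUE" if f["overdue"] else f"due in {-f['days_past_due']}d"
        print(f"{f['host']:16} {f['cve']:14} {flag:14} {f['required_action']}")
```

Run on the constructed data with a "today" of 2024-03-01, the two LedgerServer hosts surface first with an overdue, ransomware-linked entry, the gateway appears last with a mitigation-or-retire action, and the payroll host produces no finding.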
Applying updates may seem simple, but it remains a core part of basic security hygiene, Steinberg said. And at the scale of a large firm's systems the task becomes complex, because each patch must be tested for compatibility with applications that may be legacy.
"Institutions with complex and fragile designs often avoid changes due to fear of breaking things," Steinberg said. "The best solution is to move to modern serverless and container-based apps, but that will take decades to roll out at places with thousands of apps and tens of thousands of servers."
Financial institutions that have not moved to serverless and containerized apps should get as close as they can to deploying every security patch automatically as soon as it is available, Steinberg said.
Institutions must also hold vendors accountable for making sure apps do not break when new releases come out, Steinberg said.
Rather than vetting security patches with lengthy pre-deployment testing, Steinberg also recommended that financial institutions use "canaries": apply a patch first to a small number of systems so that any compatibility problems it causes are contained before the patch is rolled out more broadly.
Of course, regulatory action is not the only threat banks face if they do not implement multifactor authentication, security patching or password management. Although imperfect, each provides additional protection against the reputational harm a firm can suffer in the wake of a security breach, and Young said bank executives must not overlook those risks.
"Not implementing what might be viewed as minor, annoying controls such as multifactor authentication could lead to major unanticipated vulnerabilities," Young said.