Data Privacy: Practical Approaches for Financial Services Management Teams

Cyber risk has reached new levels. Data privacy is an area where many companies have yet to implement either an overall policy/procedural framework or suitable technical protections. Practical steps for management teams are provided for each of these two areas.

Earlier this year when I wrote an article for the inaugural technology issue of The Secured Lender cyber risk was reaching new levels and was the subject of daily headlines. So it was a natural topic to bring to the attention of finance company leadership teams who read The Secured Lender.

Since then, a few short months later, a further, almost unimaginable, escalation in cyber-risk news has occurred:

* The United States acknowledged the hacking of the blueprints and designs for many of its most advanced weapon systems/

* The WikiLeaks convictions were handed down, covering the revelation hundreds of thousands of supposedly-secure diplomatic cables/

* The Edward Snowden affair is said to have exposed the participation of U S. companies in intelligence-gathering as well as releasing some of America's most closely guarded secrets/

These most recent events place a spotlight on data privacy - an issue that, if not addressed properly, perhaps could become the fundamental factor that limits the ubiquity and universality of modern information technology. Consumers may simply opt for less connectivity if an application or vendor does not appear trustworthy. Lack of trust can serve as a frictional barrier that slows the adoption of a new technology or service.

If the steady drumbeat of headlines regarding data breaches are an indicator, data privacy is an area where many companies have yet to implement either an overall policy and procedural framework or suitable technical protections. It may seem odd to consider that corporations can achieve these protections when the US government, with its $80 billion-plus5 annual IT budget, cannot seem to do so. Yet management teams should not despair or become resigned to an inevitable loss, as many companies are able to avoid a breach or significant incident. Threat levels that organizations face are generally recognized to be related to their industry group. Governments are under attack from the most sophisticated persistent threats (whether internal or external). Financial services and utilities companies are considered next on the list for degree of threat6, with other industries facing lesser threats. The data privacy challenge for management becomes one of designing a program that stays one step ahead of the threat and to do so before a major incident/

So, in order to stay ahead of danger, as threat levels rise, companies should make improvements so as to maintain a margin of safety compared to the risk that their industry faces and the bar for financial services is very high. If you believe your bank or finance company lags behind competitors and industry norms, then these recent developments suggest that an urgent catch-up initiative should be launched. First, the goal should be to reach parity; and, then, to stay ahead of any possible threat. Within the financial services industry, the security and privacy standard is rising rapidly, which can be difficult to reach for smaller competitors.

What can financial-services management teams do to improve data privacy and how to proceed rapidly to reduce risk?

There are two parallel tracks to work on:

1. Creating a "documentation tree" that guides implementation. Ultimately, this will provide the necessary framework for employee termination upon discovery of intentional violation of data guidelines. Once created, the policies and procedures should be kept up-to-date, and employees should undergo mandatory annual training regarding their responsibilities.

2. Implementing procedural improvements, technical monitoring and protection solutions according to risk-reduction priorities. These steps should be pursued while the necessary program rollout proceeds. A corporate risk-management steering committee should allocate funding to technical improvements, track progress, allocate internal resources and adjust the program based on internal and external factors. These investments should be reviewed monthly or at least quarterly by a senior team within the company.

Because data privacy programs are essentially "defensive" undertakings, management does not control the timeline compared with "offensive" IT campaigns, such as new-product rollouts or entering a new market. So, while it may be tempting to proceed deliberately by documenting and improving the most-capable internal divisions first, the data privacy risk to the enterprise may lie in sub-scale and far-flung operations. A balance of implementing tactical technical improvements, while providing a well thought-out and executed program to cover the entire company, is the most likely outcome for multi-divisional and multinational companies.

Here is a listing of steps that typically lie on the two recommended tracks:

l The approach to creating a documentation tree usually consists of the following steps, in this approximate sequence:

a. Setting enterprise-level data policies that cover all considerations (including privacy, security, legal and regulatory compliance, disaster recovery and records retention)

b. Classifying all data according to those policies

c. Creating appropriate technical standards and data-handling procedures

i. In accordance with law (for example, Gramm-Leach-Bliley, HiPAA, PCI, EU and Canadian privacy laws)

ii. A records-retention policy driven by external and internal considerations (for example, three-year financial audit, seven-year tax audit, 30-year escheatment)

iii. Closely linked to records retention is the question of system backups, especially given that disk and tape versions of systems can both age and proliferate to the point at which excessive risk of disclosure is created.

d. Combating the "insider-information" threat

i. Background checks (across-theboard and more extensive checks for IT personnel)

ii. Principle of "least privilege" (that an employee's access is based solely on job role and responsibility)

iii. Enhanced protection/surveillance on privileged accounts ("super-user", system administrator, developer, Data Base Administrator, etc.). Note that the NSA was reported to have undertaken a program to reduce the number of engineers with such privileged accounts by 90% following the Snowden disclosures8

iv. Employee awareness campaign (avoid phishing, social engineering, malware)

e. Reviewing vendor contracts

i. Terms and conditions on data handling may not be strong enough for the sensitivity of the affected data

ii. SSAE16 (successor to SAS 70) certification - Was data handling, information security and data privacy in scope for the audit? Even if this was the case, this approach has limitations and a thorough vendor due diligence is recommended9

f. Creating an operational risk committee structure to prioritize improvements and govern data-privacy initiatives.

2. In many cases, especially in a catch-up scenario, technical protections can't wait until a full documentation tree is created and a risk assessment is conducted. Management teams may have to conduct a "quick-and-dirty" review in order to determine the most pressing shortfalls that are addressable in the near term. The resulting systems may fall into a general information security category and/or include specific data-loss prevention (DLP) systems that are engineered to solve data-privacy exposures.

a. Security standards should be met, particularly in

i. Perimeter security remediation to protect from external threats

ii. Internal compartmentalization (so that, if one client's or one division's data is compromised, the other areas of the company are not breached)

iii. Remediation of audit points (known control weaknesses)

b. Improvements should be considered across all technical platforms

i. Endpoints (tablets, PCs, laptops, smartphones, etc.)

ii. Data center (servers, storage, partner connection firewalls, internal firewalls, etc.)

iii. Media (tapes, thumb drives, hard drives, etc.)

iv. Perimeter security (firewalls, intrusion detection and prevention systems (IDS/IPS), application-level firewalls, exfiltration monitoring, etc.)

v. Communication links and transport (for example, HTTPS)

c. Protecting the "crown jewels" first is a valid strategy. Examples of trade secrets could include credit-adjudication methods or algorithmic trading methods. While examples of the most sensitive systems could include wire transfer and cash handling systems.

i. Data could be secured by segregating the data to a separate server with restricted access, and by using special protections such as IPSEC and encryption

ii. And the integrity of processing on these systems should be the subject of thorough recurring audits

d. Scanning and discovery across the network for social security numbers, credit card numbers, and personally identifiable information to determine if classification decisions are correct

e. Use of encryption in selected cases and at levels that make sense (e g., disc, database, table or field level)

f. Use of data-masking (for example, that systems only display the last four social security digits and show the full nine digits only in speciallydetermined use cases)

g. An assessment of as-built security settings and practices on internal systems, as compared to public cloudcomputing systems. This comparison may lead the company to consider alternative-hosting arrangements if it concludes its current practices are less secure than commercially available external hosting.

There may also be point solutions that become abundantly clear to the management team. These can be acted upon as needed prior to completion of the documentation tree. Examples may include:

* Laptop encryption (for the subset of employees with sensitive data, such as those in the human resources department)

* Banning the use of thumb-drives for many employees (e.g., in call centers) or forced encryption and logging/monitoring of hie transfers to external-storage devices for other employees

* Email and FTP gateway monitoring - Banning or monitoring of public file-sharing services, such as Dropbox

* Internal firewalls and other methods to limit disclosures from affecting the entire organization via compartmentalizing the network

* Limiting the number of system administrators10 through development of administration screens and monitoring the remaining superusers through technical means. For example, the prevention of the common use of root and admin staff IDs by multiple individuals is a specific weakness that organizations with less mature controls frequently suffer,

* Scanning all outbound attachments for sensitive information.

However, when starting implementation projects, management teams should be aware that progress may proceed slowly and sequentially, in three stages:

A. Monitor and create a baseline - set thresholds for detecting potential events - a balance will have to be struck between false positives and missed negatives.

B. Monitor and alert employees upon detections. After passing through the first stage, automated alerts issued, based on pre-set thresholds, will be more useful and trustworthy.

C. Stop data in transit. Because it interferes with the conduct of business, confidence in the technical solution should be high.

Before the policy framework and documentation tree is in place, financial-services management teams may find it difficult to terminate offending employees. This is often the case when employee policies are out of date. For example, many old policy frameworks rely extensively on the clause that company systems are permitted subject to an "appropriate use." It may create a legal problem and liability to terminate an employee who pushes beyond an unwritten limit of BYOD (bring your own device) policies, yet claims that what the employee was doing was appropriate.

Because of the delays embedded both in creating a document tree and in trusting the deployed technical solutions, it is recommended that these two initiatives be run in parallel, especially in urgent, catch-up situations.

As a final note, many tend to think of technology as steadily progressing towards an ever-greater interconnectivity -- and not thinking deeply about the security of their data until it is too late. It may be possible to learn a valuable lesson from a less-technologicallydeveloped country, Russia. The Kremlin recently purchased 20 typewriters as a method to secure its most sensitive leadership communications." It is a cautionary statement that should remind us that senior management is ultimately responsible for the inadvertent disclosure of their company's private data, tsl

1 Cyber Should be on Your Risk Management Agenda http://www. nxtbook.com/ygsreprints/CFA/ P3430i_tsl_may20i3/index.php#/20

2 The U.S. weapons systems that experts say were hacked by the Chinese http://www.washingtonpost.com/ blogs/worldviews/wp/2013/05/28/ the-u-s-weapons-systems-thatexperts-say-were-hacked-by-thechinese/

3 Bradley Manning verdict https:// pressfreedomfoundation.org/sites/ default/files/07-30-i3-AM-session.pdf

4 Inside the 2013 U.S. intelligence 'black budget' http://apps.washingtonpost.eom/g/page/national/ inside-the-2013-us-intelligence-blackbudget/420/#document/pi/aii7329

5 FY 2012 Information Technology Budget http://www.actgov.org/knowledgebank/governmentit/Documents/ Vivek%20Kundra%20-%20FY%20 20i2%20lnformation%2oTechnolOgy%20Budget%2002%2024%2011.pdf

6 Page 10 of the Defense Science Board Task Force Report:

Resilient Military Systems and the Advanced Cyber Threat lists critical infrastructure to include: power generation, communications, fuel and transportation, emergency services, financial services, etc.

7 Pentagon Five-Year Cybersecurity Plan Seeks $23 Billion http://www. bl00mberg.c0m/news/2013-06-10/ pentagon-five-year-cybersecurityplan-seeks-23-billion.html This program request apparently was in response to the data loss discussed in footnote 2.

8 NSA to cut 90 percent of systems administrators http://www.washingtonpost.com/blogs/federal-eye/ wp/20i3/o8/i3/nsa-to-cut-go-percentof-systems-administrators/

9 See the article by Jennifer Bayukwww.bayuk.com titled Vendor Due Diligence ISACA Journal Volume 3, 2009 and other references on her website to the limitations of relying on SAS 70 for assurance of information security protections

10 The NSA Intends To Fire 90% Of Their System Administrators To Eliminate Future Leaks http://www.businessinsider.com/nsa-firing-sysdadmins-2013-8

11 KREMLIN RECIPE FOR AVOIDING LEAKS: USE TYPEWRITERS http://bigstory.ap.org/article/kremlin-recipeavoiding-leaks-use-typewriters

John Nerenberg is a director in the IT & Applied Analytics Practice at AlixPartners LLP, the global business advisory firm. AlixPartners, LLP is a global business advisory firm offering comprehensive services in four major areas: enterprise improvement, turnaround and restructuring, financial advisory services, and information management services. The firm was founded in 1981 and can be found on the Web at www. alixpartners.com. The opinions expressed are those of the authoKs) and do not necessarily reflect the views of AlixPartners, LLP, its affiliates, or any of its or their respective other professionals or clients.