Financial Institutions: Have You Thought About Cyber Education For Your Customer

Category: Data Security
Type: Blog
Author: Alison Hawkins

Have you checked your website lately? Every financial institution has some form of cyber security education for its customers. But is it posted on your website, and does it cover all of the minimum requirements? Before you get called out during your next IT exam, it is worth taking a few minutes to review your institution's website and confirm that all of the "recommended" guidance has been addressed.
 
Back in 2011 the FFIEC issued guidance (which we all know means do it, because it will come up as an exam finding or recommendation if you don't) on expectations for customer education with respect to cyber security. The guidance was issued as a supplement to their Authentication in an Internet Banking Environment publication. That publication required institutions to comply by 1/1/2012 with several control upgrades, including a reference to "more active consumer awareness and education efforts". It also set out 5 elements as the minimums for a financial institution's customer awareness and education program, covering both commercial and consumer customers. Per the FFIEC guidance, the 5 elements of customer education efforts are the following:

  • “An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access; 
  • An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials; 
  • A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;  
  • A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and, 
  • A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.”

Note that the first element calls for educating customers on what protections an institution will not provide. The second requires you to inform customers of the circumstances in which you would contact them and request credentials, not just how you will typically contact them. And we all love a good risk assessment, but now you are to suggest that your commercial customers perform the same exercise, and to provide control options they may want to consider implementing. Thank goodness the guidance does provide a list of helpful controls in its Appendix.

Let's fast forward 8 years to today. The language in the Supplement that catches my eye is a reference to "significant changes in the threat landscape" since 2005. Boy, if they thought things had changed between 2005 and 2011, can you imagine if they had a time machine and could see the threat landscape today? This is an area of ever-increasing change, with criminals becoming more creative every day. Yet, sadly, no matter how many times it is said and posted, we are creatures of curiosity and we still seem to fall for the latest fraudster trick. Criminals have a way of making the con look very believable in some cases. They are masters of phishing emails. At a seminar recently the speaker mentioned that a cyber criminal can lie dormant in a system for up to 2 years before they act. In that particular incident, they learned how the person communicated through email and then flawlessly mirrored it to steal money through a wire transfer. I recently read an article on cyber threats that referenced a new customer coming in and asking a customer service representative if they could pull up a website, of course with the customer providing the address. You guessed it: the website was controlled by a criminal, who was then given the golden key to the employee's computer. We surely would never think of our own customers doing something so horrible. As financial institutions we educate our employees and our customers, but it is important to remember that there is no such thing as too much education when it comes to cyber security. The game is ever changing and we must stay up to date on the latest con.

Here are some resources on the latest cyber threats:
https://www.fdic.gov/regulations/resources/director/risk/it-security.html 
https://www.ffiec.gov/cybersecurity.htm
Disclaimer: This document is for informational purposes only. It is not intended to provide legal, tax, accounting or other professional advice. No warranties or representations are made as to the accuracy or completeness of the information provided. Please note the opinions expressed in this presentation are not the opinion of or agreed upon by any other company or financial institution I am affiliated with and/or through or to which I provide consultation services. A review of regulations, Acts and guidance of the financial institutions regulatory authority should be referenced.

February 07, 2019