It seems that lately no one can escape the media coverage of high-profile security breaches. A day doesn’t pass without some well-known company admitting that it is the victim of a security breach. One constant target has been banks’ on-line systems, ever since banks began offering on-line banking web sites back in the late nineties. With the advent of on-line bill payment and payroll capabilities, as well as account-to-account or person-to-person payments complementing the traditional wire transfer options, fraudsters have an attractive target for monetary gain. It seems that as banks have implemented stronger and stronger on-line authentication systems, fraudsters have developed ever more sophisticated attacks. Amid the recent deluge of media coverage of security breaches across industries, one court recommendation published on May 27th of this year has the potential to jump-start the banking and security industry, much as the original FFIEC authentication guidance did back in late 2005.
In the case of Patco Construction Company, Inc. versus People’s United Bank d/b/a Ocean Bank, the court essentially finds that the bank did implement all the “commercially reasonable security” measures outlined by the original FFIEC guidance and defined by subsequent court rulings. Yet the bank’s security was determined not to be optimal:
“It is apparent, in the light of hindsight, that the Bank’s security procedures in May 2009 were not optimal.”
Thus, in a blunt paraphrase of the recommendation document:
The bank met the minimum requirements, thus the bank is not liable for returning any of the customer’s fraudulently stolen funds. Yet, at the same time, the bank’s security was sub-optimal. So the bank met its sub-optimal regulatory obligations, yet the customer still lost their money.
What is the big deal? What the recommendation implies, as I read it, is that the current FFIEC guidance is flat out not up to today’s threats. And banks are legally off the hook to do any more than what is contained in the outdated FFIEC guidelines. As one industry analyst wrote, “Businesses: at your own risk.”
If the lead-up to the 2005 FFIEC guidance was that banks weren’t doing enough to address on-line threats, have we reached the next precipice calling for more regulatory guidance?
In my opinion the answer is: Yes. Even non-banking Internet giants Facebook and Google have added stronger authentication solutions to their offerings, which I’ve covered before here and here.
The FFIEC was planning to update its original 2005 guidance at the end of last year, but it appears the five regulatory agencies couldn’t all agree on the final documented guidance. I believe the heat has now been turned up on the FFIEC to reach consensus and establish more up-to-date guidelines. Once the guidance is updated and published, I believe we will see another infusion of demand for more sophisticated security technology, driven by regulation-backed bank demand. Stronger regulations will tip on-line product budget priorities toward enhancing security over new features and functions.
Which startup will become the next Bharosa, Cyota or PassMark of this next wave of on-line authentication technology investment?