Breach Notification Priority for 2012
BITS: Enforcement of Standard Notification Law is Coming
"As always, we've tried to focus on ... emerging issues to try and get ahead of the risk question," says Smocer.
BITS, the technology policy division of The Financial Services Roundtable, has issued whitepapers that focus on social networking and cloud computing. Now the organization is engaged in work around mobile financial services and mitigating risks relating to the services in this emerging arena.
BITS is also working with DMARC [Domain-based Message Authentication, Reporting and Conformance] to enhance standards in the area of e-mail authentication.
In order to keep pace with today's top risks, banking institutions must continue completing ongoing threat assessments of the environment. "Understand the differences that are occurring in terms of threats to the infrastructure and in terms of threats being introduced by new products or changes to products," Smocer says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
It's through strong risk assessments that financial institutions can understand ongoing vulnerabilities and make appropriate fraud-prevention investments.
During this interview, Smocer discusses:
- Initiatives BITS is taking to help push legislation that would enhance breach notification;
- How more collaboration between government and the private sector can improve cybersecurity;
- Steps BITS is taking to improve e-mail authentication as well as other areas of cybersecurity concern.
Smocer is president at BITS, where he leads successful initiatives to enhance e-mail security and advance practices for identifying and validating online customers.
Cybersecurity Legislation in 2012
TRACY KITTEN: What potential legislation do you see impacting the financial services industry as we embark upon the new year? What do you see happening over the course of the next 12 to 18 months?
PAUL SMOCER: There's certainly been an uptick in activity with regard to cybersecurity legislation on the Hill. I think over the next 12 to 18 months, we're likely to see legislation related to information sharing, to updating criminal penalties and law enforcement tools, and probably in particular, with regard to critical infrastructure, a clearer definition of what the term critical infrastructure really means. I think there's a fair amount of traction on the Hill and there seems to be a growing level of support for those areas in particular to move legislation forward in the 2012 session.
KITTEN: What efforts is BITS initiating from a cybersecurity perspective, where potential legislation is concerned?
SMOCER: We're doing a number of things. We're educating our members in terms of the legislation that's being introduced and what subjects it covers in particular. We're working with our members and with the industry with regard to garnering their opinions of what's been introduced and supported as is appropriate for the legislation; in particular, the three areas I mentioned are areas where there's a high level of support from within the industry, as well as the area of cybersecurity research. I think we recognize that there are ways that we can improve the research that's being done by a collaboration of government and private industry, and we're certainly supportive of that idea and moving forward.
Data Breach Notification
KITTEN: Data breach notification is something that remains a concern for legislators, as well as the financial industry overall. What steps are financial institutions taking in the area of breach notification, and how do you see the legislative and regulatory environment impacting breach notification requirements in the coming year?
SMOCER: Let me start with what FIs are doing. I think FIs have, historically, been concerned certainly about data breaches and about notifying customers where there is an impact to them directly when it comes to a data breach. I think we see an environment today that's diffused. Most of the data breach legislation that exists today exists at the state level, so organizations that operate in multiple states, or who have customers in multiple states, are often subject to many individual pieces of legislation that they have to comply with.
There's - at the federal level for financial institutions - the Gramm-Leach-Bliley Act and its requirements with regard to data breach that have been implemented by the agencies in the regulatory framework. To answer your question generally, there's always been and will continue to be a lot of concern with financial institutions to make sure they're adequately notifying their customers if a breach occurs. I think that's part of the whole trust equation that financial institutions recognize they have a strong responsibility in. I think though, when we look legislatively, we're beginning to see the emergence of the concept of perhaps having a national-level breach notification law, that law probably based on the "best of the best" of the state-level legislation that exists today. I think we in the financial services industry already to some extent have that from Gramm-Leach-Bliley compliance, but we still have the state laws, as well. We're looking at a way that makes sense for the industry to have perhaps less diffusion and more standardization so that customers, regardless of their location, are receiving the same, strong notification where that's appropriate.
Cybersecurity Best Practices
KITTEN: Beyond the legislation, what steps is BITS taking to help the industry develop cybersecurity best practices?
SMOCER: We're doing a number of things now. As always, we've tried to focus on, particularly, emerging issues to try and get ahead of the risk question. As you know, we have recently issued papers with regard to the use of social networking and with cloud computing. We're currently engaged in work around mobile financial services and the risks and mitigations that relate to the offering of products in that area. And as well, we continue to work on e-mail authentication standards. Most recently we're working with an organization called DMARC [Domain-based Message Authentication, Reporting and Conformance], that's working on trying to enhance some of the standards in this area to make implementation of e-mail authentication a little bit easier. We continue to focus on areas of concern to our members and, as I said, primarily emerging areas, to try and make sure that the industry as a whole stays ahead of the curve.
KITTEN: Before we close, what advice could you offer institutions that are laying plans now for cybersecurity initiatives, such as some of the emerging technologies that you just talked about, and improvements in 2012?
SMOCER: If I were to offer a piece of advice, I would say continue doing what I believe everyone in the industry is doing, and that is: make sure that you're doing good, ongoing threat assessments of the environment, and understand the differences that are occurring in terms of threats to the infrastructure and in terms of threats being introduced by new products or changes to products. Financial institutions do a broad amount of threat assessment in a number of different categories, and it's that threat assessment that really helps them understand where the threats are, where controls need to be and where they need to invest their dollars going forward. As they develop their budgets, I think based on good threat assessments they make wise decisions about where to invest the dollars as is appropriate.