5 Pillars of Cybersecurity in Financial Services

By: Melissa Stevens, Senior Digital Marketing Manager, BitSight

Financial services are one of the best-performing sectors in terms of cybersecurity. BitSight analyzed the data to pinpoint a handful of basic facts, ideas, and principles that make the financial sector so successful at cybersecurity, and outlined those “pillars” below.

Pillar #1: You Have To Meet The Expectations Of Regulations (And Beyond).

Financial services is a regulated sector—and regardless of your feelings on regulation, it does get some interesting results. When you know that someone is holding you accountable and that this party has the authority to fine or potentially shut you down, you know you have to take action. Thus, financial service organizations typically have implemented proper protections and risk management solutions, invested in the right technologies, and hired the best talent.

And while regulations are mostly about compliance, it’s pretty well understood that compliance does not equal security. To properly manage risk (and go above and beyond your fiduciary duty), you need to identify the greatest threats to your organization and focus your time and attention there.

Pillar #2: You Must Have Vigilance In Your Cybersecurity Execution.

Any company could do the bare minimum when regulators come knocking and let things slide when they leave—but that would be a big mistake. Therefore, you need to continue to be vigilant every day, not only when you’re being monitored.

Executing consistently takes both training and resources. Part of the reason financial service organizations excel at cybersecurity is because of the amount of high-level executive buy-in. The top people in the organization typically demand and expect a strong cybersecurity posture and provide the resources needed to support world-class information security risk management programs.

Pillar #3: You Must Excel At Detection And Recovery.

High-performing financial service organizations recognize that you’re never going to stop every cyberattack. There are too many gaps and too many ways that someone can access and exploit a system. So while you need to excel at protecting your high-value assets and data, you also must excel at detecting security issues and recovering from any data loss quickly and efficiently.

Pillar #4: You Need To Manage Risk In The Third-Party Ecosystem.

Many breaches that happen to financial service organizations originate on vendor networks. Financial organizations are keenly aware of risks in the supply chain and the need to properly manage those risks. This is a challenge of scale: how should an organization prioritize its attention across the vendors of medium and high criticality in its ecosystem? It requires an investment of both time and resources; but when you consider the consequences to your data (or your members’ data) if a third- or fourth-party system is compromised or goes down, the investment is certainly worth it.

Pillar #5: You Should Consider Information Sharing.

Another thing the financial services industry does well is sharing information. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a mature industry forum created specifically for the financial services industry to share cybersecurity intelligence about threats to the sector. In it, you’ll find a tremendous amount of collaboration around threat actors and the capabilities of those actors. Members feel that acting in collaboration is better than acting in isolation, which makes membership in the FS-ISAC extremely advantageous.

A Final Note On Cybersecurity In Financial Services:

Cybersecurity has been of great importance in the financial sector because of the amount of regulation in the industry. Even if you aren’t subject to regulations, one of your vendors likely is, and their organization could be breached, compromising your data.

But regulation isn’t the only reason that this is critical. It’s also critical because you’re in the business of trust. If your members lose faith in your ability to protect their information or provide a service reliably, your reputation and business may suffer as a result.

BitSight is the NAFCU Services Preferred Partner for Cybersecurity Rating. Learn more at www.nafcu.org/bitsight.

Card Fraud Lessons Exposed

By: Ann Davidson, VP of Risk Consulting at Allied Solutions

Recently Allied Solutions presented a webinar on card fraud in response to the reported increase in card fraud attacks. When polled, 81% of attendees stated they have personally experienced an uptick in card fraud during the last 12 months.

After this webinar, Allied reached out to individual financial institutions to perform an assessment of their risk programs and help uncover potential causes of the card fraud they were experiencing. Here’s what they found:

  1. Financial institutions were seeing increased instances of PIN fraud at the ATM.

Discoveries:

    • A fraud monitoring system (FMS) was not in place for PIN authorizations performed at an ATM.
    • All employees were granted the authority to change ATM PINs when requested by a caller.

Preventive Actions:

    • Confirm in writing from your PIN vendor that you have an FMS in place for all types of authorizations.
    • Ensure PIN change requests are performed using robust authentication measures, especially if you have a voice response unit (VRU); do not give your employees the authority to manually process PIN changes.
    • Review your PIN change reports to see if there is a notable increase in PIN changes.

  2. Financial institutions were seeing high daily dollar amounts on card transactions.

Discoveries:

    • Credit card limits were set at the line of credit for a 24-hour timeframe.
    • Debit signature limits were set to the available balance in the cardholder’s account.
    • Debit PIN limits for POS and ATM were set at $1500 and greater.

Preventive Actions:

    • Confirm you have daily dollar limits for ALL types of transactions.
    • Set your daily dollar limits to suit your organization’s risk appetite and tolerance.
    • Ensure daily dollar limits are set to accommodate the spending activity of your account holders.
    • Let your cardholders know they should inform your organization if they want the daily dollar limit raised to better accommodate their transactions.
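The discoveries and preventive actions above describe one control: a per-type daily dollar limit applied to the rolling total of a card’s authorizations. The following Python is an added example, not Allied Solutions’ code or any processor’s rule engine, and the limit values, card profile and sample transactions are assumed for illustration. It models the weak configuration the assessments found (signature limit falling back to the available balance, PIN limits at $1,500) beside a hardened profile in which every transaction type has its own ceiling, and runs a constructed ATM cash-out through both so the difference in loss is visible.

```python
"""Daily dollar-limit authorization check: the weak settings Allied found beside
a hardened profile. Added example, not Allied Solutions' code; limits are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Transaction types called out in the discoveries above.
CREDIT = "credit"
DEBIT_SIG = "debit_signature"
DEBIT_PIN_POS = "debit_pin_pos"
DEBIT_PIN_ATM = "debit_pin_atm"


@dataclass
class Auth:
    card: str
    kind: str
    amount: float
    ts: datetime


@dataclass
class CardProfile:
    line_of_credit: float
    available_balance: float
    # None means "no separate daily limit": the weak configuration, where the
    # only ceiling is the credit line (credit) or the available balance (debit).
    daily_limits: Dict[str, Optional[float]]


def effective_limit(profile: CardProfile, kind: str) -> float:
    limit = profile.daily_limits.get(kind)
    if limit is None:
        return profile.line_of_credit if kind == CREDIT else profile.available_balance
    return limit


def authorize(approved: List[Auth], auth: Auth, profile: CardProfile,
              window: timedelta = timedelta(hours=24)) -> Tuple[bool, str]:
    """Decide one authorization against the rolling-window total for its type.
    Balance and credit-line checks are separate controls and not modelled here."""
    since = auth.ts - window
    spent = sum(a.amount for a in approved
                if a.card == auth.card and a.kind == auth.kind and a.ts > since)
    limit = effective_limit(profile, auth.kind)
    if spent + auth.amount > limit:
        return False, f"{auth.kind}: {spent + auth.amount:.2f} exceeds daily limit {limit:.2f}"
    return True, "approved"


def run_day(auths: List[Auth], profile: CardProfile) -> List[Tuple[Auth, bool, str]]:
    approved: List[Auth] = []
    results = []
    for a in sorted(auths, key=lambda x: x.ts):
        ok, reason = authorize(approved, a, profile)
        if ok:
            approved.append(a)
        results.append((a, ok, reason))
    return results


def approved_total(results) -> float:
    """Dollars the rule let through: with a cloned card, this is the loss."""
    return sum(a.amount for a, ok, _ in results if ok)


# Constructed sample: a cloned debit card cashed out at an ATM (four $500
# withdrawals in 45 minutes) followed by a $2,000 signature purchase.
T0 = datetime(2016, 3, 1, 2, 0)
CASHOUT = [
    Auth("4111********1111", DEBIT_PIN_ATM, 500.0, T0 + timedelta(minutes=15 * i))
    for i in range(4)
] + [Auth("4111********1111", DEBIT_SIG, 2000.0, T0 + timedelta(hours=1))]

# As discovered: no separate signature limit (falls back to the $4,000 balance),
# PIN limits at $1,500.
WEAK = CardProfile(line_of_credit=10_000.0, available_balance=4_000.0,
                   daily_limits={CREDIT: None, DEBIT_SIG: None,
                                 DEBIT_PIN_POS: 1_500.0, DEBIT_PIN_ATM: 1_500.0})
# Hardened: every type has its own ceiling, sized to typical member activity
# (assumed values) and raised on a member's request rather than defaulting up.
HARDENED = CardProfile(line_of_credit=10_000.0, available_balance=4_000.0,
                       daily_limits={CREDIT: 2_500.0, DEBIT_SIG: 1_000.0,
                                     DEBIT_PIN_POS: 750.0, DEBIT_PIN_ATM: 500.0})

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", HARDENED)):
        results = run_day(CASHOUT, profile)
        print(f"{label}: fraud loss {approved_total(results):.2f}")
        for a, ok, reason in results:
            print(f"  {a.ts:%H:%M} {a.kind:<15} {a.amount:>8.2f} {'OK' if ok else 'NO'} {reason}")
```

Under the weak profile the rule approves $3,500 of the constructed cash-out; under the hardened profile it approves $500. The hardened ceilings are assumptions; the point of the third and fourth preventive actions is that they should be tuned to real member spending and raised per cardholder on request, not set so high that they never trigger.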

The discoveries that were made after communicating with these financial institutions demonstrate the importance of ensuring you have strong security measures in place to help prevent fraud attacks, while at the same time verifying the strength of your card processors’ and vendors’ security layers.

Watch the recording of Allied’s Card Fraud on the Rise: How Financial Institutions Can Help Prevent It webinar, co-presented by Ann Davidson and Tammy Behnke, Program Executive at ProSight Specialty Insurance, to hear more about how you can remain more protected from card fraud.

Hear more about security breaches and learn what your financial institution can do to help prevent and respond to breaches by attending Allied’s upcoming webinar Data Breaches Continue to Rise: How Financial Institutions Can Prepare & Respond on May 4.

Allied Solutions is the NAFCU Preferred Partner for Insurance—Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP); and rateGenius. Learn more at www.nafcu.org/allied.

3 Questions for Your Mobile Banking Partner (Part 2)

By: Will Furrer, Senior Vice President – Product Group, Q2  

We pick up this blog series by addressing the last two questions your credit union should be asking a digital strategy company when developing a mobile banking plan.

Check out Part 1 of the blog series here to learn about the importance of providing a consistent experience on mobile.

Question 2: How does security work for the mobile channel?

Mobile security is becoming more critical every day, due in large part to the fact that today’s mobile devices are essentially hand-held computers. As such, the risk of device compromise is something every member, and you as a credit union, should be keenly sensitive to.

Because of this, the security of your mobile banking solution can’t simply be the ‘latest and greatest’ protection available; it must be ahead of the times, using the advanced techniques that behavioral modeling and machine learning make possible.

Interconnectivity & Behavioral Analysis

Mobile banking is not the only type of digital banking your members will do, therefore, it is critical that your mobile security be part of a holistic view of each member’s behavior within your entire digital banking ecosystem.

A comprehensive picture of members’ behaviors across all your virtual channels answers questions such as: What operating system do they use for their banking? What time of day do they usually do their banking? What do their typical movements through the application look like?

The power of interconnected solutions, or better yet of a single-platform solution, is very much aligned with credit unions seeking to be the most trusted, secure brand their members engage with.


Question 3: Does your mobile banking application provide support for commercial banking members?

As the majority of forward-leaning credit unions seek to meet their members where they are, small business features and functions available via the mobile channel are becoming increasingly important. Small businesses, a.k.a. SoHos (small office/home office), are springing up in millions of American households every year, and their owners prefer to bank with a credit union because of the service, support, rates, and connection to the community where they live and work. Neglecting their mobile business banking needs, however, will put the business of these profitable households in jeopardy over the coming years.

Feature / Function

Small and medium businesses (SMBs) require access to ACH for payments and payroll. Sometimes that is only a few people, but more and more frequently SMB owners are running these payments through their personal accounts, meaning they are moving larger amounts of money to more employees or contractors.

The great news is that your credit union can work through the SMB owner’s existing relationship with you to provide accounts for these potential members. It’s a win/win: a win for the owner of the SMB, who is now able to manage payroll via a mobile device, as well as approve wires and draft payments, which is what they expect from a progressive credit union like yours, and a win for your credit union in the form of new members.

Conclusion

Above all else, offering a business banking solution via mobile devices will provide your members the same freedom they have come to appreciate with your retail banking products—expanded to where they make their living, not just where they check their balances. Mobile commercial banking access is a clear separator for innovative credit unions, one that will benefit you and your members.


Q2 is the NAFCU Preferred Partner for Single Platform Virtual Banking Solutions—Including Online and Mobile—for Community and Regional Financial Institutions. Learn more about Q2 by visiting www.nafcu.org/q2.

3 Questions for Your Mobile Banking Partner (Part 1)

By: Will Furrer, Senior Vice President – Product Group, Q2  

With the ubiquity of the mobile-first member, implementing a mobile banking solution should be a top priority for your credit union. In this blog series, we will address the top three questions your credit union should ask a digital strategy company when developing a mobile banking plan.

Question 1: Does your mobile digital experience mirror your online channel?

People say the mark of a true champion is consistency. The same is true for mobile banking. Although mobile banking is seeing rapid adoption and growth by credit union members, it’s not projected to actually outpace interactions via the desktop until the year 2020.

The ability of your digital solutions vendor to provide a consistent experience—from data to workflows to functionality—should be high on the priority list as you make your selection.

Data Consistency  

When discussing mobile strategy with a possible partner, it’s important to ensure that all of your data is consistent between devices. When making buying decisions for a mobile banking partner, this attribute is often overlooked.

The accuracy of the data across devices—desktop, laptop, tablet, and mobile phone—is critically important. Without consistent data, you risk eroding the brand you work so hard to promote with your members; confused and frustrated members aren’t generally good brand promoters.

Consistent data across devices is table stakes for today’s multi-device member. Earn their trust, solidify your brand, and grow your digital channel strategy with consistency at its core.


Dependable Experience

The branch used to be the central touchpoint for most credit unions. Today, however, more interactions are happening outside the branch than ever before.

Providing a dependable brand experience on any device, anytime, that’s in line with what your members need and desire, should be paramount in your decision making. The language and workflows your members are accustomed to on their computers should mirror that of their mobile devices.

The same care should be taken with the digital experience you provide your members, as the care you demonstrate when members are in the lobby of your credit union.


Reliable Functionality

Finally, where the rubber meets the road is with functionality. What members want is the ability to do everything they can do online on their mobile devices. Scheduling bill payments, aggregating accounts, categorizing expenditures and setting language preferences – all the value they’re afforded on their laptops and desktops, they also demand on their mobile devices.

Strengthen your credibility with your mobile members by ensuring they have access to all the features and functionality they have on their desktops, with a mobile banking tool that has the reliable functionality they can count on.


Look for Part 2 of our blog series for Questions 2 & 3 of what to ask your mobile banking partner, and to learn about implementing a mobile strategy.


Q2 is the NAFCU Preferred Partner for Single Platform Virtual Banking Solutions—Including Online and Mobile—for Community and Regional Financial Institutions. Learn more about Q2 by visiting www.nafcu.org/q2.

Card Data Breach Loss Prevention Checklist

By Ann Davidson, VP of Risk Consulting at Allied Solutions

Many of the large-scale card data breaches in 2015 involved the compromise of magnetic stripe data on both credit and debit cards. In most of these breaches the compromised data was full track 1 or track 2 magnetic stripe data, captured in transactions the merchant submitted during authorization with POS entry mode 90 (a full magnetic stripe read). Because track data can be duplicated onto a counterfeit card, there will likely be a high risk of future fraud exposure if you opt not to block and reissue these cards.

For an in-depth look into payment card fraud risks that many credit unions are being hit hard with right now, watch Allied’s webinar “Card Fraud on the Rise: How Financial Institutions Can Help Prevent It.”

Card Data Breach Loss Prevention Checklist:

  • Evaluate the compromised card number to help determine if the risk is high
    • A high risk involves the full unaltered magnetic stripe data from track 1 and/or track 2 – track 1 carries the cardholder name; track 2 does not
  • Confirm you’re utilizing “name matching” if track 1 data was part of the breach
  • Review card associations’ alerts and act immediately on at risk card data outlined in alert
  • Analyze at risk open card accounts to determine which cards are/are not still active
  • Review other card accounts to find out which cards are non-active and have already been closed due to fraud
  • Identify the fraud pattern to uncover the common point of compromise (CPP)
    • This is where the breach took place, not where the fraud occurred
    • Once discovered, report the CPP immediately
  • Block and reissue impacted, open card numbers when magnetic stripe has been compromised
  • Accelerate the reissuance of active cards prior to their expiration date
  • Consider reissuing the card 30 to 180 days before the date of expiration
  • Ask the card association(s) to take recovery action related to any expenses
  • Report the fraud to the Visa Fraud Reporting System and/or MasterCard’s SAFE (System to Avoid Fraud Effectively), as this is a requirement under the card associations’ rules
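The first three checklist items and the reissue guidance above amount to a triage routine: decide from the compromised data whether the full stripe was taken, confirm name matching if track 1 was exposed, and check how close the card is to its expiration date. The following Python is an added example, not Allied Solutions’ code or any card association’s tooling. It parses track 1 and track 2 in their ISO/IEC 7813 layouts (track 1 carries the cardholder name between the `^` separators; track 2 does not), Luhn-checks the PAN, and returns a risk and action for a constructed alert. The PAN 4111 1111 1111 1111 is a standard test number, and the names, dates, service codes and discretionary data are constructed. The `name_matches` function is the authorization-time “name matching” control: a counterfeit built from stolen track 2 data often carries a re-encoded track 1 bearing the fraudster’s own name, which is the case a name-on-file comparison declines.

```python
"""Triage of a compromised-card alert by track data. Added example, not Allied's
code; card numbers, names and dates are constructed test data."""
import calendar
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# ISO/IEC 7813 layouts. Track 1 (format B) carries the cardholder name between
# the '^' separators; track 2 carries only PAN, expiry, service code and
# discretionary data, so a stolen track 2 alone never reveals the name.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: weeds out PANs mangled in the alert before any lookup."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track1(raw: str) -> Optional[dict]:
    m = TRACK1_RE.match(raw)
    return m.groupdict() if m else None


def parse_track2(raw: str) -> Optional[dict]:
    m = TRACK2_RE.match(raw)
    return m.groupdict() if m else None


def normalize_name(track1_name: str):
    """'DOE/JANE.MS   ' -> ('DOE', 'JANE'): surname/first name, title dropped."""
    surname, _, given = track1_name.strip().partition("/")
    given = given.split(".")[0].strip().split(" ")[0]
    return surname.strip().upper(), given.upper()


def name_matches(track1_name: str, name_on_file: str) -> bool:
    """The 'name matching' control: the name encoded on track 1 must agree
    with the account record, or the swipe is declined."""
    surname, given = normalize_name(track1_name)
    parts = name_on_file.upper().split()
    return len(parts) >= 2 and parts[-1] == surname and parts[0] == given


def expiry_end(exp_yymm: str) -> date:
    """Track expiry is YYMM; the card is good through the last day of that month."""
    year, month = 2000 + int(exp_yymm[:2]), int(exp_yymm[2:])
    return date(year, month, calendar.monthrange(year, month)[1])


@dataclass
class CompromiseAlert:
    pan: str
    track1: Optional[str] = None   # present only if the full stripe was captured
    track2: Optional[str] = None


def triage(alert: CompromiseAlert, name_on_file: str, today: date,
           early_reissue_days: int = 180) -> dict:
    t1 = parse_track1(alert.track1) if alert.track1 else None
    t2 = parse_track2(alert.track2) if alert.track2 else None
    full_stripe = t1 is not None or t2 is not None
    result = {
        "pan_valid": luhn_ok(alert.pan),
        "track1_full": t1 is not None,
        "track2_full": t2 is not None,
        "risk": "high" if full_stripe else "lower",
        "name_match": name_matches(t1["name"], name_on_file) if t1 else None,
        "expiring_soon": None,
        # Full unaltered track data can be cloned: block and reissue the open card.
        "action": "block_and_reissue" if full_stripe else "monitor",
    }
    exp = (t1 or t2 or {}).get("exp")
    if exp:
        result["expiring_soon"] = (expiry_end(exp) - today).days <= early_reissue_days
    return result


# Constructed alerts (test PAN 4111 1111 1111 1111, not a real account).
ALERT_FULL = CompromiseAlert(
    pan="4111111111111111",
    track1="%B4111111111111111^DOE/JANE^1612101123456789?",
    track2=";4111111111111111=1612101123456789?")
ALERT_PAN_ONLY = CompromiseAlert(pan="4111111111111111")
TODAY = date(2016, 8, 1)   # assumed date of the alert review

if __name__ == "__main__":
    for label, alert in (("full stripe", ALERT_FULL), ("PAN only", ALERT_PAN_ONLY)):
        print(label, triage(alert, "Jane Doe", TODAY))
    print("counterfeit track 1 name SMITH/JOHN on file as Jane Doe:",
          name_matches("SMITH/JOHN", "Jane Doe"))
```

For the constructed full-stripe alert the result is high risk, block and reissue, with the name matching the account and the card inside the 180-day early-reissue window; for the PAN-only alert it is lower risk and monitor, with no name to compare. Identifying the common point of compromise across many such alerts is a separate step the checklist describes and this example does not attempt.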

Watch Allied’s webinar “Card Fraud on the Rise: How Financial Institutions Can Help Prevent It” to learn more about payment card fraud risks.

Allied Solutions is the NAFCU Services Preferred Partner for Insurance—Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown Protection (MBP). More educational resources and partner contact information are available at www.nafcu.org/allied.