Reuters reported that Consumer Financial Protection Bureau (CFPB) Acting Director Mick Mulvaney is scaling back his agency’s probe of Equifax, despite the fact that the recent breach of the credit reporting agency exposed the personal data of more than 143 million people.
According to cybersecurity expert Brad Deflin, founder of Total Digital Security and a past speaker at AFP conferences and forums, letting the Equifax incident slide is particularly egregious. “Equifax took every opportunity to turn every one of these issues into profit-making and information gathering,” he said. “They even provided bad URLs for help websites that were also further exposed. And so to see the government relent and not use Equifax as an example to try to drive change is incredibly disappointing.”
Deflin added that the government only seems to be pushing companies that hold copious amounts of sensitive data to be reactive, rather than proactive. “They’re saying, after these things happen, you must report them or there will be consequences—as opposed to the preemptive elements or the broad cultural changes that need to take place to really make a difference,” Deflin stressed.
CORPORATES NEED TO STEP UP
If corporations were more proactive about protecting their customers’ data before an incident takes place, that could be a game changer, Deflin explained. Unfortunately, that isn’t happening.
“You don’t have people coming forward saying, ‘We want to be better corporate citizens, we want to get in front of this risk. We’re not just waiting for the regulatory changes.’ You just don’t see any of that; it’s very much reactive, according to something they have to do,” he said.
But if there are no consequences—and not only in terms of regulations—are companies really motivated to be proactive? Consumers still shop at Target and Home Depot. People signed up for a year of Equifax’s identity theft protection and credit report monitoring, even though the response website Equifax set up for the service had a whole slew of problems. So if consumers and the government aren’t seriously demanding anything to change, it’s highly unlikely we’ll see companies take those necessary steps.
According to Deflin, there is a huge disconnect between the sophistication of the aggressors, and the corporations that are supposed to be protecting this data. And if businesses don’t step up their game, that disconnect will only result in more incidents. “There’s very little understanding around how it’s not just an IT situation—it’s very much a cultural situation,” he said. “It’s not only treating the technology right and making sure your software is up to speed—it’s also putting your people in a position where they can think about it.”
For treasurers, that means shoring up security around treasury management systems (TMS). As financial technology continues moving to the cloud, it’s critical to ensure that your TMS has the right features to help prevent payments fraud and bank account compromise, noted Bob Stark, vice president of strategy for Kyriba. Your software vendor’s own risk governance program must also be evaluated, because treasury teams are entrusting very sensitive treasury data to their system providers.
“For example, does your treasury vendor follow ISO 27001 or similar standards?” Stark asked. “Has it invested in a security incident event management (SIEM) program and tools? Will third-party security firms share attestations that no vulnerabilities were found during system penetration testing? What network and data segregation is implemented to ensure the treasury vendor’s staff and outside parties cannot access client data? These types of questions are a minimum standard for what should be asked of treasury technology providers to ensure they are practicing proper self-governance.”
Indeed, treasury system vendors can and should be scrutinized to ensure that they are self-governing at a high level, especially in the absence of government oversight. The more treasury departments can do to manage cyber risk at a granular level, the better.