Employee Behavior Key to Lowering GLBA and Information Security Risk
Two recent regulatory fines, specifically related to employee activity, provide a stark reminder to our industry: Employee behavior—and management’s oversight of it—plays a pivotal role in every financial institution’s overall compliance stance.
Wells Fargo was fined $185 million in 2016 after its employees opened approximately 3.5 million unauthorized customer accounts. More recently, the Financial Industry Regulatory Authority (FINRA) fined Raymond James $2 million in 2017 for failing to monitor employee emails as required.
Although these institutions are regulated by different agencies and rules, both violations involved employee activity. An additional connection is that some institutions are now experimenting with technology that can monitor more than just employee emails. American Banker reports that in the wake of the Wells Fargo scandal, “large banks have begun using IBM’s Watson artificial intelligence software to monitor employees for signs of misconduct.” But both American Banker and the Harvard Business Review warn that such monitoring carries its own risks, legal and otherwise.
It may be some time before the ethical and legal debate about employee monitoring is resolved and the cost of artificial intelligence technology for doing so is within reach for smaller institutions. In the meantime, there are ways to encourage and promote employee behaviors that protect your customers and your institution from risk.
Best Practices for Reducing GLBA and Information Security Risk
Banks invest heavily in technical tools and controls to comply with information security regulations like the Gramm-Leach-Bliley Act (GLBA). However, it is important not to overlook the human element of protecting the privacy and security of consumers’ personal financial information—which is the crux of GLBA. Employees interact with consumer personal information and your network and systems every day as part of their jobs.
Some of that activity can be managed or controlled through technical tools that keep employees from inadvertently or deliberately putting your institution or its customers’ data at risk. However, we’ve identified six routine employee activities that cannot be entirely controlled through technical tools. Implementing the following best practices for these activities will reduce your institution’s exposure to operational, compliance, legal and reputational risk as a result of information security lapses.
1. Open Emails with Caution: Today, email is one of the primary forms of business communication, with employees likely receiving hundreds of incoming emails a day. Even though email-filtering systems can detect and stop a significant number of emails socially engineered by nefarious actors to look legitimate, cyber criminals constantly update their methods to stay one step ahead of such technology. Therefore, human judgment is needed to help close that remaining gap.
Engage your employees in helping fight this battle by routinely talking to them about social engineering tactics at the team, department and enterprise level. Use real-life examples gleaned from social engineering testing, and conduct formal social engineering training with all new employees as well as routine refresher courses for all others.
The ultimate goal of such communication and training is to build a healthy sense of skepticism and a strong sense of awareness when checking email. At a minimum, your employees should handle every email as follows:
- Email sender’s address: If the sender is unknown, proceed with extreme caution. If the sender is known, carefully inspect the “from” address to look for slight alterations, which signal a spear phishing attempt.
- Body of the email: Incorrect grammar and spelling, along with threats or urgent messages within the body of the email, are clear red flags not to open any links or attachments.
- Links in the email: Hover over any URL links in the email. If the address displayed is different from what is written in the email, the link likely points to a site loaded with malware.
- Still unsure: Attempt to verify the legitimacy of the sender by contacting them directly through a known channel, or by enlisting information technology staff for assistance.
2. Send Emails with Care: Your employees also likely send out a large number of emails each day. As an institution, you want to ensure that no information sent within such emails violates GLBA’s Safeguards Rule, which requires financial institutions to protect customers’ private financial information. The Federal Trade Commission advises financial institutions to help meet that obligation by “regularly reminding all employees of your company’s policy—and the legal requirement—to keep customer information secure and confidential.”
In addition, all employees should understand the need to encrypt any outgoing email that includes sensitive customer information, especially if it is from a public network. Again, there are technical tools that can detect such phrases as “social security number” in emails and provide a reminder to encrypt before sending, but it is wise to set up your employees as your failsafe. Make sure that all new employees understand your GLBA obligations and your information security policies and provide regular refresher training to all employees.
3. Use Social Media as Directed: Since the Federal Financial Institutions Examination Council (FFIEC) issued its Social Media: Consumer Compliance Risk Management Guidance in 2013, social media has become even more embedded in our society. More banks have a social media presence, and using it to communicate with customers has become more prevalent. This underscores the importance of frequently reminding employees about the details and merits of your social media policy.
The FFIEC guidance warns that, “Since this form of customer interaction tends to be both informal and dynamic, and it may occur in a less secure environment, it can present some unique challenges to financial institutions.” GLBA compliance is, of course, one of those challenges, but the FFIEC warns that this medium’s casual and familiar nature also increases the risk of non-compliance with other regulations, including the Truth in Savings Act (TISA); Truth in Lending Act (TILA); various Fair Lending Laws; and Unfair, Deceptive or Abusive Acts or Practices (UDAAP).
To combat these challenges, the FFIEC guidance calls for an employee training program that provides a comprehensive explanation of your policies and procedures in regard to work-related and other social media activities. It should also discuss the various compliance and legal ramifications that can occur if employees do not adhere to the policy.
4. Stick to Credible Internet Sites: Malware does not just come from email attachments and links. Employees searching the web can stumble upon sites chock full of malware. Technical controls can block the majority of these sites from being accessed by corporate computers, but to complete job functions such as research or customer prospecting, employees may feel the need to override such system defenses. Employees need to understand when it is acceptable to do so, and that in such instances, they should limit their web search to well-known and credible sites.
Institutions should also provide frequent reminders to employees about policies relating to personal Internet usage from corporate computers and appropriately deal with those who disregard them.
5. Be Password Savvy: An institution’s password protocols are only as strong and effective as the people who use them every day. Your protocols should be clearly and routinely reiterated to all staff with these helpful reminders:
- Do: Change your password immediately when directed by the system
- Do: Use the strongest combination of characters possible for your password
- Don’t: Share your password with anyone inside or outside the institution
- Don’t: Leave hints about your password in your work area
- Don’t: Use the same password for more than one account or system
6. Limit Data Access: Finally, employees in a managerial or administrative position also play a critical role in your information security program, as they are the ones to grant access to sensitive data or systems. They should be routinely reminded to actively limit access to both on an as-needed basis and to proactively rescind such access if and when the need no longer exists.
Partner with Your Employees to Create a Security Culture
Communicating these best practices to your employees is part of a deeper strategy to create a sense of shared purpose: It is in everyone’s best interest to protect the information in your institution’s possession and the systems that house it. The FFIEC Information Security Booklet calls this a security culture, which it says “is more effective when security processes are deeply embedded in the institution’s culture.”
In A Best-practice Model for Bank Compliance, consulting firm McKinsey describes what happens when such processes are not embedded: “Risk culture has a special place in the compliance playbook. Indeed, most serious failures across financial institutions in recent times have a cultural root cause leading to heightened regulatory expectations.”
At the end of the day, an institution’s board and senior management are ultimately responsible for the activities of employees, and institutions can face heavy penalties when such activities violate laws and regulations. Just ask Wells Fargo and Raymond James.
Amber Goodrich, compliance strategist for CSI Regulatory Compliance, has more than 10 years of financial industry experience. She is a Certified Regulatory Compliance Manager (CRCM) and Certified Bank Secrecy Act (BSA) Professional (CBAP).