- The average data breach takes 45 days to remedy at a cost of $15 million (which doesn’t include regulatory fines).
- A single breach could bankrupt a small to mid-size business.
- 97% of all companies have already been hacked.
Lenders Held Accountable With No Clear Directive

Law enforcement and government regulatory agencies are fighting cybercrime with a two-pronged approach: criminal prosecution and prevention. They actively prosecute criminals for all types of cybercrime, including hacking, identity theft, money laundering and account fraud. Money laundering alone tops $500 billion each year, and this figure is probably the tip of the iceberg. The stealth nature of computer hacking makes it next to impossible to identify and physically locate the criminals. It’s an overwhelming challenge, which has caused regulators in the US to shift their focus from prosecution to prevention. They are forcing accountability onto individual lenders and requiring stringent, documented cybersecurity programs.

These government-directed programs can be tricky to implement. Regulatory guidelines typically include a broad objective like, “Anticipate and prevent security issues.” The guidelines include suggestions on how to achieve the objective, but there’s no clear blueprint for implementation. Regulatory penalties can be severe when you don’t get it right. According to Boston Consulting Group, the worldwide fines levied against lenders since 2008 exceed $321 billion. These fines were imposed when poorly managed cybersecurity programs caused banks, and more importantly bank customers, to get caught up in money laundering and fraud schemes that may have been financing terrorist organizations.
Digital Lenders Are Most Vulnerable

Digital lending is a fiercely competitive arena, driven by younger applicants who demand instant decisions from automated, data-dynamic software systems. OnDeck, an LaaS (lending-as-a-service) provider, was recently quoted as saying, “We helped Chase take the small business loan process from six weeks to six clicks.” The nature of these warp-speed origination systems makes them vulnerable to fraudsters who use stolen identities, or synthetic identities hiding behind cloaking technologies.

Today’s lending industry sits in the eye of a perfect storm, driven by three key components. First, alternative financing, fueled by fintech mobile apps, is growing by 51% per year, and traditional lenders are all going digital. It’s big news that’s catching the attention of hackers. Second, massive data breaches are throwing enormous amounts of personal financial data out on the dark web. And third, instant-decision software systems, often supported by third-party vendors, create a variety of vulnerabilities that cyber criminals are ready, willing and able to exploit.
Cyber Safety, Lender Best Practices

At Turnkey Lender we’ve identified six cyber safety best practices that should be part of every lender’s playbook:
- build a solid foundation
- turn staff into cyber warriors
- detect fraudulent loan applications
- prevent account takeovers
- identify cross-device use
- deploy a cloud-based lending platform.
Build A Solid Foundation

Lenders who treat cybersecurity like a DIY project are taking a big risk. Cybersecurity must be an ongoing initiative led by a designated cyber safety director. Your company should tap the expertise of both cyber safety and compliance consultants to help you develop, implement and maintain your program. Their experience should include a strong track record in the lending industry and experience defending cybersecurity programs that were audited by a regulatory agency. They’ll start by reviewing your entire ecosystem for potential security gaps, including data collection, storage, encryption, transmission protocols, and interfaces with outside third-party vendors. Mobile apps require special scrutiny, including platform, servers, GPS receivers, cameras, sensors, social media accounts, etc. And you’ll want to monitor and maintain proper security over the life of a financial product, not just during launch.

Your program will include four distinct components:
- plans to protect against a breach
- plans to encrypt and obfuscate data in case of a breach
- plans to decoy data and lure attackers away from valuable information
- plans to respond immediately when a threat has been identified or an actual breach has occurred.