According to the latest SEC Risk Alert (August 2017), “…cybersecurity is one of the greatest risks facing the financial services industry.”
Their position won’t surprise anyone in the global lending arena, especially in light of Yahoo and Equifax. Yahoo has the dubious honor of holding both first place and second place on the list of worst data breaches. Equifax may rank further down the list, but its breach is more problematic, because the exposed database includes Social Security number, home address, driver’s license number and credit score for more than half the population of the United States. And it’s the half of the population with financial accounts and a credit history.
The Ponemon Institute recently reported that
- The average data breach takes 45 days to remedy at a cost of $15 million (which doesn’t include regulatory fines).
- A single breach could bankrupt a small to mid-size business.
- 97% of all companies have already been hacked.
Lenders Held Accountable With No Clear Directive
Law enforcement and government regulatory agencies are fighting cybercrime with a two-pronged approach: criminal prosecution and prevention.
They actively prosecute criminals for all types of cybercrime, including hacking, identity theft, money laundering and account fraud. Money laundering alone tops $500 billion each year, and this figure is probably the tip of the iceberg. The stealth nature of computer hacking makes it next to impossible to identify and physically locate the criminals. It’s an overwhelming challenge, which has caused regulators in the US to shift their focus from prosecution to prevention. They are forcing accountability onto individual lenders and requiring stringent, documented cybersecurity programs.
These government-directed programs can be tricky to implement. Regulatory guidelines typically include a broad objective like, “Anticipate and prevent security issues.” The guidelines include suggestions on how to achieve the objective, but there’s no clear blueprint for implementation.
Regulatory penalties can be severe when you don’t get it right. According to Boston Consulting Group, the worldwide fines levied against lenders since 2008 exceed $321 billion. These fines were imposed when poorly managed cybersecurity programs caused banks, and more importantly bank customers, to get caught up in money laundering and fraud schemes that may have been financing terrorist organizations.
Digital Lenders Are Most Vulnerable
Digital lending is a fiercely competitive arena, driven by younger applicants who demand instant decisions from automated, data-dynamic software systems. OnDeck, an LaaS (lending-as-a-service) provider, was recently quoted as saying, “We helped Chase take the small business loan process from six weeks to six clicks.” The nature of these warp-speed origination systems makes them vulnerable to fraudsters who use stolen identities, or synthetic identities hiding behind cloaking technologies.
Today’s lending industry sits in the eye of a perfect storm, driven by three key components. First, alternative financing, fueled by fintech mobile apps, is growing by 51% per year. And traditional lenders are all going digital. It’s big news that’s catching the attention of hackers. Second, massive data breaches are throwing enormous amounts of personal financial data out on the dark web. And third, instant-decision software systems, often supported by third-party vendors, create a variety of vulnerabilities that cyber criminals are ready, willing and able to exploit.
Cyber Safety, Lender Best Practices
At Turnkey Lender we’ve identified six cyber safety best practices that should be part of every lender’s playbook:
- build a solid foundation
- turn staff into cyber warriors
- detect fraudulent loan applications
- prevent account takeovers
- identify cross-device use
- deploy a cloud-based lending platform.
Build A Solid Foundation
Lenders who treat cybersecurity like a DIY project are taking a big risk. Cybersecurity must be an ongoing initiative led by a designated cyber safety director. Your company should tap the expertise of both cyber safety and compliance consultants to help you develop, implement and maintain your program. Their experience should include a strong track record in the lending industry, and experience defending cybersecurity programs that were audited by a regulatory agency.
They’ll start by reviewing your entire ecosystem for potential security gaps, including data collection, storage, encryption, transmission protocols, and interfaces with outside third-party vendors. Mobile apps require special scrutiny, including the platform, servers, GPS receivers, cameras, sensors, social media accounts, etc. And you’ll want to monitor and maintain proper security over the life of a financial product, not just during launch.
Your program will include four distinct components:
- plans to protect against a breach
- plans to encrypt and obfuscate data in case of a breach
- plans to decoy data and lure attackers away from valuable information
- plans to respond immediately when a threat has been identified or an actual breach has occurred.
Turn Staff Into Cyber Warriors
The vast majority of system breaches are caused by employee error or third-party vendors who mishandle data. Unfortunately, hacking via these two entry points is on the rise.
Help your staff understand how easy it is to cause a breach. It’s no more complicated than opening an email attachment, plugging a thumb drive into a networked computer, sharing a document via personal email, or installing a business program on a personal computer. Your entire system can be instantly infiltrated, with the intrusion lying dormant and difficult to detect until triggered from an outside source.
As soon as your team understands how they can become a hacker’s best friend (or worst enemy), then they’re already armed with the weapons they need to defend against an attack.
Your company may want to connect with one of many employee education programs that specializes in teaching and reinforcing cyber safety practices. They can even conduct blind tests to show your staff how vulnerable they are to a cleverly designed Trojan horse. The high cost of a data breach makes these programs well worth the investment.
Detect Fraudulent Loan Applications
Lenders are constantly balancing risk and reward. As the credit decision process becomes more automated, lenders must determine the best way to use security filters to reduce risk. Underuse increases the risk of fraud as you approve more bad accounts, but overuse reduces sales revenue as customers abandon applications and go to your competition.
Start by implementing basic security protocols for AML (anti-money laundering), CIP (customer identification program) and KYC (know your customer). An advanced approach is to participate in a global shared intelligence database that flags stolen identities in real time. These tactics can all be integrated into an automated system, where potential fraud is detected and prevented without any inconvenience to a legitimate applicant.
Prevent Account Takeovers
Another advantage of the global shared intelligence database is that it can help prevent unauthorized account access. Consumers and businesses tend to use the same user name, email address and password to open multiple accounts. So a fraudster can use the same stolen credentials to open new accounts and gain entry to existing accounts, where they’re free to siphon open credit or request a line increase. All without the owner’s knowledge.
We recommend a layered cybersecurity solution when it comes to account access. Start by encouraging customers to activate two-factor authentication. Then integrate your software systems with a global shared intelligence database that flags suspicious login attempts from unknown mobile devices, known botnets or masked locations.
Identify Cross-device Use
Consumers demand omni-channel access to their accounts. On Monday morning a husband pays a bill before work from a home PC. On Wednesday at lunchtime his partner deposits a check to their joint account using a smartphone on a coffee-shop Wi-Fi connection. On Thursday afternoon she checks their account balance from her office computer. On Thursday night, while lying in bed, he updates profile information using a smartphone on home Wi-Fi. And on Saturday morning they transfer funds between accounts and request a line increase over breakfast using their tablet or laptop on diner Wi-Fi.
This level of cross-device activity used to be the domain of young techno-geeks, but Baby Boomers are getting in on the act. Their grandchildren activate online account access, and then walk them through their first transactions. Consumers of all ages are addicted, and lenders are scrambling to differentiate legitimate activity from fraud in real time. Customers appreciate protection when it’s invisible, but you risk losing them to the competition when a fraud alert disrupts their day.
21st-century lenders need sophisticated software with real-time identity updates to ensure a seamless experience. A comprehensive profile includes physical address, multiple users, multiple email addresses per user, multiple computer and mobile devices, as well as location geo-targeting for mobile devices.
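The layered login check described under “Prevent Account Takeovers” and the multi-device customer profile described just above can be sketched in a few dozen lines. The following is an added example written for this article, not Turnkey Lender code and not a real shared-intelligence feed: the botnet IP list, the “masked location” tags, the risk weights and the thresholds are all constructed assumptions. Each layer (unknown device, unknown email, botnet IP, masked or new location) adds risk independently; a moderate score triggers a step-up to two-factor authentication rather than a hard block, so a legitimate customer on a new tablet is inconvenienced once, and after a successful step-up the device is enrolled in the profile so the next login passes silently.

```python
"""Layered login-risk scoring with device enrollment (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed stand-in for a shared-intelligence botnet feed (assumption, not real data).
KNOWN_BOTNET_IPS = {"203.0.113.9"}
# Constructed tags for masked locations (anonymising proxy / VPN exit) in this toy model.
MASKED_LOCATIONS = {"TOR", "VPN"}

# Risk weights and thresholds are assumptions chosen for illustration.
WEIGHT_UNKNOWN_DEVICE = 2
WEIGHT_UNKNOWN_EMAIL = 2
WEIGHT_BOTNET_IP = 5
WEIGHT_MASKED_LOCATION = 3
WEIGHT_NEW_COUNTRY = 1
STEP_UP_THRESHOLD = 2   # score at or above this: require a second factor
BLOCK_THRESHOLD = 5     # score at or above this: refuse the login outright


@dataclass
class CustomerProfile:
    """Per-customer identity profile: several devices, several emails, usual countries."""
    known_devices: set = field(default_factory=set)
    known_emails: set = field(default_factory=set)
    home_countries: set = field(default_factory=set)
    two_factor_enrolled: bool = False


@dataclass
class LoginAttempt:
    device_id: str   # device fingerprint supplied by the client app
    email: str
    ip: str
    country: str     # geolocated country, or a constructed "TOR"/"VPN" tag if masked


def score_login(profile: CustomerProfile, attempt: LoginAttempt):
    """Return (risk_score, reasons). Every layer contributes independently."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if attempt.email not in profile.known_emails:
        score += WEIGHT_UNKNOWN_EMAIL
        reasons.append("unknown email")
    if attempt.ip in KNOWN_BOTNET_IPS:
        score += WEIGHT_BOTNET_IP
        reasons.append("ip on botnet list")
    if attempt.country in MASKED_LOCATIONS:
        score += WEIGHT_MASKED_LOCATION
        reasons.append("masked location")
    elif attempt.country not in profile.home_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("new country")
    return score, reasons


def decide(profile: CustomerProfile, attempt: LoginAttempt) -> str:
    """Map the score to an action: allow, step_up (2FA), manual_review, or block."""
    score, _ = score_login(profile, attempt)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        # Without a second factor enrolled there is nothing to step up to.
        return "step_up" if profile.two_factor_enrolled else "manual_review"
    return "allow"


def enroll_after_step_up(profile: CustomerProfile, attempt: LoginAttempt) -> CustomerProfile:
    """After a successful second-factor challenge, remember the device and location
    so the customer is not challenged again from the same tablet or laptop."""
    profile.known_devices.add(attempt.device_id)
    if attempt.country not in MASKED_LOCATIONS:
        profile.home_countries.add(attempt.country)
    return profile


def demo():
    """Run the three constructed attempts and return the decisions in order."""
    profile = CustomerProfile({"pc-home", "phone-1"}, {"jo@example.com"}, {"US"}, True)
    attempts = [
        LoginAttempt("pc-home", "jo@example.com", "198.51.100.4", "US"),      # routine
        LoginAttempt("tablet-new", "jo@example.com", "198.51.100.7", "US"),   # new tablet
        LoginAttempt("tablet-new", "jo@example.com", "203.0.113.9", "TOR"),   # botnet + masked
    ]
    decisions = [decide(profile, a) for a in attempts]
    enroll_after_step_up(profile, attempts[1])          # customer passed the 2FA step-up
    decisions.append(decide(profile, attempts[1]))      # same tablet now passes silently
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The order of the layers does not matter because each adds to the score independently; what matters is that a single weak signal (a new device) leads to a second factor, not a refusal, while a strong signal (a listed botnet address) is enough to block on its own. In a production system the blocklist and masked-location data would come from the shared-intelligence feed and the weights would be tuned against real abandonment and fraud rates.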
Deploy A Cloud Lending Platform
Ratan Jyoti – Chief Information Security Officer (CISO) at Ujjivan Small Finance Bank – told us, “The burden of possessing, managing and maintaining the IT infrastructure has been the key challenge for the banking sector. Banking with the cloud has definitely been a game changer.”
SaaS or cloud-based software systems provide important security advantages for small to mid-size lenders who don’t maintain an in-house IT department or compliance team.
Cybersecurity is already included as part of their fully managed service package. The platform is constantly upgraded with new technologies to prevent cybercrimes, and new protocols that conform to the latest regulatory compliance guidelines. The software system will include cutting edge data encryption and data obfuscation methods to minimize damage when a breach occurs. Advanced systems employ deception and decoy technologies with luring techniques and engagement servers to entice an attacker away from valuable information.
Your hacker might find his way into your system, but the cupboard will be bare. If there’s nothing of value to take, then he’ll move on to an easier target.
A cloud-based lending platform can provide cybersecurity expertise, cyber safety technologies and protocols, as well as regulatory compliance updates. All without the need to develop and manage the program in-house.
US Lenders Drafted Into Service
Many countries around the globe recruit young hackers and redirect their creative talents towards government-sponsored cyber safety programs. Unfortunately for US lenders, most of their cyber talent supports private industry or criminal enterprise. US regulatory agencies are pushing prevention and accountability for cyberattacks onto the private sector. Lenders have literally been drafted into service, where they’re now serving as soldiers in the war on cybercrime.
The best way to prevent similar worldwide regulated lender accountability is through industry self-regulation, where bankers, non-bank lenders and fintech providers pool intelligence so that everyone implements the strongest cyber safety programs available.