New Cybersecurity Regulation Risk Assessment for Financial Services: Text Messaging
In March 2017 the nation’s first cybersecurity regulation became law imposing strict cybersecurity measures on financial institutions operating in New York. The new rules specify everything from naming a Chief Information Security Officer, to risk assessments, event notification, encryption, penetration and vulnerability testing, training and monitoring and audit logs. CISOs must submit annual cybersecurity reports to the New York Department of Financial Services (DFS) and the banks’ board of directors, detailing programs and material risks.
Financial Services: #1 Cyber Attack Target.
The DFS action is not unexpected. In 2016, financial services became the #1 target of cybercriminals, according to an IBM threat index. Criminals like the direct access to cash from stolen bank account credentials or system compromises. Remember the heist from the Central Bank of Bangladesh last year? Bad actors hacked the computer of a bank official and sent instructions to transfer $1B to their accounts. The bulk of the transfers were blocked, except they did land $81M. A failure for the bank, not the criminal. Hackers also see the abundance of customer emails, addresses, social security numbers and phone numbers held within financial systems as attractive loot that they can sell for profit. Accessing sensitive market and trade information to gain advantages in the stock market is also a common cybercriminal motive.
Text Messaging as a Risk Category
The use of SMS (Short Message Service), also known as texting, is on the rise in financial services. Over the last few years, competitive pressure to offer consumer-focused banking access, as well as opportunities for increased internal efficiency has led to a surge in text usage. As a result, banks now offer customers “text banking” to confirm customer bank account and credit card balances, transaction confirmations and amounts. Not surprisingly, cybercriminal text message targeting is also a growing practice. SMS or text messaging usage and best practices is an area that New York financial services CISOs will want to zero in on as they develop their risk assessments, programs and reports in the coming months and year. In order to comply with the new cybersecurity regulation, text messaging must also become a category for risk assessments, event notification, encryption, penetration and vulnerability testing, training and monitoring and audit logs.
Beware of SMiShing Scams
Phishing emails are not the only way cybercriminals hunt for personal information these days. SMiShing — phishing through SMS is gaining popularity, warns the Office of Cybersecurity of the State of Washington. A typical SMiShing scam involves criminals sending bank customers a text alert that looks like it is from the bank. The text says something is wrong with their account and directs the bank customer to a toll-free phone number or website where they are asked for their account and password, social security number or other PII. Just this month, hackers used a combination of malware, SMiShing and an SS7 attack to wire themselves funds from a German victim’s bank account. One key element in the cyberattack success was the criminals’ targeting of “text banking” information — they used a financial transaction confirmation number from a bank text as part of their mechanism access to funds.
As financial services organizations take advantage of the cost saving and efficiency gains of a BYOD program, they must also account for cybersecurity and regulatory demands. Company employees increasingly use BYOD devices to text sensitive client information to each other, creating risks as more cybercriminals target mobile devices with malware phishing attacks. A Bloomberg video reports that a former UK banker was recently fined for texting friends about a confidential transaction. However, not all financial services organizations have embraced BYOD, preferring to stick with company-owned phones to mitigate these risks. Some institutions have gone even more extreme, such as megabank that recently banned texting and Apps like WhatsApp from company-issued phones in a refocus on compliance.
Speaking of Compliance
Financial texting is on the radar screen of many regulators. However, a recent Smarsh survey found that text messaging was the weakest link in financial institution archiving practices. Only 52 percent of the respondents use an archiving tool to capture, retain, manage and supervise these communications. 52 percent. New Financial Industry Regulatory Authority (FINRA) regulations have specific text archiving requirements, stating that “every firm that intends to communicate, or permits its associated persons to communicate, with regard to its business through a text messaging app or chat service must first ensure that it can retain records of those communications.”
Address the Challenge Head On
It is time for financial services to face the reality that employees are texting, whether sanctioned or not. For speed and efficiency, employees are conducting critical financial discussions with their colleagues and clients every day. Demand from mobile customers for increasingly convenient banking and more text banking will only continue to surge. These trends create more cybersecurity and regulatory risk management issues for the industry. As the financial services industry integrates texting into their operations and offerings, they must ensure that their text messaging is secure and compliant. Banning text messaging and messaging apps, however, does not have to be the solution. The financial services industry can achieve secure and compliant texting today via enterprise-scale secure messaging solutions/apps. As you conduct risk assessments and programs under the New York cybersecurity regulations, FINRA and others, consider the requirements to meet your texting needs.
Compliant Texting with Confidence
Vaporstream® Secure Messaging alleviates the risks associated with native SMS text. Financial services organizations can leverage the efficiency of modern day mobile messaging while ensuring business information and sensitive data are always secure, confidential and compliant. Vaporstream uniquely keeps you in control of the conversation, your data and its use, at all times, preventing data leaks, unintentional sharing and propagation of information that can lead to mistrust, lost revenue, fines and worse. With security and privacy at the foundation of everything we do, Vaporstream ensures that all texts are captured and archived to your repository of record for compliance purposes and processes. Texts are automatically removed from devices based on corporate policies, further protecting client privacy and the organization against breach /data loss. Contact us to find out more about secure messaging and how Vaporstream can help your teams communicate with confidence, meet regulatory requirements and embrace text as a competitive differentiator. Contributor: Kristi Perdue Hinkle