Tangible In the News

Mortgage Compliance magazine, October 9, 2015, Tory Barringer spoke with Allen Harper about the data breach risks that mortgage lenders and other financial institutions must manage.

Financial services providers not only must deal with the cyber risks themselves but must also do so in a credible manner or bear costly consequences from regulatory bodies as well.

The intentions of the regulatory bodies are just. Reported breaches do not just harm financial firms. Their customers bear quantifiable losses when hackers steal and exploit their personally private data . Allen cautions these firms and the regulatory bodies on the unintended consequences of compliance mandates: compliance does not equate to adequate security.

Those that merely strive to comply with the letter of the mandates do not sufficiently secure their business processes. The intent of the mandates is not to prescribe a checklist of remedies. Such a checklist could not possibly fit all firms of different sizes and other characteristics. Instead, mandates seek to compel firms to engage in continuous cybersecurity risk management. This means that each firm must develop and deploy policy, people, process, and technology that is customized to its unique implementation of its business processes. While a single prescription for eye glasses can help one or more people, it actually makes matters worse for most others.

Allen urged all to assume that the attackers will penetrate their defenses. The regulatory bodies are struggling to simplify and clarify the intent and interpretation of their mandates. We can clarify one point for firms here: preventative mitigations are not enough. The regulatory bodies seek affirmation that firms rapidly identify, contain, assess, and remediate intrusions, as well as notify potentially impacted customers accurately and quickly. Naturally, a firm’s ‘bottom line’ demands rapid restoration of affected business processes. In short, regulatory bodies want nothing less than irrefutable evidence of robust, holistic risk management from financial institutions. The regulatory bodies are pursuing and penalizing firms that fail to do so.

Original article at Mortgage Compliance magazine, “The Unseen Threat: Security and Compliance in the Digital Age”