If the gauntlet hadn’t been thrown before to protect financial and banking customers’ data, it’s definitely lying on the floor now. The recent circular from the CFPB makes it clear that financial institutions can’t slow-walk security upgrades: “Inadequate security for the sensitive consumer information collected, processed, maintained, or stored by the company can constitute an unfair practice in violation” of CFPB regulations or even the Dodd-Frank Act. The circular also provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols, and the CFPB recently issued a statement via Twitter urging consumers to report financial institutions that do not offer sufficient multi-factor authentication (MFA) options.
Given the weight of the news, the circular is getting the attention of legal departments at banks and other financial institutions around the country. Some may have implemented phishing-resistant multi-factor authentication (MFA) solutions like security keys already across their employee network, but others may still be searching for a solution – especially at distant locations like local bank branch offices.
To help organizations understand how to avoid future violations, the circular goes on to define exactly what constitutes a violation:
- “(Something) that causes or is likely to cause substantial injury to consumers.
- (Something) which is not reasonably avoidable by consumers.
- (Something) not outweighed by countervailing benefits to consumers or competition.”
The language here is important, especially the “likely to cause” phrase in the first criterion. That means, as the circular itself says, that “this prong of unfairness is met even in the absence of a data breach.” So banks could be in violation of the law today, even before any problem becomes public, simply by tolerating a situation where a breach is “likely” to happen.
In messaging that closely mirrors the guidance given to federal agencies and their third-party suppliers by last year’s Executive Order, this move from the CFPB shows how adoption of strong MFA can also be expanded in the private sector through regulation. To stay secure against increasingly sophisticated phishing attacks, phishing-resistant MFA should be part of banks’ plans for everybody in the organization – not just employees at a headquarters building. Now that the CFPB has entered the realm of MFA regulation, other regulators may well start to focus on this issue too.
The 2017 Equifax data breach was specifically called out as an example of something that constituted an “unfair practice,” and Equifax has had to pay the price for putting 147 million consumers’ information in jeopardy.
Here are a few other “unfair practices” that were explicitly named in the circular as liabilities for a company:
- Not requiring MFA for employees or not offering MFA as an option for consumers.
- Not having adequate password management policies and practices. In practice, that means you should have processes in place to flag employees who are re-using passwords or still using default logins and passwords.
- Not routinely updating systems, software, and code or failing to make critical vulnerability updates when alerted. In practice, that means keeping track of what software is no longer maintained by vendors and understanding how your systems rely on particular third-party software packages. Equifax famously failed to patch a known vulnerability for four months, which gave hackers the access they needed.
How can you avoid risk if you’re tasked with guarding your employees’ and customers’ most sensitive data? Even if you are not working in the financial services sector, the standards that have now been set for them are a best practice for any company that wants robust security. Take these steps:
- Read the CFPB circular and have your own legal team assess your company’s liability (or presumed future liability) based on the standards.
- If you have not done so in the past two years, run a full-scale audit of how all employees authenticate and which areas need to be bolstered with phishing-resistant MFA. The audit should extend beyond privileged users to include everybody, especially those working at remote locations or on hybrid work schedules. It should also cover the software update process, to make sure there are no “Equifax-sized” holes in your systems.
- Lay out a roadmap that schedules regular security audits in the future as well as planned security upgrade rollouts. The roadmap should include a communications plan with employees and customers so that no one is caught off guard by a new authentication process or routine.
For more information on how YubiKey can bring modern authentication to financial services companies, read Yubico’s Financial Services White Paper.