26 October 2007

Fraud Awareness: Investing in the Consumer...

A few months ago Bank of America started offering its online banking customers the opportunity to take advantage of a 90-day free trial of Symantec's products. The extension of the security perimeter has begun, and now the institutions have realized it's time to start subsidizing, mandating and influencing customers to be more vigilant.

Recognizing that defenses are only as strong as the weakest link, Bank of America has moved to shore up an area that largely is beyond its control: customers' desktops. In a move experts say is a step in the right direction toward improving online banking security, the Charlotte, N.C.-based bank announced a partnership with Symantec (Cupertino, Calif.) in which the bank will offer the security solutions provider's software to online banking customers.

According to Bruce Cundiff, a senior analyst with Pleasanton, Calif.-based Javelin Strategy & Research, the deal represents a banking best practice whose day has come. "Deputizing the customer -- bringing them into the security process ... adds layers of security," he says. No matter how strong a bank's security measures may be, end users' PCs end up being the weak links in the security chain, Cundiff explains. So it's in the banks' best interest to engage consumers.

The question remains: will the simple use of a tool like Norton mitigate the risk to the institution? Not likely. Tools alone will not stem the risks they seek to avoid, reduce or eliminate. However, customer loyalty, reputation management and a defensible standard of care will get an uptick from this kind of behavior by the institution.

These and other measures Bank of America has offered to consumers, such as "SafePass" and a downloadable "Earthlink"-powered plug-in for the Internet Explorer toolbar, are again tools that give consumers a false sense of security, because the bank has asked them to use these and endorsed them. Whenever you give people the feeling that they are completely protected, that is the point in time when they become complacent. They stop learning and stop paying attention to the cues and clues that they are in the midst of a fraud scheme or that their identity has been stolen.

Hackers no longer need to be technical wizards to set up an operation to steal people's banking information and then rob their accounts.

The number of hackers attacking banks worldwide jumped 81 percent from last year, and the number of hackers targeting credit unions increased 62 percent, according to SecureWorks. The figures are based on attacks on the Atlanta-based managed information security services provider's financial institution customers.

So why are there so many more hackers today? Joe Stewart, a senior security researcher at SecureWorks, says that hackers no longer need to be technical wizards to steal people's banking information. Hacking tool kits and malware are for sale in the online underground, he explains, noting that all hackers need are basic technical skills and the knowledge of where to go to buy what they can't build themselves.

"You go to a Web site and pay $100 to several hundred dollars, and you can buy a turnkey exploit package," says Stewart. "You can buy the malware, too, and then you're in business. ... All you really need to know how to do at this point is set up a Web site."

So what is the answer for the banks that have mounting operational risks extending into the homes of their consumers who are banking online? More tools?

Whether the answer is more education, mandatory downloads of new software prior to logging into the SSL banking site, or increased fraud detection systems, the problem will not be solved anytime soon. So what can you do to mitigate the risk as a consumer?

First off, don't do any online banking with a firm that has not implemented multi-factor authentication. Many are still dragging their customers into the false thinking that a plain old user name and password alone will do the trick.

Second, as a consumer you have to lock down your identity. Go beyond the monitoring services such as those found from Equifax or Fair Isaac and use the services offered by Lifelock.

Finally, as a bank or financial institution providing investment services, you must invest in building the awareness of your employees, partners, customers and clients. The education of the consumer is still one of the most effective means for defeating the organized criminal, face to face or online. Think about the new ad campaigns you may have seen about fake checks, and I think you will see what we mean.

19 October 2007

3rd Party Outsourcing: Compliance Management...

Hedge funds that require outsourced products or services in conjunction with their broker-dealers and clearing banks are still under the regulators' microscope. The focus on "Red Flags" is a continuous challenge, in addition to the latest operational risk mandates and due diligence on 3rd parties.

This was highlighted by Geofrey L. Master of Mayer Brown last May in one of his articles from Mondaq:

"Further, and even more significantly, hedge funds must deal with many compliance requirements that are applicable to other parties that are part of the fund's operating environment. An example of such indirectly applicable requirements is the compliance obligations faced by the fund's investment advisor, its broker-dealers, and its clearing banks. These parties face distinct, and often significant, legal and regulatory requirements that necessarily impact the fund's operations. In addition, the demands of fund investors, as well as other business environment realities, result in a variety of self-imposed operational requirements that function effectively as (and in some cases may actually become — through fraud claims, for example) legal requirements."

"With regard to laws applicable to the service provider, compliance requirements range from licensing and authority-to-do-business issues to those directly impacting service performance, such as health and safety and environmental regulations and data safeguarding requirements."

The Governance, Regulatory, and Compliance (GRC) business process within the ranks of the hedge fund has a fundamental requirement to assure that outsourced entities are executing their responsibilities. Service providers are an extension of the hedge fund's supply chain of information services and financial intelligence, which investors have taken as a natural extension of the fund's operational infrastructure. The EU Markets in Financial Instruments Directive (MiFID) takes effect on November 1, 2007 and directly intersects with the outsourcing of services to 3rd parties.

Mark A. Prinsley also of Mayer Brown sums up the impact of MiFID on firms and how they are currently managing the risk associated with outsourced services:

In substance, the rules should largely reflect no more than sound and prudent practice in any outsourcing relationships. However, in relation to the management of the outsourcing relationships, firms will be required to retain skills and exercise risk management not just for the services provided by the service provider, but also in relation to the way in which the firm manages its outsourced activities. Inevitably, this will lead to the need for more resources and skills in the areas of management and audit to be retained by firms in the financial services sector that outsource their activities.

It is also important to note that the new rules will apply retroactively. Thus, while firms will not be required to re-write their existing outsourcing arrangements, it will be prudent for them to confirm, particularly for arrangements that may not have been "material contracts" - and therefore not previously notified to the FSA - that the arrangements do meet the new rules in areas such as retention of appropriate skills and resources and management of risk.

Firms facing this increased scrutiny within the EU, and other firms looking to enhance their outsourcing resilience, need look no further than the BS 25999 standard for Business Continuity Management.

"Continued operations in the event of a disruption, whether due to a major disaster or a minor incident, is a fundamental requirement for any organization. BS 25999, the world’s first British standard for business continuity management (BCM), has been developed to help you minimize the risk of such disruptions.

By helping to put the fundamentals of a BCM system in place, the standard is designed to keep your business going during the most challenging and unexpected circumstances – protecting your staff, preserving your reputation and providing the ability to continue to operate and trade.

BS 25999 has been developed by a broad-based group of world class experts representing a cross-section of industry sectors and the government to establish the process, principles and terminology of Business Continuity Management.

It provides a basis for understanding, developing and implementing business continuity within your organization and gives you confidence in business-to-business and business-to-customer dealings. It also contains a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle."

This new standard utilizes the same Plan-Do-Check-Act life cycle that many practitioners are already familiar with from previous implementation standards such as ISO 27001 for Information Security Management Systems. BS 25999 is suitable for any organization, large or small, from any sector. It is particularly relevant for organizations that operate in high-risk environments such as finance, telecommunications, transport and the public sector, where the ability to continue operating is paramount for the organization itself and its customers and stakeholders.

03 October 2007

New Risks Require CEO Action: Beyond Awareness...

Here was our favorite question, sitting in the room at the National Press Club this week during a "Deja Vu" moment, as the Department of Homeland Security and the Federal Trade Commission kicked off the 2007 National Cyber Security Awareness Month:

"What demands, mandates or filings might be made on your organization from external organizations - public, private or regulatory - during this kind of disruption? What will your customers expect from you?"

The statistics are getting more attention these days due to the real pandemic of ID theft and transnational crime syndicates now turning to mechanisms of financial fraud. This has surpassed the drug trade in terms of revenue potential and the ease of acquiring and accessing our personally identifiable information.

The purpose of this summit, held in conjunction with the National Cyber Security Division (NCSD) of DHS, is to examine ways to develop an actionable, sustained national awareness campaign and prevention program to inform Federal, State, and local government, educational institutions, and small business users. The focus continues on protection of key resources, critical infrastructure, and personal sensitive information and identities from man-made and natural threats.

The presentation that was most refreshing and relevant was from the Honorable Deborah Platt Majoras, Chairman, Federal Trade Commission. She highlighted some of the recent enforcement actions and the continued emphasis on businesses protecting their reputations by staying out of the popular press. These remarks by Betsy Broder, Assistant Director of the Federal Trade Commission's Division of Privacy and Identity Protection, at an event last month further address the growing concern for businesses to adequately protect consumers' information:

Law Enforcement on Data Security
"One important way to keep sensitive information out of the hands of identity thieves is by ensuring that those who maintain such information adequately protect it. To further that goal, the Commission brings law enforcement actions against businesses that fail to implement reasonable security measures to protect sensitive consumer data. Public awareness of, and concerns about, data security continue at a high level as reports about breaches of sensitive personal information proliferate."

The awareness agenda continues because we are still a long way from getting the public and small and medium enterprises to recognize the fiduciary duty they have to their customers. Even the web site OnGuardOnline, produced by the consortium of government agencies working together to fight cyber crime and improve awareness, still has not found all of the answers.

The Business Roundtable's new publication "New Risks Require CEO Action" has been well received due to the greater reliance on the Internet for business operations. Here are a few of the most important questions that CEOs can ask:

1. Have we considered the dependence of our vendors and supply chain on the Internet?

2. What degree of consumer confidence in our data, services or products may be affected by a disruption of the Internet or corruption of data and services that are dependent on the Internet?

3. Have we set in motion a strategy for attaining early warning information to better protect our customers and corporate assets as well as our suppliers and partners?

The World Economic Forum estimates a 10 to 20 percent probability of a breakdown of the critical information infrastructure in the next 10 years, one of the most likely risks it studied. Additionally, it estimates the global economic cost at $250 billion, one of the largest cost estimates of the risks examined.