GRC for financial firms: The latest threatsDate: Dec 03, 2009
Information security pros in the financial industries must stay up to date on the latest threats if they want to keep sensitive data secure and meet regulatory compliance requirements. In this video, expert Eric Holmquist explains what to look out for in the current threat landscape, including Automated Clearing House (ACH) fraud. He also discusses pandemic planning and how tabletop exercises are critical for successful disaster recovery planning.
About the speaker:
Eric Holmquist is president of Holmquist Advisory and former vice president of Advanta Bank Corp.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
GRC for financial firms: The latest threats
Kelly Damore: Can you talk about ACH fraud and why
professionals need to be worried about this.
Eric Holmquist: This is an area where we are seeing a lot more
Banks have the ability to move money electronically. A lot of
people have used electronic bill paying. You use this, you are
using an ACH. You are basically creating an electronic transaction
through the Automated Clearing House to move money electronically.
The one advantage of checks is that it made money move a little slower.
Now that were moving to a more paperless society and more is done
purely electronically, money can move very, very fast. Now the problem
is that the banks have a bit of a liability because there is a certain
window of opportunity when that payment could be challenged by the
account holder, they can say, 'I did not originate that request.' The
bank may have to reimburse that money, but the money could be long
gone, and they may have trouble getting the money back. That is a
challenge for the bank. What it does is it puts a real onus on the
organization to really, really know their customers.
Now every bank has controls in place. If someone is going
originate some sort of an electronic funds transfer, they have got
steps that they need to do to verify that this is the customer, but
crooks are not stupid. If there is a way to get around the system,
they are going to figure out how to get around the system. What this
means, again, this is a risk manager's approach. This is tearing
apart the process and asking, 'How are we validating this customer?'
Do not just take comfort in saying, 'We have got these four
validation steps we are doing, and then we are done, end of that.'
That is not managing risk. Part of what a risk manager does is say,
'That is great. What could go wrong?' and really taking the time to
think through what can go wrong.
For instance, information security professionals could be part
that conversation in saying, 'What information could be
compromised if, say, a third party's database was compromised?
Would that provide somebody enough information to piece together
an authentication to create an electronic transfer? We need to be
aware of that.' That may have implications on the security questions
we ask to verify a transfer, it may cause us to rethink some of that
and revisit some of those assumptions. It just gets back to that know
your customer and knowing where your data is, so they can very
much be part of the conversation of never stopping to ask what can
go wrong. Just because I built a control, does not necessarily mean
I have managed the risk, there still could be risk there. This is an
area where regulators are focusing on, and we are seeing an uptick
in fraud related to ACH. Clearly, somebody is doing something to
beat the system. As risk managers we have to keep asking those
hard questions: 'Can we get better?'
Kelly Damore: Do you have any suggestions for how
organizations can deal with H1N1?
Eric Holmquist: The whole pandemic question is a really
good one. I have talked to a lot of organizations, and while
there is a grand debate about how real this is and how likely
this is, I think that is not the point. I think that at the end of the day,
we simply have to accept the fact that you are going to have an
event at some point that is going to require large amount of staff to
be out of the office. It does not mean we have to get stuck in, whether
it is the H1N1, I think it is very possible but we need to be able to deal
with this. What this means is that people need to have thought through
the event in great detail. A lot of times when I have looked at people's
pandemic plans, while they thought through some of the elements,
you can tell built into the plan, there is still a certain amount of,
'We will make it up as we go.'
There are assumptions built in, assumptions like how long will
remain available? If we tell them, 'You cannot come to the office
because we do not want you in a concentrated space?' People
tend to assume they will be there a month later when we need
them back. Why are you assuming that? You are assuming
people will stay home if they are sick, that is a pretty bad assumption.
What this means is that we really need to have thought through the
assumptions that are built into our pandemic plan and really testing
some of those assumptions. This means a lot of conversation with a
lot people. It also means that we need to think through some of those
response provisions ahead of time. If I am going to send people out
of the office for an extended period, how long am I going to continue
to pay them for? These are not conversations you want to be thinking
through when the event is happening, you want to have thought it
through beforehand. This is also why training is so critical. Something
as if you are sick, stay home. You need to communicate that message,
particularly in this day and age where people are fearful for their jobs.
If they say, 'If I am sick, I could get fired,' I would rather you stay home
and be sick.
Cross-training in doing jobs. Cross-training has always been
people have done but it is even more critical when I might have to run
on a reduced staff. Another assumption is assumptions about if I have
to have people work from home. I have built in assumptions that phone
lines are available, people can work from home, and they can have
access to data they might need. Again, these are all the assumptions
that people make, but they cannot just assume. You cannot manage
intuitively, we need to think it through and talk it through.
Kelly Damore: Would you recommend a table top exercise?
Eric Holmquist: Absolutely. This is one where you simply cannot
enough. I say this for all of continuity planning or disaster recovery
planning, call it what you want. I think at the end of the day, we spend
so much time building plans, checklists, inventories, and all that. That
is all great, but you simply cannot beat the value of table top exercises.
Kelly Damore: Do you have any suggestions how security
can do more with less?
Eric Holmquist: It is a great question because every single
client I have
work with right now is dealing with the 'how do I do more with less.'
The compliance burden only gets bigger but my staff is getting smaller.
The threats are getting bigger and my staff is getting smaller. The
simple answer is this: Awareness, accountability, and actionability.
We need to build more awareness around risk and risk management,
so the more I am aware of your risks and you are aware of mine, the
more I can help manage those risks. The more I am aware of your
processes and you are aware of mine, the more I can support those
processes. There is actually a lot of ways that people can help mitigate
risk and help manage controls by helping each other, but we only do it
Businesses have long been notorious for working in silos. To
extent we can break down some of those silos and build better
awareness around processes, controls, and residual risk, the better
we can be at doing more with less. It all begins with having an
understanding of what those risks are, and to a certain extent, even
understanding what my compliance requirements are. The more I
can understand them, the better I can manage them, and then better
accountability for those. If I can build clear accountability where I know
exactly whose responsibility it is, then that is fine, I can do a better job
of managing that. If I am going to have to lose somebody, I know
exactly what it is I have to move to somebody else's job description
to do more with less. It is an efficiency question, yes; but at the end
of the day, it is more risk awareness and management question.
Kelly Damore: Thank you Eric Holmquist, for bringing
to our readers. We appreciate you taking the time with us.
Eric Holmquist: Thank you. Glad to be here.
Kelly Damore: Thank you for joining us today.