Tag: social media

17 Dec 2013

FFIEC Issues Final Social Media Guidance…and Challenges Remain

Originally proposed back in January 2013, and following a comment period in which they received and evaluated 81 official comments, the FFIEC has at last released their final guidance for financial institutions engaging in social media activities.  I expect all the regulatory agencies to adopt it soon (the FDIC has already, and pretty much verbatim).

According to the FFIEC, this final guidance is “…substantially as proposed, but with some changes”.  I wrote about this when it was first proposed and I encourage you to read my original post for the specific components of a social media risk management program.  This post will focus only on the major changes between the two, and four main “grey” areas that I felt required clarification for institutions.

I did a word-for-word comparison of the verbiage in the proposed with the final, and there seemed to be some softening of the verbiage in some areas (no doubt due to the comments received).  For example, originally the guidance said that “…this form of customer interaction…occurs in a less secure environment, and presents some unique challenges…”.  This was changed to “…Since this form of customer interaction…MAY occur in a less secure environment, it CAN present some unique challenges…”.  Other areas were expanded; for example the requirement to provide “guidance” for employees was expanded to “guidance AND TRAINING”.  Also, the risk management component that included “…A DUE DILIGENCE process for selecting and managing third-party service provider relationships” was changed to “…A RISK MANAGEMENT process for selecting and managing third-party relationships….”.

There were minor clarifications to Reg Z and UDAAP expectations, and a fairly considerable expansion of the CRA requirement to retain public comments.  Fortunately this was limited to comments received only through social media sites run by, or on behalf of, the institution.  Comments made elsewhere would not have to be retained, as they are “not deemed to have been received by the institution”.  (Unfortunately this “not deemed to have been received” concept applies only to CRA comments, not complaints or disputes.  See #2 below.)  Finally the guidance makes it clear that email and text messages on their own do not constitute social media…unless (presumably) they are facilitated through a social media platform.

Here are the four “grey” areas that I think needed the most clarification for financial institutions, and my interpretation of the guidance:

  1. Does the guidance impose a single standard of expectations for all institutions regardless of their degree of involvement in social media activities?
    • No.  Although all institutions are expected to implement a risk management program, it should be consistent with the breadth of the institution’s involvement in social media activities.  And it should be designed with input from folks in compliance, technology, information security, legal, human resources, and marketing.  However, even institutions who choose to not use social media should be aware of the risks of not being able to respond to negative comments or complaints that may arise elsewhere. (More on that in the next bullet.)  So it looks as if a policy and a risk assessment are required regardless of the level of your involvement in social media activities, even if you choose to opt out.
  2. Would institutions be required to monitor and respond to all communications about the institution throughout the Internet?
    • No, but institutions are expected to understand the risks of NOT being able to respond, particularly the reputation risks of not being able to respond to complaints or disputes originating from other channels.  They also mention the “challenge” for institutions to protect their brand identity by being aware of the risk of someone “spoofing”, or masquerading as, the institution.  All these risks exist regardless of the institution’s decision to engage in social media activities.  In fact, responding to a negative comment or spoofing attack may be much more challenging if you’ve decided to not engage at all, or even not to engage on a particular platform; for example, if a comment is made on Twitter and you don’t have a Twitter account.  The guidance still recommends the use of social media monitoring tools and techniques to identify potential risks but leaves the procedural specifics, and any actual response, up to the institution.
  3. How much control would be required over employee use of social media, both during business hours, but more specifically on their own time?
    • Not as much as the proposed guidance first indicated.  The final guidance makes a clear distinction between employee “official” use, and employee “personal” use.  Institutions must establish policies and training that clearly outline what employees are, and are not, allowed to communicate in their official capacity.  But the guidance stopped short of requiring institutions to impose any restrictions on employee personal use of social media, saying only that institutions evaluate the risks for themselves and determine appropriate policies.  Since the potential for reputation risk exists regardless of whether employees are posting officially or personally, I believe you should strongly consider including guidelines for employee personal use in your training, even if it’s not covered in your policies.
  4. How much due diligence is required by institutions for social media providers?
    • Plenty.  And in my opinion vendor management is where the biggest challenges lie for financial institutions.  The guidance states that “…Working with third parties to provide social media services can expose financial institutions to substantial reputation risk.”  (emphasis mine)  And they point out that this guidance “…does not impose any new requirements…”.  So the regulators require the same degree of due diligence for social media vendors that they require for all other potentially high-risk service providers, and just as with any other outsourced relationship, you are expected to complete it prior to engaging with the provider.

But selecting and risk-managing social media vendors is much more challenging.  First of all, unlike with other initiatives, once you’ve selected your platform you don’t have a choice of providers.  If you choose to utilize Facebook or LinkedIn or Twitter for example, the provider is the platform.  It’s not as if you can select among multiple Facebook vendors!  Furthermore you are expected to be aware of matters such as the vendor’s reputation, their policies regarding use of your (and your customers’) information, how (and how often) their policies might change, and what (if any) control you have over the vendor’s policies and actions.  So let’s take a look at these expectations in order:

  • The vendor’s reputation?
  • Their policies?
    • Social media vendors exist to sell advertising.  Their policies exist to support their profit model, which is to try to get their users to disclose as much information as possible about themselves in order to better target advertising.  Regardless of what they may state in their privacy policy, contrast their business objectives with yours.
  • How often might social media vendors change policies?
    • As often as they like, and without prior notification.
  • What control do you have over the vendors’ policies and actions?
    • None.

Once you’ve assessed all potential risks, your next challenge is to try to mitigate them.  Standard vendor risk controls consist of requesting, obtaining, and reviewing documentation such as financial reports, third-party audits, contractual confirmation of GLBA adherence, BCP testing results, etc.  But often requests for this type of documentation are either ignored or refused by social media providers, and even when documentation is provided, it doesn’t directly address your privacy, confidentiality, and security concerns.  Social media service providers are simply not used to dealing with the unique regulatory reporting requirements of the financial industry.  And according to the FFIEC “…a financial institution should thus weigh these (residual risk) issues against the benefits of using a third party to conduct social media activities.”  Unfortunately, social media is one activity that must be outsourced.

One more thing to consider is that all social media providers are also (by FFIEC definition*) cloud service providers, and as such subject to all of the guidelines for Outsourced Cloud Computing as well.  Given the risk management challenges of social media, institutions may want to remember what the FFIEC had to say about providers that are unfamiliar with the financial industry, or unwilling to implement changes to their policies or procedures to meet changing regulatory requirements:  “Under such circumstances, management may determine that the institution cannot employ the servicer.”

So in summary, the FFIEC seems to be telling financial institutions “proceed if you must, but proceed cautiously…and don’t take any shortcuts”.  And I will repeat what I first said back in 2011…the challenge of risk managing social media boils down to this:  You are accepting an either (at best) higher level of residual risk or an (at worst) unknown level of risk, to achieve an uncertain amount of benefit.  Oh, and risk avoidance is not an option.

*”…cloud computing is a migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet ‘cloud.'” – FFIEC Statement on Outsourced Cloud Computing, July 10, 2012

24 Jan 2013

FFIEC Issues Proposed Social Media Guidance

(UPDATED – Added link to public comments)

Just out, this document is really a request for comments on the proposed guidance, but final guidance is likely to follow this very closely…and very quickly.  As many financial institutions are probably getting their social media policies together now (or updating existing policies), this is a must read.  Here is an executive summary (and please respond to the poll at the bottom):

  • First of all, the guidance does not impose additional obligations on financial institutions.  The responsibility to properly manage the potential risks associated with social media usage and access is no different than that which is required for any new product, service or process.
  • The FFIEC defines social media as “…a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video”.  Also, “Social media can be distinguished from other online media in that the communication tends to be more interactive.”
  • Institutions are expected to have a risk management program in place that allows it to identify, measure, monitor, and control the risks related to social media…again, an expectation that exists for every other risk an institution faces.
  • It should be designed with participation and involvement from specialists in compliance, technology, information security, legal, human resources, and marketing.
  • Components of the program should include:
    • Board and senior management approval and involvement, including strategic justification of a social media strategy.
    • Policies and procedures (either stand-alone, or incorporated into other existing policies) addressing the proper use and management of social media.
    • Proper vendor management of social media providers.
    • Employee training, including both proper and improper activities.
    • A process to monitor all social media activity, whether initiated by the institution, or a contracted third-party.
    • Audit oversight.
    • Periodic reporting to the Board and senior management as to whether or not social media activities are meeting strategic goals.
  • Policies and procedures must address the following risks:
    • Consumer Compliance & Legal/Regulatory Risks, including:
      • Truth in Savings Act/Regulation DD and Part 707
      • Fair Lending Laws: Equal Credit Opportunity Act/Regulation B3 and Fair Housing Act
      • Truth in Lending Act/Regulation Z
      • Real Estate Settlement Procedures Act
      • Fair Debt Collection Practices Act
      • Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)
      • Deposit Insurance (FDIC) or Share Insurance (NCUA)
      • Electronic Fund Transfer Act/Regulation E
      • Bank Secrecy Act/Anti-Money Laundering Programs (BSA/AML)
      • Community Reinvestment Act (CRA)
      • GLBA Privacy Rules and Data Security Guidelines
      • CAN-SPAM Act and Telephone Consumer Protection Act
      • Children’s Online Privacy Protection Act
      • Fair Credit Reporting Act
    • Reputation Risk, including:
      • Fraud and Brand Identity
      • Third Party Concerns where social media activities are outsourced
      • Privacy Concerns arising from the public posting of confidential information
      • Consumer Complaints and Inquiries
      • Employee Use of Social Media Sites, including through employees’ own personal social media accounts
    • Operational Risk, paying particular attention to the requirements in the FFIEC booklets “Outsourcing Technology Services” and “Information Security”

As you can see, whether you have separate social media policies, or incorporate the elements into other policies, the requirements have expanded considerably.  Use this summary as a checklist as you draft your new, or update your existing, policies.

I have written before about the unique challenges presented by social media, and how it doesn’t easily lend itself to traditional risk management techniques.  This new guidance recognizes that, and makes it crystal clear that although it is difficult, you must still follow the same basic risk management procedures you use for everything else…Identify, Measure, Control and Monitor.

One final thought…you are expected to tailor your efforts to the breadth of your involvement in this area.  The standard “size and complexity” considerations apply here.  But even if you decide not to engage in a formal social media effort, you must still have a policy because you cannot completely avoid the risks of employees posting on their personal accounts, and third parties posting negative comments.  Unlike other endeavors, risk avoidance is not an effective control!


Comments are now closed.  If you would like to view comments, here is the link:  http://www.regulations.gov/#!docketDetail;D=FFIEC-2013-0001

12 Jun 2012

Managing Social Media Risk – LinkedIn Edition

By now everyone has heard about the breach at LinkedIn, where 6.5 million email password hashes were leaked (over half of which have been cracked, or converted into plain text).  Those who read this blog regularly know how I feel about social media in general:

“So managing social media risk boils down to this:  You must be able to justify your decision (both to engage and to not engage) strategically, but to do so requires an accurate cost/benefit analysis.  Both costs (reputation, and other residual risks) and benefits (strategic and financial) are extremely difficult to quantify, which means that in the end you are accepting an unknown level of risk, to achieve an uncertain amount of benefit.

This is not to say that social media can never be properly risk managed, only that the decision to engage (or not) must be analyzed the same way you analyze any other business decision.  And this is a challenge because social media does not easily lend itself to traditional risk management techniques, and this incident is a good case in point.

So once again, let’s use this latest breach as yet another incident training exercise.  In your initial risk assessment, chances are you classified the site as low risk.  There is no NPI/PII stored there, and it doesn’t offer transactional services beyond account upgrades.  Additionally, regarding the breach itself, only about 5% of all user password hashes were disclosed, and as I said previously, about half of those were converted into the underlying plain text password.  And what exactly is your risk exposure if your password was one that was stolen and cracked?  First of all, they would also need your login name to go with the password.  But if they were able to somehow put the two together, they might change your employment or background information, or post something that could portray you or your company in a negative light.  So there are certainly some risks, but they come with lots of “ifs”.  So low probability + low impact = low risk…change your password and move on, right?

Well maybe, depending on how you answer this question:  Is your LinkedIn password being used anywhere else?  If you have a “go-to” password that you use frequently (and most people do) you should assume that it’s out there in the wild, and you can also assume it is now being used in dictionary attacks.  So yes, if you are an individual user, change your LinkedIn password, but also change all other occurrences of that password.

But back to our training exercise…if you are an institution with an official (or unofficial) LinkedIn presence through one or more employees, even if they’ve changed their password(s), you may still be at risk.  If the employee uses the same password to access your Facebook or Google+ page, or remotely authenticate to your email system, or access anything else that is connected to you, your response procedures should require (and validate) that all affected passwords have been changed.  In fact, since you have no way of knowing if your employee has a personal LinkedIn (or Facebook, etc.) presence,  it might be good practice to have your network administrator force all passwords to change just to be safe.  You may also want to change your policy to state that  internal (or corporate) passwords should never be duplicated or re-used on external or personal sites (although enforcing that may be a challenge).

As far as what you can do to reduce the chance of this type of incident happening again, there isn’t much.  You have to rely on your service providers to properly manage their own security.  You do this in part by obtaining and reviewing third-party reviews (like the SOC reports) if they exist,  but also by reviewing the vendor’s own privacy and security policy.  For example, LinkedIn’s privacy policy says this about the data it collects from you:

  • Security
    • Personal information you provide will be secured in accordance with industry standards and technology. Since the internet is not a 100% secure environment, we cannot ensure or warrant the security of any information you transmit to LinkedIn. There is no guarantee that information may not be accessed, copied, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. (Bold is mine)
    • You are responsible for maintaining the secrecy of your unique password and account information, and for controlling access to your email communications at all times.

Even though they have made public statements that they have taken steps to address the root cause of the breach, given the above policy there is no indication that LinkedIn feels it necessary to obtain a third-party review for validation of their enhanced privacy and security measures.  Granted, given the nature of the information they collect and store they may not feel compelled to do so, and you may not require it, but at the very least you should expect the passwords to be secure.

The first step in managing risk is to identify it.  In this case because of the breach, the unanswered questions*, the lack of a third-party review, and their privacy policy, you are accepting a higher level of residual risk with them than you would normally find acceptable in another vendor.  You can still rationalize your decision strategically, but you must quantify the expected return and then document that the return justifies the increased risk.  And then do the same for your other social media efforts!


*Indeed there are several issues raised by this breach that are yet to be answered:  How did it occur?  Could the breach be worse than disclosed?  Why did they hash the passwords using the older SHA1 hash algorithm?  Why did they not salt the hashes?  Why didn’t they have a CIO?  Did they truly use industry standards to secure your information?  If they did, those standards are clearly inadequate, so will they now exceed industry standards?
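The footnote asks why the hashes were unsalted SHA1.  The following is an added illustration, not code from the original post or from LinkedIn, of why that matters for a vendor review: with an unsalted fast hash, every user who chose the same password gets the same hash, so one cracked value exposes all of them and the whole table can be checked against precomputed lists; with a per-user random salt and key stretching (PBKDF2-HMAC-SHA256 from the Python standard library is used here), identical passwords yield different stored values and each guess is deliberately slow.  The user records are constructed sample data, and the storage format (`salt$iterations$hash`) is an assumption of this example.

```python
import hashlib
import os
import secrets
from collections import Counter

# Constructed sample accounts: two users share a common "go-to" password.
SAMPLE_USERS = {
    "alice": "Winter2012!",
    "bob": "Winter2012!",
    "carol": "correct horse battery",
}


def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password, the scheme the post says LinkedIn used.
    Deterministic and fast: the same password always yields the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus key stretching (PBKDF2-HMAC-SHA256).
    Stored as 'salt_hex$iterations$hash_hex' (format assumed by this example)
    so the verifier can recover the parameters later."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(dk.hex(), digest_hex)


def build_unsalted_table(users: dict) -> dict:
    """Hash every account the weak way (unsalted SHA-1)."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_table(users: dict) -> dict:
    """Hash every account with a fresh 16-byte random salt per user."""
    return {user: salted_pbkdf2(pw, os.urandom(16)) for user, pw in users.items()}


def count_users_sharing_a_hash(table: dict) -> int:
    """How many accounts have a stored value identical to another account's.
    A non-zero result is the tell-tale sign of unsalted hashing: a reviewer
    can spot reused passwords (and an attacker can crack them in bulk) without
    knowing a single plaintext."""
    counts = Counter(table.values())
    return sum(1 for digest in table.values() if counts[digest] > 1)


if __name__ == "__main__":
    weak = build_unsalted_table(SAMPLE_USERS)
    strong = build_salted_table(SAMPLE_USERS)
    print("accounts sharing a hash (unsalted SHA-1):", count_users_sharing_a_hash(weak))
    print("accounts sharing a hash (salted PBKDF2):", count_users_sharing_a_hash(strong))
    print("verify alice with correct password:", verify_pbkdf2("Winter2012!", strong["alice"]))
    print("verify alice with wrong password:  ", verify_pbkdf2("Spring2012!", strong["alice"]))
```

PBKDF2 is used here only because it ships with the standard library; a purpose-built password hash such as bcrypt, scrypt or Argon2 is the usual recommendation today.  The duplicate-hash count is also a cheap check to apply when a vendor does hand over evidence of how credentials are stored.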

15 Nov 2011

2012 Compliance Trends, Part 1 – Training

This post will begin a series of 5 topics that I consider to be good candidates for increased regulatory scrutiny in the coming year.  For each topic, I will make the case for increased scrutiny based on 3 criteria:

  1. Recent audit and examination experience,
  2. Regulatory changes, and
  3. Recent events.

In keeping with my policy of trying to provide clear actionable solutions to each challenge, I will also provide suggestions to keep you ahead of the trend.

The first topic is actually making its debut appearance this year, and although training has always been important for financial institutions, it only recently crept into the top 5.  And this is really a two-part trend:

Employee training and Customer training.

First, the case for employee training.  I have always placed the importance of this in the top 10, but a recent event and examination experience have moved this into my top 5.  The recent event is the RSA breach, which I first wrote about here right after the news broke in March, and again here a couple of months ago.  This turned out to be a rather standard social engineering attack conducted over a long period of time exploiting the trust of a single employee.  The FFIEC defines social engineering this way:

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset or as a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Additionally we continue to see employee security policy and awareness training questions in every pre-examination questionnaire, regardless of whether the examiners are Federal or State.  With the increased use of social media by financial institutions, and the understanding that the employee is still the weak link in the security chain*, I predict increased need for, and emphasis on, employee training.

Customer training has always been a best practice, but it’s now a requirement.  Also referred to as customer awareness and education, the case for customer training as a trend is two-fold.  The first is the recent updated FFIEC guidance on Internet authentication.  Customer training is listed as one of the effective controls that may be included in a layered security program for both retail and commercial account holders with Internet access capability (in other words, almost all account holders), and compliance starts in January.  According to the FFIEC, customer training should contain, at a minimum:

  • An explanation of what is, and what isn’t, covered under Reg E.
  • Under what circumstances the institution may contact the customer and request log on credentials.  This one is the most important, and even though the answer is probably “never”, it can’t be repeated enough.
  • A strong suggestion that the customer perform their own risk assessment.  (The verbiage in the guidance actually leaves out the word “strong”…I added it.)
  • To go with the previous risk assessment, a list of possible controls that the customer may consider, including where they may get additional assistance.  (Institutions may be tempted to offer their own assistance, but I recommend against it.  Not only may this prove to be a resource drain, it may also inadvertently set you up for a liability claim if a customer does experience a breach.)
  • A list of institution names and contact numbers for the customer to use in the event they notice suspicious account activity.  Make sure to include off-hour contact information if applicable, as most recent exploits have occurred on weekends and other non-business hours.

The second reason for the importance of customer training is the realization by the fraudsters that customers are an easy target.  As one recent example of this trend, Trusteer just issued a warning that fraudsters are actually setting up call centers to facilitate ID theft by targeting merchants.  This goes way beyond simply installing malware and grabbing login credentials; this attacks the most secure elements in the transaction chain: controls such as one-time passwords, IP blocks (black lists) and positive pay (white lists).  Although the actual details of the attack are fascinating…and frightening…at its core this is really nothing more than an extremely sophisticated social engineering attack, and as such the standard social engineering controls apply.

In summary, re-examine your employee AND customer training and awareness programs, and plan on increasing your training in both areas in 2012.  Make sure your customer training contains at least the minimum elements, and that you periodically repeat the training.  Finally, conduct testing on both groups to validate comprehension where you can (easier for employees than customers), and document everything!


*Additional reading:

http://www.csoonline.com/article/print/691910


16 Mar 2011

Risk Managing Social Media – 4 Challenges

Twitter, LinkedIn, Facebook, Google+…the decision to establish an on-line presence is a very popular topic these days, and it is extremely easy to do, but effectively managing social media risk can be frustratingly complicated.  In many ways, it just doesn’t lend itself to traditional risk management techniques, so the standard pre-entry justification process is much more difficult.  And because you are expected to assess the risks before you jump in, many of you may already be accepting unknown risks.

I see 4 big challenges to managing social media risk:

  1. Strategic Risk – If you determine that engaging in social media would be beneficial to achieving the goals and objectives of your business plan, you’ve made a strategic decision.  But even if you decide NOT to engage, you’ve still made a strategic decision because strategic risk exists if you fail to respond to industry changes.  (“If you choose not to decide, you still have made a choice”*.)  And you are expected to justify your strategy by periodically assessing whether or not you have achieved the goals you anticipated when you made the decision to engage in social media, which leads to challenge #2:
  2. Cost / Benefit – This is closely related to strategic, but relates to the difficulty of quantifying both the costs (strategic and otherwise) and the tangible benefits.  Most institutions decide to engage in social media as a “me too” reaction, but 1 or 2 years later they can’t go back and validate their decision on business grounds because they didn’t have well defined, quantifiable, expectations going in.  Anchor your decision on a set of specific goals, which could include increased brand or product exposure, but which should ultimately be defined  in terms of an increase in capital and earnings.  And although there is a very small financial barrier to entry, there are other costs which leads to my next challenge;
  3. Reputation Risk – This is where the decision to not engage in social media really manifests itself, because reputation risk exists regardless…it cannot be avoided.  All it takes is one disgruntled employee or customer (or a competitor) to post a negative comment about you or your products or services on-line, and your reputation could suffer.  If you do have an on-line presence, you may be able to quickly respond to counter the comments, but if you decided to stay out you have no recourse.  Also, are your employees blurring the line between their professional lives as official (and controllable) representatives of your institution, and their (un-controlled) personal, on-line lives?  In a traditional risk management model, each risk identified would be accompanied by an off-setting control or set of controls.  In the case of reputation risk, there really is no way to off-set, or control, the risk.  This brings me to the final, and perhaps biggest, challenge;
  4. Residual Risk – This is the end result of the risk management process; the amount of risk remaining after the application of controls.  Essentially, this is what you deem “acceptable” risk.  Since social media risk can never be completely avoided (see #3 above), you are already accepting some measure of risk.  The challenge is to quantify it.  Auditors and examiners expect you to have a firm grasp on residual risk, because that is really the only way to validate the effectiveness of your risk management program.  An uncertain or inaccurate level of residual risk implies to examiners an ineffective (or even non-existent) risk assessment.

So managing social media risk boils down to this:  You must be able to justify your decision (both to engage and to not engage) strategically, but to do so requires an accurate cost/benefit analysis.  Both costs (reputation, and other residual risks) and benefits (strategic) are extremely difficult to quantify, which means that in the end you are accepting an unknown level of risk, to achieve an uncertain amount of benefit. Ordinarily that would be a regulatory red-flag, but clearly many institutions currently have an on-line social media presence.  So at this point the question becomes not so much how did they arrive at that decision, but how will they justify their decision (and manage the risk) going forward?


*Lee, Geddy; Lifeson, Alex; Peart, Neil

12 Jan 2011

Trust and Risk Online

In a recently released paper by the Brookings Institute, they address the issue of trust in an increasingly on-line business environment.  They focus on the difficulty of establishing, maintaining and verifying identity on-line, and how the trust relationship between on-line services and consumers is being threatened by weaknesses in this identity layer component.

Although the paper is not specifically geared for the banking industry, it does contain several items of interest to bankers.  Discussion of on-line identity attacks is relevant to the emerging interest in social media.  Social engineering is also a topic of interest to banks, and has been for some time.  There is also a mention of the Red Flags model, and how compliance with the regulation (which started 12/31/2010) requires a strong identity authentication component.  They do note that the existing FFIEC authentication guidance is a good model, but they recognize that the Red Flags, and other financial institution guidance, falls short because:

“…three of the top five targets for phishing attacks in 2010 (eBay, Facebook, and Google) are not financial services web sites (Gudkova, 2010), and thus are not necessarily covered by extant rules. Many other online services, including webmail sites, web hosting sites and social network sites are frequent targets. Clearly they are attractive targets for malicious actors seeking identity information, even if those identities are not actually the paying customers of those firms. Access to credentials of these sites can expose highly sensitive information and serve as the jumping off point to serious and highly customized fraud attempts.”

In the end, financial institution risk managers must carefully consider the risks of this “identity layer” in the current environment, and weigh them against the potential benefits of social media.  The paper is definitely worth a read…highly recommended.