
A Dozen Questions for Assessing Data Breach Risk

By Kevin Malicki


Being proactive can protect your credit union and its members.

Sponsored by Harland Clarke

Recently, I was on a call with a financial institution that was much like many other discovery calls. They provide us with pain points, and we speak to how our solutions can address them. Like most financial institutions, this client had a particularly hard time wrangling third-party risk management and mapping internal controls to risks. So I asked this question: “Do you use Equifax?” The client said, “Doesn’t everyone?”

Here’s why this is important: The former Equifax CEO has been called to Congress and interviewed extensively on how a breach of this magnitude happened, why there was such a lack of urgency in contacting clients, and what course of action is being taken to resolve the problem and ensure it doesn’t happen again—because every piece of data Equifax had was obtained from the institutions themselves. Have you considered your own business risk in this situation?

It’s very unfortunate that 143 million people—nearly one out of every two people in the United States—have been impacted by this tragic event. A breach or theft of personal financial data can be life-changing. With so much potential damage to the average American consumer, regulators will want to hold the businesses doing business with Equifax accountable as well.

If you work with a third party and share data with them, the following questions need to be considered:

1. Have you read your contract with the third party?

2. Do you know where your third-party contract is?

3. Is it up to date?

4. Does it contain a clause regarding a breach of information?

5. Does it outline a communication plan in the event of a data breach?

6. Where does the communication plan “live”?

7. Has it been tested?

8. What oversight do you as a financial institution provide to the third party?

9. Do you have a recent SOC 1 and SOC 2 report? Did you review it? Does it note vulnerabilities or exceptions?

10. Where is your risk assessment document?

11. What controls do you have in place?

12. Where are your audit results? (Has your audit firm provided you with audit results? Has Equifax?)

We’ve also created a handy checklist of these kinds of questions that every financial institution should ask in the wake of a data breach. Download it here.

Kevin Malicki is director of product management for governance, risk and compliance at Harland Clarke, headquartered in San Antonio.

Read about five ways your fraud team can best manage the changing foundation of fraud prevention in “Planning, Post-Equifax.” Also read “Navigating Risk” by Vince Hui of CUES strategic provider of risk management services Cornerstone Advisors, Scottsdale, Ariz.

You might also be interested in attending CUES School of Enterprise Risk Management, Aug. 13-16, 2018, in Denver.
