Perhaps you heard recently about the Equifax Data Breach. No? Then perhaps you were one of 143 million consumers whose data may have been compromised. We know where a data breach of this magnitude leaves Equifax: with a tumbling stock price, extremely dissatisfied customers, and vulnerability to lawsuits. We also know where this leaves the average American consumer, many of whom have frozen their credit or decided to invest in credit monitoring protection services.
But where does this leave financial institutions, many of whom supply data to third party vendors on a daily basis? Likely, it leaves many evaluating their own governance, risk, and compliance policies when it comes to how they manage account holder data.
From a legislative perspective, many are using the recent data breach as an example of why the Consumer Financial Protection Bureau (CFPB) final arbitration rule shouldn’t be repealed. Unfortunately, under the CFPB rule, class actions against financial institutions can’t be formed for data breaches. The absence of a legislative risk, however, doesn’t mean there aren’t reputational risks for institutions that don’t take extra steps to protect customer data.
Whether or not the CFPB legislation changes in the future, hopefully headlines like this demonstrate the importance of getting a Vendor and Third-Party Risk Management process in place (even better, get a tool or software to automate program supervision so things “don’t fall through the cracks”). Every financial institution handles data differently, and it may have data safety risks with any provider, not just the credit bureaus. A breach can happen within any vendor/third-party relationship where data is involved. Data breaches on the scale we’ve seen in the news recently happen because institutions are not properly monitoring the controls third-party vendors claim to have in place.
As a starting point, below are three ways financial institutions can mitigate data risk:
- To prevent data breaches of this scale from happening again, any vendor holding a large volume of personally identifiable information (PII) should have the same controls in place that institutions have.
- Additionally, institutions need to audit their vendors to ensure these controls are in place and are functional.
- Lastly, annual SOC reports should be heavily scrutinized for program compliance.
To prevent future breaches of this scale, the Fed has alluded to creating a group that would focus primarily on Fintech relationships, which may not be a bad thing. This would create uniformity and allow best practices to be shared across the industry, in hopes of better managing these relationships and mitigating risks. In the meantime, having an agency devote time and resources to preventing data breaches could help institutions as well as their vendors adopt a uniform risk management approach.