The breach of a card loyalty marketing company this week has reignited discussions about the roles banking institutions, regulators and others play when it comes to mitigating third-party risks (see Vendor Breach Exposes Card Data, PII).
U.S. banking regulators have made it clear they're looking to banking institutions and others to ensure the security standards of the payments processors and vendors with which they work are up to par. But banking institutions have repeatedly said ensuring ongoing security of outside entities is difficult - and they need regulators to step in and help.
Banking institutions should scrutinize the security practices of the third parties to which they outsource. ... But they can't bear all of the responsibility.
The problem is, while everyone is debating the lines that should be drawn, breaches are still occurring. But perhaps publicity about these incidents will serve as a catalyst for regulatory action.
Need for Oversight
Al Pascual, senior analyst for the consultancy Javelin Strategy & Research, says breaches like the one that struck Loyaltybuild, the third-party loyalty branding company in Ireland, reinforce the need for more oversight of outsourcers and other third parties.
Earlier this year, the National Association of Federal Credit Unions asked Congress to hold breached retailers, processors and other third parties accountable when their lax security practices result in the leakage of card data. The Five-Point Plan for Regulatory Relief recommends establishing national standards for the protection of all financial information, including payment card data. It also recommends holding merchants and others accountable for expenses, such as costs associated with card re-issuance, if card numbers and details are exposed during a breach.
The NAFCU also is asking that merchants, in particular, be required to share their data security policies with customers. And it recommends that the burden of proof after data breaches fall back onto the entity that is attacked, rather than, as is the current practice, relying on card issuers to trace the fraud back to a common point of suspected compromise.
Additionally, the trade association's plan calls for creating uniform federal enforcement standards for data security, which would prevent merchants and other outside parties from storing card and other financial information.
That kind of enforcement might have made a difference in a breach like the one suffered by Loyaltybuild, says Neira Jones, a card fraud expert in the United Kingdom. "The third party was obviously storing data, which was not protected with common sense security practices," Jones says.
Data storage by a third party is addressed in the most recent version of the Payment Card Industry Data Security Standard, which was issued Nov. 7 and takes effect in January (see PCI Update: Focus on Third-Party Risks).
Banking regulators have addressed third-party risks, too. But they contend the onus to ensure third-party security falls on the banking institutions.
The Office of the Comptroller of the Currency recently issued updated guidance about how to address third-party risks (see OCC: New Guidance for Third-Party Risks).
The OCC's updated guidelines note eight specific areas where banking institutions need to make improvements to their vendor management programs. And the OCC points out that banking institutions face new and increased operational, compliance, reputation, strategic and credit risks when dealing with third parties.
Other federal banking regulators, such as the Federal Deposit Insurance Corp., have issued similar warnings for banks (see FDIC: Improve Vendor Management).
And now it seems even some banking associations are jumping into the game by working to develop best practices banking institutions can follow to ensure they are adequately addressing third-party risks.
Next week, the Financial Services Information Sharing and Analysis Center is expected to issue recommendations for banks to follow when it comes to their use and reliance upon third-party software. Those recommendations, I've been told, will include controls that will help organizations ensure that secure software development best practices are applied by software developers.
Banks' Obligations, and Limitations
Certainly, banking institutions should scrutinize the security practices of the third parties to which they outsource the processing, storage and use of consumer card data and other sensitive information. But banking institutions can't bear all of the responsibility.
As Aite fraud analyst Shirley Inscoe points out, banking institutions, even with enhanced due diligence and oversight, cannot prevent third-party breaches. "These continuing instances of data breaches and hacking incidents may appear to infer banks are not taking this responsibility seriously," she told me, shortly after the OCC issued its updated guidance. "The OCC is reminding them of their responsibility and shedding additional light on how to fulfill the requirements. Unfortunately, as we all know, it is very difficult to protect against data breaches and hacking incidents in today's environment."
Alan Brill, senior managing director for security consultancy Kroll, stresses that banks' contracts with third parties should clearly spell out that these vendors bear the financial burden for breaches of their systems.
But that's only part of the solution. We need more government oversight of third parties and punishment for those that do not employ adequate security measures. Without enforcement, what motivation do these third parties have to pay attention to security?