Mobile Security: Act Now
Including Mobile Banking in Risk Assessments
Many financial institutions are not addressing mobile banking security risks in a targeted way. Mobile banking is not a prominent part of their risk assessments and mitigation strategies. But it should be.
Although federal regulators have yet to spell out clear-cut mobile security requirements, banks and credit unions cannot afford to wait for federal guidance before taking action. They need to put plans in place now to mitigate emerging risks, such as attacks from mobile malware and device identification challenges posed by roaming IP addresses.
Bankers who procrastinate could face the dire consequences that follow account breaches.
BITS and other organizations have offered advice on mobile banking security that financial institutions can put to use. But regulatory guidance is still pending.
Mobile Security: At a Glance
The Federal Financial Institutions Examination Council hasn't issued mobile security mandates ... yet. And while I don't think we'll see anything specific to mobile before the end of 2012, I'm pretty certain mobile already is coming up during FFIEC authentication compliance audits.
Industry pundits may be split about when mobile directives are coming, but they're in agreement that they're coming. Those directives could arrive in the form of an addendum to existing guidance; they could be laid out in an FAQ; or they could comprise their own guidance altogether.
Regulators are gathering information and assessing where institutions stand on mobile security. It's just a matter of time before they put their heads together and come up with a way to address mobile more specifically.
Mobile's missing mention in the FFIEC's Authentication Guidance raised eyebrows in June, when it was issued. [See FFIEC Authentication Guidance.]
Now the Federal Deposit Insurance Corp. has hinted that guidance or suggestions for mobile security and risk mitigation could be on the way. In July, Jeff Kopchik, FDIC senior policy analyst, said, "We are thinking about mobile," during a BankInfoSecurity webinar on FFIEC Authentication Guidance.
Five months later, the FDIC issued some insights about mobile and its connection to existing guidance in the Winter edition of Supervisory Insights. "Should a risk assessment identify new risks or vulnerabilities, financial institutions should address them promptly to appropriately and effectively mitigate the risks for the institution and its customers." [See "Mobile Banking: Rewards and Risks."]
It's not a matter of if mobile mandates are on the way. It's more a matter of when.