By Ron Daly
Since the GAO’s July 2 recommendation (again) that NCUA be authorized to examine third-party technology vendors as a precaution against cyber threats, we’ve seen nearly as many headlines on this topic as on security hacks.
There’s no question that security breaches are increasing both in frequency and severity, and financial institutions need to take stronger measures to protect consumers’ personally identifiable information. But do we need the regulators to solve an operations issue?
Adding another layer of regulation would increase compliance costs to credit unions – and, ultimately, it’s credit unions that would also pay for more examiner training and staffing. Further, it would create redundancies, as NCUA is already able to oversee credit unions and their service providers. More costs mean less value to members.
Rethink Data Security
Yes, we’ve seen explosive growth in cybercrime; consumers and businesses are conducting more transactions online, and stealing PII is a lucrative business. But that doesn’t mean we should create more regulatory hoops for credit unions to jump through. Instead, our industry should take a fresh look at how it safeguards member data.
For years, financial institutions have been experts at protecting customer data, understanding that they must do it differently than other businesses. It’s the knowledge of data security and commitment to keeping PII safe that earned the industry its reputation for trusted institutions. But most security measures today are no longer adequate.
Current practices call for encrypting documents as they are sent via the Internet (encryption in transit). But anytime a sensitive document is sent from one person to another – whether via email, scan or fax – it’s vulnerable to attack as soon as it reaches someone’s laptop or a server and is decrypted. It may be placed behind a firewall, but as we’ve all seen, cybercriminals have learned how to breach firewalls.
A best-practices approach is to encrypt members’ personal information both in transit and at rest.
Adopt Encryption At Rest
As a firm dedicated to safeguarding consumers’ personal information, Virtual StrongBox is on a mission to see the concept of encryption at rest take hold – and not just at credit unions and banks. Any organization that holds consumers’ personal information should use encryption to lock down its data.
StreamlineWworkflow
In addition to accessing files that consumers have uploaded to their secure storage, credit unions can now also to distribute sensitive files to a member’s online safe-deposit box via our secure file-exchange system. Credit unions can now pass mortgage documents or other confidential files to members’ individual boxes or to all members’ boxes, increasing both security and workflow efficiency. When the average mortgage takes 40 days to process, eliminating the need for papers to be mailed or customers to come in to the branch, can really speed up the process.
Using encryption at rest may not stop all data breaches or cybercriminals’ ability to steal millions of people’s personal data files; but if those files are encrypted, it would be virtually impossible to reconstruct them. Most crooks would rather find an easier target.
Whether through our process or elsewhere, the industry should implement this secure technology. We don’t need more regulation; we need better internal safeguards.
Ron Daly is the president/CEO of Virtual StrongBox, Inc., a company known for protecting personal data the “financial institution way.” Virtual StrongBox provides credit unions with a host of automated file exchange and file storage services. For more information, visit www.myvirtualstrongbox.com.