In addition to direct monetary losses from an incident, breaches also create a significant hit to the trust an institution enjoys. That lost trust causes customers to leave, and creates a loss in confidence among partners and even regulators. The resulting customer churn is expensive, as is the loss of confidence among regulators which can result in more aggressive audits. It’s just human nature to look more closely following a security incident. And then there’s the higher cost of business insurance that follows a breach.
While they’re naturally targets among cyber-thieves, financial services firms are also very heavily regulated. Now, that’s no secret but it helps to highlight why, in addition to mitigating the damage of attacks, financial services firms should make sure they have solid incident response and e-discovery capabilities in place. These capabilities - properly integrated with IT, IT security, risk management, legal, HR, and business executives - should be on the ready to respond to potential cases of system abuse, fraudulent transactions, unauthorized, or repeated, access attempts to systems and applications, and incidents involving customer financial data.
What many people overlook is that there are quite a few regulations that require these capabilities be in place. And if they don’t require it directly, their mandates make them essential.
For instance, the Payment Card Industry Data Security Standard (PCI DSS) is often overlooked when it comes to e-discovery and incident response. However, as is pointed out in this Information Law Group post, while PCI DSS doesn't directly require an incident response capability, it certainly does through the resulting requirements that are set, and now commonplace, among merchants and their payment processors:
In reality, however, a merchant's true obligations in a security breach situation are dictated by the merchant agreement it has with a payment processor or acquiring bank. Most modern merchant agreements will require the merchant to comply with the operating regulations and security programs of the relevant card brands. However, these contracts may also have additional duties relating to incident response, including different reporting requirements, audit rights and indemnification obligations.
If you are accepting a certain volume of credit card payments chances are you are contractually required to have adequate incident response capabilities in place.
Same is true if you are a public company, the Sarbanes-Oxley Act of 2002 requires companies have the ability to prevent, and detect fraud, as outlined in this this FindLaw article:
Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the [company's] assets that could have a material effect on the financial statements.
Section 302 also specifically identifies internal fraud as an event that would require disclosure by senior management. Put simply, an adequate internal control structure must include "controls related to the prevention, identification and detection of fraud."
It’s not just those two, albeit rather substantial, regulations that require financial services firms’ and others to have effective incident response and e-discovery capabilities in place. There’s also the FTC’s Red Flag Rules designed to identify and fight identity theft, as well as the Gramm-Leach-Bliley Act ‘s Notification Rule.
Each of these regulations, as well as numerous others, make incident response and e-discovery capabilities essential. In fact, there isn’t a financial services firm that doesn’t need to be able to quickly find and provide documents necessary for GLBA or Red Flag rule compliance for incidents involving privacy or potentially even fraud.
Of course, all of this is easier written in a blog post than done. Like many things in life, success requires the right combination of technology, people, and practice. We believe Guidance Software provides the right technology for both e-discovery and incident response, so all you need to do is make an incident response plan, put in in place, and test and practice - this way when something unexpected occurs you’ll be ready.