Ten Most Important Stories of 2007

As we reflect on the biggest stories of 2007, it's clear that bad news was big. Some of our most popular stories were about Commerce Bank, Ameritrade and the ever-increasing threat of identity theft.

See Also: The State of Organizations' Security Posture as of Q1 2018

But common themes emerge as well. From the well-publicized hacks, we know that information security crimes abide by no geographic or national boundaries. Wherever banking institutions conduct online business, so do criminals. From the disasters, we've seen business continuity plans put to the test, and we've seen institutions derive lessons learned to build into their risk management strategies. From the myriad regulations handed down by the feds, we see new emphasis on familiar topics that may well prove to be the biggest stories of 2008:

• Risk Assessment - In the wake of the TJX breach, where a few thousand dollars worth of protection might have prevented millions of dollars of settlement costs, we're going to see a greater focus not just on the risk assessment process, but on security executives ensuring that their business partners understand fully the cost of information security - and the risk of doing nothing.
  
  
• Vendor Management - So much is outsourced these days - especially in Internet banking - that it isn't enough to ensure your own processes and systems are secure. You need to ensure your vendor's information security, too. With the FDIC now building vendor management into its pre-examination IT risk management questionnaire, it's clear that this will be a key topic in 2008.
  
  
• Customer Education - Inherently, we all know that we can't do enough to educate our customers about the risks and rewards of banking online. But realistically, we're limited by resources. This will change in 2008. With the rise of cyber crime and the resolve of regulatory agencies to combat it (see ID Theft Red Flag Rules below), smart money says that next year will go down as The Year of Customer Education. And we'll continue to do our part to help you do yours.

Read on to see a countdown of the Top 10 Stories of 2007.

Breaches happen. And in this case, the size of the breach isn't the question. What happened was not a major breach; "only a small segment" of Commerce Bancorp's 3 million customers were affected. But the cause of the breach? An insider released customer account information. The hard lesson: The insider threat is one that all financial institutions are aware of - but too few provide adequate protection.

The scourge of identity theft is hitting your institution's customers, and in this article we cover some solid security ideas that should be part of any institution's information security awareness and education program.

Financial institutions have been educating their customers about identity theft for many years, but this comprehensive plan pushes this topic even higher on the list of must-do's for all institutions. Coupled with the ID Theft Red Flags guidance issued in October 2007, this report shows strong educational efforts and increased criminal enforcement is part of the coordinated approach envisioned by the task force, led by the Federal Trade Commission and the Department of Justice. This Task Force report was issued by a collective 17 federal agencies, including financial institution regulatory agencies FRB, FTC, FDIC, NCUA, OCC, OTS and the SEC.

In early December, the FDIC issued a new version of its IT Risk Management Program Examination Procedures (IT-RMP). Revisions were added to provide more coverage in service areas that the FDIC sees as posing new or emerging risk management issues.

The questionnaire was enhanced to provide coverage in vendor management and outsourcing, credit card and payment system risks, and the overall state of the institution's information security program. Historically, other regulatory agencies have taken their lead from the FDIC, so it's fair to assume new rules may be coming for all banking institutions in 2008.

The phishing scene is getting more crowded these days, and the relationship between phishing attacks and malware is changing, according to information security experts. Now, non-traditional phishing emails and new types of phishing attacks are targeting customers of progressively smaller and smaller institutions. In newer blended scenarios, customers receive a spoofed email that includes some type of request or incentive to visit a particular Web page. If they click the link to this Web page, malware is secretly installed on the user's computer. This allows criminals to take control of the user's computer to steal personal information, send out spam, or both.

The Payment Card Industry Data Security Standard (PCI-DSS) is overseen by the PCI Security Standards Council, an independent council originally formed by American Express, Discover Financial Services, JCB, MasterCard and Visa in 2006. The 12 requirements of the PCI-DSS are designed to help retailers and other businesses that process card payments to prevent credit card fraud, hacking and other security issues. A company processing, storing or transmitting credit card numbers must be PCI-DSS compliant to risk losing the ability to process credit card payments.

The PCI compliance date was June 30, 2007, and many companies likely failed to meet the deadline. But it's a safe bet that compliance timelines were condensed after this news story broke.

San Diego was the big story in late October - the devastating wildfires that swept through the County and caused several banks to close down and enact their disaster recovery plans. For the most part, the plans worked as advertised - businesses reopened seamlessly.

And then there's the disaster we haven't experienced, but which every institution fears: The pandemic.

This year saw a nationwide pandemic test that measured the industry's ability along with participating institutions' ability to function during a pandemic. Results were mixed, but the resolve remains clear: The pandemic threat is real, and we all need to prepare for it.

First there was the President's Identity Theft Taskforce Report that was issued in March. Then, at the end of October came the final guidance on ID Theft Red Flags. Institutions have until November 1, 2008 to be compliant with it.

Clearly, the ID Theft Red Flag Rules guidance will be one of the top risk management issues for financial institutions in 2008. The questions are: How quickly will institutions move to become compliant, and then - post Nov. 1 - how aggressively will regulators seek to enforce it?

The Bank of India Hack story broke in early September and - at the time -- garnered the most reads of any story on our website. The significance? Not that it was the biggest or boldest hack, or even that it occurred at an exotic bank in a far-off location. Rather, the news to CEOs and CISOs is that these attacks know no boundaries, and the Bank of India case is a prime example of what can happen to any institution anywhere.

Indeed, soon after came word that Commerce Bank, a Midwestern chain based in Missouri, had been hacked, and customer information had been accessed.

It was one of the first stories of the year, and today it's still the biggest. The story line: Massachusetts-based retailer TJX revealed that more than 46 million credit and debit card accounts were hacked in the data breach, going back as far as 2003. Later, court documents revealed that number may be more than 96 million customers affected. The bottom line: Industry analysts predict the price tag of the breach could go as high as $1 billion when all the settlements are paid. Certain banks have settled with the retailer, and TJX has strengthened its network security and overall security posture. But the question remains: Who will be 2008's TJX?