MANAGING CYBER RISK:
WHO HAS YOUR INFORMATION?
Contributing authors
Tom Lawton
Donna Goddard
Edward P Gibson
The views and opinions expressed in this paper are those of the authors and do not necessarily reflect the official policy or position of Thomson Reuters.
STATEMENT OF INTENT
Corporate treasurers must consider the cyber risks associated with many of their core activities, including the provision of client identity documents to their financial institutions (FIs). It is therefore crucial that they understand the nature of the risks they face, the value of the data at risk and the solutions available to manage that data.
More about Edward P Gibson can be located at www.Linkedin.com/in/EdwardPGibson
Introduction
This white paper explores the ever-increasing global threat of cybercrime, with a particular focus on the specific cyber risks faced by corporate treasurers when disseminating the strictly confidential data necessary to comply with regulations governing Know Your Customer (KYC) due diligence. Finally, it explores the steps that organizations can take to reduce the risk of their information being compromised.
CYBERCRIME – A GROWING THREAT
The methods employed by cyber criminals are becoming ever more sophisticated, making it challenging for organizations to stay that crucial step ahead of the criminal underworld. This concern is echoed in the C-suite, as was demonstrated in the PwC Global Economic Crime Survey 2014: nearly half of respondents reported that the risk of cybercrime had increased (a 23% increase over 2011), with 49% of global CEOs concerned about cyber threats to their organization.i
We are operating in the age of digitization. Many previously physical items (such as some forms of hard copy documentation and even photographs) now exist mainly, or in some cases only, in the digital world. This creates both opportunities and challenges for organizations. However, in order to take advantage of the benefits, companies need to address the impact of "information overload", caused by more and more data being received, collected and stored every day.
Moreover, much of this information is confidential or business-critical, and if it were to be stolen or accidentally leaked it could lead to significant financial and reputational damage. Several high profile cybercrime incidents hit the headlines in 2014. In one case, criminals hacked into and leaked the confidential emails of the co-chair of a well-known global brand, leading to their resignation. This and other incidents have meant that cybercrime and cyber security are understandably becoming very much a focus of the Boardroom.
THE KYC/AML LANDSCAPE AND DATA SECURITY
Traditionally a banker would be expected either to know their clients personally or to have them introduced by someone who did. Globalization has provided the opportunity for organizations to do business anywhere and with anyone. However, with opportunity has come the challenge of having to navigate jurisdictions they are not familiar with in order to undertake "know your customer" checks. At the same time, knowing exactly who you are doing business with has become more crucial than ever in the wake of significant events like 9/11 and the financial crisis.
Recent reports of hefty fines for non-compliance serve to demonstrate the stance that regulators are taking and their expectation that organizations exercise the appropriate level of due diligence. Banks and FIs (in an attempt to avoid financial and reputational damage) are taking what they believe to be the necessary steps to demonstrate that they take their responsibilities seriously. Unfortunately, in the absence of a defined anti-money laundering (AML) standard, this has resulted in them requesting increasing volumes of information from their clients. In addition, the lack of a defined "standard" results in banks interpreting legislation in different ways, leading to further requests for information from their clients. Whilst this is understandable, and indeed necessary given the current climate and lack of a "standard", it has resulted in corporates facing myriad challenges: not only are large amounts of time and effort needed to collect, validate, store and maintain the vast quantities of information being requested at any one time, but there are also very real risks surrounding the security of this strictly confidential data.
DATA SECURITY RISKS
There are three risk stages to be aware of when trying to ensure the confidentiality, integrity and availability of your sensitive personal data:
DATA LIFECYCLE RISK STAGES (figure: the data lifecycle runs Creation, Usage, Transmission, Preservation, Retirement; the three risk stages below cut across it)
· DATA IN USE: data when in use at the endpoint (e.g. laptops, workstations, etc.)
· DATA IN MOTION: data when transmitted outside of the secure network (e.g. email, web, etc.)
· DATA AT REST: data in storage (e.g. file shares, databases, etc.)
i http://www.pwc.com/gx/en/economic-crime-survey/
DATA IN USE:
This is typically data that is in the process of being created by an organization, or being worked on by the FI within its corporate networks.
Areas for concern in this stage include physical theft, incorrect data being input and the insecure destruction of physical copies once electronic versions have been created.
DATA IN MOTION:
This stage relates to the risks to data when it is being transferred between the organization and the FI. Transmission channels include sending via email, sending either a hard copy or a version transferred to USB/CD/DVD in the post, or uploading to internet sites.
Ensuring the secure delivery of confidential documents to the correct recipient can create challenges. Current methods are often neither efficient nor secure: frequently, material is sent unencrypted via e-mail or post. Donna Goddard, an information security professional at Thomson Reuters, says, "You don't always need to have hard copies of material; electronic copies, as long as they can be independently validated, are acceptable for most situations."
However, because a lot of the regulations governing AML and KYC were written before the digital age, some FIs still insist on original documentation, especially in regions such as Asia and Africa. This is problematic because documents commonly get lost or delivered to the incorrect person. James Kelly, Head of Treasury at Rentokil Initial, comments, "My team can spend the whole day checking with postal couriers to see if the documents were received by the correct person." Sending documents via email is not always secure either, as organizations may not have the correct procedures in place to ensure that information is sent securely. This information can be intercepted, but more often it is misdirected if, for example, someone types in the incorrect email address.
DATA AT REST:
This stage relates to the risks to data when it is being stored in databases or on shared drives.
Once companies have ensured their documents have arrived securely at the FI, they retain little or no control over where and how this strictly confidential information is being stored or who can access it.
Corporates have to rely on their financial counterparties implementing appropriate controls to manage their information effectively: for example, encrypting data held in databases and implementing appropriate access management procedures, and, in the event of a disaster, trusting that the FI has implemented robust disaster recovery and backup policies.
THE HUMAN FACTOR
A key theme running through each of the risk areas above is the human factor.
No matter how advanced the control environment, the human element presents an opportunity for things to go wrong. For example, an organization could have the best security system in place, but if a member of staff accidentally left confidential information on their desk overnight for a colleague to see, this simple error could negate all of the technical controls in place.
Organizations need to ensure that their employees are properly trained, not only on the most appropriate methods of managing confidential information (including, for example, data encryption) but also with regard to simple processes, such as how to create a secure work environment.
Understanding basic concepts in relation to the quantity of data required for the KYC process is also crucial for both organizations and FIs. Limiting the amount of information held to that which is absolutely necessary reduces the cyber risk and makes it easier for FIs to comply with data protection legislation that requires them to ensure that the data held on a subject is current.
THE VALUE OF THE DATA AT RISK
The nature of the documents being requested by banks is often strictly confidential. For example, the documentation regularly required to open a single bank account could include the passports of all signatories; the names, addresses and dates of birth of all directors; and the certified Articles of Incorporation. If this information were to be leaked or stolen, it could have significant personal or business-critical consequences for the individuals and organization concerned, as seen in recent high profile cases. James Kelly comments further, "We have had instances where we have asked signatories for passports, utility bills and dates of birth and the directors have been quite concerned about how they are going to be sent and what we are going to do with the data. I think we owe a duty of care to our signatories and anyone we are sending data on behalf of."
THE CUSTOMER EXPERIENCE
In addition to dealing with myriad security risks around the provision of client identity documents, corporate treasurers are also often on the receiving end of poor customer service as a result of numerous bank requests. Banks and FIs have a legal obligation to comply with regulations, but they must strike a balance between compliance and a good customer experience.
At a recent industry round table, Ed Gibson, the former chief cyber security advisor for Microsoft in the UK, shared a telling example of poor customer experience around the provision of client identity documents and the need to manage the security risk. As a US-based citizen, Gibson transferred money to his foreign FI in the UK and was contacted by email within 24 hours of the transfer. Suspecting a phishing attempt, he did not reply. A few days later a letter arrived by post from the FI requesting identity documentation by either post or email. He sent the information via email, but received no acknowledgement. Two weeks later, he received another letter asking why he had not sent the requested information, upon which he contacted his UK branch and they advised that the documents had been received. Three weeks later, a further letter arrived requesting the documentation. Gibson comments, "The experience left me with several unanswered questions about who had my information and where my documents were being stored. It was undoubtedly an unsatisfactory customer experience."
TIME TO TAKE STOCK
It is clear from the above that current processes of document dissemination are not delivering a favorable customer experience or keeping pace with the need for heightened security in the face of growing cyber risk. This is further exacerbated by the fact that both cyber security risks and changes in data protection legislation are evolving at a pace that many companies struggle to keep up with. Simply erecting a protective IT barrier may not be enough: sometimes the perpetrator comes from within or has access to an insider. Once again, it is the human element that potentially poses the greatest risk.
ii https://www.treasurers.org/under-attack
On the other hand, fairly simple measures can go a long way towards mitigating risks. The UK Information Commissioner's Office (ICO) says that in many data breach cases, the measures which could have prevented the breach or reduced the level of harm to individuals would have been simple to implement. Corporate treasurers must therefore take stock, identify the full range of risks within their role and formulate a coherent plan to manage these risks.
TAKING STEPS TO MANAGE THE RISKS
When it comes to managing risk in the KYC/AML space, strategies will differ depending on organization type. Large FIs, for example, are in a position to call on specialized security functions. They can adopt a layered approach to information security, spanning technology, process and people-focused security mitigation programs. Larger firms can usually also deploy security technologies such as DLP (data loss prevention) or IDS (intrusion detection systems) across every end-point or network interface. Smaller organizations, such as buy-side firms, may not have access to these resources, and should consider how best to deploy their limited resources.
Tom Lawton, Head of Risk at Thomson Reuters Org ID, comments, "In a previous security role, business leads often asked me where they should start and what the most important security measures were. I would always highlight five areas for them to focus on: a lockdown of base operating system builds to remove default settings and open services; security patching to keep defenses up to date; malware detection; strong passwords; and network segregation (layering the network to separate the highest and lowest value assets). This list would always be a starting point of how to build effective defenses."
Every firm should have an inventory of all physical devices, systems, software platforms and connections to external sources catalogued and available for inspection. There should also be a written information security policy that outlines who is responsible for security and the governance structure in place. Protection of firm networks and information is vital. This is a minimum requirement, but getting expert help may be the best way forward for many organizations.
Goddard says, "When it comes to KYC and information security, organizations need to stop trying to do everything themselves, specialize in what they are good at and let experts in this field deliver workable solutions."
She goes on to say, "One of the key things I would recommend an organization to do is leverage external parties that have the expertise that you need. Quite often the temptation is to try and muddle through with people internally, but this is not necessarily the cheapest option. If you partner with the right organization, they'll often be able to recommend ways in which you might be able to implement things that could save you money in the long run."
Technology and external partners are certainly available to help mitigate the cyber risk around the provision of client identity documents. KYC utilities and managed services can help organizations to distribute client identity documents securely through central repositories or portals.
The concept of a central repository or portal offers several benefits. Firstly, data is stored securely: there are appropriate measures in place to ensure both physical and environmental security, as well as device security and malware protection. Solutions such as Thomson Reuters Org ID use industry-leading protocols to encrypt network communication for all sensitive traffic. In addition, with Org ID, information is stored in two data centers in the United Kingdom that are subject to European data privacy laws, the strongest privacy framework in the world.
When asked about the time-consuming challenge of keeping vast amounts of information up to date, Goddard responded, "When choosing an external partner, it is crucial to use an organization that is used to handling large amounts of data, processing it and storing it." Organizations should do their research and ensure that the third parties they work with have disaster recovery and backup plans and have been externally audited and assessed.
This much is certain: cyber criminals will try to find a way to hack your information, so getting expert help could be an important advantage in helping organizations stay a step ahead.
CONCLUSION
In order to remain competitive, comply with legislation and protect their data, organizations should do the following:
· Implement a coherent security policy, which should be reviewed on a regular basis.
· Engage with internal and/or external auditors, as they are often an invaluable resource and can view the organization's security procedures with objective eyes.
· Undertake a full risk assessment and determine the likely implications of a security breach involving sensitive data. Board-level awareness and support of this exercise are crucial.ii
· Leverage the expertise of third parties to help you streamline processes and manage cyber risk.
· Finally, training is absolutely critical. Implementing the most effective security framework in the world will not be worth the paper it is printed on if employees are either unaware of its existence or do not know how to comply with it.
Sadly, cyber risks are here to stay and there is no silver bullet; it is simply a matter of managing risk in the best possible way. As Goddard says, "You should never be spending so much on security that your business does not exist." It takes a mixture of the appropriate processes, technologies and people to mitigate cybercrime; however, technology can help and has the added benefit of being able to demonstrate to regulators that an organization is taking cybercrime and security seriously. As Gibson commented, "The regulator will look favorably at any organization that has taken reasonable steps to help ensure the sanctity of their internal controls and security. That can't be overstated in my experience."