GLBA Compliance: Trends to Watch, Traps to Avoid
Interview with Nathan Johns of Crowe Chizek and Company
Gramm-Leach-Bliley - it's at the heart of every financial institution's security program. In this exclusive interview, Nathan Johns, formerly of the FDIC, discusses current GLBA compliance trends, including:
TOM FIELD: Hi. This is Tom Field with Information Security Media Group. The topic today is GLBA compliance, and we are talking with Nathan Johns with the Risk Consulting Services of Crowe Chizek and Company, LLC. Nathan, thanks so much for joining me today.
NATHAN JOHNS: You're welcome.
FIELD: Nathan, just as an introduction, why don't you tell our audience a little bit about yourself and what you do with Crowe Chizek?
JOHNS: Sure. As you mentioned, I am Nathan Johns with Crowe Chizek. I am an executive in our Risk Consulting practice. I primarily do IT audits and consulting for financial institutions, primarily on data information security and privacy type matters. Prior to coming to Crowe Chizek I was with the FDIC for approximately 15 years with the last stop being in Washington, D.C., where I wrote a lot of the guidance pieces, including portions of Gramm-Leach-Bliley and other exam procedures and training for their examiners at that time.
FIELD: Well, very appropriate to ask you about this then. What do you see as the current trends in GLBA compliance and examinations?
JOHNS: As far as examinations go, Gramm-Leach-Bliley has been in effect for a number of years now, and so the examinations have gone through several cycles. So the examiners have a lot less patience or tolerance for institutions that still haven't made significant progress in addressing Gramm-Leach-Bliley. I guess kind of the adage is they are not looking at it as something that the institution can come back with and say 'well, we weren't aware of it or we don't understand it' at this point.
So they are looking at institutions to be beyond that and have made good faith efforts in really attempting to meet the part of Gramm-Leach-Bliley, have programs in place and they are okay. Programs don't necessarily have to be perfect, but they are a lot more tolerant if there has been the effort and there needs to be modifications or adjustments made to the programs. But they are looking for the programs to be in place, to be fairly mature, to at least have the different components that would make up a good Gramm-Leach-Bliley program in place. They don't necessarily--if they are not perfect, they are not necessarily going to beat up an institution, but they are looking more for the effort.
FIELD: What would you say are the elements of a GLBA where you see the institutions continually being challenged now?
JOHNS: There are a couple of different areas where we've noticed the institutions being challenged. The first of which is just the changes within technology and the risks themselves, and maintaining a program that is adaptable enough and updates itself on a frequent enough basis where it keeps up with those changes and the challenges.
I mean there have been studies that have been done out there about the different ways and the frequency with which information is compromised. Most of the studies come back and can actually--a system getting hacked into is very low as far as a percentage of where the real risk is and where the real vulnerabilities and exploits have been taking place. More common are things like a lost laptop or a vendor losing information like bank updates as they are being shipped. Or even paper files, somebody gaining access to them or paper files being lost. A lot of times it's about maintaining good controls over your vendors, and what types of security do they have in place, and how do you assure yourself that they have adequate security and security over laptops and CDs and thumb drives and asking the question should we encrypt them and how much would it take and how much effort and what tools to use on things like that, which are much more mobile and much more likely to get exposed to people outside of the organization.
So, I guess there are two ways to look at this. The good news is that people are doing a pretty good job at the perimeter and the firewalls and all of that to protect the organizations. The bad news is there is this whole other piece that involves things that are a lot less under the control of the organization, such as vendors and mobile devices and thumb drives and things like that.
FIELD: Well, you make a good point there because I wanted to flip this around and ask where institutions find in their successes, and it sounds like you see some areas where they are doing pretty well.
JOHNS: Absolutely. And I think, going along with what I said, I think that they really are doing a pretty good job of protecting the perimeter even in light of the challenges of the technology changes and the threat changes that are new threats coming up more frequently than even daily, but they are doing a pretty good job of having programs that are dynamic that keep up with that. They get updated regularly; they grow and change along with the threats they are facing. So I find that they are doing a better job on that than they are on some of the other areas, which actually are leading to more of the compromises or more of the data breaches, such as the lost laptops or with thumb drives or paper files and things like that.
FIELD: Now Nathan, I'm thinking in terms of 501(b) as well in the types of things that institutions have to be mindful of with, you know, with the board development, with information security program development, vendor management, you name it. How do you find institutions are doing with the elements of 501(b) and what they are examined on?
JOHNS: You actually brought up a point, or an area, where I've seen mixed success. At a lot of institutions it is still being looked upon as that IT area, and I think with some of the things I brought up it becomes fairly clear that, yeah, I could use an important piece of this, but it is an organization-wide responsibility. It requires training of employees across the organization to be mindful of what they are doing and their piece in this in protecting that laptop or protecting the paper files that they have. So there is this whole training aspect. Even the information technology piece of it requires training of the individuals to make sure that they are locking their computers while they are away from them and items like that to be aware of social engineering, giving--what information they give out, the attempts that people make to gain information such as passwords so they can get to sensitive information and things like that. So training becomes a very important piece of it.
In addition, the other thing that you brought up as well with the board involvement. It's not just an IT issue, it's organizational wide, so it is very important that this be driven from the top down and given that level of importance that they are aware of it and that they take it seriously and that they expect the organization, not just the IT department, to handle this issue.
FIELD: Now you are out among institutions, and certainly you see the economic conditions that they are in, yet they are already working on their Identity Theft/Red Flags Rule compliance, which in a lot of cases is an unbudgeted item. They don't have additional resources out there. How do you see institutions coping with their compliance issues where really they might have fewer financial resources than they have had previously?
JOHNS: I think that is an important point to bring out. Really, Gramm-Leach-Bliley emphasizes a risk-based approach, and it starts with a risk assessment. A lot of times when we come in and help an organization through this process and think through this process, what they are identifying in the risk assessment is, are they spending a lot of time and effort on certain controls? And they may not necessarily be the controls that they are relying on the most, so they may spend a lot of time on--well let's just use an example to make this a little more concrete.
They may spend a lot of time and effort on an intrusion detection system, which is important, and it is a control, and it is a valuable control and can give them good information, and they may test it fairly regularly. But in the risk assessment they may find that there are other controls that they are relying upon more that they are not necessarily testing as much. So, some of the risk-based approach of Gramm-Leach-Bliley, and if they do a good job on the risk assessment, can show areas where they can cut back on testing, or maybe even the expense on implementing a control or a new technology by looking at all the other controls, all the other layers that are already in there and seeing what they can leverage based upon the risk of that particular area.
So in addition to highlighting areas that they may need to address further, it also can be that the risk assessment process can be an area where they can say we are testing this far more than we have to for the amount that we are relying upon this control. And so that is one way in which they can kind of cut back in certain areas in the testing and potentially even in the investment and technology controls given the economic times. But without the risk assessment, it is very difficult for them to justify that to senior management or to regulatory authorities.
FIELD: So, really the risk assessment almost becomes a resource assessment as well?
FIELD: I want to take you back to vendor management, Nathan. You know this has clearly been part of the guidelines for years now, and yet we see the OCC, the FDIC, the NCUA coming out with additional bulletins on this, and it just raises the question: Why can't banking institutions do vendor management to the satisfaction of their regulators?
JOHNS: I think there are a couple of different factors that are in play with vendor management. The first of which is initially when a lot of the institutions that we worked with started trying to get their arms around vendor management, they did a poor job on risk ranking the vendors. They essentially almost took the step of treating them all equally. Well, not all institutions' vendors are equal. I mean the information that they have access to, what the functions are that they perform for the institution are different, all those things make it so that they should treat those vendors in significantly different ways, and the amount of effort that they put on the vendors should be significantly different.
The regulators did notice this, and typically what was happening was the very important and very key vendors and vendors with access to critical information and customer sensitive information were being treated the same as insignificant vendors, and probably those vendors were not being looked at as often as they probably should have been, or the regulators would have liked them to have been. And probably the vendors on the lower end were being looked at more frequently. And the regulators are never going to--well, I shouldn't say are never, because as soon as I say that they will say something about it but, rarely do regulators say something that you are doing too frequently. So they are not really going to complain about you looking at a low risk vendor more frequently than they want you to, but they will comment on they don't think you are looking at a higher risk vendor as often as they would like.
So the emphasis has always been on doing more, doing more versus the risk-based approach of okay, we can cut back some on these lower risk vendors, but we do need to pay more attention to the higher risk vendors and being able to support that. And I think that is really one of the things that have driven the regulators in those particular areas as really saying, "you really need to pay more attention to these really critical vendors, and maybe once a year isn't enough to be evaluating them because they are so critical to your organization."
That being said, and another factor that is kind of driving the regulators is, and this has been occurring for years now, but it is increasing reliance upon vendors that aren't necessarily in the United States or maybe sub-contracting with vendors that are outside of the United States as well. And oftentimes it is without the institutions' knowledge if you have a contract with a service provider or vendor, you may not even know who else they are doing business with or have that within the contract they have to let you know.
That poses the risk of all the various different international laws and what is protected and what isn't protected in various areas throughout the country, or throughout the world. So, the regulators have taken notice of that. It is a factor in that the requirements of Gramm-Leach-Bliley may not necessarily be the same requirements of wherever the information ends up. And so it is up to the bank to make sure that that is enforceable through the contracts and also that they are aware of exactly where that information is going.
FIELD: So, you spend a lot of time with institutions. Are you starting to see some progress on vendor management?
JOHNS: We are actually starting to see some significant improvements in what we are seeing with vendor management. Once we get them to understand that it really is a risk based approach, and that the requirement is on high risk vendors essentially a re-evaluation once a year, but that if it is important enough it makes sense to do it more often and then if they are doing that on the most critical vendors they can justify cutting back on other ones. But they really need to be able to show that they are not just using the annual review as kind of their benchmark, but that they are really putting thought into the process.
FIELD: That makes sense. Risk-based - the term I keep hearing over and over is sort of the buzz term of the year, and it is really getting a lot of cachet out there I think.
JOHNS: You know, I think so, but I think there is a lot of value to it, especially given the economic times. In risk-based, and everybody is using that term, but I think it is all about supporting what you are doing. Showing that you are paying attention to areas that you have greater exposure and spending your limited resources on those particular areas and cutting back on other areas and being able to show that that isn't exposing the institution to a great deal of, well, financial risk is one thing, but also the customers and their information isn't getting exposed by cutting back in certain areas as well. It is not just all about financial exposure to the institution because a lot of it comes down to protecting the consumer and trying to put a price tag on that is very difficult, but it is also very important.
FIELD: That makes sense. Nathan, one final question for you. I want to think in terms of somebody that might be coming into a banking security career and being handed the task of maintaining GLBA compliance. If you could give advice to someone taking over that role, where should they begin?
JOHNS: The very first thing that they would need to be aware of is, it has to come from the top of the organization. And if they are coming in and the organization is looking at it as just an IT issue or just an IT problem, that they need to educate the organization and get it pushed up. Then they also need to, and I am going to use the term again, the risk-based approach, focus on where the true risks are. Otherwise, this quickly will become something that is too large of the organization because you can, quite frankly, spend as much money as you want to on controls and trying to control risk. And if you spend a billion dollars to control risk, yeah, you are probably going to not have any security incidents or any compromises of information or anything like that, but also you are going to quickly be out of business. So it is important to establish a risk threshold for the organization and what they are willing to accept as far as risk, and manage the program around that.
Then it comes down to really doing a good job of quantifying the different threats that are out there to the organization and identifying what controls are already there that will mitigate those risks. So it truly comes down to saying, okay here is a level we are shooting for and where are we above this and where are we below this. Identifying those gaps and bringing things up to that level, but also, are there other places where we can be more efficient?
FIELD: Makes sense. Nathan, I appreciate your time and your insights today. It has been very valuable, and I am sure the audience will enjoy.
JOHNS: Thank you very much.
FIELD: We've been talking with Nathan Johns of Crowe Chizek and Company. For Information Security Media Group, I'm Tom Field. Thank you very much.