New Rules Would Require Formal Policies, Monitoring, Employee Training for Banks and Other Financial Firms
Financial firms are among the millions of businesses that have flocked to social media to promote their products and encourage customer interaction. According to one recent study, an estimated 99 percent of credit unions are using some form of social media, and most commercial banks now have an active social media presence as well.
While social media can be an effective way for such organizations to engage customers, it also poses new security risks. In light of this, the Federal Financial Institutions Examination Council (FFIEC) released a draft earlier this year of new guidelines for social media, which it defines as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” The proposed rules would apply to banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau and state regulators. The final version is expected to be published later this year.
The proposed regulations would require organizations to have a documented social media policy in place, along with enforcement of that policy and employee training. Moreover, financial institutions would need to conduct due diligence when using third-party services to ensure those providers understand the regulations and policies that financial institutions must follow.
The FFIEC’s 31-page document, Social Media: Consumer Compliance Risk Management Guidance, recommends a social media risk management program that includes seven key components:
- A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how social media usage contributes to the strategic goals of the institution (for example, through increasing brand awareness, product advertising, or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities;
- Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws, regulations, and guidance. Policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;
- A due diligence process for selecting and managing third-party service provider relationships in connection with social media;
- An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws, regulations, and guidance; and
- Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that periodically evaluate the effectiveness of the social media program and whether it is achieving its stated objectives.
Although many of the comments posted in response to the draft were concerned about the burden of additional regulations, and the potential privacy issues regarding individual employees, the seven basic principles of the regulations appear to be on the right track. Criminals are increasingly using social media to attack financial institutions, especially through phishing and spoofing, and many organizations still haven’t addressed the potential risks through formal plans and policies.
A case in point: according to a recent study by Microsoft, cited in an RSA report, phishing via social networks was used in only 8.3 percent of all attacks in early 2010. By the end of 2011, however, 84.5 percent of attacks were delivered through social media – a phenomenal increase. The rapid rise in incidents did not require a commensurate increase in the bad guys’ skills; rather, they used social media to their advantage. Criminals can compromise bank employees’ personal social media accounts and use them to solicit customer information from unknowing victims, or easily view publicly available LinkedIn profiles to determine, based on title and rank, which bank employees have special access to private customer information. Those are just two examples of how easy it is for bad actors to get their hands on information that can be used for phishing and spoofing. These types of threats can not only affect a firm’s reputation, but can also open the door to more advanced and stealthy attacks to get inside the network.
Cyveillance offers a variety of ways to help financial institutions protect their brands and address the FFIEC’s guidance, including cybersecurity training, anti-phishing and response services, and brand protection services such as social media compliance.