With the revelation of the Heartbleed security bug a few months behind us, it makes sense to stop and consider what the event taught U.S. banks about themselves and their retail customers.
The Heartbleed vulnerability, a bug in the widely used open-source OpenSSL cryptographic library (CVE-2014-0160), let attackers read chunks of a server's memory, which could include session cookies, passwords and even private keys. As the world learned, the library did not belong to any specific organization or company, yet it was practically omnipresent across companies' infrastructures. Moreover, while Heartbleed initially seemed to affect only websites, it soon became clear that mobile applications and other software that bundled the same library were affected as well.
Heartbleed was not just another security incident. Rather, it will have long-term ramifications as to how bank executives perceive their own IT infrastructure and how they address emerging customer concerns.
Banks now realize that they have heightened responsibilities toward customers when it comes to communicating security concerns. While the Heartbleed incident was still in its early days of public discourse, many banks and their regulators issued statements asserting the security of their infrastructure in order to allay consumers' worries. Some financial institutions, such as Bank of the West, even elected to
Meanwhile, bank executives learned that open-source software is everywhere: used by airlines, public agencies, health providers, universities and just about every other part of the online economy. I am told that even some IT executives at large global banks were surprised by this fact. Heartbleed demolished, once and for all, the perception that open source is not part of corporate infrastructure. As CSO Online reporter
As banks internalize these new potential risks, they may elect to operate differently. In the short run, banks may have a knee-jerk reaction and try to limit their use of open-source technology, though I doubt such plans will prevail in the long term. Some banks may opt to conduct a rigorous inventory of their internal open-source dependencies in order to assess possible exposures. And like many large technology companies, banks may begin contributing engineering time, money or both to key open-source initiatives in order to ensure that these critical projects are safer and more heavily tested.
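The dependency inventory described above is where such an exposure assessment starts in practice. The following script is an added example, not code from the article or from any bank; it triages a constructed list of hosts and the OpenSSL version strings collected from them (the `openssl version` output or a package version) against the publicly documented Heartbleed range: upstream 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release, fixed in 1.0.1g and 1.0.2-beta2. The host names and version strings are hypothetical. The one caveat a practitioner needs is built in: distributions such as Debian and Red Hat backport fixes without changing the upstream letter, so a vendor-revised version string is routed to manual review rather than declared vulnerable or safe.

```python
import re
from typing import Dict, List, Tuple

# Upstream OpenSSL releases affected by Heartbleed (CVE-2014-0160):
# 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release. 1.0.1g and 1.0.2-beta2
# shipped the fix; 0.9.8 and 1.0.0 never contained the TLS heartbeat code.
FIXED_1_0_1_LETTER = "g"

# Matches "1.0.1e", "1.0.1e-fips", "1.0.2-beta1", "1.0.1e-2+deb7u6", "1.0.1e-16.el6_5.7"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?(.*)$")


def classify_openssl_version(version: str) -> str:
    """Classify one version string as 'vulnerable', 'not_affected', 'review' or 'unparsed'.

    Accepts either a bare version ("1.0.1e-fips") or the full output of
    `openssl version` ("OpenSSL 1.0.1e-fips 11 Feb 2013").
    """
    parts = version.strip().split()
    if parts and parts[0].lower() == "openssl":
        parts = parts[1:]
    if not parts:
        return "unparsed"
    m = VERSION_RE.match(parts[0])
    if not m:
        return "unparsed"
    major, minor, patch, letter, beta, suffix = m.groups()
    base = (int(major), int(minor), int(patch))
    # Plain "1.0.1" has an empty letter, which sorts before "g" and is vulnerable.
    upstream_vulnerable = (
        (base == (1, 0, 1) and letter < FIXED_1_0_1_LETTER)
        or (base == (1, 0, 2) and beta == "1")
    )
    if suffix and suffix != "-fips":
        # A vendor revision (Debian "-2+deb7u6", RHEL "-16.el6_5.7") may carry a
        # backported fix; the upstream letter alone cannot decide, so hand it to a human.
        return "review" if upstream_vulnerable else "not_affected"
    return "vulnerable" if upstream_vulnerable else "not_affected"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group host names by Heartbleed status."""
    report: Dict[str, List[str]] = {
        "vulnerable": [], "review": [], "not_affected": [], "unparsed": []
    }
    for host, version in inventory:
        report[classify_openssl_version(version)].append(host)
    return report


# Constructed sample inventory; hypothetical hosts, not data from the article.
SAMPLE_INVENTORY = [
    ("web-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("lb-01", "1.0.1e-fips"),
    ("app-deb-01", "1.0.1e-2+deb7u6"),
    ("app-rhel-01", "1.0.1e-16.el6_5.7"),
    ("legacy-01", "0.9.8y"),
    ("beta-01", "1.0.2-beta1"),
    ("beta-02", "1.0.2-beta2"),
    ("unknown-01", "libssl (version not reported)"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Two limits of any version-based inventory are worth stating. A build compiled with `OPENSSL_NO_HEARTBEATS` is not exploitable whatever its version string says, and a copy of the library statically linked into an appliance, a mainframe utility or a mobile app never appears in a package list at all; those are exactly the assets the article notes were overlooked at first, and they need a network-side check or a vendor statement rather than this script.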
Heartbleed also taught retail banks that the regulatory community expects rapid, comprehensive responses to significant security incidents. In a rather unusual occurrence, the Federal Financial Institutions Examination Council issued a specific
These examples mark a turning point as to how rapidly banks need to change their plans to deal with security vulnerabilities. While banks don't tend to share their operational plans with the public, it is safe to assume that regulators' quick turnaround prompted banks to put into place broader representation on their rapid-response teams, including individuals from information security, press relations, investor relations, business continuity and other departments.
Heartbleed was a game-changer because it fundamentally altered how retail banking clients perceive their banks, and vice versa. These new understandings may not radically change bank-client relationships right away, but they do offer insight into how those relationships will continue to develop over time.
Joram Borenstein is vice president at financial crime, risk and compliance firm NICE Actimize and a recognized expert in cybersecurity, compliance, payments protection, and risk management. He has instructed financial regulators from across the U.S. and has spoken at dozens of industry events.