LOS ANGELES — The sudden ordinariness of corporate data breaches has led to feelings of helplessness inside the financial industry.
That sense of despair is apt to be particularly prevalent at smaller institutions, where the resources available to stave off sophisticated cybercrimes may not match the expectations of their regulators.
So what can a small firm do in the face of well-organized bands of hackers?
Actually, quite a bit, according to experts who spoke at the Mortgage Bankers Association's recent annual technology conference.
Here are four steps that banks, mortgage companies and other financial institutions can take to prepare for a digital attack.
Write an Incident Response Plan
This is perhaps the most important move an institution can make — not only because it will give employees marching orders during a stressful time when executives' time and attention might otherwise be stretched thin, but also because it might buy goodwill from regulators.
The incident response plan should include input from information technology staffers, but it should not be written solely by the techies. It should include a list of who needs to be called, and a plan for communications outside of the company.
"It's really not that costly to develop that plan," said Jonathan Gloster, chief innovation officer at Van Dyke Technology Group in Columbia, Md. "But it is very costly after the incident to try to pull together the pieces."
Fully Vet Vendors
Over the last half-decade or so, the banking industry has grown accustomed to being held accountable for the actions of its vendors. And while much of the attention has focused on lapses in consumer protection, gaps in data security can be just as problematic, or more.
After all, the infamous 2013 breach at retail giant Target reportedly began with an email phishing attack that was sent to employees of a Target heating, ventilation and air conditioning vendor.
So banks need to make clear what they expect of their vendors when it comes to data security. The good news is that vendors now expect this type of scrutiny from financial institutions.
"When you're in a regulated industry like ours, there's just a certain expectation of the vendor community that if they want to swim in these waters, they need to meet certain requirements," said Shawn Malone, vice president for business compliance at Radian Guaranty Inc. in Philadelphia.
Promote Good Data Hygiene
Data breaches are often the result of employees making careless decisions, whether it's leaving a password on a sticky note or losing track of a thumb drive.
Experts say that companies can help protect themselves by continually reminding employees to be mindful of data security.
"There are so many things that you can do that are very simple, like reminding your employees not to take personal information home," said Daniel McKenna, a law partner at Ballard Spahr's Philadelphia office. "We have seen it pay dividends. It's a very cost-effective thing to do."
Stay in Touch with the Authorities
Waiting until after a data breach has occurred to establish a relationship with state attorneys general and other local authorities may leave institutions starting off on the wrong foot.
It's better to contact authorities beforehand, said Douglas Gansler, the former attorney general of Maryland. Being proactive, and being able to present an incident response plan that has been produced responsibly, sends a message to law enforcement that a company takes data security seriously.
"A year ago even, certainly two years ago, regulators would look at companies that had an incident as the defendant," said Gansler, who is now a law partner at Buckley Sandler in Washington, D.C. "And that's really changed over time — from 'The company screwed up' to now 'The company's been victimized.'"