With the revelation of the Heartbleed security bug a few months behind us, it makes sense to stop and consider what the event taught U.S. banks about themselves and their retail customers.
The Heartbleed vulnerability in a popular type of open-source security software allowed attackers to steal data from companies' networks. As the world learned, the software did not belong to any specific organization or company, but was practically omnipresent across various companies' infrastructures. Moreover, while Heartbleed initially seemed to have impacted only websites, it was soon realized that mobile applications and various other software programs were also affected by this vulnerability.
Heartbleed was not just another security incident. Rather, it will have long-term ramifications as to how bank executives perceive their own IT infrastructure and how they address emerging customer concerns.
Banks now realize that they have heightened responsibilities toward customers when it comes to communicating security concerns. While the Heartbleed incident was still in its early days of public discourse, many banks and their regulators issued statements asserting the security of their infrastructure in order to allay consumers' worries. Some financial institutions, such as Bank of the West, even elected to blog about Heartbleed in order to answer common questions. This was a dramatic shift from the generic-sounding advice banks typically issue in the event of security breaches: don't open email from unknown parties, keep operating systems updated, and regularly monitor accounts for suspicious charges. I suspect that as time goes on, consumers will expect their banks to keep them even more deeply informed about their actions regarding specific security incidents.
Meanwhile, bank executives learned that open-source software is everywhere: used by airlines, public agencies, health providers, universities and just about every other aspect of the online economy. I am told that even some IT executives at large global banks were surprised by this fact. Heartbleed tore apart the perception that open source is not a part of corporate infrastructure once and for all. As CSO Online reporter Maria Korolov wrote, "Open-source software is widely used in business; avoiding open source completely is not an option, but blindly trusting the open source community to fix all mistakes is also problematic."
As banks internalize these new potential risks, they may elect to operate differently. In the short run, banks may have a knee-jerk reaction and try to limit their use of open-source technology, though I doubt such plans will prevail in the long term. Some banks may opt to make a rigorous examination of their internal open-source dependencies in order to assess possible exposures. And like many large technology companies, banks may begin contributing manpower, money, or both to key open-source initiatives in order to ensure that these critical open-source projects are safer and more heavily tested.
Heartbleed also taught retail banks that the regulatory community expects rapid, comprehensive responses to significant security incidents. In a rather unusual occurrence, the Federal Financial Institutions Examination Council issued a specific warning about Heartbleed and offered prescriptive guidance to financial institutions based on their total number of assets. In Canada, the Office of the Superintendent of Financial Institutions declared that it was working with Canadian financial institutions to make sure they were addressing potential exposures.
These examples mark a turning point as to how rapidly banks need to change their plans to deal with security vulnerabilities. While banks don't tend to share their operational plans with the public, it is safe to assume that regulators' quick turnaround prompted banks to put into place broader representation on their rapid-response teams, including individuals from information security, press relations, investor relations, business continuity and other departments.
Heartbleed was a game-changer because it fundamentally altered the basic perceptions and impressions that retail banking clients have of their banks, and vice versa. These new understandings may not radically impact the relationships banks have with their clients right away, but they do provide insight into how bank-client relationships will continue to develop over time.
Joram Borenstein is vice president at financial crime, risk and compliance firm NICE Actimize and a recognized expert in cybersecurity, compliance, payments protection, and risk management. He has instructed financial regulators from across the U.S. and has spoken at dozens of industry events.