BID Daily Newsletter
August 10, 2017

Lessons From An Online Audit

Statistics show the IRS audited about 0.70% of returns filed for 2016. Of course, that is the average; the rate climbs with income, reaching almost 20% at the highest compensation levels. For its part, PwC says the purpose of a financial audit for a company is to form a view on whether the information presented in the financial report, taken as a whole, reflects the financial position of the organization at a given date. Among the things auditors do not do: check every figure in the financial report; judge the appropriateness of business activities, strategies or decisions; or test the adequacy of all internal controls, to name a few. Clearly, audits vary by type, duration and focus, but they all generally revolve around a detailed review by someone with skills in that area.
Maybe it is time for banks to think about a different sort of audit related to protecting against cyber threats, while safeguarding customer privacy.
According to the results of the Online Trust Alliance's 2017 Online Trust Audit & Honor Roll, 52% of the top 1,000 websites have strong cybersecurity and privacy practices. That is good, but the number drops significantly when it comes to the websites of the US banking industry's largest players. According to the audit's findings, 65% of the websites of the 100 biggest US banks failed to meet the OTA's standards for best practices regarding Internet security and privacy.
The OTA's audit was conducted without the knowledge or participation of the websites that were analyzed. It looked at three major components: site security, consumer protection and privacy.
OTA examined everything from each site's consumer protection aspects, to its server, the security of its infrastructure and even transparency and privacy disclosures. Websites were penalized for security breaches and vulnerabilities, while bonus points were awarded for companies with emerging best practices in regards to overall site security and protection of customers' privacy.
The biggest reason for banks' poor showing in the OTA's audit was insufficient email authentication, that is, verifying the origin of emails sent to customers. Shockingly, this is an area where 45% of banks received failing ratings. The second weakest area was privacy, where 34% of the top 100 banks received failing ratings. Finally, overall site security was the third biggest concern for banks' websites, with 17% receiving failing ratings.
One major factor that harmed banks' overall rankings was the growing number of data breaches they experienced over the past year. Although we have addressed this issue before, it bears repeating - a proactive IT team is critical for banks to stay on top of all the latest cyber risks.
Given the growing number of phishing emails that consumers receive from forged email addresses these days, email authentication is an area where banks should pay particular attention. This is especially important since such authentication allows customers (and their email providers) to identify who is authorized to send email on the bank's behalf.
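The newsletter does not name the mechanisms behind "email authentication", so the following added example assumes the usual two that such audits score: an SPF record, which lists who may send mail for a domain, and a DMARC record, which tells receiving mail systems what to do with mail that fails. This is illustration code written for this page, not the OTA's scoring method or any bank's records; the domains and TXT records are constructed samples, and `lookup_txt` stands in for a real DNS query.

```python
"""Grade a domain's published email-authentication posture.

Added example, not from the newsletter or the OTA. Assumes the
"email authentication" being scored is SPF plus DMARC. All records
below are constructed samples living in a fake DNS table; in a real
check they would come from DNS TXT lookups.
"""
import re

# Constructed sample TXT records, keyed by the DNS name they would sit at.
SAMPLE_DNS = {
    "strong-bank.example.":        "v=spf1 include:_spf.mailvendor.example -all",
    "_dmarc.strong-bank.example.": "v=DMARC1; p=reject; rua=mailto:dmarc@strong-bank.example",
    "weak-bank.example.":          "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.weak-bank.example.":   "v=DMARC1; p=none; rua=mailto:dmarc@weak-bank.example",
    "absent-bank.example.":        "v=spf1 +all",
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Stand-in for a DNS TXT lookup against the fake table; None if absent."""
    return dns.get(name if name.endswith(".") else name + ".")


def parse_spf(record):
    """Return (is_spf, all_qualifier); qualifier is '-', '~', '?', '+' or None."""
    if not record or not record.lower().startswith("v=spf1"):
        return False, None
    all_q = None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_q = m.group(1) or "+"   # a bare "all" means "+all"
    return True, all_q


def parse_dmarc(record):
    """Return the DMARC tag/value pairs, or {} if missing or malformed."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)   # rua values contain '=' too
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, dns=SAMPLE_DNS):
    """Return ('pass' | 'partial' | 'fail', [finding, ...]) for a domain."""
    findings = []
    is_spf, all_q = parse_spf(lookup_txt(domain, dns))
    if not is_spf:
        findings.append("no SPF record")
    elif all_q == "+":
        findings.append("SPF permits any sender (+all)")
    elif all_q in ("~", "?", None):
        findings.append("SPF softfail/neutral; -all preferred")

    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, dns))
    policy = dmarc.get("p", "").lower()
    if not dmarc:
        findings.append("no DMARC record")
    elif policy == "none":
        findings.append("DMARC policy is monitor-only (p=none)")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy unrecognised: %r" % policy)
    if "rua" not in dmarc:
        findings.append("no DMARC aggregate reporting address (rua)")

    # Missing or wide-open records are a fail; weak settings are partial.
    if not is_spf or all_q == "+" or not dmarc:
        grade = "fail"
    elif all_q != "-" or policy not in ("quarantine", "reject"):
        grade = "partial"
    else:
        grade = "pass"
    return grade, findings


if __name__ == "__main__":
    for d in ("strong-bank.example", "weak-bank.example", "absent-bank.example"):
        grade, why = assess_domain(d)
        print(d, grade, "; ".join(why) or "ok")
```

The grading is deliberately coarse: a bank whose records merely exist but permit any sender or only monitor (`+all`, `p=none`) is the case the audit is warning about, since a forged message from such a domain is still delivered. Dropping the fake `SAMPLE_DNS` table and wiring `lookup_txt` to a real resolver turns this into a check a community bank could run against its own domain.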
While community banks do not fall within the OTA's audit, the results can be used as examples of areas to be particularly diligent about. As identity theft and cybercrime continue to rise, bank customers are increasingly concerned about privacy and the security of their information. Knowing this, community banks should make every effort to highlight the precautions they are taking in these areas of concern.
The main way to do this, of course, is to communicate regularly with your customers. Share things to watch for, such as suspicious emails, and remind customers continually not to share personal or account information. It is hard work to keep your bank and your customers safe, but occasional audits of your process and approach should help.