It’s a lender’s worst nightmare: You wake up one morning and your company is all over the news. Every teenager with a Reddit account has your customers’ names, addresses, and routing numbers. You have to freeze operations but find the cash flow to keep paying employees. You’re managing a media fiasco and bracing for massive lawsuits, dodging angry phone calls and emails from every which way.
The financial and reputational costs of a cyber incident can linger for years. Victims never forget the fear, inconvenience, and harm incurred when their information is exposed. The good news is, there are steps you can take to mitigate the risk of a data crisis. Follow these four rules to keep your borrowers’ personal information safe.
When lenders handle sensitive information, it must always be encrypted and shared through a secure online platform, never through email or chat. Lenders should use platforms specifically designed for safely handling information like bank records, payroll data, and social security numbers. A good platform should have its cybersecurity standards audited regularly and should verify the standards of any third-party partners or subprocessors.
This is especially important to consider when borrowers or applicants are asked to submit documents or verification of income. Unlike internal employees, who deal regularly with sensitive information, borrowers may not understand the risks inherent in sending data electronically. When receiving personal or financial information, lenders should always instruct borrowers in the proper protocols.
The more employees who have access to logins and accounts, the greater the likelihood of an accidental breach. Carefully control the number of personnel at your firm who interact with sensitive data. Give employees access only to the data that’s essential for their job duties. It only takes one person’s careless response to a phishing scam to bring even the largest company to its knees.
Limiting access means controlling physical data sources, as well. This includes restricting who uses certain laptops and mobile devices and carefully securing paper files and server rooms. Prohibit equipment and keycard sharing except where necessary. Ensure former employees return or destroy equipment when they depart the company. Limit who can take files or devices out of the office, and permanently delete old data that’s no longer in use.
Countless identity thefts still occur for the simple reason that otherwise intelligent people use passwords like “Password” or “12345.” And many significant corporate data breaches are caused by weak, stolen, or even nonexistent credentials. In one 2019 data leak, for example, over 24 million financial documents were exposed because two servers completely lacked passwords. For this reason, lenders need to protect their borrowers’ information with strict password requirements.
Passwords should be impossible to guess, updated regularly, never shared, and saved only with an appropriate password manager. They may need to be changed or updated when an employee leaves the company. Passwords should never be emailed between employees or shared over Slack, and they definitely shouldn’t be visible around the office. Think twice. That Post-it note stuck to the corner of your monitor could be tomorrow’s headline.
Every organization that deals with sensitive information should have a cybersecurity crisis management plan in place. Team members must be educated not just in how to avoid a data breach, but how to react if a serious incident does occur.
A good cyber-crisis plan should include things like:
- Cybersecurity training for employees, to protect against phishing attempts and other risks
- Protocols for how the company will detect attacks and data leaks
- A list of who will be responsible for managing a crisis and their duties
- Directives on what to prioritize if a serious data breach occurs
- Instructions for internal and external communications in the event of an incident
- Criteria on when critical operational functions can resume
- Regulatory and legal compliance information
- Plans for investigating the crisis once it ends and how forensic information will be used to prevent future attacks
A good cybersecurity plan starts with educating your employees. Make sure everyone at your company fully understands how phishing and other common scams work. Use examples to help them recognize different varieties. Enumerate the potential consequences of a breach and just how grave they can be. Teach every member of your team how to avoid vulnerabilities and stop crises before they happen.
Data breaches can often be avoided if you take the proper precautions, but there’s no way to guarantee 100% security. You may do everything you can to protect your borrowers’ information. But at some point, somehow, something still may leak.
In the event that you fail to keep your customers’ information private, the most important thing is to be honest. Let your clients — and, if necessary, the public — know how the incident occurred. Whatever you do, don’t stay silent or try to conceal things from clients or the media. If you’re not able to stop a data leak from happening, be responsible about mitigating the damage. It’s the only way to earn back the trust of your borrowers and your partners.