How does cyber security relate to your AML system?

Inherently, as a financial institution doing business every day, you capture sensitive data about your customers. That sensitive data includes customer, account, and transaction data, and it is housed in your Anti-Money Laundering (AML) system, if not in other places as well. Your accounting system is likely well protected from insider fraud and internet attacks, but your AML system may be an unlocked door to the same data if it is not similarly protected. If you are exposed to these risks, your company could be responsible for breaches of confidentiality, lose customers and money, or be subject to lawsuits. This is one way we believe cyber security relates to AML. This article will define the threat to your AML system and the steps you can take to further protect it through policies, procedures, and programs, such as encrypting the connection to the AML server with an SSL/TLS certificate.

The scenario

Every day, you sit down and log in to your AML system to run reports or check alerts. Do you know how that data gets to you? Just in case you don't, let's make sure. Your sensitive data exists in two different states, Data-At-Rest and Data-In-Flight (also called data in transit). Data-At-Rest is the data stored on your AML server or on your PC. Data-In-Flight is the data as it travels between those two locations, whether you are querying a transaction or updating customer information. The cyber security vulnerabilities we are going to discuss, as they relate to AML, concern Data-In-Flight.

Threats

Local Hosting

If your AML system is hosted locally, that means it is usually on-site at your institution or a branch of your institution and is managed and monitored by your IT department. However, just because your AML system is hosted locally, typically reached over your intranet or by remote access such as a VPN, does not by itself make it safe. According to an article written by Tracy Coenen, a forensic accountant and fraud investigator, "Companies are most at risk of fraud from their employees, since they have access to information and assets" (Coenen, 2014). Since your AML system holds sensitive data, including your customer, account, and transaction data, it would be proactive to take every reasonable measure to make sure it is as secure as possible.

As previously discussed, when your sensitive data travels from the AML server to your computer it is referred to as Data-In-Flight. Unless the connection is encrypted, Data-In-Flight is transferred in "cleartext", meaning it is readable by anyone who can see it on the wire. Note that a VPN only protects the part of the path inside the VPN tunnel; traffic between the VPN gateway and the AML server on the internal network is still cleartext if the application itself does not encrypt. Cleartext Data-In-Flight is vulnerable to packet sniffers, which may be placed on your network by a rogue employee or by an attacker during a network breach. A packet sniffer copies the data as it travels between the AML server and your computer, and if the data is not encrypted, whoever controls the sniffer now has a copy of your sensitive data.

Remote Hosting

When your AML system is hosted remotely, your server is run by a vendor who hosts it on their network on your behalf. The most common way to connect your desktop to their network is through a dedicated line. As data flows from your desktop to the server, it is Data-In-Flight. The additional hop over the dedicated line widens the exposure of this data; a dedicated line keeps other customers' traffic off your link, but it does not encrypt your traffic by itself. In addition to your data residing in a different location and travelling further, you are now subject to the policies and procedures of the hosting company, which may be less strict than your own. If this sounds like your institution, you will want to make sure that your vendor provides you with their policies and procedures, confirms that traffic on the line and inside their environment is encrypted, and reports how they monitor their network for unauthorized devices and sniffing tools.

The cost of compromised data

The average cost to a company after a data breach is $3.5 million and rising (Ponemon Institute, 2014). Because breach costs scale with the number of records exposed, the more customers you have, the more a breach costs. However, that figure covers only investigations, notifications, and responses. It does not include losses from customers leaving due to lack of confidence, or from falling stock prices.

How you can prevent this

With the proper policies, procedures, and programs, you can minimize the risk of data breaches to your business.

Policies and Procedures

How can you help yourself in the battle against data thieves? Tracy Coenen recommends that, "…companies invest in a comprehensive fraud prevention program. This will cost money up front, but that investment is easily recovered by a reduction in the company's fraud risk." Policies and procedures, when followed by all employees, make it difficult for hackers and rogue employees to gain access to your sensitive data, which makes you a much less tempting target.

There are also some important questions that you’ll need to consider:

  • Is there a strong password policy in place?
  • Do you require that passwords be changed periodically?
  • Is your company insured against data theft or breach?
  • Do you have multi-factor authentication or additional login challenges in place, particularly for remote access to the AML system?
  • Is the data breach procedure in your Business Continuity Plan up to date? See Memorandum M-07-16 from the Office of Management and Budget (OMB) for an outline of a breach response procedure (Johnson, 2007).
  • Has a risk analysis covering data breaches ever been performed?
  • Is there a procedure in place to deactivate employee logins and revoke access to the AML system when an employee changes departments or leaves the company?

Programs

The policies and procedures outlined above will help prevent or reduce damage from data breaches, but there is a way to further protect the sensitive data transmitted to and from your AML system. The easiest and most common way to protect your customer data in flight is to make sure your AML server only accepts connections secured with Secure Sockets Layer (SSL), or more precisely its successor, Transport Layer Security (TLS). The name "SSL" is still used loosely for both, but the SSL protocol versions themselves are obsolete and should be disabled in favour of TLS 1.2 or later.

SSL.com (Info.ssl.com, 2005) defines it as:

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

This secure connection is created by installing a certificate on the AML server (or on the web front end through which users reach it) and requiring that clients connect over HTTPS rather than plain HTTP. Your company most likely already has a contract with a trusted certificate vendor, and setting up a certificate for a new site is not expensive, difficult, or time consuming; for a server that is only reachable on your intranet, a certificate from your own internal certificate authority works just as well, provided the workstations trust that authority. Your IT department or outside consultants can perform the setup. Two details matter once the certificate is in place: the certificate must be issued for the host name your users actually type, and the client side must not be configured to skip certificate verification, or an attacker in the path can simply present a certificate of their own.

Here is how the web server will create the secure connection (figure from Dadian, 2013, not reproduced here): the browser connects and asks for a secure session, the server presents its certificate, the browser checks that the certificate is valid and was issued by an authority it trusts, the two sides agree on session keys, and from then on everything sent in either direction is encrypted with those keys.

Image Credit: Dadian, 2013
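The following example, added here and not part of the original article or of any AML vendor's software, ties the two halves of the argument together: the Local Hosting section's point that a packet sniffer copies whatever crosses the wire, and the Programs section's point that an SSL/TLS certificate is only useful when clients actually verify it. The first half runs a sniffer-style check over two constructed payloads (a cleartext HTTP request carrying an account number, and the header of a TLS application-data record); the second half builds the weak client configuration that quietly undoes the certificate next to the hardened one, with an audit function that tells them apart. The host name aml-server.internal, the URL path, the field names and the account number are invented for illustration.

```python
"""Data-In-Flight checks for an AML system (added example, stdlib only)."""
import re
import ssl
from typing import Optional

# Constructed sample payloads: what a packet sniffer on the AML network segment
# might copy off the wire. Neither comes from a real system.
CLEARTEXT_PAYLOAD = (
    b"POST /aml/alerts/update HTTP/1.1\r\n"
    b"Host: aml-server.internal\r\n"   # hypothetical host name
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"customer_id=C-10442&account=123456789012&amount=9900.00&alert=STRUCTURING"
)
# A TLS 1.2 record header (content type 0x17 = application data, version 0x0303,
# length 0x002a) followed by 42 bytes standing in for ciphertext.
TLS_PAYLOAD = bytes.fromhex("170303002a") + bytes(range(42))

ACCOUNT_RE = re.compile(rb"account=(\d{8,17})")


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header.

    A TLS record begins with a 1-byte content type (0x14..0x17) and a 2-byte
    protocol version 0x03 0x01..0x04. SSL 3.0 would be 0x03 0x00 and is
    deliberately not accepted as "protected" here.
    """
    return (
        len(payload) >= 5
        and payload[0] in (0x14, 0x15, 0x16, 0x17)
        and payload[1] == 0x03
        and payload[2] in (0x01, 0x02, 0x03, 0x04)
    )


def sniff(payload: bytes) -> dict:
    """What an attacker's sniffer learns from one captured TCP payload."""
    if is_tls_record(payload):
        return {"encrypted": True, "exposed_account": None}
    match = ACCOUNT_RE.search(payload)
    return {
        "encrypted": False,
        "exposed_account": match.group(1).decode() if match else None,
    }


def weak_client_context() -> ssl.SSLContext:
    """The common 'make the certificate warning go away' configuration.

    With verification off, the server's certificate buys nothing: anyone who
    can sit in the path can present a certificate of their own.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Context a workstation script or batch job should use towards the AML server.

    ca_bundle: PEM file of your internal CA if that CA issued the server's
    certificate (assumed here to be how an intranet AML server is set up);
    None means the operating system trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # refuse SSL 3.0, TLS 1.0, TLS 1.1
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Audit check: does this client context actually protect Data-In-Flight?"""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def connect_to_aml(host: str, port: int = 443, ca_bundle: Optional[str] = None):
    """Open a verified TLS connection to the AML server (needs a live server)."""
    import socket
    ctx = hardened_client_context(ca_bundle)
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, payload in (("cleartext HTTP", CLEARTEXT_PAYLOAD), ("TLS record", TLS_PAYLOAD)):
        print(name, sniff(payload))
    print("weak context hardened?", context_is_hardened(weak_client_context()))
    print("default context hardened?", context_is_hardened(hardened_client_context()))
```

Run it as a script to see both payloads classified and both contexts audited. The same sniff() check can be pointed at TCP payloads pulled out of a capture from the AML segment to find sessions that still travel in cleartext, and context_is_hardened() is the kind of assertion to put in the startup path of any in-house script or batch job that talks to the AML server, so that a "temporary" verify_mode = CERT_NONE never reaches production unnoticed.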

Conclusion

Because most businesses have made a greater effort to counter the cyber crimes that exist, your sensitive data is safer than ever. However, there are still opportunities to further mitigate the risks to your sensitive data. Make sure your sensitive data is protected wherever it may exist, that breach policies are in place, and that appropriate programs are working for you to minimize your risk. We recommend that you check with your IT department to see what measures have been taken to secure your AML system, and consider an SSL/TLS certificate for your AML system to close off the Data-In-Flight exposure described here.

References

Coenen, Tracy. (2014, September 29). Are Your Employees Committing Fraud? Fraud Files Forensic Accounting Blog. http://www.sequenceinc.com/fraudfiles/2014/09/are-your-employees-committing-fraud/

Dadian, Dina. (2013, November 11). SSL – what it means, how it works and where it is used. http://www.powersolution.com/ssl-what-it-means-how-it-works-whereused/

Info.ssl.com. (2005, June 7). What is SSL? http://info.ssl.com/article.aspx?id=10241

Johnson III, Clay. (2007, May 22). Safeguarding Against and Responding to the Breach of Personally Identifiable Information (OMB Memorandum M-07-16). Executive Office of the President. https://www.whitehouse.gov/sites/default/files/omb/assets/omb/memoranda/fy2007/m07-16.pdf

Ponemon Institute. (2014, May 5). Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis. News & Updates. http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis