FFIEC Guidance on Social Media Risk

For the past 60 days, the writers and thinkers at infotex have been working diligently on our Social Media Guidance Response Kit.   Given that we conduct “public presence reviews” and “social media reviews” as part of our IT Audit process, we came to this table with a healthy understanding of the risks banks face due to social media.  And while the guidance is very helpful in relation to compliance risk, it misses the mark when it comes to helping banks manage the overall risk of Web 2.0 technology . . . . the use of interactive applications served over the internet.

But wait . . . .

What the guidance does well:

Before this becomes too much of a flame-post, let me say that the guidance does serve some important functions:

1. The guidance DOES properly define the problem:  both in the way it defines social media, and in the way it expresses the many risks associated with the phenomenon.
2. The guidance simplifies the risk expression into four risks:  compliance, legal, reputational, and privacy.   (But it “only gives a nod” to the security risks, and thus this article.)
3. The guidance maps out, in appropriate detail, the intricate web of laws and regulations impacting the use of interactive internet applications (currently called social media).
4. Thus the guidance serves as a map (for those who would) showing us how to TAKE compliance risk in the areas of lending products, deposit services, and payment systems.  ^{Footnote #1}

And in their defense:  the FFIEC released an advance copy of this guidance on January 23^rd of last year . . . almost a year in advance of publishing the final guidance on 12/11/2013.  They did this to seek comments from the public, and while 81 official comments were received, it does not appear that any were related to information security.

But what the guidance misses:

The above benefits are great, but if we do not also address security risk . . . . what’s the point?  The guidance only gives a slight nod to the notion of security (and in that, the concern was privacy.)  But in our opinion the majority of the risk is going to be in the employee and customer sites, not in the institution-owned sites.  The guidance fails to adequately address malware, social engineering, and account takeovers.

So fortunately:

Infotex is creating a guidance response kit that will allow your team to quickly assure compliance while concurrently installing a simple review process that keeps you in compliance.  And for those who are already adequately addressing security risk, the kit allows for a stand-alone approach.  A video will show you how to focus solely on the compliance aspects of social media (and thus only the requirements of the guidance).

However, if you feel insecure about the security risk exposure from employee and customer social media assets, the kit will also give you the ability to expand the asset focus to include not only your own bank-owned site, but also the risks associated with employee and customer social media assets.

Simplicity is the key.  The kit will be simple:  language to insert in a board policy, a customize-able set of standards, and the review process (tracked with a simple excel spreadsheet).  We’re also working on training materials for your management team members and such, but that’s just the icing on the cake.

The review process will require a periodic meeting between team members (as defined in the guidance.)  It will combine risk assessing with auditing, and deliver a risk-rated report of any gaps between the guidance, the security framework, and your actual presence.

The meeting structure allows all social media assets to undergo a compliance (plus other risk if you wish) review and allows you to keep the entire process contained to the meeting (plus the agenda and the minutes).  We’re thinking this review meeting can be semi-annual for institutions that very active in social media, and annual for other institutions.

So when?

We’re doing the best we can to get the Social Media Guidance Response Kit onto our e-commerce site as soon as possible.  Our hope is that we will be posting it by the end of the month, so that we can be showing you how to use it during our workshop at the Indiana Bankers Association on March 26^th.

Footnote #1:  We’re not so sure community-based banks will be that excited by the prospects of a map to deploying payment systems, lending products, and deposit services on social media.  It seems that only big-banks . . . maybe innovative regional banks . . . will be able to take advantage of the volume that would be necessary to justify these risks.  In other words, we don’t see First Bank of Nowhere spending a lot of money renting a re-branded Facebook banking app.  However, please keep in mind, most (but not all) of us thought Facebook was going to be a fad when we reluctantly wrote our first social media policy in 2007.

Original article by Dan Hadaway CRISC CISA CISM.
(Alias: the one who thought Facebook was a passing fad!)

Founder and Managing Partner, infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”