Posted by: David Schneier
breach, compliance, data breach, FDIC, NCUA, regulations, regulatory, Regulatory Compliance
The other day I was watching my cat attempt to catch his own tail. Now I know that by itself it’s not unusual for cats or dogs to attempt such a feat but for this one in particular it was unusual as I’ve never seen him do it before. He’s a remarkably athletic animal and so what I witnessed turned out to be something a bit different. He started spinning so fast that at one point he actually gained altitude and spun more than a complete rotation without the benefit of legs. At the same time, he somehow managed to extend his forepaws just enough to grab the tip of his tail and once done, dropped back to the ground to enjoy his success. He went on to do the same exact thing twice more before calling it quits.
Why I bring this up is because sometimes I feel that my industry does the same exact thing only in writing.
After staying up late last Sunday night to follow the developing story regarding Osama Bin Laden, I remember quite clearly what was going through my mind. It was a delicate blend of relief, national pride and something that can best be described as detached ambivalence. I also experienced a touch of concern wondering if those aligned with the terrorist leader would attempt some measure of revenge and wishing that I wasn’t traveling this week. I also remember wondering if my children were going to remember this moment in any measurable way so that perhaps one day they might tell their children the story about where they were when they heard the news. But what I didn’t think at all about was how this turn of events was going to impact the banking industry. Apparently I was missing something.
When I had a chance to scan the industry sites on Monday, a number of them had lead stories about how important it was for banks to step up their monitoring efforts in the wake of Bin Laden’s death to detect the movement of monies used to fund terrorist organizations. Several rehashed the impact that 9/11 had on the banking industry discussing AML and BSA. One even had a story that sort of spun things in a way that might make the reader think the banking industry was at increased risk of disruption due to malicious efforts.
Really? I mean, really?
The only silver lining to any of this was that it sort of pushed the Sony data breach to the back of the line, which was another hot topic that had me scratching my head. Many industry experts were clamoring about the enormity of the breach (no one actually knows how big it is; it’s all speculative at this point). Several articles were thinking aloud about how significant this incident could be if it also included credit/debit card information. Some were estimating that the potential cost of the breach could set records. If I didn’t do what I do for a living this would have had me freaking out a bit. But really, in the end, I know better and by putting things in perspective could see that this wasn’t another Heartland but really something more closely resembling the Epsilon breach. Sony clearly stated that while there was the potential that credit card information might have been exposed, it was less than one percent of the total number of accounts involved and all were exclusively outside of the U.S.A. So for most of the tens of millions of Playstation users who were affected, it was pretty much a minor event.
At the end of my workday on Monday, and after reading all the blaring headlines and posts dissecting the Bin Laden and Sony stories, I came to the conclusion that my banking clients had nothing new to worry about that wasn’t already on their radar when they left for the weekend the previous Friday. All of the institutions whose operations I have knowledge of were already doing what they needed to address AML/BSA requirements, and none of them had any new exposures due to the Sony breach (unless of course they had a Sony Playstation at home). All those headlines and so little to learn from any of it.
Really? I mean, really?
There are legitimate news stories that can and will naturally extend themselves to banking and regulatory compliance, but not all of them will. And not all recurrences of a now all-too-common affliction (data breaches) require a “stop the press” mindset. I remember shortly after the Heartland breach was announced back in 2009 being onsite at a credit union client. I was amazed by how much it impacted their operational area, but only until their COO shared with me that this was only the most recent such event and it was something they had to deal with fairly regularly – what I was witnessing was, sadly, a new type of business as usual. Here I was thinking Heartland had been a game changer, but all it was in the end was an unusually large incident. Some banking media sites at the time rode that story for months despite the fact that it was only big in scope, not in impact.
And so in the end I wonder what exactly is the difference between publishing content about an event that isn’t really an event and my cat chasing his tail.