Posted by: David Schneier
A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally. Part of the speech pointed out that my firm helped “banks and credit unions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A&B”. To this day when anyone inquires as to what I do for a living this surfaces in some form as an answer.
Truth be told, while I’ve spent somewhere near seventy-five percent of my time over the past ten years working for financial institutions I’ve also done a fair amount of work for insurance companies, mostly centered on SOX with occasional diversions into general risk assessment work. The drivers in the insurance industry are different in terms of oversight and requirements and so the volume of work isn’t nearly the same. But that by itself begs a question: Why isn’t the insurance industry as regulated as financial institutions?
I’ve now done major audit and assurance work for financial institutions, insurance companies and health care providers and for most of them the risk profile is almost identical in terms of non-public personal information. So why isn’t the level of scrutiny equal across all three of them? While some might start spouting about how it is, about how states routinely audit insurance companies and how the health care industry has to comply with HIPAA the truth is that banks and credit unions are held to a much higher degree of accountability than any other vertical. Why is that?
I’m fond of routinely, almost incessantly beating the drum about how it’s all about the risk. I get my initial client opportunities because I have a deep resume with relevant experience but I generate repeat business because I tend to whittle things down to what matters most both to my clients and to their oversight providers (auditors and examiners alike). Compliance exists because risks need to be addressed – if the risks aren’t credible or likely the work should be adjusted to reflect that. But where the risks are real they’re really real. The type of data shared with an insurance company is in many ways even more sensitive than anything shared with a bank and most of what’s shared with insurance companies is also shared with health care providers. Yet there’s no true Federal oversight for the insurance industry and HIPAA is about as much of a toothless tiger as anything I’ve ever encountered.
I recently completed a boatload of documentation to get my family on a new health insurance plan. I turned over every piece of sensitive information I have for every member of my family minus my bank account information because that’s what was required. I had to provide all of this online and follow that up by sending them an impressive array of hard-copy documents with even more sensitive information that should never be kicking around in the public domain. In the past I’ve also been required to provide my bank account information because one plan in particular would only provide coverage if they could automatically deduct monthly premiums via ACH drafts. So now the insurance industry has access to it all; name, address, social security number, date-of-birth, maiden name, medical history and banking information. And yet there’s no true oversight agency that’s responsible for making sure they’re protecting all of MY information.
To compound my frustration, of the four insurance companies I’ve conducted work for since 2006 (two of which are Fortune 500 companies) exactly none of them have something akin to a Chief Information Security Officer. They all have risk people focused on the business side of things (because that’s necessary to protect profitability) but that’s it. There’s typically an information security manager who’s part of the infrastructure team but who almost never reports directly to the senior-most technology person (e.g. CIO, CTO). Any audit work that occurs is coordinated across multiple IT managers, and on rare occasions there will be an audit/assurance manager. However, in the one example I personally know of where that position exists, the person in the role was really just a converted IT manager who obtained a CISA designation – no fundamental audit or assessment experience.
The question has to be asked: Why is it that banks and credit unions are heavily regulated regarding protection of non-public personal information but other industries with similar risk profiles are not? Why aren’t insurance companies required to comply with FFIEC-type guidance? Why isn’t there a Federal regulatory agency that is responsible for keeping an eye on the insurance industry the way the FDIC, OCC, FRB and NCUA do for their financial institutions? And trust me, whatever oversight exists for the insurance and health care industries is largely ineffective. Why is my sensitive information considered more at risk within a banking infrastructure than it is within an insurance infrastructure? Having been on site for both and examined their internal controls, I can’t answer that question, that’s for certain.