Last month, the Consumer Financial Protection Bureau (CFPB) investigated Dwolla, an e-commerce and online-payment company, and found it guilty of risk management negligence in its data security practices.
The investigation has some significant implications. Before we take a deeper look, here are a few key takeaways:
The Facts of the Dwolla Case
Dwolla claimed to use “safe” and “secure” transactions to protect consumer data from unauthorized access. On its website, Dwolla claimed its data security practices exceeded industry standards. It also indicated that all sensitive personal information was encrypted and mobile applications were safe and secure.
However, the company didn’t live up to its marketing; its ERM efforts did not match industry standards, and its data security practices fell short. Deception about risk management capabilities is illegal, and regulators across the board are enforcing related standards.
Dwolla’s risk management negligence was discovered because it failed to:
How Significant Is This Development?
Again, Dwolla wasn’t attacked and didn’t suffer a data breach. It suffered for misrepresenting the strength of its risk management program, systems, and capabilities. This means regulations requiring organizations to disclose the effectiveness of their risk management programs (initiated by the SEC in 2010) have spread to other regulatory agencies. It’s similar to Sarbanes-Oxley spreading from the SEC to all federal and state regulators.
Above all, the Dwolla case should serve as a warning to smaller and/or private organizations. It’s time to take either of two roads:
The CFPB has very broad supervision – it oversees banks, credit unions, and many other financial institutions – meaning a huge number of organizations could find themselves in Dwolla’s shoes.
Additionally, company size is no longer a good predictor of who might be looked at next. In essence, the “not me” excuse is no longer valid. Compounding this is the fact that it doesn’t take a data breach or other security failure for there to be serious trouble.
Taken together, these factors make this development very significant. Claiming best practices without meeting those standards is considered misrepresentation and negligence.
Risk management isn’t about the “what if.” It’s about how effective your program and systems are. To assess the effectiveness of your ERM program, take this free RIMS Risk Maturity Model exercise. Any score less than “repeatable” is considered risk management negligence by the SEC, CFPB, and many other regulators. Evaluate your capabilities before auditors and regulators use the assessment to do the same.
To learn more about how to implement a proactive, best-practice security program, download our eBook, SEC Cybersecurity: An Annotated Guide. Read another of our blog posts for a different example of board-level accountability and poor risk management.