
It seems to me that the systematic incentives in place with EFX simply do not require good security.

Security is expensive. But fraud/breaches at a CC company hit the wallet directly, and hence it is relatively cheaper to invest in securing their infrastructure. With EFX, though, there is no direct loss of revenue; it is the CC companies that are hit. Until now there was no directly measurable effect of their security practices, and so nothing incentivized any investment. And lastly, these are old organizations with old systems and a lot of momentum, and again without a correcting force.

If someone was starting up a new credit reporting agency today, can you imagine the security/compliance/auditing gauntlet they would have to run through to even open the doors? Very interesting events indeed.




    If someone was starting up a new credit reporting agency
    today can you imagine the security/compliance/auditing 
    gauntlet they would have to run through to even open the
    doors? Very interesting events indeed.
Perhaps, but you'd be surprised to learn that fintech / new insurance companies aren't compliance-ready, especially at launch time when they are already serving customers (in fact, I doubt some of them were even licensed when they first started). As long as you can dodge the ball / ask for an extension, you are fine. This is why you'd hire a skillful security compliance officer to negotiate with the auditors. Or, you can choose to run your startup in stealth mode first, and then slowly deal with the laws.

My experience with compliance is not in the fin/banking industry, and perhaps doesn't apply to anybody at all. When I had to deal with SOX compliance, I just had to make sure audit logs were in place and that they were exported to a safe and auditable log store, along with clear documentation about where things were, the roles and privileges of different user groups, how accounts are created/terminated/updated, etc., and whether we had backups or not.

If you say developers must have access to this production S3 bucket, totally cool, as long as the manager responsible for this system is aware (if it's written down somewhere, even better). The auditors don't care about the actual implementation. If your internal site superuser login is admin/admin, they don't care. If you allow public access to a secret portal, they don't care. Your boss signs off on the risk, and the auditor is happy to move on to the next item. Auditors don't care how many times a day you back up, or which copy is retained for 7 years as per SOX; as long as you did everything SOX requires, you are good.

YOU DO NOT tell auditors how your system actually works, because that's digging a grave for yourself. You sell your system to the auditor as if speaking to a customer, with as little information about the backend as possible. This is called minimizing the impact zone. If your system runs on five different DBs, has ten microservices, a couple of monitoring and alerting tools, and a dozen other things, well, please do not tell them all of the above. Choose what you can present and what you can defend. Limit what you show.

The auditor just wanted to see if there were logs and whether management had any clue what was going on. Don't spill the secrets, so they won't question them (e.g. do not tell them there is a publicly accessible secret portal). Communicating with an auditor is a very mindful skill, not something to be taken lightly. If you encounter a very technical auditor, yes, you'd face a tougher interview, but they are not there to judge your incompetence; they are just going to keep asking questions till you spill secrets, and then, HAHA, they have something to write.

For an institution like Equifax, there are too many holes to cover up at once, so they will limit exposure as much as possible. I'd say that, being a credit agency, they also have leverage, although that's just my conspiracy theory: all four agencies work with each other to make sure no one's credit is affected by a compliance report... No one wants to piss off a credit agency.


I work with auditors regularly and can confirm. I naively believed in my first year of employment that this was a cooperative relationship, with them there to help us understand our security weaknesses. Boy, was I corrected on that quickly!
