Bank Reaction to Caller ID Spoofing May Attract FTC & SEC Attention
On Tuesday, KrebsOnSecurity posted an article describing a new telephone bank scam in which Citibank and several of its customers fell victim to caller ID spoofing. As reported by Brian Krebs, the attackers used caller ID spoofing to trick the bank’s automated telephone system into revealing past transaction information, which they then used to impersonate the bank and contact the consumer directly. The attackers held simultaneous calls with the bank and the cardholder, trading information between the two to carry out identity theft. Krebs’s article includes guidance for consumers on how to avoid these incidents.
For Citibank, there may be legal and regulatory questions from the U.S. Securities and Exchange Commission and Federal Trade Commission.
Citibank is publicly traded on the New York Stock Exchange and is therefore subject to SEC oversight and guidelines. Over the last five years, the SEC has increased its focus on cybersecurity. In September 2017, it launched a Cyber Unit to combat cyber misconduct, and it now issues annual cybersecurity guidance to investment management companies.
This year, the SEC’s Office of Compliance Inspections and Examinations (OCIE) again released its “Cybersecurity and Resiliency Operations” publication. In it, the SEC carefully noted that the document “is not a rule, regulation, or statement of the U.S. Securities and Exchange Commission. The Commission has neither approved nor disapproved its content. This statement, like all staff guidance, has no legal force or effect[.]” However, it also states that cybersecurity has been “a key element in its examination program over the past eight years.” OCIE’s guidance includes very generic recommendations on mobile device security and vulnerability scanning, designed to remind SEC registrants that these matters play a role in compliance and inspections.
The FTC has sharper teeth for cybersecurity enforcement, as it is tasked with monitoring financial institutions and their efforts to protect consumers. One of the laws the FTC relies on is the Gramm-Leach-Bliley (GLB) Act, which requires “financial institutions” (all businesses, regardless of size, that are “significantly engaged” in providing financial products or services) to ensure the security and confidentiality of consumer financial data; this requirement is known as the “Safeguards Rule.”
More specifically, the Safeguards Rule requires the following from organizations such as Citibank:
Maintain a written information security plan that describes the institution’s consumer protection efforts. The security measures must be proportional to the institution’s network, its size, and the type of data it protects;
Designate an employee (or group of employees) responsible for the company’s information security;
Carefully select service providers that also follow the Safeguards Rule;
Assess cybersecurity efforts to protect consumer data, especially in the areas of employee management and training, information systems, and detecting and managing system failures; and
Adjust security measures in response to those assessments and to changes in business operations. In other words, security should not be static.
The Safeguards Rule is intentionally flexible so that companies can design security that best fits their individual networks and data, and it gives the FTC the same level of flexibility in evaluating compliance.
The FTC further recommends routine audits to detect improper disclosures of customer information and, where a disclosure is detected, that the institution immediately begin corrective measures, notify affected customers, and employ strategies to determine whether a data breach occurred and how far it extends.
Here, Citibank was made aware of the potential for improper disclosures through caller ID spoofing and issued a statement in response to Brian Krebs’s inquiry. It will therefore be interesting to watch the response from Citibank, the SEC, the FTC, and any state agencies with an interest in the matter.
Fortunately for Citibank, the caller ID spoofing occurred before the implementation of the April 2019 proposed changes to the FTC’s Safeguards Rule, which, if adopted, would impose more specific cybersecurity requirements such as multi-factor authentication for access to all customer information.