
Manage Tomorrow's Surprises Today

Steven Minsky

Regulators Target Risk Management Negligence in Small to Mid-Sized Firms


Last month, the Consumer Financial Protection Bureau (CFPB) investigated Dwolla, an e-commerce and online-payment company, and found it negligent in the risk management of its data security practices.

The investigation has some significant implications. Before we take a deeper look, here are a few key takeaways:


  1. Dwolla paid a civil penalty of $100,000 even though it suffered no data breach. This indicates "a broader trend among regulators to change the focus of enforcement from post-scandal investigation to prevention and risk management effectiveness disclosure adequacy." The damage to the company's reputation will likely cost it customers, which could hurt more than the penalty itself.
  2. This is the CFPB's first application of something similar to the SEC disclosure standards, and it foreshadows additional enforcement activity for risk management negligence, according to Data Protection Report.
  3. That the bureau acted against a small private company, with no breach to prompt it, makes clear that companies like Dwolla are on its radar. Any company (large, medium, or small) is at risk of similar action.
  4. This enforcement action shows that risk managers are being held increasingly accountable for a) risk assessments of their organization's control adequacy and b) their companies' risk disclosures, all the way down to the front lines.

The Facts of the Dwolla Case


Dwolla claimed to use "safe" and "secure" transactions to protect consumer data from unauthorized access. On its website, Dwolla claimed its data security practices exceeded industry standards. It also indicated that all sensitive personal information was encrypted and mobile applications were safe and secure.

However, the company didn't live up to its marketing: its ERM efforts did not match industry standards, and its data security practices fell short. Misrepresenting risk management capabilities to consumers is a deceptive practice and therefore illegal, and regulators across the board are enforcing related standards.

Dwolla's risk management negligence came down to three failures. The company did not:

  1. Actually implement the data security policies it claimed were fully in place.
  2. Conduct risk assessments, evaluate control adequacy, and monitor risk effectiveness. These steps should have occurred across the organization, out to the front lines.
  3. Implement an ERM system to support its risk management claims.

How Significant is this Development?

Again, Dwolla wasn't attacked and didn't suffer a data breach. It was penalized for misrepresenting the strength of its risk management program, systems, and capabilities. This means regulations requiring organizations to disclose the effectiveness of their risk management programs (initiated by the SEC in 2010) have spread to other regulatory agencies, much as Sarbanes-Oxley spread from the SEC to all federal and state regulators.

Above all, the Dwolla case should serve as a warning to smaller and/or private organizations. There are two roads to choose from:

  1. Up the ante on risk programs and practices, or
  2. Chance a publicized callout for risk management negligence and suffer the associated regulatory enforcement action.

The CFPB's supervisory authority is very broad: it oversees banks, credit unions, and many other financial institutions. That means a huge number of organizations could find themselves in Dwolla's shoes.

Additionally, company size is no longer a good predictor of who might be examined next; in essence, the "not me" excuse is no longer valid. Compounding this, it doesn't take a data breach or other security failure for there to be serious trouble.

As a result of all the above, this development is very significant. Claiming best practices without meeting those standards is considered misrepresentation and negligence.

Risk management isn't about the "what if." It's about how effective your program and systems are. To assess the effectiveness of your ERM program, take this free RIMS Risk Maturity Model exercise. Any score less than "repeatable" is considered risk management negligence by the SEC, CFPB, and many other regulators. Evaluate your capabilities before auditors and regulators use the assessment to do the same.

 

To learn more about how to implement a proactive, best-practice security program, download our eBook, SEC Cybersecurity: An Annotated Guide. Read another of our blog posts for a different example of board-level accountability and poor risk management.




In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
