U.S. financial institutions, including banks, credit unions and alternative lending firms, should make it a practice to ask business borrowers managing consumer data if they have completed data security compliance exams as a precaution against a breach that could contribute to loan default.
“We know that a major data breach can bring a company to its knees financially, and potentially put it out of business,” said Eric Ratcliffe, Director at 360 Advanced, a nationwide IT assurance and compliance services firm providing integrated compliance solutions for business-to-business service providers. “High on the loan committee’s list of critical considerations should be whether a potential borrower in the consumer data management business has achieved third party data security compliance examinations. It’s just good due diligence given the current realities.”
Ratcliffe observed that commercial insurance carriers and underwriters are already offering better rates for clients managing consumer data if they have successfully completed a data security compliance audit. Many are requiring the exams as a condition before writing a policy. Typical examinations providing data security safeguards can include the Service Organization Controls (SOC) 1 and 2, Payment Card Industry (PCI) and the Health Insurance Portability and Accountability Act (HIPAA) standards.
According to the Verizon Data Breach Investigations Report, financial firms were hit with the most data breaches in 2015, with some 795 breaches, followed by the accommodation/hotel sector (282), information sector (194), public sector (193), retail (137), and healthcare (115).