
OCC 2013-29 Compliance: Why Secure File Sharing for Banks Needs to Include Partners
OCC 2013-29 compliance requires banks to take responsibility for the security practices of their key partners. Financial institutions can achieve compliance with OCC 2013-29 and other regulations with secure file sharing for banks.
The Weakest Link
In a recent survey, bank executives were asked whether their bank would be vulnerable if one of their vendors experienced a cyberattack or data breach.
Almost half (44%) of all respondents answered “yes.” What’s equally concerning is that 34% said they were unsure their bank would be vulnerable. Only 21% of respondents said they don’t believe their bank would be vulnerable. (Note: these figures do not total one hundred percent due to rounding.)
As banks and other organizations incorporate partners and vendors into their workflows, they increasingly have to provide those partners with access to their networks. In practice this means opening a port for each vendor so that the vendor can reach the information it needs from outside the firewall. Naturally, the more ports an organization opens, the harder it becomes to manage, monitor and defend its data. This is the present-day challenge of secure file sharing for banks.
Citi and Scottrade Bank are just two examples of high-profile data breaches involving banks and their business partners.
OCC 2013-29 Compliance
Data breach prevention isn’t the only reason secure file sharing for banks must be a top priority. In 2013, the Office of the Comptroller of the Currency (OCC) issued Bulletin 2013-29, providing guidance for banks about their responsibility for the security of data entrusted to third parties.
The Bulletin lists several risk management requirements for banks to address, including assessing a third party’s information security program and the potential information security implications of a third party having access to a bank’s systems and its confidential information.
Specifically, a bank must determine whether the third party has sufficient experience in identifying, assessing, and mitigating current and potential threats and vulnerabilities. Banks must also evaluate the third party’s IT infrastructure and application security programs.
Ultimately, if a third party falls short in information security, OCC 2013-29 makes it clear the bank will bear some of the responsibility. Therefore, compliance or, more specifically, avoiding a compliance violation, is an additional driver of secure file sharing for banks.
Achieve OCC 2013-29 Compliance with Secure File Sharing
A secure file sharing solution, such as the Kiteworks secure file sharing and governance platform, provides a single, controlled interface that integrates with on-premises and cloud-based content systems. This lets banks and other financial institutions share files securely with trusted third parties and improves risk management for any work outsourced to a third party.
Secure file sharing for banks is achieved with:
- a hardened VM appliance that can be deployed in a private or hybrid cloud
- encryption of content in transit and at rest
- encryption key ownership
- advanced threat protection (ATP) and data loss prevention (DLP) integrations to stop malicious files from coming in and customer data from leaking out
Banks also achieve the highest levels of file sharing governance with granular policy controls and role-based permissions that ensure sensitive information is only accessible by authorized users.
Protecting customer data and demonstrating compliance with OCC 2013-29 are mandatory for banks and other financial institutions. Secure file sharing for banks and other financial institutions is the critical path to achieving data privacy and regulatory compliance.
Frequently Asked Questions
Regulatory compliance refers to the adherence to laws, regulations, guidelines, and specifications relevant to an organization’s business processes. Compliance is crucial for maintaining the company’s reputation, avoiding legal penalties, and ensuring the safety and security of operations.
Regulatory compliance affects different industries in various ways, depending on the specific regulations applicable to each industry. For instance, healthcare organizations must comply with regulations like HIPAA that protect patient data, while financial institutions must adhere to regulations like the PCI DSS that aim to prevent financial crises. Department of Defense contractors must comply with CMMC. Non-compliance can result in severe penalties, including fines and reputational damage.
Some common challenges include keeping up with changing regulations, managing and securing data, training employees on compliance requirements, and allocating sufficient resources for compliance activities. Additionally, global organizations may face the added complexity of complying with regulations in multiple jurisdictions.
Organizations can demonstrate their compliance with regulations through various means, such as maintaining comprehensive documentation of their compliance activities, conducting regular audits, and providing training records. In addition, some regulations may require organizations to submit regular reports or undergo external audits to demonstrate their compliance.
Data encryption plays a crucial role in regulatory compliance as it helps protect sensitive data from unauthorized access. Many regulations require organizations to implement appropriate security measures, including encryption, to safeguard data. By encrypting data, organizations can ensure its confidentiality and integrity, thereby helping to maintain compliance.