By Joel Bruckenstein
About two weeks ago it was widely reported that two major financial services firms, Genworth and Jackson National, suffered data breaches as a result of the MOVEit hack. MOVEit is software used to transfer large data files. In the case of these two firms, one of their vendors, PBI Research Services, used MOVEit, and the compromise led to the exposure of confidential client data. PBI is a third-party vendor that Genworth and Jackson National use to scan Social Security data and determine whether a policyholder may have died, triggering death benefits under a life insurance policy or annuity contract.
The two firms mentioned above are not the only ones that were impacted by MOVEit. Over 1,700 firms and government agencies use MOVEit.
While any data breach involving client data is disturbing, the speed with which both financial services firms identified the issue, notified all relevant parties and remediated the breach is actually a sign of strong cyber policies, according to Brian Edelman, CEO of FCI Cyber and a nationally recognized expert in cybersecurity protection and compliance.
“Every financial services firm should have a Mass Vulnerability Response plan in place,” says Edelman. “The fact that Genworth and Jackson National responded quickly and appropriately indicates that they both had strong programs.”
Edelman believes that a significant number of financial services firms have exposure to MOVEit. The fact that so many have not yet made any statement about their exposure suggests to him that there may still be unaddressed vulnerabilities out there.
“I would suggest that every advisory firm have their designated security officer reach out to their vendors to inquire whether or not they have been impacted by the MOVEit vulnerability,” Edelman says.
So, what lessons can we learn from this situation? The first one is somewhat counterintuitive: the firms that made the initial headlines, Genworth and Jackson National, demonstrated that they had strong policies in place that allowed them to respond rapidly and appropriately. The second is that the financial services industry needs to take further action to better protect client data. Firms that do not have a robust Mass Vulnerability Response plan need to improve their readiness now, because other vulnerabilities of this kind are likely to occur, and we need to be better prepared for them.