David Murray is the chief information security officer at Genworth Mortgage Insurance, where he leads the IT security efforts to protect company and customer information. Murray has been in IT for 30 years, as an application developer, many years as a database administrator, and the last 18 years in IT security. At Genworth, he has IT security responsibility for Genworth's U.S. mortgage insurance business, and IT security oversight for Genworth mortgage insurance operations in Canada, Mexico and Australia.
Marcy Zeplin is an enterprise risk manager for Genworth's Global Mortgage Insurance Division with responsibilities around the advancement of enterprise risk management, including IT risk management, across the company. She also has led the information-security awareness program at Genworth Mortgage Insurance for the past three years. Zeplin has held the position of enterprise risk manager since 2013 but has been with the company for 20 years, holding various roles within the U.S. mortgage insurance business in commercial analytics, business intelligence and finance.
Scotsman Guide Residential Edition | ScotsmanGuide.com | October 2018
Imagine a mortgage company is considering an information technology project to eliminate data stored in its systems. The data is no longer relevant, but since the company's systems had not been built with automatic purge mechanisms, there is fear that if the purge is not done correctly, systems may malfunction. Much analysis is needed, making it a costly project.

A company executive remarks, "There's no business value in this project. Why should we do this?"
What the executive is saying is there's no business gain — no increase in revenue, reduction in cost, increase in operational efficiency, nor customer value in the project — just high cost and lost opportunity because the IT resources could be used elsewhere.
This is a logical business argument, but is this the entire story? Are there other factors to consider? Here is what should be added into the equation: data breaches, regulations and public/customer perception, along with the impacts those may have on
Face the risks
Data breaches are in the news every week. Boardrooms are feeling the pressure to be better protected. Politicians and regulators are deciding if the government should intervene. The more data you have that can be exposed, the greater the risk.
The Ponemon Institute's 2017 Cost of a Data Breach Study puts the cost of a breach at $156 a record. For financial institutions, the cost is estimated at $245 a record. How many records do you have? How much would it cost if those records fell into the wrong hands? If you reduced that by 20 percent, what might your
Then there's the concern over new regulations. Mortgage originators answer to many regulatory agencies. Most regulators now have some concern over protecting this data, what's called personally identifiable
The New York Department of Financial Services cybersecurity regulation, which applies to any financial services company doing business in the state, provides guidance on data-retention rules. It suggests you must delete any nonpublic information no longer needed for business purposes.
The National Association of Insurance Commissioners' Insurance Data Security Model Law, recently adopted by South Carolina, imposes similar requirements on insurance companies. It is likely that in coming years many states will adopt similar laws setting guidance on data retention. This means that poor data hygiene could result in fines and penalties. The age and quantity of personally identifiable information involved will likely determine the size of any fine.
Culpability for inaction
While data breaches have become more commonplace, the actions leading up to the breach and how you respond do matter. Consider two different scenarios and how customers might respond after a breach.
In the first case, Company A has had a strong security posture and deleted unneeded personally identifiable information, so the data breach involved only its current, active customers. The company responds in a timely and adequate manner and effectively demonstrates that it has routinely purged customer data no longer needed for business or compliance purposes. In today's environment, it will likely be forgiven with negligible impact.
Company B, on the other hand, has a good security posture but has not done a good job managing data. When it gets breached, the data is not only for current customers but also for customers from long ago. The size of the breach in terms of impacted consumers is many times larger. The costs associated with notifications, credit monitoring, etc., increase dramatically. A regulator may consider this negligence and levy fines. Then there are the customers. Does the customer base lose faith in the business as not being well managed and go elsewhere?
Department store retailer Target suffered considerably after a 2013 data breach when hackers stole credit and debit card information from about 40 million of its customers and other information affecting 70 million people.

Target saw a significant drop in customer traffic following the breach. Target did recover, but at a considerable cost.
How would you personally feel if you lost a customer because you mishandled their sensitive information, especially with the influence of social media, which can be used to quickly spread this news?
Identify business need
So, what should you do? First, identify your data. Do you know exactly what data you have, its age, and where it is stored? After you have your inventory, then you need to develop a strategy for deciding what to keep and what to delete.
The first step should be to delete or trash any data that you know for a fact is no longer needed — and ask yourself if your client would expect you to retain anything other than contact information. Regulations like those adopted in New York indicate you should delete data you do not have a business need to keep.
It is possible many data elements may have long-term business value for maintaining a customer base, historical trending, cyclical analysis, etc. But what about the personally identifiable information associated with those records? You should have a solid business need to keep this data; otherwise those elements should be deleted.
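The inventory-then-purge steps described above, as an added Python example that is not from the article or from Genworth. It inventories constructed loan records, flags PII older than an assumed seven-year retention period, and strips only the PII elements from stale records (keeping the non-identifying fields for trending) unless an assumed legal-hold flag records a continuing business need.

```python
from datetime import date

# Constructed sample data (not real customer records): closed loans with PII
# elements beside the non-identifying fields kept for historical trending.
RECORDS = [
    {"loan_id": "L-1001", "closed": date(2009, 3, 15), "state": "NC",
     "loan_amount": 210000, "name": "A. Example", "ssn_last4": "1234",
     "email": "a@example.invalid", "legal_hold": False},
    {"loan_id": "L-1002", "closed": date(2011, 8, 2), "state": "TX",
     "loan_amount": 175000, "name": "B. Example", "ssn_last4": "5678",
     "email": "b@example.invalid", "legal_hold": True},
    {"loan_id": "L-1003", "closed": date(2017, 1, 20), "state": "CA",
     "loan_amount": 390000, "name": "C. Example", "ssn_last4": "9012",
     "email": "c@example.invalid", "legal_hold": False},
]

# Elements treated as personally identifiable; everything else is retained.
PII_FIELDS = {"name", "ssn_last4", "email"}
RETENTION_YEARS = 7  # assumed period; take yours from your retention schedule
AS_OF = date(2018, 10, 1)  # constructed run date for the example

def is_past_retention(rec, today):
    """True when the record closed more than RETENTION_YEARS before today."""
    try:
        cutoff = today.replace(year=today.year - RETENTION_YEARS)
    except ValueError:  # 29 February with a non-leap cutoff year
        cutoff = today.replace(year=today.year - RETENTION_YEARS, day=28)
    return rec["closed"] < cutoff

def inventory(records, today):
    """Step one: know what you hold, how old it is, and how much PII is stale."""
    stale = [r for r in records if is_past_retention(r, today)]
    has_pii = lambda r: any(f in r for f in PII_FIELDS)
    return {
        "total": len(records),
        "with_pii": sum(1 for r in records if has_pii(r)),
        "stale_with_pii": sum(1 for r in stale if has_pii(r)),
        "stale_on_hold": sum(1 for r in stale if r["legal_hold"]),
    }

def purge_stale_pii(records, today):
    """Step two: drop only the PII elements from records past retention, unless
    a documented need (modelled here as legal_hold) requires keeping them."""
    cleaned = []
    for rec in records:
        if is_past_retention(rec, today) and not rec["legal_hold"]:
            rec = {k: v for k, v in rec.items() if k not in PII_FIELDS}
        cleaned.append(rec)  # non-PII fields survive for analytics
    return cleaned
```

Run the inventory before and after the purge to show a regulator how much stale PII the cleanup removed and what remains on hold.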