Data Security Archives | Auto Remarketing

EFG obtains 2 certifications involving digital compliance & data security


On Tuesday, EFG Companies announced a pair of achievements aimed at bolstering its commitment to deliver data security for its clients, partners and contract holders.

The company gained two certifications, including:

• Certification by the Payment Card Industry Security Standards Council (PCI SSC) as PCI Data Security Standard (DSS) compliant; and

• Recertification with the Service Organization Control 2 (SOC 2) under the Statement on Standards for Attestation Engagements 18 (SSAE 18) guidelines from the American Institute of Certified Public Accountants (AICPA).

In 2016, EFG said it was the first F&I provider to achieve SSAE 16 certification.

As retail automotive companies increase their use of digital sales and technology to house personal and confidential information, EFG acknowledged that data breach incidents have a direct impact on revenue. 

According to the nonprofit Identity Theft Resource Center, more than half of all small businesses in the U.S. experienced at least one security or data breach in 2021, a 17% increase from 2020, at an average expense of $250,000 to $500,000 per incident.

“Outside of its own proprietary applications, EFG integrates with close to 25 external platform and menu providers across its seven channels of business,” said Maurice Hamilton, vice president of technology at EFG Companies.

“With the amount of confidential consumer information collected in the retail automotive, home warranty and lending industries, data security is mission critical to successfully conducting business, and we aggressively pursue heightened controls and protocols each year,” Hamilton continued in a news release.

Hamilton pointed out that SSAE 18 certification is the most widely recognized information security standard, demonstrating to clients and contract holders that EFG has the necessary processes in place to ensure that personal and confidential information is secure.

EFG noted that SOC 2 reports evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality and privacy.

Meanwhile, EFG highlighted that PCI Data Security Standards (PCI DSS) protect payment account data for merchants, service providers and financial institutions throughout the payment lifecycle, removing the incentive for criminals to steal it. Specifically, PCI DSS contains a set of requirements based on collaboration between major card brands including American Express, Discover, Mastercard and Visa, to prevent payment data breaches and payment card fraud.

EFG said that companies achieving certification can deliver a higher standard of security for personal confidential information and compliance with federal, state and local regulatory requirements.

“The pandemic has greatly accelerated the use of digital tools, and our clients rely on EFG’s technology for everything from rating and selling products, fulfilling contracts and processing claims to managing reinsurance positions and reporting,” said John Pappanastos, president and chief executive officer of EFG Companies.

“We take our role as a business partner seriously and have taken the necessary steps to deliver the utmost data security – not only for our own data but that of our clients, partners and contract holders,” Pappanastos went on to say.

COMMENTARY: Considering data security in the times of COVID-19


The global outbreak of COVID-19 and the subsequent shutdowns across our nation have made an unprecedented impact on lenders and the way they conduct business. From the pandemic’s onset, lenders have faced multiple external and internal challenges, and they continue to struggle months into the outbreak.

For auto lenders, this means that previously developed processes and long-established ways of conducting business may no longer work. To adhere to stay-at-home orders and social distancing requirements, auto lenders have had to quickly pivot to create new, touchless processes to work with borrowers remotely and account for possible delays at Department of Motor Vehicles (DMV) locations. The implication of such a pivot is the need for the rapid adoption of automation. This includes process digitization, rethinking customer experiences, and scaling internal teams to accommodate the growing amount of work from new lending opportunities, like the Small Business Administration’s Paycheck Protection Program, or the increase in auto repossessions. Many lenders are looking to their vendors to help manage the auto titling work and adjust to the imperatives of digital business processes.

With any change, challenges are sure to follow. As the number of defaults grows, so does the need for automation to ensure auto lenders minimize errors and properly manage regulatory compliance — something that is now more critical than ever. Lenders, and by proxy their vendors, must also keep data security top of mind while having teams working remotely. The pandemic has already prompted an increase in cybercrime and fraud, and that trend may only get worse as unemployment rates remain high. As auto lenders continue to adapt to a new normal in a COVID-19 world, where should they focus their efforts?

The new normal for auto lending

Auto lending was the second fastest-growing asset class pre-COVID-19, with $1.3 trillion in total balances. This strong growth stemmed from over a decade of low unemployment and a stable prime market. Increased consumer confidence also led to higher than average loan amounts and strong sales in the luxury sector. Post-COVID-19, we are likely to see a drop in auto loan originations, many payment deferrals put in place, and refinancing to help offset auto loan debts for consumers.

It’s important to remember that DMVs are also adjusting to the new ways of business by prioritizing transactions based on their criticality. For example, an expired driver’s license would likely take priority over a vehicle lien. Rules are being tightened and enforced more vigorously than before, leading to a surge in rejected titles. Some DMVs have updated the required forms, fees, and jurisdictional requirements.

Lenders are also operating in a new way, many with reduced staff or some staff continuing to work remotely. With both DMV and lender resources constrained or seriously stressed, auto lenders are at a greater risk of non-compliant titling. When lenders look to their vendors to handle titling work, capabilities in automation, data security, and process digitization can make all the difference.

The road to recovery starts with data security

For many lending institutions, the pandemic has fast-tracked their digital transformation. The ability to complete titling work effectively and efficiently, no matter the location, ensures customers have easy access to lending and banking services without having to visit a branch location. This shift has made it critical for lenders to move toward automation to remain competitive and profitable. Additionally, as more Americans lose their jobs, borrowers will have less liquidity, and lenders will likely see higher auto defaults and repossessions. This, too, will accelerate the drive to eliminate in-house, manual, and paper-based processes to better manage a higher volume of repossessions.

However, the transition to remote work has presented cybercriminals with new opportunities to steal personally identifiable information (PII) and other sensitive data. According to a recent report from Microsoft, COVID-19-themed cyberattacks spiked to nearly a million a day during the first week of March. Fortunately, those numbers have since declined, but it is a good reminder of how important it is to stay diligent in protecting client data.

Sending and receiving data is an essential part of vehicle and equipment titling. Each time a lender sends sensitive information outside of its network, the organization is exposed to risk. Partnering with a provider that ensures data security is imperative. Lenders should also strongly consider using Application Programming Interfaces (APIs) with end-to-end encryption to reinforce security. End-to-end encryption is the most secure way to communicate and share confidential information online. By encrypting data at both ends, it prevents anyone “in the middle” from intercepting private communications or PII that could lead to identity theft.

Consider your vendors’ adherence to your data security standards

All lenders recognize the importance of data security. Still, effective control must extend beyond the boundaries of your organization to include the various third parties that have access to your systems and data. Since an API is a gateway to your data, your vendors must use the most up-to-date Transport Layer Security (TLS), which provides end-to-end data security during communication over a network. Older versions are more easily compromised.
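As an added illustration of the point above (example code written for this page, not from Wolters Kluwer or Auto Remarketing), the following uses Python's standard ssl module to show a client configuration that would still negotiate legacy protocol versions beside a hardened one, and an audit function a lender could run over its own vendor-integration settings. The policy it enforces (TLS 1.2 or newer, certificate and hostname verification) is an assumption, not something the article specifies.

```python
import ssl

# Assumed policy for vendor API connections: TLS 1.2 or newer, the vendor's
# certificate must verify, and the hostname must match the certificate.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def weak_client_context() -> ssl.SSLContext:
    """Client settings that leave the connection open to downgrade and
    impersonation. Built here only so the audit below can flag it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate, even self-signed
    # Let the library negotiate down to whatever it still supports
    # (TLS 1.0 / 1.1 on older builds) instead of pinning a floor.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that meet the assumed policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS         # refuse TLS 1.0 and 1.1 outright
    ctx.check_hostname = True             # certificate must name the vendor host
    ctx.verify_mode = ssl.CERT_REQUIRED   # and must chain to a trusted CA
    ctx.load_default_certs()              # system trust store; no network access
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy violations found in a client context (empty = compliant).
    Run this against every SSLContext your integration code builds."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(
            f"minimum TLS version {ctx.minimum_version.name} is below {MIN_TLS.name}"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the server certificate")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'compliant' if not problems else '; '.join(problems)}")
```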

One way to ensure that your vendor’s encryption is secure and compliant is by partnering with a Service Organization Control (SOC) compliant organization. A SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the security of a system at the service organization. A SOC 2 designation confirms that the service organization is compliant in the following areas: security, availability, processing integrity, confidentiality, and privacy (also known as trust services criteria).

Remember, data security is only as strong as its weakest link. By ensuring that vendors are secure and compliant, lenders can more effectively control their risk.

Conclusion

In the best of times, titling is complex and challenging because of the varying requirements across all jurisdictions. Add a global pandemic and state shutdowns into the mix, and the challenges increase exponentially. The pandemic has also caused a massive spike in cyberattacks, and auto lenders are not immune to the risks. As more and more lenders move their business online, security has become an even greater priority for lenders, making it critical to choose the right partner for data security and transaction transparency. Vendors who become an extension of lenders’ teams must be subjected to the same level of scrutiny to ensure proper data security.

During this time of uncertainty, automation and working with the right partner can help alleviate the challenges associated with growing data security concerns, team scalability, and remote work. In addition, a sound data security approach can enable lenders to continue processing titles, even in those jurisdictions where DMVs are experiencing huge backlogs or only provide limited services.  

Travis Ellis is the product owner for motor vehicle at Wolters Kluwer Lien Solutions and can be reached at [email protected]. Marina Hardy is the product marketing associate director for motor vehicle at Wolters Kluwer Lien Solutions and can be reached at [email protected].

DOJ indicts 4 members of Chinese military over Equifax data breach


The U.S. Justice Department on Monday morning made a major announcement in connection with the Equifax data breach, calling it “a day of reckoning.”

With Equifax leadership “grateful to the Justice Department and the FBI for their tireless efforts,” officials said a federal grand jury in Atlanta returned an indictment last week charging four members of the Chinese People’s Liberation Army (PLA) with hacking into the computer systems of the credit reporting agency and stealing Americans’ personal data and Equifax’s valuable trade secrets.

The nine-count indictment alleges that Wu Zhiyong, Wang Qian, Xu Ke and Liu Lei were members of the PLA’s 54th Research Institute, a component of the Chinese military. The Justice Department said they allegedly conspired with each other to hack into Equifax’s computer networks, maintain unauthorized access to those computers, and steal sensitive, personally identifiable information of approximately 145 million American victims.

“This was a deliberate and sweeping intrusion into the private information of the American people,” said Attorney General William Barr, who made the announcement. “Today, we hold PLA hackers accountable for their criminal actions, and we remind the Chinese government that we have the capability to remove the Internet’s cloak of anonymity and find the hackers that nation repeatedly deploys against us.

“Unfortunately, the Equifax hack fits a disturbing and unacceptable pattern of state-sponsored computer intrusions and thefts by China and its citizens that have targeted personally identifiable information, trade secrets, and other confidential information,” Barr continued.

According to the indictment, the defendants exploited a vulnerability in the Apache Struts Web Framework software used by Equifax’s online dispute portal.  Officials explained the defendants used this access to conduct reconnaissance of Equifax’s online dispute portal and to obtain login credentials that could be used to further navigate Equifax’s network.  The defendants spent several weeks running queries to identify Equifax’s database structure and searching for sensitive, personally identifiable information within Equifax’s system. 

Once they accessed files of interest, the indictment indicated the conspirators then stored the stolen information in temporary output files, compressed and divided the files, and ultimately were able to download and exfiltrate the data from Equifax’s network to computers outside the United States.

In total, the Justice Department said the attackers ran approximately 9,000 queries on Equifax’s system, obtaining names, birth dates and social security numbers for nearly half of all American citizens.

The indictment also charges the defendants with stealing trade secret information, namely Equifax’s data compilations and database designs.

“In short, this was an organized and remarkably brazen criminal heist of sensitive information of nearly half of all Americans, as well as the hard work and intellectual property of an American company, by a unit of the Chinese military,” Barr said.

The Justice Department said the defendants took steps to evade detection throughout the intrusion, as alleged in the indictment.  They routed traffic through approximately 34 servers located in nearly 20 countries to obfuscate their true location, used encrypted communication channels within Equifax’s network to blend in with normal network activity, and deleted compressed files and wiped log files on a daily basis in an effort to eliminate records of their activity.

“Today’s announcement of these indictments further highlights our commitment to imposing consequences on cybercriminals no matter who they are, where they are, or what country’s uniform they wear,” FBI Deputy Director David Bowdich said in a news release. “The size and scope of this investigation — affecting nearly half of the U.S. population — demonstrates the importance of the FBI’s mission and our enduring partnerships with the Justice Department and the U.S. Attorney’s Office.

“This is not the end of our investigation; to all who seek to disrupt the safety, security and confidence of the global citizenry in this digitally connected world, this is a day of reckoning.”

The defendants are charged with three counts of conspiracy to commit computer fraud, conspiracy to commit economic espionage, and conspiracy to commit wire fraud.  The defendants are also charged with two counts of unauthorized access and intentional damage to a protected computer, one count of economic espionage, and three counts of wire fraud.

The investigation was conducted jointly by the U.S. Attorney’s Office for the Northern District of Georgia, the Criminal and National Security Divisions of the Department of Justice, and the FBI’s Atlanta Field Office.  The FBI’s Cyber Division also provided support. 

Justice Department officials added Equifax cooperated fully and provided valuable assistance in the investigation that triggered a consumer settlement approaching $700 million.

“The details contained in the charging document are allegations,” officials said. “The defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.”

Reaction from Equifax

In a separate statement, Equifax chief executive officer Mark Begor shared the company’s gratitude for the actions by federal agencies.

“We are grateful to the Justice Department and the FBI for their tireless efforts in determining that the military arm of China was responsible for the cyberattack on Equifax in 2017,” Begor said. “It is reassuring that our federal law enforcement agencies treat cybercrime — especially state-sponsored crime — with the seriousness it deserves, and that the Justice Department is committed to pursuing those who target U.S. consumers, businesses and our government.

“The attack on Equifax was an attack on U.S. consumers as well as the United States,” he continued.

“Cybercrime is one of the greatest threats facing our nation today, and it is an ongoing battle that every company will continue to face as attackers grow more sophisticated,” Begor went on to say. “Combating this challenge from well-financed nation-state actors that operate outside the rule of law is increasingly difficult.

“Fighting this cyberwar will require the type of open cooperation and partnership between government, law enforcement and private business that we have experienced firsthand,” he added.

Begor noted that Equifax has made significant progress and investments to protect data during the past two years. The company is spending an incremental $1.25 billion between 2018 and 2020 on enhanced security and technology as part of its EFX 2020 cloud technology transformation.

“We have made tremendous progress toward embedding security into everything we do,” Begor said. “Our industry-leading cloud technology transformation will make us more secure and enable us to innovate and develop solutions with our differentiated data assets to better serve our customers and consumers.

“Today’s announcement is another positive step forward in helping us turn the page on the cybersecurity attack as we continue our focus on being a leader in data security,” he continued.

Begor closed with a few other points about the collaborative effort needed to stop another incident from happening.

“These cyberattacks on U.S. companies continue to escalate and are increasingly challenging to defend when well-financed state actors are involved,” he said. “We recognize that cybersecurity issues impact our entire industry, and we will continue to work openly with our peers, customers and partners, to tackle emerging security challenges, document best practices, provide vital data security thought leadership, and work together to deliver solutions that benefit both the security community and consumers.

“Working together is the only path to defend against these attacks,” he continued. “We greatly appreciate the work of every FBI investigator and Justice Department prosecutor who participated in this investigation.”

EFG Companies & Inovatec each pass rigorous data security tests


EFG Companies and Inovatec are taking extra precautions to make sure the data their clients entrust to them remains safe and secure.

Inovatec, a cloud-based software solutions provider, recently announced that it has completed its SOC 1 Type II and SOC 2 Type II audits. The company insisted these moves demonstrate Inovatec’s commitment to high-quality service for its clients by ensuring necessary internal controls and processes are in place.

Meanwhile, EFG Companies recently achieved a new level in data security for both clients and contract holders with the Service Organization Control 2 (SOC 2) Certification under the Statement on Standards for Attestation Engagements 18 (SSAE 18) guidelines from the American Institute of Certified Public Accountants (AICPA).

EFG Companies recapped that several years ago it took proactive steps to secure its own data, achieving SSAE 16 certification in 2016. Since then, EFG has continued its efforts to further augment the company’s security measures, investing close to a quarter of a million dollars annually on security enhancements, and achieving SSAE 18 certification in December.

According to recent risk-based security research, 3,800 publicly disclosed data breaches occurred in the first six months of 2019, exposing up to 4.1 billion records. This represented a 50% increase over the last four years.

As companies increase their reliance on technology to house personal, confidential information, that same research indicated data breach attempts are expected to increase, as well.

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of Inovatec’s controls that may affect its clients’ financial statements. SOC 1 Type II is a report on the controls at a service organization that was established by AICPA. This report follows the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements.

The standard demonstrates that an organization has adequate controls and processes in place. The SOC 1 Type II audit report includes Inovatec’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. The SOC 2 service auditor report focuses on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Inovatec’s controls to meet the standards for these criteria.

“The successful completion of our SOC 1/2 Type 2 examination audits provides our clients with the assurance that the controls and safeguards we employ to protect and secure their data are in line with industry standards and best practices,” Inovatec information security officer Christian Reina said in a news release.

KirkpatrickPrice president Joseph Kirkpatrick added, “Many of Inovatec’s clients rely on them to protect consumer information. As a result, Inovatec has implemented best-practice controls demanded by their customers to address information security and compliance risks.

“Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Inovatec,” Kirkpatrick went on to say.

Like Inovatec, leadership at EFG Companies emphasized that SSAE 18 certification is the most widely recognized standard providing companies with a method for reporting information about the design and operation of internal systems and controls relating to privacy and security regulations. SOC 2 reports evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality and privacy.

“Over the last few years, we’ve enhanced our digital capabilities to integrate seamlessly with our clients’ systems, while also ensuring the security of their proprietary information and private consumer data,” EFG Companies vice president of technology Maurice Hamilton said in a separate news release.

“We methodically complete every technology enhancement, with both usability and security in mind.”

EFG Companies stressed the SSAE 18 certification demonstrates to clients and contract holders that the firm has the necessary processes in place to ensure that personal and confidential information is more secure than almost any other product provider.

With the amount of confidential consumer information collected in the retail automotive industry, data security is mission critical to successfully conducting business going forward, according to John Pappanastos, president and chief executive officer of EFG Companies.

“In this digital era, our dealer and lender clients rely on EFG’s technology for everything from rating products and processing claims to reviewing reinsurance positions and billing,” Pappanastos said.

“Additionally, as the automotive industry moves into online retailing, dealers, lenders and manufacturers have recognized the need to not only protect their own data, but also partner with administrators that have the same laser focus on data security and compliance,” he went on to say.
