Every Bank Needs This Checklist

Financial institutions face daily challenges when it comes to compliance, protecting customer data, and managing third-party risks. With a heavy focus on internal security, the risk of equipment leaving the premises for recovery, recycling or disposition is often an after thought.

Complying with Regulations

Under regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act (SOX), financial institutions are required to select and retain service providers who are contractually obligated to implement safeguards for consumer data protection. Noncompliance with these regulations can rack up millions of dollars in penalty fees and even land bank officers in prison. It is critical to ensure the security of any outside company that may handle data-containing equipment, even at the end-of-life.

Protecting Customer Data

Along with regulatory compliance, banks must make sure all customer data is protected from a breach. According to the 2017 Ponemon Institute Cost of Data Breach Study, the average cost paid by an organization as a result of a single data breach was $3.62 million. Heavily regulated industries such as financial services have a per capita data breach cost substantially higher than others. The average global cost of data breach per lost or stolen record in 2017 was $141. However, in financial services the average cost was $245. The financial industry also showed the highest level of susceptibility to customer loss after a data breach.

Vetting Third-Parties

When it comes to companies looking to buy, repair, recycle or dispose of used IT equipment, there are MANY options to choose from. For financial institutions, it is critical to choose wisely. Proper security vetting of any electronics recycler or IT Asset Disposition (ITAD) provider must be conducted before turning over equipment, even if it has reached end-of-life. Many brokers and electronics recycling companies make claims that they can’t back up in regards to security, so be sure to ask for proof. Visiting the physical location can also be highly valuable. If there is any hesitation to schedule a tour, or if the facility does not feel secure in person, those are red flags.

Certifications can make the vetting process easier. Any R2 or e-Stewards certified location will have up-to-date documentation from a verified third-party auditing company to ensure the processes are indeed what they say. e-Stewards and R2 certification requirements satisfy regulations such as SOX, GLBA, and several other regulations.

Follow the Checklist

With a thoroughly vetted, trusted IT Asset Disposition company as part of a bank’s security protocol, complying with federal regulations and managing customer data security becomes a bit easier. Follow the checklist when choosing who to work with for end-of-life IT equipment:

☑ Proof of data security safeguards (R2 or e-Stewards audits)
☑ Training procedures for employees to ensure sensitive data is protected
☑ Proof of Chain of Custody documentation for all data-containing devices
☑ Secure and permanent data destruction
☑ Onsite visit of facility verifies security
☑ e-Stewards and/or R2 Certification for security, environmental, health and safety standards

If your bank or financial institution has an upcoming computer refresh scheduled or has IT equipment stockpiled in the back room, SEAM can help. Our growing South Dakota location is based in Sioux Falls and services customers across the upper Midwest, from North Dakota to Nebraska. Contact us for a free quote.