Enhance Security in Financial Services with Agreement Technology
The rapid rise of digitization accelerated by remote transactions is introducing new risks into the financial services industry. This is making security a higher priority than ever before.
The drivers of digitization's rapid growth include consumers’ increased use of mobile devices to transact digitally, the rise of remote and hybrid work, and the increasing popularity of open banking (which involves third-party data sharing via APIs).
According to the 2022 State of Cybersecurity report by Arizent/American Banker, these same factors that are compelling financial institutions to rapidly modernize their systems and processes are also raising their cybersecurity risk profiles. When coupled with the unique challenges of the pandemic and recent geopolitical disruptions such as the crisis in Ukraine, it’s easy to see why the awareness of cyber-vulnerabilities has grown over the past few years.
Consider that three in four banks and insurers experienced a rise in cyber crime since the beginning of the pandemic. Consumers reported losing more than $5.8 billion to fraud in 2021, representing an increase of more than 70 percent over the prior year. And geopolitical turmoil is leading to bolder actions by bad actors, including the notable rise in Russian cyberattacks on U.S. banks.
Regulators taking note
Regulators have expressed concern about the rising tide of cybersecurity threats, compelling them to take more aggressive action in the form of new proposals and guidance related to cyber-incident reporting and information security programs.
For example, in May 2021 the Biden administration issued an executive order that prioritized improving the nation’s cybersecurity, with an emphasis on public-private partnerships. The order called for “bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
Fast-forward to March 2022 when Congress passed, as part of the Consolidated Appropriations Act, a requirement that critical infrastructure operators must alert the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a hack and within 24 hours of paying a ransomware demand.
That same month, the Securities and Exchange Commission (SEC) issued a proposal to amend its rules on cybersecurity risk management and disclosure rules for publicly traded companies.
In addition, agencies like the Federal Financial Institutions Examination Council (FFIEC) and the Federal Trade Commission (FTC) have published commentary on how bank and non-bank financial institutions can improve their information security and risk management practices. Their recommendations include periodic assessments of how institutions manage authentication, verification and access controls of internal and external users, as well as activity tracking to help detect unauthorized activity and potential threats.
In August 2022, FINRA additionally issued a notice reminding broker-dealers and other firms of their obligations to identify and minimize risk of signature forgery and falsification. Firms should adopt both proactive and reactive processes and steps to mitigate forgery risk. Such processes should include centralized methods for reviewing email correspondence and digital audit trails; strong methods for authenticating and verifying signer identity; and updated workflows and user management settings to make unauthorized use of agreements more difficult.
These are just a few recent examples of how U.S. regulatory and legislative bodies have been urging all institutions managing critical infrastructure—particularly financial services institutions—to place greater emphasis on cybersecurity.
They demonstrate the evolving nature of cybersecurity as well as the broad array of standards and regulations (mandatory and optional) that financial institutions should adhere to when establishing a secure and compliant environment.
To reduce security risks, financial institutions must continually improve their security posture and invest in improved authentication, access controls and proactive risk management.
Five ways DocuSign helps secure your agreement process
Fortunately, as financial institutions expand their digital businesses, DocuSign is well-prepared to help them protect sensitive information stored or captured throughout the agreement process. Through our different standards and technology, DocuSign offers five ways to help financial institutions secure their agreement processes:
Adherence to stringent security standards: DocuSign meets or exceeds stringent global security and privacy standards, including ISO 27001:2013 certification and SOC 2 Type 2 audits. Notably, DocuSign is one of a limited number of companies that follow Binding Corporate Rules approved by European Union Data Protection Authorities as both a data processor and data controller. DocuSign eSignature and CLM have also been awarded FedRAMP authorization at the Moderate impact level.
Centrally manage users and accounts: As eSignature usage grows throughout the organization, especially across different lines of business, companies need better ways to centralize control and efficiently manage their DocuSign usage and deployment. DocuSign Admin Tools offers powerful features like Claim Your Domain, which prevents employees from having private accounts using company email; Bulk Actions, which allow administrators to efficiently manage a large number of users at the same time; and Single Sign On (SSO), which enables administrators to control DocuSign user access with one or more identity providers like Okta, OneLogin or Azure AD.
Protect access with identity solutions: Digital identity is essential to financial services—by both helping to support rigorous Know Your Customer/Anti-Money Laundering (KYC/AML) requirements, as well as mitigating risk. DocuSign offers customers a portfolio of enhanced identity solutions for authenticating and verifying signer identity beyond email.
The Identify portfolio includes ID Verification, DocuSign’s digital identity-proofing solution that can be embedded as part of a mobile-first eSignature experience. It offers signers multiple ways to prove their identity from virtually any device and in several convenient ways, such as submitting a photo of their driver’s license, using their online banking login credentials or answering knowledge-based questions. In addition, the portfolio also offers SMS/phone authentication and solutions to meet digital signature requirements across the world. To learn more about how ID Verification can help support institutions in meeting KYC/AML requirements as part of onboarding, read more here.
Detect and respond to unauthorized activity: Another element that comprises a well-rounded security program is the proactive monitoring and detection of unauthorized activity. With DocuSign Monitor, organizations can track eSignature account activity to guard against security threats and provide oversight of their entire DocuSign environment. Monitor provides near real-time visibility into eSignature account activity across the company—including web, mobile, and API activity—and uses advanced analytics to detect potential threats, whether from malicious outsiders or rogue and negligent insiders.
Monitor also notifies customers of potential threats with rules-based alerts, and helps customers investigate those potential threats by providing ready access to in-depth data points that help security teams investigate the activity that triggered the alert. For example, firms can analyze agreement activity through the lens of various fields, such as IP address, location and time to identify suspicious activity. Lastly, Monitor helps administrators quickly respond to verified threats—mitigating the risk and potential damage resulting from unauthorized activity.
Build in custom checks via API: Institutions leveraging the DocuSign eSignature and Monitor APIs can tap into award-winning capabilities to control all elements of an agreement. This includes the ability to build in logical checks to ensure agreements are being appropriately sent and signed. For example, administrators can check if (a) the recipient’s email address and/or phone number matches the client’s record, and that (b) the sender and signer email and IP addresses are distinct, and more.
As financial services organizations grow their use of eSignature and increasingly standardize on DocuSign for their entire agreement process, robust security protocols become more and more important. That’s why DocuSign has invested significant resources and capital into developing an industry-leading, multi-layered platform to help you protect your—and your customers’—information.
“When we talk about innovation, member experience and best-in-class security,” says Thomas Novak, VP and chief digital officer at Visions Federal Credit Union, “DocuSign is quite literally in lockstep with where we want to take things.”
To take a deeper dive into how DocuSign is leading the way in security and helping to protect your critical data throughout the agreement lifecycle, check out the on-demand recording of our recent webinar about Enhancing Security in Financial Services.