"President Trump just signed the $2 Trillion Coronavirus Rescue Package (CARES ACT) into law."
It is expected that droves of small businesses will be looking to apply for Small Business Administration (SBA) Loans under the Paycheck Protection Program (PPP) and other types of loans to keep their businesses afloat in these uncertain times.
Many banks and lending institutions are using the nCino application, which runs on the Salesforce Platform, to perform loan origination, processing, and underwriting functions. Many of these same institutions are also tracking other commercial and retail sales opportunities or servicing issues using Salesforce Sales or Service Clouds. With its verticalized approach to Financial Services, Salesforce is clearly a dominant player.
People / Process Exposure
We hypothesize that these same institutions are likely to hire more loan officers and/or processors to keep up with this increased demand. This will inevitably result in some people with inadequate experience or training participating in the lending, sales, or servicing processes. Others with more nefarious intent are likely to try to slip through the candidate vetting process to capitalize on the opportunity this explosive increase in demand creates. In either case, it's essential to ensure that the sensitive information stored in the Salesforce instances used by these institutions is as secure as it can be.
What Can You Do?
Here are some general guidelines to help get you started securing your Salesforce org:
- Identify and understand the type of data that will be needed for loan processing and stored in your Salesforce platform. Determine if new fields may be required to accommodate the government's lending rules under the Paycheck Protection Program (PPP) for an SBA loan that helps businesses keep their workforce employed during the Coronavirus (COVID-19) crisis.
- Review the data classification of your fields in the Salesforce platform. If new fields have been introduced recently, take the time to classify them according to your institution's data classification framework. Pay close attention to fields that contain highly sensitive information, e.g., Tax ID/EIN, Social Security Numbers, etc. Classify highly sensitive information as high risk so that it receives more extensive controls.
- Determine whether sensitive data should be encrypted at rest, and understand the business impact of encrypting those fields BEFORE enabling the encryption. When the processing demand hits, loan processors will need everything working smoothly so they can process as many loans as possible, quickly and accurately.
- Determine who should have access to sensitive data, and which functions they should be able to perform on those fields and objects (e.g., view only, edit, or delete). Loan processors should be able to perform their job functions without sensitive data being exposed unnecessarily where it is not required for their workflows. Apply the principle of least privilege.
- Make sure that changes to sensitive fields are being tracked, so that changes to these fields can easily be reported and audited.
- Understand the security controls that are in place and be able to provide comprehensive compliance and oversight reporting. While we are in a state of "hurry up!", it is also important to be able to demonstrate which controls were in place, and when, for the inevitable audits in the future.
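As an added example (not code from the original post or from nCino/Salesforce), the following script turns the classification and least-privilege items above into a repeatable check. It assumes you have already queried the org's FieldDefinition records (Data Classification metadata, SecurityClassification) and FieldPermissions records via the REST or Tooling API; the records below are constructed sample data, not from a real org.

```python
"""Audit field-level security on high-risk fields against Salesforce Data Classification.

Assumed inputs (fetched from the org via the REST/Tooling API, not shown here):
  FieldDefinition  -> QualifiedApiName, SecurityClassification
  FieldPermissions -> Field, PermissionsRead, PermissionsEdit, Parent (owning PermissionSet)
"""

# Classification values treated as high risk (assumption based on the
# SecurityClassification picklist: Public, Internal, Confidential, Restricted, MissionCritical).
HIGH_RISK = {"Confidential", "Restricted", "MissionCritical"}

# Constructed sample FieldDefinition records for the Account object.
FIELD_DEFS = [
    {"QualifiedApiName": "Tax_ID__c", "SecurityClassification": "Restricted"},
    {"QualifiedApiName": "SSN__c", "SecurityClassification": "Restricted"},
    {"QualifiedApiName": "Loan_Amount__c", "SecurityClassification": "Internal"},
    {"QualifiedApiName": "New_PPP_Field__c", "SecurityClassification": None},  # never classified
]

# Constructed sample FieldPermissions records. Profile-owned permission sets carry the
# profile name under Parent.Profile; standalone permission sets carry a Label.
FIELD_PERMS = [
    {"Field": "Account.Tax_ID__c", "PermissionsRead": True, "PermissionsEdit": True,
     "Parent": {"IsOwnedByProfile": True, "Profile": {"Name": "Loan Processor"}, "Label": None}},
    {"Field": "Account.Tax_ID__c", "PermissionsRead": True, "PermissionsEdit": False,
     "Parent": {"IsOwnedByProfile": True, "Profile": {"Name": "Loan Officer"}, "Label": None}},
    {"Field": "Account.SSN__c", "PermissionsRead": True, "PermissionsEdit": True,
     "Parent": {"IsOwnedByProfile": False, "Profile": None, "Label": "Underwriting Tools"}},
    {"Field": "Account.Loan_Amount__c", "PermissionsRead": True, "PermissionsEdit": True,
     "Parent": {"IsOwnedByProfile": True, "Profile": {"Name": "Loan Processor"}, "Label": None}},
]


def grantee(rec):
    """Readable owner of a FieldPermissions row: the profile name or the permission set label."""
    parent = rec["Parent"]
    if parent.get("IsOwnedByProfile"):
        return "Profile: " + parent["Profile"]["Name"]
    return "PermSet: " + parent["Label"]


def audit_fls(field_defs, field_perms):
    """Return unclassified fields plus every read and edit grant on high-risk fields."""
    classification = {d["QualifiedApiName"]: d["SecurityClassification"] for d in field_defs}
    findings = {"unclassified": sorted(f for f, c in classification.items() if not c),
                "read": [], "edit": []}
    for rec in field_perms:
        api_name = rec["Field"].split(".", 1)[1]  # 'Account.Tax_ID__c' -> 'Tax_ID__c'
        if classification.get(api_name) not in HIGH_RISK:
            continue  # only high-risk fields need the extra scrutiny
        bucket = "edit" if rec["PermissionsEdit"] else "read" if rec["PermissionsRead"] else None
        if bucket:
            findings[bucket].append((api_name, grantee(rec)))
    return findings


if __name__ == "__main__":
    for kind, rows in audit_fls(FIELD_DEFS, FIELD_PERMS).items():
        print(kind, rows)
```

Unclassified fields are the ones most likely to have been added in a hurry; each edit grant on a high-risk field is a candidate for review against the user's actual workflow.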
For further information on securely enabling a remote workforce on your Salesforce Platform, check out the Town Hall or read the Blog. To inquire about products and services that can help you secure your Salesforce org more easily and quickly, contact us.