As a result of the recent proliferation of data breaches, cybersecurity is increasingly a top compliance concern for nearly every business. Financial institutions are especially vulnerable, given the amount of sensitive and personal customer data that they maintain. It is, therefore, vitally important that financial institutions take steps to ensure that they have implemented appropriate procedures to help minimize the likelihood that a breach will occur and, if one does occur, to have an appropriate response plan in place. Financial institutions should consider the following in evaluating their risk and determining their cybersecurity preparedness.
*Consideration #1: understand the regulatory landscape.* As data breaches continue to increase in frequency and magnitude, more focus has been placed on developing regulations and legislation to combat the increasing risks. A thorough understanding of the evolving regulatory and legislative landscape related to data security is of key importance for any company’s cybersecurity preparedness. Although cybersecurity legislation is still developing and varies by jurisdiction, a common thread in that legislation relates to notification and information-sharing obligations following a breach. For instance, at least 47 states have laws requiring companies to provide notice to government authorities and/or affected consumers following a breach.
In addition, on December 18, 2015, President Barack Obama signed into law the Cybersecurity Information Sharing Act of 2015, which provides a framework for sharing information between the private sector and government related to cybersecurity threats and breaches. Financial institutions must have a working understanding of these and other relevant data breach laws and regulations to ensure proper preparedness.
*Consideration #2: assess the institution’s risks and develop appropriate policies and procedures.* In order to create an effective cybersecurity program, a financial institution must first assess the risks specific to its particular operations. In making that assessment, it is important to keep in mind that cybersecurity readiness is not a one-size-fits-all proposition. That is, regulators recognize that financial institutions of varying sizes have different risk parameters and should, therefore, have different approaches to cybersecurity preparedness. To that end, the Federal Financial Institutions Examination Council (“FFIEC”) developed a Cybersecurity Assessment Tool, designed “to help institutions identify their risks and determine their cybersecurity maturity.”
The Cybersecurity Assessment Tool provides “a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time,” by evaluating the following domains: (1) cyber risk management and oversight; (2) threat intelligence and collaboration; (3) cybersecurity controls; (4) external dependency management; and (5) cyber incident management and resilience. Financial institutions of all sizes should use the Cybersecurity Assessment Tool to evaluate their risks. In fact, as part of their examinations, many regulators now expect to see proof that financial institutions have used the tool to perform a risk assessment.
Once a financial institution has thoroughly evaluated its cybersecurity risks with the help of FFIEC’s Cybersecurity Assessment Tool, it must develop a plan to manage and minimize those risks. In March 2013, the FFIEC issued a statement “to alert financial institutions to specific risk mitigation related to the threats associated with destructive malware.” That guidance provides the framework for financial institutions to develop their cybersecurity programs. Among other things, the FFIEC guidance encourages financial institutions to take the following steps:
- Securely configure systems and services
- Review, update, and test incident response and business continuity plans
- Conduct ongoing information security risk assessments
- Perform security monitoring, prevention, and risk mitigation
- Protect against unauthorized access
- Implement and test controls around critical systems regularly
- Enhance information security awareness and training programs
- Participate in industry information-sharing forums
Although the FFIEC guidance provides a comprehensive framework for developing a cybersecurity program, the technology and methods used by hackers and other bad actors to obtain sensitive data change rapidly, so financial institutions must regularly review and update their cybersecurity plans to ensure that those plans account for the latest threats. Further, it is not enough to simply have written cybersecurity policies and procedures. Rather, those policies and procedures must be put into practice through regular employee training.
*Consideration #3: vet vendors.* Vendors create a significant risk to financial institutions’ efforts to prevent cyberattacks. That is, vendors often have access to or are in possession of the very data financial institutions seek to protect. Indeed, law firms, product and service add-on partners, payment processors, and others are often entrusted to access or maintain financial institutions’ customer data in the ordinary course of business. However, it is important to remember that just as a chain is only as strong as its weakest link, so too is a cybersecurity plan.
Therefore, financial institutions must ensure that their cybersecurity plans include an evaluation of each vendor’s respective cybersecurity vulnerabilities and preparedness. Those evaluations should include ensuring that vendors have implemented procedures to protect sensitive data, and that those procedures are as thorough in nature as those implemented by the financial institution itself. Simply put, a financial institution’s vendors must be expected to protect sensitive data with the same level of care that the financial institution itself takes to protect the data. Anything less seriously jeopardizes the strength and meaningfulness of the financial institution’s cybersecurity efforts.
Further, financial institutions should evaluate their contracts with vendors to ensure that those contracts require vendors to protect data that they gather, store, disseminate, maintain, or otherwise obtain from the financial institutions. Moreover, financial institutions should consider including provisions that govern liability related to a breach. Because damages related to a breach can flow from various sources, such as reimbursement to affected customers, legal fees, interrupted business expenses, and reputational damage, liability-shifting provisions should be drafted carefully to account for all possible categories of damages.
*Consideration #4: devise and implement a breach response plan.* A written data breach response plan is important for a number of reasons. Perhaps the most important is to ensure that, in the event of a breach, financial institution personnel understand how to respond in a way that minimizes damage to the financial institution and its customers. In addition, having a written response plan is good evidence during litigation that a financial institution was prudent and acted reasonably.
Although response plans should be tailored to each financial institution, with consideration given to relevant local and federal laws, generally they should include procedures for the following:
- Documentation of events leading up to and following a breach
- Immediate communication with company personnel regarding a breach and instructions on how to react
- Coordination among members of a designated response team that includes key management and technology personnel, in-house and outside counsel, and the applicable law enforcement agencies
- Steps to identify the cause of a breach and processes to eliminate the source of a breach
- Public relations strategy for notifying the public and affected customers of a breach
Once a financial institution’s response plan is in place, it is important to simulate a data breach and practice implementing its response plan. A dry run will help key personnel familiarize themselves with the process and ultimately increase the likelihood that the plan will be implemented properly in the event of an actual breach. Further, practicing the response plan will help reveal any deficiencies that may need to be addressed.
*Consideration #5: consider cybersecurity insurance.* Finally, financial institutions should consider acquiring cybersecurity-related insurance. While such insurance obviously increases costs, in the event of a data breach, such insurance can be economically beneficial by helping to offset potentially millions of dollars in costs and damages.
Bottom line. Given the increasing risk of data breaches, it is imperative that financial institutions take steps to minimize their vulnerability to such breaches and have proper response plans in place, before a breach occurs. Implementing the tips provided in this article will help to ensure that financial institutions are well on their way to achieving cybersecurity preparedness.
This post was originally authored by me and first appeared in Clarks’ Bank Deposits and Payments Monthly, January 2016.