If you are the CEO, CISO or General Counsel of a financial institution (FI) of any size, you have likely been thinking about what you must do to secure your institution’s sensitive financial data. It is also likely that you have been considering how your institution would respond when tested by a data breach or loss. If you have been watching the news or taking the temperature of the industry over the last two years, you are probably aware that financial institutions have become a primary target of foreign and domestic cyber attacks, warfare and crime.[2] This article will address measures that must be taken by FIs in order to mitigate catastrophic security events and avoid wholesale brand collapse in the wake of such events.
In 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance to assist FIs in the development of in-house procedures that would serve to streamline an institution’s response to a cyber security incident or data breach.[3] This guidance was published in the form of Financial Institution Letters (FILs) and addressed to the CEOs of FDIC-supervised financial institutions.[4] Eight years have passed since this guidance was first issued. In light of significant technological advancements and the increased activity and sophistication of bad actors that seek to access sensitive customer financial information, this article encourages your institution to reconsider its ‘response program.’ Additionally, this article prescribes necessary steps that FIs should take to develop and implement these programs.
If your response program is non-existent, or collecting dust on the corner of someone's desk, now is the time to revisit the FFIEC guidance and refresh your institution’s plan of action. The 2005 guidance interprets Section 501(b) of the Gramm-Leach-Bliley Act (GLBA),[5] as well as the Interagency Guidelines Establishing Information Security Standards,[6] and stipulates that "financial institutions should develop and implement a response program to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider."[7]
In response to a data breach or security incident, the FFIEC-recommended procedures call for an assessment of the nature and scope of the incident, followed by immediate notification of the primary federal regulator. Additionally, the FI must file a Suspicious Activity Report (SAR) and notify law enforcement authorities where criminal investigations are ongoing. But swift notice to regulators is not the only concern. FIs must also take steps to control the incident, prevent further unauthorized access to or use of customer information, and notify customers in a clear and conspicuous manner. Specifically, the financial institution must provide a description of the incident, the type of information exposed to such unauthorized access and the measures taken by the institution to protect customers from further exposure. The required customer notice must provide a telephone number where customers can call in for information and assistance.
The guidance suggested by the FFIEC is relatively simple, but the devil of course is in the details. Von Moltke, a renowned military strategist, said that "[n]o plan of operations extends with certainty beyond the first encounter with the enemy." In other words, no plan is entirely effective until it is tested by opposition. The question for CEOs, General Counsel and Chief Risk Officers is a direct one: “How will you implement the plan?” In keeping with warfare analogies: who will be the battlefield commander making decisions as that plan is executed, and who will be responsible for making the necessary adjustments as the full scope of the "enemy's strength” is discovered?
These are questions that are best answered early, often and in practice, so that, once tested, the plan can be executed efficiently to sustain as few "casualties" as possible. Here are the top ten things you can do to prepare for a security crisis.
- Review Your Plan - If you have a plan, review it and, if necessary, update it immediately. The threats are constantly changing and relevant personnel should consider the current risks and risk tolerances within the institution. If you don't have a plan, your institution will need to develop one as soon as possible. The environment is volatile and your institution may face serious consequences for being unprepared.
- Assemble Your Team - Your “battlefield commander” must be identified in advance of a crisis. Immediately following a breach or crisis situation, informed decisions affecting the entire institution will need to be made quickly to protect the institution as well as its customers. Data breach response can give rise to numerous conflicts of interest: what legal wants may not be what marketing wants. Swift decision-making will favor your institution.
- Secure Outside Counsel in Advance of a Breach or Data Loss - In the event of a breach or data loss requiring notification, every step of the process should be subjected to the attorney-client privilege and hermetically sealed therein. Establish a relationship now with outside counsel that specializes in information security so that they can assist in developing your plan and become familiar with your institution. Your chosen counsel should be someone who can effectively marshal the internal team and provide leadership and guidance while the institution is under sustained fire.
- Prepare a Plan for Swift Investigation and Diagnostics - The sooner you understand what has happened, or is happening, the faster it can be remedied. Data breach investigations take place in real time and require a constant flow of information to the key decision makers. Here, the attorney-client privilege is of utmost importance. Until you know the scope and seriousness of a breach or loss, information pertaining to the loss should be made available only on a need-to-know basis. An accompanying record of the investigation must be established to explain how decisions were made based upon the information known at the time. This record will become essential to your institution’s position and it should be protected by the attorney-client privilege.
- Be Prepared to Engage Outside Experts - Depending on the nature and scope of the data breach or data loss, you will need to engage outside experts and will be required to describe the incident, identify the data that was exposed and explain your institution’s response. If the breach is the result of a network intrusion, you will need to understand how the breach occurred and prepare your institution to articulate the incident and your response to the media and your customers. Depending on the complexities of the event, outside experts will need to help you answer these questions.
- Be Prepared to Explain Your Actions - At its core, a data breach or loss will be a crisis event. You will need to work closely with your team and, most importantly, your outside counsel to deal with the negative impact to your brand, your customers' questions and any legal or regulatory fallout that may occur as a result of a breach. Soon after the data breach or loss you will be required to give your customers a telephone number they may call to address their questions and concerns. A well-developed script will be essential as your company engages customers and the media.
- Prepare a Strategy to Address the Problems - Consider your risk landscape and conduct a thorough and complete risk assessment. A comprehensive review of data security, IT governance and information governance is critical. A weakness in any of these areas or a lack of focused planning can create vulnerabilities that bad actors will exploit.
- Be Prepared to Brief Regulators on the Incident - Once a data breach or data loss occurs, you should immediately consider your institution to be "on the record." Your personnel must think in terms of hours, not days, as your institution will be required to notify the primary regulator immediately following the incident. Once a formal report is made, the regulator will follow up with an investigation of the institution’s processes and procedures in mitigating the incident. It is important to remember that, from the moment the breach is reported, the institution is making a record that could be reviewed by a regulator.
- Practice the Plan - Train your employees to execute the plan. Have your team work through practice scenarios and hypothetical crisis events. Practice makes perfect and frequent training exercises are a crucial aspect of any crisis response. Day one of the breach is not the time to introduce team members to one another.
- Act Now - The sooner you can review your plans and engage your team, the better. Budgets matter and planning is important, but delaying a plan or re-prioritizing could be an expensive mistake. A data breach will confuse and frighten customers. The loss of a customer’s trust cannot be accounted for in next year's budget. The stakes are high and the risks are real.