Recent legal headlines have been filled with news about data breaches and lapses of information security across all sectors of the economy. Hospitals, colleges, and even major international retailers such as Target and Home Depot have all experienced breaches, some affecting tens of millions of customers and costing hundreds of millions of dollars.
Banks are no exception to this trend. As just one example, hackers recently gained access to banking giant JPMorgan Chase & Co.'s corporate network, potentially compromising sensitive customer and financial information. The attack was sophisticated enough that security experts have suggested it may have been sponsored by a foreign state. Often reported alongside the details of this attack is JPMorgan's annual cybersecurity budget, approximately $250 million.
Smaller financial institutions may look at this situation and lose hope. If a quarter of a billion dollars isn’t enough to stop an attack, what hope does the little guy have?
This concern is understandable, but it mistakes the goal. Perfect protection and total security are unattainable; no budget buys them. The real goal is far simpler: be prepared. To this end, we often advise our clients to follow five basic steps: (1) Understand the risks; (2) Address your legal obligations; (3) Reduce incident risk; (4) Plan ahead; and (5) Stay vigilant.
By following these five steps, a financial institution can do the analyses and adopt the procedures necessary to help protect itself from the legal liability and reputational harm wrought by data breaches and other cybersecurity incidents.
Understand the Risks
The first thing an institution must do to protect itself is evaluate the risks specific to that institution. That means mapping how information moves through your organization and the IT infrastructure that carries it: the kinds of data you keep, where it is obtained, whom you send it to, who has access to it, and which vendors handle it. Understanding how your company collects, uses, and discloses information is the foundation for everything that follows; you cannot protect, or account for, data you do not know you have.
Address Your Legal Obligations
Next, a financial institution must identify and ensure compliance with all applicable laws, regulations, and rules that govern the information it keeps. Some familiar faces, such as the Gramm-Leach-Bliley Act and the Bank Secrecy Act, are already on the radar of most financial institutions. But don't forget other sources. Your contracts with vendors create obligations. West Virginia state law requires a business to report the unauthorized access and acquisition of personal information in certain circumstances. Under Article 4A of the Uniform Commercial Code, a bank can bear the loss from an unauthorized funds transfer if it did not use "commercially reasonable" security procedures. Institutions with international ties may face additional obligations under foreign privacy laws, which tend to be stricter than those in the United States. And don't forget about self-regulatory programs that you might be required to abide by because of industry standards or your participation in a trade group. There are numerous sources of law that establish minimum standards for your information practices, and you must be familiar with all of them.
Reduce Incident Risk
Once you understand your system architecture and the relevant law, it's time to take concrete measures to reduce the risk of a cybersecurity incident. Often this starts with an audit of the procedures currently in place. From there, an institution can update its existing information security, privacy, data breach, and document retention policies. Your company can also increase the security of its day-to-day practices, which can include restricting data collection to only what is needed, limiting access to information to those who need it, and segregating especially sensitive information from the rest of the network. Don't forget about your vendors during this process, either. You may be able to shift cybersecurity liability through your service contracts, and you may also be able to secure the right to audit your vendors' security practices to ensure that they value protecting your customers' information as much as you do. Bear in mind, though, that a contract can shift financial liability but not your regulatory responsibility for how a vendor handles your customers' data. This is also the time to consider cybersecurity-specific vendors, such as services designed to detect and prevent attacks, as well as insurance policies that cover cybersecurity and data breaches. Finally, no matter how good your contracts and internal policies are, they are meaningless unless you implement, implement, implement. Make sure your employees understand the importance of the issue, and take measures to verify that your new policies are actually being followed.
Plan Ahead
Because perfect security is impossible, you must plan for the eventuality that your institution will someday experience a (hopefully minor!) data breach or other cybersecurity incident. If and when that happens, you will not have time to think; the thinking must be done ahead of time. Who will be in charge of the response? How will your legal, human resources, public relations, information technology, and senior management teams work together to limit the damage, meet your legal obligations, and put your customers at ease? When and how will you communicate details of the breach to affected customers, and what services are you prepared to offer them to ease their minds and prevent additional damage? Thinking through these issues well in advance of an actual cybersecurity incident will help ensure that your organization is able to respond quickly, and give you the best chance to resolve the issue with as little damage to your bottom line and reputation as possible.
Stay Vigilant
Finally, financial institutions must remember that this is a quickly developing area of law, and the threats themselves change just as quickly. Complacency is your enemy. Your institution must keep up to date and be prepared to change its practices whenever necessary. Keep in touch with legal counsel about your questions, conduct annual audits of your procedures and their implementation, and make sure everyone in your institution remains vigilant about security issues.
These five steps can help your financial institution boil down the complex world of cybersecurity governance into smaller, more manageable tasks. Your institution may not have the resources of JPMorgan, but you are still a conscientious steward of your customers’ assets and personal information. A thoughtful examination, performed when your institution is not in a security crisis, can help ensure that you have taken the steps necessary to protect your institution and your customers against the evolving threats to your business.