Bank Director asked legal experts to address a question that is top-of-mind in bank boardrooms lately: cyber security. What really is the role of the board in overseeing this potential threat? Big banks are getting hit with denial-of-service attacks that are taking down their web sites for hours. Even smaller banks are getting reports of constant attempts to hijack their online security. It seems time to address that question.
What are the three most important steps that banks should take to protect themselves from cyber attacks?
First, the board of directors must be well informed as to the risks of cyber attacks, the mitigating steps taken by the bank to address the risks, and very importantly, the results of any testing performed on the controls that the bank deployed. Second, the board must make sure that qualified management is in place with the appropriate level of competence, staffing and resources to address the ever-evolving risks of cyber attacks. Finally, the board should study all the enterprise’s insurance policies to make sure that there is in place insurance coverage and/or riders to protect the enterprise (this includes the holding company and all affiliates and subsidiaries) if it becomes the victim of a cyber attack.
—John Podvin, Haynes Boone LLP
In December 2012, the Office of the Comptroller of the Currency issued an alert about the recent cyber attacks. The OCC’s alert said that banks need to have a “heightened sense of awareness” about cyber attacks and take actions that include: Ensuring sufficient staffing for the duration of an attack; ensuring that the response effectively involves appropriate personnel across multiple lines of business and external partners; and, conducting due diligence on service providers to ensure that these providers have taken steps to identify and mitigate risks from attacks. The OCC also emphasized that banks should consider the recent attacks as a part of their ongoing risk management program, and should be prepared to provide timely and accurate communication to their customers. The OCC expects banks that are victims of attacks to report the information to law enforcement authorities, to notify their supervisory office, and file suspicious activity reports if appropriate.
—Don Lamson, Shearman & Sterling LLP
Banks should review current systems, physical facilities and processes for vulnerabilities, and adjust as needed. Some important changes might not be that difficult to implement. Consider hiring an outside specialist for this—someone who knows the latest threats and methods. Review the security practices of your vendors, and review vendor contracts to ensure appropriate representations and warranties (and indemnification) around security. Invest in regular training for employees, including what to look for and what to avoid. The bad guys are constantly changing their methods, and regular training helps address new threats and also keeps security top-of-mind. Bonus Answer: Maintain a top-down emphasis on security. Emphasis must come from the C-suite and not just from the technology department.
—Bobby Turnage, Venable LLP
The biggest threat to banks today is still the insider threat. Banks should be thoroughly checking the backgrounds of their employees before they are employed. Banks should continue to supervise and be alert to activities once employed. In parts of the world where background checking is not possible, banks should conduct extensive validation using personal local sources and social media sources. Access to systems should be carefully protected, taking into account the sensitivity of the systems and access should be provided only on a “need to know basis.” Data silos need to be broken down. Systems were originally designed to solve particular problems. Criminals have figured out that these silos prevent organizations from seeing the true picture of fraudulent activity. Big data tools are available in the market that can help organizations thwart potential problems without the massive data warehousing effort that was required just a few years ago.
—Vivian Maese, Dechert LLP
Earlier this year, the Australian Department of Defense, Intelligence and Security released a statement that 85 percent of targeted cyber intrusions that it responds to as an agency could be prevented if companies did the following: 1. Application whitelisting (or preapproving of mobile and traditional applications used by employees). 2. Operating system and application patching (ensuring that the software in use by your organization has the latest security fixes). 3. Administrative password management (minimizing the number of users in the organization with administrative privileges). However, in cyber security, we can't simply note the technical fixes required. We also ask organizations to become security-aware and foster a meaningful cross-expertise dialogue between business units, legal, IT and security. The technical fixes will only get organizations so far and do not fully protect against social engineering, rogue employees, or customer/employee phishing. At Ballard Spahr LLP, we created a helpful checklist for organizations to improve the cyber security dialogue within their organizations. An effective cyber security program and dialogue will not protect against all cyber theft, but it will help put your organization in a better position to detect, respond and control costs once events occur.
—Amy S. Mushahwar, Ballard Spahr LLP