Navigating the Age of Eternal Breach

This Viewpoint first appeared in Bank Director magazine’s fourth quarter 2023 issue.

Cyberattacks have become so ubiquitous that James Dever, the U.S. Army’s former senior cyber warfare judge advocate, has called our era “the age of eternal breach.” Whether through fraudulent wire transfers, business email compromise or distributed denial of service attacks, the banking industry is among the most targeted. History also demonstrates that well-known large banks are not the only institutions in the crosshairs; malign cyber actors of all kinds are targeting banks of all sizes.

Even if banks are confident in their own cybersecurity posture, they are reliant on, and vulnerable to, the third parties with which they partner and others in the broader financial ecosystem. This was clearly displayed by the recent MOVEit incident. News reports said that a foreign ransomware gang apparently exploited a previously unknown vulnerability in Progress Software’s managed file transfer solution, MOVEit Transfer, to steal information from databases using that product. When companies and authorities evaluated the extent of the problem, many banks discovered that they were indirect victims because their third-party vendors used MOVEit to send their sensitive information.

As counsel to banks around the country, we worked with boards, management and incident response teams to address the fallout from the MOVEit exploitation, including various regulatory, securities and customer notification issues. Below are some of the cyber-related issues banks faced in connection to that incident, and in similar cases, that can serve as best practices for all financial institutions.

Pre-Incident
Governance. Establish appropriate cyber-related governance structures, including board oversight mechanisms and incident response policies, that are tailored to the organization’s size and operations.

Cybersecurity Awareness. Institutions should consider joining the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a global cyber intelligence sharing community, as well as other comparable organizations and public-private partnerships, to enhance their overall cybersecurity awareness.

Effective Training. Conduct effective legal and other practical training to ensure that directors and employees understand their specific responsibilities and regulatory expectations, including those described in “Cybersecurity 101: A Resource Guide for Financial Sector Executives,” a publication from the Conference of State Bank Supervisors.

Third-Party Agreements. Review third-party agreements, including core processing agreements, to ensure that they mandate appropriate cyber expectations and describe responsibilities following any cyber incident.

Sheltered Harbor. Evaluate the need to join Sheltered Harbor, a not-for-profit data vaulting initiative that was established by the financial industry to enhance financial sector stability and resiliency.

During and Post-Incident
Cybersecurity Insurance. Appropriately notify cybersecurity insurance providers and maximize insurance coverage resources, such as breach coaches and forensic firms.

Internal Investigations. Conduct internal investigations through counsel to determine whether any corrective or disciplinary actions are warranted.

Regulators. Notify regulators of cyber incidents and any related corrective actions. Prepare for regulators to ask about cybersecurity issues in examinations and applications.

Law Enforcement. File suspicious activity reports and, as necessary, coordinate with law enforcement agencies to help reclaim lost funds.

Required Notifications and Disclosures. Provide any necessary customer notifications, which are fact-specific and dependent on the type of exfiltrated data and the location of impacted individuals. Also determine the extent to which cyber incident disclosures may be required for publicly-traded institutions, recognizing that the Securities and Exchange Commission will be requiring more detailed disclosures in that regard.

Public Relations. Develop internal and external public relations templates in advance, which can be tailored to unique circumstances, being sensitive to the rapidity of communications in the social media era.

As the MOVEit situation demonstrated, every cyber incident is unique and requires institutions to work with their counsel and other service providers to resolve the incident in a manner that comports with applicable federal and state law, as well as the expectations of customers, regulators and other stakeholders. Directors should help ensure that their banks always keep their “shields up,” as recommended by the Cybersecurity & Infrastructure Security Agency. Preparation and a speedy response are paramount for impacted institutions.