Heartbleed, DDoS, zero day, malware, NIST, phishing, FS-ISAC. The cybersecurity challenges that banks face today are new, complex, constantly evolving and often confusing to a bank's board of directors. Tackling these challenges feels daunting. The directors' role in cybersecurity defense is not to get involved in technical controls and defenses; it is one of oversight, together with certain calculated steps to comply with their fiduciary duties and to protect themselves, their customers and their employees from a cyberattack. Gary R. Bronstein, a partner, and Kevin M. Toomey, an associate, with Kilpatrick Townsend & Stockton LLP in Washington, D.C., explore the various steps that bank boards should take to protect themselves against a cyberattack.

What are the three things banks and their directors must know when it comes to cybersecurity?
From both a strategic and regulatory perspective, it is imperative that boards become educated on the topic of cybersecurity. How can you possibly ask the right questions and provide the necessary oversight if you don’t have a firm grasp of the underlying issues?

The board should establish a specialized cybersecurity risk committee. With the significant increase in data breach-related shareholder derivative suits, potential D&O liability, the growing threat of cyberattacks and an increase in scrutiny from the regulators, it is imperative that banks establish a board committee specifically designed to address and oversee cyber-related issues and developments.

The board must set the institution’s tone for cybersecurity compliance. Not unlike other areas of risk management, the board is expected to demonstrate attention to and compliance with the particular risk, serving as the example to the rest of the institution.

We do not have a board member with relevant cybersecurity or IT experience. Do we need a director with this particular skill set?
Although IT expertise is not yet required by the regulators, retaining a director with such experience is a prudent, developing corporate governance best practice that will aid the board in understanding this new, complex area. Moreover, for public companies, this topic is likely to receive increased interest from shareholders and proxy advisory firms.

Some banks are establishing cyberrisk committees at the board level. What should these committees look like and how should they structure the charter?
A cyberrisk committee should be structured similarly to your institution’s other committees. Importantly, the charter should: clearly define cyberrisk and the scope of the committee’s responsibilities; articulate the level of oversight required by the board and the committee; and establish reporting lines for cybersecurity issues and developments.

What other steps may a bank take to limit its liability? Does a cyber-specific insurance product exist for banks?
It is imperative that financial institutions review their cybersecurity insurance policies carefully to ensure that the scope, limits, and sublimits of the coverage are appropriate. Consistent with other areas of risk mitigation, the amounts of such cybersecurity insurance coverage should be commensurate with the level of risk involved with the bank’s operations and the type of activities the bank provides. Banks should also understand that not all cyber-insurance products are the same—the scope of coverage can vary dramatically among products offered by insurance carriers. We advise banks to work with their brokers, coverage attorneys and IT professionals to analyze their risks and whether they have sufficient insurance to cover them.

My bank just experienced a data breach–now what?
If your bank experiences a data breach, the board, senior management and employees must work together quickly and collectively in carrying out their response. Simultaneously, the institution must initiate an investigation; consult with counsel; contact law enforcement; hire consultants; determine required notice obligations; evaluate remedial options; comply with the terms of its insurance coverage; and distribute notices and press releases.

Thinking about these questions before a breach occurs reduces compliance costs and headaches for companies and their boards. Establishing sufficient controls at the board level will help mitigate reputational and monetary damages to your bank, board, employees and customers. Do not wait until the breach occurs. Having sound policies and plans in place should help minimize risk.

WRITTEN BY

Gary Bronstein

Partner

Gary Bronstein is a partner and team leader of the financial services team at Kilpatrick Townsend & Stockton LLP. Mr. Bronstein provides a broad spectrum of strategic advice to financial institutions and public company clients. He concentrates on initial public offerings and other specialized capital raising transactions, mergers and acquisitions, proxy contests and a host of other corporate and securities law matters. Mr. Bronstein has extensive experience with financial institution enforcement cases, creating resolution strategies, negotiating settlements and leading internal investigations. Mr. Bronstein advises on corporate governance for public company clients and clients that have been the subject of enforcement proceedings. Mr. Bronstein was recognized in 2020 and the seven years immediately preceding as a Washington D.C. "Super Lawyer" in the area of securities and corporate finance by Super Lawyers magazine, and was also recommended by Legal 500 US for mergers and acquisitions in 2020 and the four years immediately preceding.

WRITTEN BY

Kevin Toomey

Partner

Kevin Toomey is a partner at Arnold & Porter. He represents banks and other financial services companies, along with their boards of directors and senior management, in a wide range of enforcement, regulatory and corporate governance matters. Mr. Toomey has deep and broad experience representing institutional and individual clients before the Federal Reserve, FDIC, OCC, Department of Justice, CFPB, FinCEN and OFAC. Many of those matters have involved complex, sensitive investigations involving multiple agencies and parties. As part of his public service and private practice, he has developed expertise in areas such as federal and state banking laws and regulations, consumer protection statutes, the Bank Secrecy Act and anti-money laundering requirements.

Chambers USA has recognized Mr. Toomey as a leading lawyer in the nationwide category of financial services regulation: banking (enforcement and investigations), and has highlighted that major financial institutions often seek his counsel to lead their response to investigative and enforcement proceedings involving multiple government agencies.