Wyndham Worldwide and Target Corp. (and their officers and directors) were recently hit with cyber-security derivative lawsuits related to data breaches. Allegations in the cases were that the companies failed to maintain reasonable and appropriate data security for consumers’ sensitive and personal information.
Until this week, when news broke that Russian hackers had apparently hit JPMorgan Chase & Co. and four other banks, banks had not suffered any significant data breaches; regulators are nonetheless concerned that further cyberattacks will threaten the safety and soundness of the financial system. Bank customers have great confidence that their personal financial data is well protected by their banks. Bank management and directors must not let that confidence in the banking system wane.
The Comptroller of the Currency, Thomas J. Curry, gave a speech in Washington, D.C. on April 16, 2014, imploring banks, especially community banks, to shore up the industry’s defenses against cyberattacks. In his speech, Curry emphasized that banks are attractive targets for terrorists and criminals alike, because “that’s where the money is,” and that “[banks are] attractive to terrorists because of the potential to inflict significant damage on our nation’s economic security and way of life.”
The OCC also has said that bank executives and directors must monitor and oversee third-party risk management in all aspects of the bank, especially when the bank outsources internal bank functions (processing, internal audit, loan review, etc.) to third-party vendors. Outsourcing the mechanisms behind a bank’s customer products (remote deposit capture, mobile banking, bill payment, overdraft protection, etc.) requires management to constantly monitor and test those systems to assess and protect customer accounts and information from cyberattacks by “hacktivists.” Senior management and the board must have measurable and verifiable goals to ensure that third-party vendors are competent and capable of building security walls, among other things, to protect customers from cyberattacks.
What Do You Need to Do?
- Perform extensive due diligence on all third-party vendors that provide services to your bank. Background checks are a must.
- Complete and thorough documentation of the due diligence process must be recorded and retained.
- Clearly understand the history of the third-party vendor’s performance and legal compliance.
- Review information security, business continuity and testing of the systems being sold to you.
- Understand the proposed contract between the third-party vendor and the bank. There should be a clear description of the services to be provided.
- Determine business resumption plans, continuity plans and contingencies of the system. In addition, review the vendor’s procedures in the event of a security breach.
- Require that the vendor permit the bank’s regulatory authorities to examine the vendor.
- Review your insurance coverage to be sure damages and losses from cyberattacks are fully covered.
- Finally, carefully review the contract provisions dealing with allocation of losses and responsibility for complaints.
Other important contract provisions include indemnification obligations, ownership of customer information, restrictions on use of information, flexibility for loss/regulation changes and rights upon breach of contract, including termination rights.
Senior management and the board must oversee and monitor vendor performance, fraud losses, suspicious activity and complaints. The bank must control marketing and consumer communications and complaint handling, and must monitor the vendor’s processes to ensure compliance with the information security terms of the contract and the vendor’s financial ability to perform.
Accordingly, a bank must have sufficient internal resources to ensure that the programs behind high-risk customer services (e.g., ACH) are operating as designed. This means that adequate, qualified staff with subject matter expertise must be available. The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. have issued third-party risk management guidance (OCC 2013-29 and FIL-3-2012, respectively). Your bank must carefully review this guidance and be sure that you are managing third-party risk appropriately.
As Comptroller Curry emphasized, “managing these vendor relationships is especially important in the realm of IT systems and information security, particularly with respect to smaller banks and thrifts.” As a result, the OCC is particularly focused on “controls and risk management practices employed by vendors that provide services to banks and thrifts.”
There can be nothing more damaging to the reputation of the banking industry than major security breaches at banks. As bank customers, we are all at risk of having our personal financial information stolen by hacktivists. Senior management and the board must ensure that IT systems are secure and continually updated to avoid security breaches.