The Board’s Role in Confronting Cyberrisk

Heartbleed, DDoS, zero day, malware, NIST, phishing, FS-ISAC. The cybersecurity challenges that banks face today are new, complex, constantly evolving and often confusing to a bank’s board of directors. Tackling these challenges feels daunting. The role of the directors in cybersecurity defense is not to get involved in technical controls and defenses, but to provide oversight and take certain calculated steps to comply with their fiduciary duties and to protect themselves, their customers and their employees from a cyberattack. Gary R. Bronstein, a partner, and Kevin M. Toomey, an associate, with Kilpatrick Townsend & Stockton LLP in Washington, D.C., explore the various steps that bank boards should take to protect themselves against a cyberattack.

What are the three things banks and their directors must know when it comes to cybersecurity?
From both a strategic and regulatory perspective, it is imperative that boards become educated on the topic of cybersecurity. How can you possibly ask the right questions and provide the necessary oversight if you don’t have a firm grasp of the underlying issues?

The board should establish a specialized cybersecurity risk committee. With the significant increase in data breach-related shareholder derivative suits, potential D&O liability, the growing threat of cyberattacks and an increase in scrutiny from the regulators, it is imperative that banks establish a board committee specifically designed to address and oversee cyber-related issues and developments.

The board must set the institution’s tone for cybersecurity compliance. Not unlike other areas of risk management, the board is expected to demonstrate attention to and compliance with the particular risk, serving as the example to the rest of the institution.

We do not have a board member with relevant cybersecurity or IT experience. Do we need a director with this particular skill set?
Although IT expertise is not yet required by the regulators, retaining a director with such experience is a prudent, developing corporate governance best practice that will aid the board in understanding this new, complex area. Moreover, for public companies, this topic is likely to receive increased interest from shareholders and proxy advisory firms.

Some banks are establishing cyberrisk committees at the board level. What should these committees look like and how should they structure the charter?
A cyberrisk committee should be structured similarly to your institution’s other committees. Importantly, the charter should: clearly define cyberrisk and the scope of the committee’s responsibilities; articulate the level of oversight required by the board and the committee; and establish reporting lines for cybersecurity issues and developments.

What other steps may a bank take to limit its liability? Does a cyber-specific insurance product exist for banks?
It is imperative that financial institutions review their cybersecurity insurance policies carefully to ensure that the scope, limits, and sublimits of the coverage are appropriate. Consistent with other areas of risk mitigation, the amounts of such cybersecurity insurance coverage should be commensurate with the level of risk involved with the bank’s operations and the type of activities the bank provides. Banks should also understand that not all cyber-insurance products are the same—the scope of coverage can vary dramatically among products offered by insurance carriers. We advise banks to work with their brokers, coverage attorneys and IT professionals to analyze their risks and whether they have sufficient insurance to cover them.

My bank just experienced a data breach–now what?
If your bank experiences a data breach, the board, senior management and employees must work together quickly and collectively in carrying out their response. Simultaneously, the institution must initiate an investigation, consult with counsel, contact law enforcement, hire consultants and determine required notice obligations; evaluate remedial options; comply with insurance coverage policies; and distribute notices and press releases.

Thinking about these questions before a breach occurs reduces compliance costs and headaches for companies and their boards. Establishing sufficient controls at the board level will help mitigate reputational and monetary damages to your bank, board, employees and customers. Do not wait until the breach occurs. Having sound policies and plans in place should help minimize risk.