Online banking is under siege. Web sites at Wells Fargo & Co. and JPMorgan Chase & Co., among others, have been slowed or taken offline by coordinated distributed denial of service attacks. The Office of the Comptroller of the Currency issued an alert in December 2012 warning that some of these attacks may be cover for fraudulent activity, and suggested banks “appropriately consider new and evolving threats to online accounts” and adjust customer authentication, layered security and other controls in response to changing levels of risk. The heightened awareness is evident in bank boardrooms, where cyber security is a more frequent topic of discussion.
What are the bank’s cyber security policies and procedures and how do we make sure they’re followed?
The board’s required role in IT security is clear. According to the Federal Financial Institutions Examination Council (FFIEC), the board must approve a written information security program and receive a written report at least annually on the effectiveness of that program.
“The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution’s information security program, and making senior management accountable for its actions,” according to the FFIEC’s Information Technology Handbook.
So what are the details of this program, and how are they followed? What is the security training procedure, and does the bank run drills to test its security measures? Are the procedures easy for employees to follow? In 2012 the U.S. Court of Appeals for the First Circuit in Boston held that People’s United Bank (formerly Ocean Bank) could be liable for a $588,000 online fraud against a commercial account (Patco Construction Co. v. People’s United Bank), finding that the bank’s security procedures were not commercially reasonable. The judges noted the bank had security policies in place that weren’t followed.
It is also important to understand how your information security function is staffed, how competent that department is and how its employees are held accountable, says Murray Walton, senior vice president and chief risk officer for Brookfield, Wisconsin-based Fiserv, one of the dominant vendors providing online bill payment and mobile payment services for banks.
What are the practices and procedures of our vendors?
Most small and mid-sized banks outsource their online banking and mobile platforms, and vendors handle much of their technology, including security. That does not mean the board isn’t responsible for what the vendors do. It is. Find out how your vendors gather intelligence on new threats, and how quickly the vendor’s staff reacts to emerging threats. Assess the adequacy of the vendor’s security program regularly, and make sure the contract gives the bank the right to audit it and to be notified of incidents.
“The more significant the third party program, the more important it is that the institution conduct regular periodic reviews of the adequacy of its oversight and controls over third-party relationships,” according to the Federal Deposit Insurance Corp.
What is the quality and quantity of reporting to the board?
Regulators are specific about what kind of information needs to be addressed at the board level.
“The annual approval [of the information security program] should consider the results of management assessments and reviews, internal and external audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls,” according to the FFIEC’s IT Examination Handbook.
If the security audits find weaknesses, boards should ensure these are addressed and tracked through completion, says Ray Strecker, a special adviser to the Washington, D.C.-based consulting firm Promontory Financial Group.
It is important for all board members to be able to get past the jargon that is so heavy in the industry. IT security has its own arcane subset of that lingo, dense enough that even IT professionals can be stumped by it.
Walton frequently makes reports to Fiserv’s board as its chief risk officer. “My directors here don’t take the first answer,” he says. “They probe until they really know what I’m saying.”
Do we have adequate insurance?
It is important to have adequate business liability insurance and directors and officers liability insurance. Insurance companies also sell cyber security policies, but it is important to read those policies carefully, including their exclusions and coverage limits, to make sure they actually cover the bank’s risk.
Have we established a plan for notifying customers of data breaches and providing remediation?
The Gramm-Leach-Bliley Act sets out requirements for notifying customers and others of breaches of confidential information. In addition, nearly every state has its own breach notification law, Strecker says. The Securities and Exchange Commission (SEC) requires public companies to disclose “material” breaches in public filings and to warn shareholders of the cyber risks affecting the company. In practice, most companies so far have chosen to remain vague about specific incidents in their SEC filings. The Financial Crimes Enforcement Network (FinCEN) has its own requirement that financial institutions file Suspicious Activity Reports (SARs) when illegal activity is suspected in a transaction.