Banks and other financial institutions are prime targets for hackers because criminals can gain access to financial and personal information that leads them to additional sources of funds. For the same amount of effort, corporate accounts give hackers access to much more data. Criminals are working hard to stay a step ahead of security experts, who are trying their best to protect corporate accounts.
Hackers are looking at the interconnectivity of mobile devices and other systems to find ways to squeeze in viruses and capture information. IT experts are also looking at how they can use interconnectivity to incorporate security tools for banks and other industries.
No system is as secure as banks would like for it to be, which makes it difficult for them to know how much insurance would be sufficient in the event of a breach if they are considering the purchase of coverage.
Any way you approach it, protecting against cyberattacks is an expensive proposition.
Banks and other financial institutions stand to lose more than funds and data. Other potential costs include the loss of brand reputation and losses due to exposure for not complying with security regulations.
Several different things make corporate banking accounts difficult to protect. Corporations usually have multiple people listed on their accounts who need to be able to deposit, transfer and withdraw funds. Having different employees accessing the account on a regular basis, either in person or remotely, opens up opportunities for fraud. Transactions also tend to be larger on corporate accounts than on personal accounts, so there is more to lose.
Senior executives and directors don’t always understand the information that their tech departments provide about how they are protecting the bank’s various computer systems, so they have no way of assessing whether the security programs are effective. A 2017 report by MediaPro surveyed 809 employees working in the financial services industry and classified 80 percent of them as “risks” or “novices” relative to cybersecurity. Lack of awareness among financial services employees increases the risk of work practices that could lead to a security breach.
Cybersecurity expert Ariel Evans cautions managers at financial institutions to be aware of IT departments that take a “bottom-up approach” to cybersecurity, which only describes the implementation status of the control and stops at the system level, lacking the ability to detect vulnerabilities within the system. When these cybersecurity systems fail to tie in the business processes to the data assets and systems, the security essentially stops at the system level. A bank may have the most sophisticated, mature security system available, but its effectiveness is nil because it’s not being measured at all.
Evans recommends a top-down approach that ties the business impact of the assets and processes to cyber risk. This approach measures the risk posed to the assets and prioritizes remediation efforts. This information is also helpful to insurance providers since it provides them with more accurate information to offer cyber-risk insurance policies that cover adequate amounts in the event of a breach.
Financial institutions can protect their consumers with cyber risk insurance policies. Many experts question if banks are considering the full cost of what they would risk in the event of a cyberattack. Directors need to carefully assess if they have enough cyber risk insurance. Discussions will no doubt include weighing the cost of the insurance with the amount of protection it provides, due to the large amounts that could be lost in the event of a breach.
Having data about the effectiveness of cybersecurity systems is instrumental in keeping insurance premiums low enough to offset large liability limits.
Directors have a huge task in front of them as they make decisions about cybersecurity. They need to have assurance from the IT department that the security tools they use are mature and effective. They also need to understand all the layers of security, including making sure that they’ve taken steps to make employees aware of their responsibilities in keeping accounts secure. Finally, directors need to understand what their cyber risk insurance policies cover, as well as any limits, conditions and exclusions that apply.
For many bank chief executive officers and their boards, it could be one of their worst nightmares: Hackers have penetrated their bank’s computer systems and possibly made off with highly sensitive customer information, and a series of decisions will have to be made very quickly under a great deal of pressure. What remedial action should be taken, and by whom? Who else should be involved as the bank responds to the situation? And what should the bank tell its customers and its regulators?
The author J.R.R. Tolkien once mused in his popular novel “The Hobbit” that “It does not do to leave a live dragon out of your calculations if you live near him.” The metaphorical dragon that bankers need to include in their calculations is a global army of hackers—some representing nation states, some just crooks and some a combination of the two—that has emerged as one of the greatest threats facing the banking industry today. As even the smallest, most conservative banks in the country continue to adopt an increasing array of digital strategies, the industry’s cyber risk exposure has increased accordingly. And that’s why when the cyber dragon attacks, bankers need a remediation plan that they can activate quickly.
It doesn’t have to be an enormously complex plan—and in fact, the simpler the better. Jena Valdetero, a partner at the law firm Bryan Cave who has lots of experience working with companies, including banks, that have been the target of cyber attacks, says she has seen incident response plans that were 35 pages long and became an encumbrance when responders had to move quickly. “We always say that it’s better to have a three- to five-page incident response plan that hits the highlights and that your team can easily learn, remember, absorb and train on than to have a much larger plan,” she says.
Dave McKnight, a senior manager who leads consulting firm Crowe Horwath’s incident management services, says that he follows the National Institute of Standards and Technology’s Computer Security Incident Handling Guide, which was issued in 2012. “Basically, what this says is, the lifecycle of an incident response program should be preparation, detection and analysis, containment, recovery and then a post-incident review,” McKnight says.
How a bank responds to an incident often depends on its size. Large banks will probably rely on an in-house cybersecurity team, possibly augmented by resources from an outside consulting team that it has on retainer. Most smaller banks that lack the necessary funding to support an in-house response team will rely more on outside firms to handle any incidents that occur. Typically, the response team would operate from what McKnight calls a “playbook,” which is essentially a set of reference materials that would lay out the steps that the response team should take depending on what kind of incident has occurred—ransomware versus denial of service, for example—guiding the team through the various stages including containment, removal and recovery.
“Then there should be some type of look-back activity on how that was handled,” says McKnight. “Was there an opportunity for improvement in either our documentation or our skill set? How do we enrich the rest of our process so that next time around, we do it better, faster and more inclusively?”
If the bank does expect to rely on outside consultants to assist in the remediation effort, McKnight says it’s important to have those arrangements made well in advance, in part because the bank can’t necessarily count on having immediate access to those firms when an incident occurs. “Without a retainer, you don’t have a guarantee that someone is going to be available because these aren’t scheduled events,” he says of an attempted or successful hack. But merely having an outside firm on retainer isn’t enough, adds McKnight. The outside firm also needs to be thoroughly familiar with the bank’s operations, networks and cybersecurity defenses before an incident occurs. “I want [them] to understand what our plan and program and capabilities are,” he says. “That way [they’re] addressing my problems… [they’re] doing so swiftly and accurately and you’re not asking for stuff that you should know I don’t have. You’re asking for things I do have as soon as you need them.”
For banks that have a chief information security officer (CISO), this individual would typically quarterback the remediation effort, or, in the absence of a CISO, that role might be assigned to the chief information officer. But in a situation where a hacker has gained access to a bank’s computer systems, the remediation effort entails more than simply kicking them out, assessing the damage (including any loss of data) and putting a recovery plan in place. There often are stakeholders and customers to inform, as well, and possible impacts on the bank’s business. This means that the incident response team should include a wide range of executives throughout the organization.
In addition to the data personnel, members of the remediation team would typically include the bank’s chief executive officer and possibly the chief operating and chief financial officers, as well as members of the public relations team since it will most likely be necessary to communicate with the media in the event of a serious incident. “It really depends on how your organization is set up, but you want key stakeholders in the room—people with senior-level decision-making ability,” Valdetero says.
The board of directors typically does not have a hands-on role in the remediation effort, although the non-executive chairman (or lead director if the CEO also serves as board chairman) should be kept apprised of the remediation efforts as they unfold. Serious data breaches that involve the loss of funds or significant amounts of customer data can pose both a financial and reputational risk to the bank, which is of primary concern to the board of directors.
“I think the role [of the board] is typically overseeing from a high level the management team and making sure they are responding adequately,” Valdetero says. This would include making sure the investigation is being conducted in a thorough manner, that the team has adequate resources and the bank is complying with all applicable laws.
Another important member of the team is the bank’s general counsel if it has one, or outside counsel if it doesn’t. This is critically important if the incident involves the loss of customer information. Valdetero says it’s desirable that banks conduct their investigation under the protection of attorney-client privilege, and a lawyer will provide that protection. “I approach these types of breaches… from my background as a litigator, and as a litigator you’re always thinking worst case scenario,” she explains. “If we are sued down the road as a result of this breach… what do you want to be able to protect from disclosure, if at all possible?” Valdetero adds that while underlying factual information cannot be protected from disclosure, “you can protect legal advice and specific communications that took place for the purpose of getting legal advice, and you need legal advice in these situations because there is a myriad of laws that might be implicated by a breach.”
The bank’s remediation team may also want to reach out to law enforcement agencies such as the Federal Bureau of Investigation or Secret Service in the event of a serious data breach. Phyllis Schneck, managing director and global leader of cyber solutions at Promontory Financial Group, advises banks to establish a relationship with these agencies in advance so a communication link already exists when an incident occurs. “Typically, you want your law enforcement relationships [established] ahead of time,” Schneck says. “You want to know who to call by first name, and they’ll do that for you. You do not want to be calling 1-800-law enforcement when your hair is on fire.”
Banks are required to inform their primary federal regulator when “the institution becomes aware of an incident involving unauthorized access or use of sensitive customer information…,” according to interagency guidance on data security issues. The guidance defines sensitive customer information as a customer’s name, address or telephone number, account number, credit or debit card number, or a personal identification number or password that would permit access to a customer’s account.
Banks also have a legal obligation under the guidance to inform their customers when a serious data breach has occurred. “Financial institutions have an affirmative duty to protect their customer’s data against unauthorized access or use,” the guidance states. “Notifying customers of a security incident involving the unauthorized access or use of the customer’s information… is a key part of that duty.”
What should customers be told and when should they be told it? “In my opinion, you should tell them exactly what’s going on and if you’ve run a good cybersecurity program that will be a good message,” Schneck says. “Everybody understands that these events will happen and that we can’t prevent them 100 percent. If you have a good program, you’ll be able to bounce back.” However, in the event of a serious data breach, the bank may find itself trying to balance the need to communicate to customers quickly that an incident has occurred that could negatively impact them, with the need to communicate the correct information.
When Target Corp. was hit with a massive data breach in December 2013, it originally estimated that approximately 40 million customers had been affected. But as Target dug deeper into the breach, it was forced to announce later that approximately 70 million customers had been impacted, which suggested that the company was not in full control of the situation. Says Valdetero, “We usually advise clients, if they’re going to make public-facing statements, that generally you should not commit to a specific number of affected individuals.”
In the good old days, robbing a bank took some logistical planning. You needed enough gun-wielding associates to cover the lobby while the heist went down, and of course you needed a getaway car and a place to lay low. Today, all you need to rob a bank is a cheap laptop, some hacking skills and a high speed wireless connection. Talk to bankers and they’ll tell you that cybersecurity is their top concern. The reputational risk of a successful attack, let alone the potential financial exposure, is devastating.
Famed bank robber Willie Sutton once said he kept robbing banks because that’s where the money was. Of course, cyber thieves now steal identities and credit information instead of greenbacks, and their dogged persistence has turned cybersecurity into a growth industry. According to a recent report published by Homeland Security Research Corp., “Banking and Financial Services Cybersecurity: U.S. Market 2015-2020,” the financial services industry is the largest nongovernment cybersecurity market in the country. The industry is projected to spend $75 billion between 2016 and 2020 on cybersecurity measures.
Technology companies are well aware of the size and potential of the financial institutions marketplace for cybersecurity products and are rushing to develop products to meet the need. I doubt that many of the smaller ones will make much headway in financial services without partnering with a major tech firm. The career risk for a bank chief technology officer who hires Garage Genius Cyber Security is too great. Hiring a new young, innovative company gets you fired if an attack is successful. Hiring an old established well known company not only helps protect the bank from attack, it helps protect the CTO’s job if something goes wrong.
The older, more established companies are aware they have to keep up and are partnering with or acquiring new startups with promising cybersecurity products and services. This should allow them to offer cutting edge services to the financial community and still offer the peace of mind of a well-established and deep pocketed technology provider.
Already very active in the bank cybersecurity market, IBM has been buying up smaller cybersecurity companies, and I expect that to continue as the company moves to counter new and developing threats. Vasco Data Security International, a world leader in two-factor authentication and transaction signing for financial institutions with more than half the world’s top 100 banks on its client roster, last year completed its acquisition of Silanis Technology Inc., a leading provider of electronic signature and digital transaction solutions that had a strong presence in the financial institutions marketplace.
Unisys’ new Stealth cybersecurity products can be used to protect your core data as well as mobile and cloud-based platforms. And Cisco will continue to build its presence in the financial services cybersecurity market via acquisition. The company started down this path in 2013 by buying Sourcefire and has since added ThreatGRID, OpenDNS and Lancope, and I expect it to make additional acquisitions as well.
Given their elevated concern about cybersecurity, most financial institutions are going to be reluctant to use smaller, younger companies—which means the established technology leaders should see the bulk of the money. And they, in turn, will have to be aggressive about buying and developing new technology to remain in front of the increasingly innovative and aggressive attacks that criminals will employ.
For 77 percent of the bank executives and board members responding to Bank Director’s 2016 Risk Practices Survey, sponsored by FIS, cybersecurity remains their top concern, for the second year in a row. More than half indicate that preparing for cyberattacks is one of their organization’s biggest risk management challenges. While these concerns aren’t new, respondents this year indicate a shift in how their boards and executives are addressing the threat. Unfortunately, the fact remains that many banks still aren’t doing enough to protect themselves—and their customers.
Just 18 percent indicate their bank has experienced a data breach, but it’s important to note that these breaches were almost as likely to occur at a smaller, $500 million asset institution as at a larger institution above $10 billion. Cybersecurity can no longer be dismissed as merely a “big bank” concern.
In addition to identifying cybersecurity practices within the industry, the online survey asked 161 independent directors and chairmen, chief risk officers, chief executive officers and other senior executives of U.S. banks above $500 million in assets to weigh in on their bank’s risk governance, culture and infrastructure. The survey was conducted in January.
Compared to last year’s survey results, more respondents indicate their board reviews cybersecurity at every board meeting, at 34 percent compared to 18 percent last year. While this shift represents a significant increase in board-level attention to cyberthreats compared to last year, these institutions remain the exception rather than the rule.
Many banks have yet to fully utilize the Cybersecurity Assessment Tool, developed by the Federal Financial Institutions Examination Council and made available to banks in 2015 “to help institutions identify their risks and determine their cybersecurity maturity.” Sixty-two percent of survey respondents indicate their bank has used the tool and completed an assessment. However, just 39 percent have validated the results, and 18 percent established board-approved triggers for update and reporting. All three prudential regulators—the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp.—now use the tool in exams, regardless of the bank’s size. Several states have mandated its use as well.
Other key findings:
Seventy-eight percent indicate that their bank employs a full-time chief information security officer, up from 64 percent in last year’s survey.
Almost half report that the bank has a chief risk officer exclusively focused on risk, while 37 percent have a risk officer that is also focused on other areas of the bank.
Fifty-four percent of respondents who indicate that the bank has a CRO also say the board never meets with that individual.
Responses indicate a low level of board engagement with the chief risk officer: Just 21 percent indicate the CRO’s performance is reviewed, and compensation determined by, the board or a board committee.
Forty-eight percent of respondents govern risk within a separate, board-level risk committee, and 65 percent have at least one director who is considered to be a risk expert.
Forty-five percent indicate that risk performance is not incorporated into their bank’s compensation programs.
Just 55 percent indicate their bank has a risk appetite statement, which defines the acceptable amount of risk for an organization.
Cybersecurity: Five Best Practices To Protect Your Bank
Cybersecurity remains a top concern for the bank executives and board members surveyed in Bank Director’s 2016 Risk Practices Survey, sponsored by FIS. What can bank boards do to combat this threat? In this video, Sai Huda of FIS reveals best practices that boards can implement, based on the survey results.
Unfortunately, despite the recent prevalence of cyberattacks and data breaches, many businesses neglect cybersecurity or, if they do pay attention, view cybersecurity as a technical issue for senior management. However commonplace lax oversight of cybersecurity may be in other sectors of the economy, bank directors cannot afford to neglect or delegate responsibility for cybersecurity—bank boards must be actively involved.
Regardless of size, no bank is completely safe from a cyberattack. Every bank should assume that a cyberattack will occur and, when it does, at least one defense will fail. Hackers constantly test cybersecurity defenses, transform their attack methodology, and exploit weaknesses, which, all too often, are the access points used by third-party vendors providing critical services.
Banks are expected to take steps to prevent intrusions, prepare for the possibility of cyberattack, and have processes in place to resume business continuity. Bank examiners look to see if a bank has an integrated system of technology, processes and practices employed to protect networks, computers and data from attack. Bank examiners also look to see whether the board, as the driver of governance controls, is actively involved with senior management in development of a robust approach to cyber risk. Poor cybersecurity measures and lax board oversight can result in a bad IT exam, which, in turn, can negatively affect a bank’s management component rating (even though cybersecurity falls under the IT component). Worse still, a poor cybersecurity review may also negatively affect a bank’s safety and soundness rating.
As with many complex issues facing banks, the board must take steps to ensure that it is well advised regarding technological issues and has a thorough understanding of the bank’s inherent risk environment. A good first step is to make the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool a part of the bank’s governance framework. The assessment tool is a two-part, repeatable process review that helps banks identify their risks and evaluate cybersecurity maturity. The first part gauges the bank’s inherent risk profile, which identifies risks and threats (both internal and external) corresponding to the activities, services and products offered by the bank. The second part, the Cybersecurity Maturity review, tests the maturity of the bank’s cybersecurity program, including board involvement and oversight of that program.
The board is ultimately responsible for cybersecurity, but it is not necessary that each director have a detailed technical understanding of the underpinnings of cybersecurity safeguards. Many boards appoint a board-level IT committee to take the lead on cybersecurity. Regulators expect the IT committee to own primary responsibility for the bank’s IT strategic plan, including making the board comfortable that the IT strategic plan aligns with the bank’s business strategy. As part of that process, the IT committee can incorporate the FFIEC assessment tool into its review and approval of bank IT policies, management of information security systems, training of other board members and bank management, and approval of IT budgets. Most importantly, because the IT committee is responsible for running periodic independent testing to monitor compliance, the assessment tool can be used to aid the IT committee in holding management accountable for identifying, measuring, monitoring and mitigating IT risks. Boards lacking an IT committee must work closely with senior management to tackle all of the tasks normally delegated to the IT committee and may want to consider hiring an outside consultant to advise the board on cybersecurity technologies and best practices.
The regulators have indicated that cybersecurity is going to be a key topic for exams during 2016. Federal regulators have also directed examination staff to incorporate the assessment tool into their review of bank cybersecurity and risk management. While there have been no reported civil money penalties to date related to a bank’s failure to adequately ensure cybersecurity, it is only a matter of time before examiners resort to supervisory and enforcement powers to ensure that banks adequately address cybersecurity risk. Moreover, as the scope of liability for cybersecurity risk grows, banks can be sure that insurance companies, plaintiffs’ attorneys and activist shareholders will scrutinize bank boards’ oversight of cybersecurity.
Proactive integration of the assessment tool into a bank’s governance and risk oversight framework will put the board in a better position to demonstrate satisfactory compliance on these points during an exam, help avoid any downgrade to the institution’s exam rating, and mitigate exposure to the bank and its customers from inevitable cyberattacks.
The United States continues to experience an increase in the number and severity of high-profile cyberattacks, a trend that shows no signs of easing. From large financial institutions and brokerages to blue-chip retailers, hackers are gaining traction and notoriety as they breach systems with greater impact and severity—many of them stealing private customer data. The reality is that every organization—big and small—is susceptible to these attacks.
Banks, in particular, are challenged to protect proprietary information, client data and in many cases, shareholder value. Bank directors and board members equipped with the proper tools and information about cybersecurity are more prepared to keep their organization safe in the event of a cybersecurity breach. In order to ensure an organization is fully equipped to mitigate risks associated with hacks and other cyberattacks, there must be a clear understanding among all levels of the financial institution’s management team about who is responsible for managing this issue. When the senior management and the board ensure that cyber policies are up to date, understood by all and frequently tested, companies decrease their chance of exposure. For directors at financial institutions, here are five key strategies to improve cybersecurity defenses and awareness:
Secure communication: Companies must provide board members with a secure way to share and communicate critically sensitive information. This information should never be sent over email.
Collaboration is key: When directors have a clear understanding of cyber security and the associated risks, they are more equipped to work together to manage issues related to cybersecurity.
Have a strategy: Determine, in advance of a data breach or other cyber attack, who is responsible for managing cybersecurity, whether it be an audit committee, another committee, the organization’s IT department or the chief information officer.
Understand the cloud: Understand what cloud services your bank and your bank’s vendors are using, public or private, for file sharing or downloading sensitive information. While cloud solutions can offer easy uploading and downloading of files as well as security features like encryption and authentication, many have been successfully hacked, compromising private files and email addresses.
Education and preparation: Ensure board members educate themselves on cybersecurity to understand the risks and be prepared for whatever comes their way; this is where many vulnerabilities surface, not because a board lacks the appetite, but because directors are not provided with the proper tools and information.
Cybersecurity should be a topic on all bank directors’ radar, and they should continue to embrace new strategies as they grapple with ways to confront, manage and control issues around cybersecurity. Additionally, adopting technologies in order to ensure secure, fast and accessible communication is vital. This is especially true for a company’s board of directors, which is privy to sensitive, confidential and market-moving information. Throughout history, financial institutions have constantly evolved to reflect changes both in society and in the market. Cybersecurity presents a complicated challenge, but it is one that can be confronted successfully with the correct management strategy and tools.
Protecting their bank against cyberattacks is a core risk governance responsibility of every bank board of directors. But what are the best ways to implement a risk management process to focus specifically on the growing and costly issue of cybersecurity? Sai Huda of FIS discusses the seven best practices which boards should adopt to prevent a cyber disaster.
Wyndham Worldwide and Target Corp. (and their officers and directors) were recently hit with cyber-security derivative lawsuits related to data breaches. Allegations in the cases were that the companies failed to maintain reasonable and appropriate data security for consumers’ sensitive and personal information.
Until this week, when news broke that Russian data hackers apparently hit JPMorgan Chase & Co. and four other banks, banks have not suffered any significant data breaches, but regulators are concerned that more cyberattacks will be a threat to the safety and soundness of the financial system. Bank customers have great confidence that their personal financial data is highly protected by their banks. Bank management and directors must not let customer confidence in the banking system wane.
The Comptroller of the Currency, Thomas J. Curry, made a speech in Washington, D.C. on April 16, 2014, imploring banks, especially community banks, to shore up the industry’s defenses against cyberattacks. In his speech, Curry emphasized that banks are attractive targets for terrorists and criminals alike, because “that’s where the money is.” “[Banks are] attractive to terrorists because of the potential to inflict significant damage on our nation’s economic security and way of life.”
The OCC also has said bank executives and directors must monitor and oversee third-party risk management in all aspects of the bank, especially when the bank outsources internal bank functions (processing, internal audit, loan review, etc.) to third-party vendors. Outsourcing the mechanisms behind a bank’s customer products (remote deposit capture, mobile banking, bill payment, overdraft protection, etc.) requires management to constantly monitor and test its systems to assess and protect customer accounts and information from cyberattacks by “hacktivists.” Senior management and the board must have measurable and verifiable goals to ensure that third-party vendors are competent and capable in building security walls, among other things, to protect customers from cyberattacks.
What Do You Need to Do?
Perform extensive due diligence on all third-party vendors that provide services to your bank. Background checks are a must.
Complete and thorough documentation of the due diligence process must be recorded and retained.
Clearly understand the history of the third-party vendor’s performance and legal compliance.
Review information security, business continuity and testing of the systems being sold to you.
Understand the proposed contract between the third-party vendor and the bank. There should be a clear description of the services to be provided.
Determine business resumption plans, continuity plans and contingencies of the system. In addition, review the vendor’s procedures in the event of a security breach.
Require that the vendor permit the bank’s regulatory authorities to examine the vendor.
Review your insurance coverage to be sure damages and losses from cyberattacks are fully covered.
Finally, carefully review the provisions in the contract dealing with allocation of losses and responsibility for complaints.
Other important contract provisions include indemnification obligations, ownership of customer information, restrictions on use of information, flexibility for loss/regulation changes and rights upon breach of contract, including termination rights.
Senior management and the board must oversee and monitor performance, fraud losses, suspicious activity and complaints. They must also control marketing and consumer communications and complaint handling, and monitor the vendor’s processes to ensure compliance with the contract’s information security terms and the vendor’s financial ability to perform.
Accordingly, a bank must have sufficient internal resources to ensure that the programs in high-risk customer services (e.g., ACH) are operating as designed. This means that there must be adequate and qualified staff with subject matter expertise available. The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. have issued risk management guidance (i.e., OCC 2013-29 and FIL-3-2012). Your bank must carefully review this guidance and be sure that you are managing third-party risk appropriately.
As Comptroller Curry emphasized, “managing these vendor relationships is especially important in the realm of IT systems and information security, particularly with respect to smaller banks and thrifts.” As a result, the OCC is particularly focused on “controls and risk management practices employed by vendors that provide services to banks and thrifts.”
There can be nothing more damaging to the reputation of the banking industry than major security breaches at banks. As bank customers, we are all at risk of having our personal financial information stolen by hacktivists. Senior management and the board must ensure that IT systems are secure and continually updated to avoid security breaches.
As cyber attacks against financial institutions have become more and more frequent, and the possibility of significant adverse consequences from a single attack has increased, financial institutions have been stepping up cyber security processes for some time. However, many institutions still grapple with the appropriate level of disclosure to shareholders regarding cyber security.
Cyber attacks can come from all directions and in all shapes and sizes—from the stolen employee laptop to a hacked computer system that allows fraudulent transfers from an account. Attacks where the criminals bypass both the computer systems of the bank and its customers and instead access the systems of the bank’s outside service providers can also leave the bank at risk. Which of these attacks or potential attacks merit disclosure?
In October of 2011, the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2, which described disclosure obligations for cyber security risks and cyber incidents for public companies. While there is no explicit disclosure requirement regarding cyber security risks or incidents, the guidance from the SEC highlights areas that may require disclosure of cyber security risks or incidents, including:
Risk Factors – Like other operational and financial risks, the risk of a cyber incident should be disclosed if it is among the most significant factors that make an investment in the company speculative or risky. The disclosure should be specific to the company and sufficient to allow investors to appreciate the nature of the risk without compromising the company’s cyber security.
Management Discussion & Analysis – MD&A disclosure should include any known incident or risk or potential incident that represents “a material event, trend or uncertainty that is reasonably likely to have a material effect on the [company’s] results of operations, liquidity, or financial condition” or cause reported information not to be indicative of future results.
Description of Business – Disclosure should be provided where a cyber incident may affect products, services, relationships with customers or suppliers or the company’s competitive position.
Legal Proceedings – Any material pending legal proceeding related to cyber incidents should be disclosed.
Financial Statements – Financial statement disclosure may include the material costs of an incident, or costs incurred to prevent cyber incidents or mitigate damages, including incentives offered to maintain business relationships affected by an incident.
Disclosure Control and Procedures – Cyber risks should be disclosed to the extent there is a risk to the company’s ability to record, process, summarize and report information required in SEC filings.
For banks and financial institutions that are not subject to the reporting requirements of the Securities Act of 1934, there are no applicable federal banking regulations that require disclosure to shareholders regarding cyber attacks or incidents. However, shareholder requests for information regarding cyber security from both private and public companies could become more common as banks, large and small, use more smart phones, tablets and other technology to deliver products and services, and as cyber attacks become more frequent and more sophisticated. In responding to such shareholder requests, companies should review the request and ensure that it complies with applicable state corporate laws regarding shareholder inspection of corporate records. These statutes generally require that a request for such information be made in good faith for a proper purpose that is reasonably relevant to a legitimate interest of the shareholder.
In the end, the key to good disclosure is first understanding the company’s “cyber business” and where the company’s risks lie. This includes understanding the company’s cyber risks from third party vendors and any contractual obligations to reimburse vendors for losses related to an attack on the vendor’s or other third party systems. Often, even when the company has cyber insurance, the policy will only cover incidents where the attack is on the bank’s systems, which may leave the bank holding the bag if an attack occurs indirectly through a vendor’s or customer’s systems. We recommend a review of such policies by counsel or an insurance professional to ensure a good understanding of the risks covered by the policies.