Cybersecurity: Steps to Take Now


The Federal Financial Institutions Examination Council (FFIEC) and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Bank executives and board members should be aware of published guidelines that cover four key areas the FFIEC believes are most important:

  1. Governance: What are the bank’s policies and procedures? How does the bank establish and communicate expectations and conduct training? Is the entire organization, not just the IT department, involved in addressing cybersecurity risk? How would the institution react if something goes wrong?
  2. Threat intelligence: How does the institution monitor and remain aware of potential threats? What internal and external resources does the bank use to keep up-to-date on potential risks? What threat detection tools does the institution use? Does the bank participate in the FBI’s InfraGard and other intelligence sharing programs? How does the bank monitor and guard against unforeseen threats?
  3. Third-party relationships: As banks continue to outsource more non-core activities, the responsibility to manage cybersecurity with third-party vendors is also increasing. Does the bank follow the Office of the Comptroller of the Currency (OCC) guidelines? Can the bank’s third parties pass the scrutiny of independent reviews (e.g., Service Organization Control (SOC 1, 2, 3) examinations)? It should be noted that the data breach at the retailer Target occurred a few years ago, at least in part, because of the activities of a third-party vendor, and the FFIEC is focused on preventing that type of vulnerability within the banking system.
  4. Incident response: At last count, there were forty-six state laws and innumerable federal laws and regulations that address the reporting of data breaches of different types. Many of these laws and regulations differ in terms of when breaches must be reported and to whom. Determining if a breach actually occurred and how it occurred may add both time and complexity to the incident reporting process. A strong and effective incident response plan may help banks cut the time needed to manage and report the incident. It is critical that institutions have an incident response plan that can be successfully executed.

Federal legislation and additional regulatory scrutiny are surely on the horizon, as are state regulations that cover state-chartered institutions. For now, institutions should make these best practices a priority.

  • Begin at the top: Build a security culture that encompasses all departments and operations. Cybersecurity isn’t an IT issue, compliance issue, or audit committee issue. It is an organizational issue.
  • Be aware: Understand the recommendations and guidance from the FFIEC and the role that the OCC and other agencies play in safeguarding the banking industry. Become familiar with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
  • Align strategies: Cybersecurity and risk management strategies shouldn’t be treated as stand-alone initiatives, but should be combined with general business practices as an integral part of an institution’s day-to-day operations.
  • Manage risks: Develop policies and procedures for monitoring, measuring, and mitigating risks—again, not just for IT employees, but for all departments and processes. Understand that risks can come from both inside (employees and vendors) and outside (hackers and cybercriminals). Also, understand, evaluate, and deploy the latest threat management tools.
  • Establish governance: Outline responsibilities for monitoring, evaluating, and reporting risks, both within the organization, especially to senior management, and to regulatory agencies and industry organizations. Establish clear procedures and actions that include accountability.
  • Participate: Take part in government and industry information-sharing groups and learn from other institutions and government officials.
  • Conduct ongoing training: As always, the three critical components of risk management are people, processes and technology. Ongoing education and training for all employees is critical to an overall risk management and cybersecurity strategy. Even lower-level employees with minimal network access can be a point of vulnerability that a hacker or third party can exploit.

Institutions that don’t have the internal resources to develop and implement a risk management and cybersecurity strategy can use outside specialists to manage all or part of the process.

Cybersecurity once focused on fraud (i.e., how banks can avoid losing money). Now, the federal government seeks to protect the integrity of the nation’s banking system, a much larger task. Institutions of all sizes will be expected to make cybersecurity an integral part of their operations going forward.

Getting Called Out on Cybersecurity


Seventy-seven percent of respondents to Bank Director’s 2016 Risk Practices Survey identified cybersecurity as their number one risk concern—and yet the great majority of them discuss cybersecurity only infrequently during board meetings. This surprising result was confirmed during a presentation at Bank Director’s Bank Audit and Risk Committees Conference, when, in an audience response survey, only 23 percent of the attendees said they discuss cybersecurity at every board meeting.

“The majority of boards still do not review cybersecurity at every board meeting and only a minority do,” said Sai Huda, senior vice president and general manager of risk, information security and compliance solutions at FIS Global. “The majority of boards do not review their cybersecurity plan on a regular basis.”

The audit and risk conference was held June 14-15 in Chicago and attracted over 300 bank directors and risk management professionals.

Huda also questioned whether the attendees were spending enough money on cybersecurity. Over 29 percent of the audience said their bank had increased the cybersecurity budget from 10 percent to 25 percent, and roughly 15 percent had increased the cybersecurity budget more than 25 percent. But nearly 56 percent of the respondents had either increased their cybersecurity budgets by less than 10 percent, had made no increase at all or didn’t know what their budgeting practices were in this area.

The nature of cybersecurity spending is expected to change significantly over the next five years, according to Huda. Until recently, most of the money has been spent on building secure defenses against intruders, and yet by Huda’s estimate more than 90 percent of all U.S. companies have been successfully penetrated. “A breach is going to happen,” he said. “It’s a question of when, not if.” Going forward, more of the cybersecurity budget will be spent on reacting to intrusions than preventing them. “Timely detection and response are the keys to success,” he said.

When asked during the audience survey which threats they thought their bank was the least prepared for, 40 percent said they were ill prepared to detect malicious insider activity, 21 percent felt they were not receiving the latest intelligence on cyber threats, 19 percent said they were ill prepared to detect anomalous or abnormal activity, 12 percent worried about their ability to block denial of service attacks and roughly 8 percent thought that detecting malware was a deficiency of their bank.

The nature of cybersecurity attacks has also changed in recent years, according to Huda. Today, the attacks are stealthier, more targeted in that the hackers are after something very specific, and persistent in that the hackers keep at it until they have broken through a bank’s defenses. Today’s threats also tend to be multi-pronged, in that hackers will attack bank systems at a variety of access points simultaneously, and the hackers themselves have evolved over time. Where once they were often individuals acting on their own, “today they tend to be well funded crime syndicates and nation states,” he said. “The whole cybersecurity ballgame has changed.”

Icebergs Ahead: Five Questions Every Board Should Ask the CISO


Picture this: Your chief information security officer (CISO) has arrived at the board meeting to give a rundown on your bank’s latest efforts to mitigate cyber risk. You’d like to take an active role in data governance (kudos for that!), but what are you supposed to ask? You’re not a cyber security expert.

In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the bank’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the organization, as well as the costs of reducing the probability of a cyber-attack to an acceptable level.

Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the elevator. You should demand direct access to the CISO on a formal—and regular—basis.

But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:

1. What are the top information-security threats facing your bank? These are the “icebergs” that have the potential to severely damage the bank’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your bank from operating its business, as well as malware injection and phishing, to name just a few.

2. For each of these major threats, what are your bank’s mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.

3. How frequently does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team re-evaluates which icebergs are out there at least annually, and then examines whether its mitigation strategies are still effective.

4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your bank will experience some form of a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarize the response plan for the top-three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your bank as well as at other banks in its efforts to aggressively manage the potential fallout from attacks.

5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.

Remember, you don’t have to be a cybersecurity expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful if you’re talking about information security risks with your CISO.

Three Critical Steps to Launch a Data Breach Response


As we look back on 2015, it is easy to see the heightened stakes in data breach response.

The U.S. government’s Office of Personnel Management was hacked, with as many as 22 million Americans’ personal data stolen. This includes fingerprints and background checks. One hacker tapped into the director of the CIA’s personal emails and breached a portal that law enforcement, including the FBI, uses to share intelligence and book those arrested.

It’s not just government agencies that fall victim to attacks. Any company that collects sensitive data can become a target for hackers and nation-state actors.

The risks are getting higher for those whose data is breached, too. Javelin Research predicts that by 2018, some eight million people will experience a credit card breach and identity fraud within the same year. There is no doubt that criminals have become more sophisticated and better able to parlay one successful hack into another. Cyber criminals have crafted more elaborate “social engineering” methods—tricking people into compromising corporate security. Phishing schemes still deceive about one in four people, according to the Verizon 2015 Data Breach Investigations report.

This only reiterates the idea that a cyber attack is likely for almost every organization. There are steps that a smart company can take now to help mitigate the damage should a breach occur. Preparing for a cyber attack must become as ingrained in the company culture as a tornado evacuation plan or a fire drill.

One of the key steps to prepare for an effective breach response is to build a data breach response team, which has created—and practiced—a response plan. Make sure that contact numbers for team members—including those for non-work hours and mobile phones—are readily available. A customer support and communication plan should be built into any response and should cover how customers and regulatory agencies will be notified and when, as well as what protections will be offered to those affected.

Proper preparation is only one piece of the puzzle, however. In the event of an actual breach, there are critical steps to take to ensure your organization is able to successfully launch your customer-facing response:

  1. Immediately assemble the breach response team. Your team should include internal experts as well as third-party partners such as communications and legal experts. A partner experienced in the customer-facing aspects—including responding to the surge in customer demand, answering identity theft-related questions, and providing identity protection services—should be part of the team.
  2. Review and update the plan. A plan that has been carefully honed in advance is certainly an advantage. But it may not have anticipated some of the nuances of the particular data breach your organization is facing. So, one of the first action steps for the crisis response team is to look at the documented plan and make any changes needed. If there is one guiding principle in any plan, it should be to keep the response focused on your customers.
  3. Launch the initial response. This includes informing customers, and in some cases, regulatory agencies, about what has happened and how you plan to minimize any damage that results from the event. One significant misstep to avoid: Don’t provide public information that may need to be corrected at some point. Instead, only release the information that is known and confirmed at the time. There is nothing that will breed a lack of confidence more than a constantly shifting explanation of what happened.

As for the customers, this is a good time to let them know exactly how you intend to protect them. Understand, though, that they may be hesitant to provide their information to a third-party service—especially if this data was not compromised in the breach. And they will be suspicious of anything that smacks of an attempt to upsell them. To combat these challenges, lead with the promise that you will repair any harm that comes to them as a result of the incident.

In 2014, there were nearly 80,000 security incidents, according to the Verizon Data Breach Investigations Report. And business news website ZDNet reported that one billion personal records were illegally accessed in those breaches.

The time for asking “if” a data breach will occur has passed. It’s time to prepare as if one is inevitable.

Using SaaS to Run a Highly Efficient Board


Historically, the preparation of board meeting materials took hours. The organization of board documents was a labor-intensive crunch involving several people sifting through, hand collating, binding and manually distributing stacked materials. This process took a tremendous amount of time, and resulted in a significant lag in getting materials to boards, thereby limiting the ability to review materials efficiently. Fortunately, technology has evolved to a point where such marathon sessions are no longer a necessity. By leveraging digital solutions, materials can now be distributed electronically with relative ease and fewer man hours.

The Convenience
A variety of companies are offering digital board materials, usually as SaaS [Software as a Service], which means the software is delivered remotely via the Internet rather than being purchased and housed on a computer or set of computers. An efficient solution provides a level of convenience to sharing materials that is largely absent from many business processes. You will want to avoid services that pigeonhole technology with proprietary platforms and unnecessary red tape—this does not help the board, and can actually create more problems than it claims to solve.

There are instances where organizations will be sidelined to specific operating systems or specs, but effective offerings will provide wiggle room for platforms and accessibility. Some services are even offering a nearly platform-agnostic setup, retrofitting the application to fit with any device worth supporting so directors can access materials from their phone or tablet, regardless of time or location. Some applications have even circumvented the need for direct Internet access, enabling access in almost every circumstance.

The implementation must actually save board members the time previously lost to binding and delivery. Any decent SaaS solution will add hours to the boards’ reading time, but some offer to save as much as 95 percent of the time materials once took to create. Simplifying the workflow while delivering a superior product will provide board members with more time to fully understand the materials—thereby translating to a better board meeting.

Of course, all of this is useless if the implementation of the technology opens up debilitating security gaps.

The Security
Banks are responsible for millions of dollars, so it’s understandable that many fear “the cloud,” especially since most news regarding the cloud is rife with breaches. It’s an additional concern that some SaaS products cause more security issues than they solve. As a result, partnering with a product that provides cybersecurity measures is a must.

It’s immediately essential that data be stored on a dedicated server with thorough encryption. Many solutions will haphazardly toss all data into large shared servers, but the best products will ensure that data is separated from other clients and accounts. While dedicated servers ensure that information cannot be seen by another organization, encryption converts the data to gibberish, so in the event of a breach hackers would be left with nothing but a mess of letters and numbers.

Having the ability to control individual user access can also add an extra layer of security. In the past materials could be lost, forgotten and delivered to incorrect addresses, revealing materials to damaging elements. The option to digitally deliver materials to recipients eliminates that risk entirely.

Support and The Future
Customer support is key to running an efficient system. Selecting partners that respect your time and understand your business needs is an absolute imperative. A successful implementation must come with 24/7 support. Banks are complicated entities, and the value of having a human being answer the phone is immeasurable. It’s an added incentive if that person is assigned to your account, meaning you know that person and have worked with them in the past. As boards and providers work together, there needs to be mutual respect and consistent communication. Solutions can work with the boards that use their technologies to implement new features, satisfying needs as they arise, and creating bonds that serve to help both businesses thrive.

Technology can be a double-edged sword in modern business. Sometimes we find it opening up worlds of information with no cost to the user. But in some cases technology can expose sensitive data to thieves, or crash and eliminate months of work with no warning. As banks continue to become more dependent on technology to save time and money, it’s exponentially more important that boards have access to SaaS solutions that save time and money, while keeping information, and the business, safe.

EMV: What Bank Leaders Need To Know


Many U.S. retailers and banks have not made changes to accommodate the new EMV standards (named after the organizations that developed them in the 1990s: Europay, Mastercard and Visa), despite an October 1 deadline that shifts liability from banks to merchants. The banks that fail to do so not only risk increased exposure to fraud, but could lose out on potential revenue and market share.

EMV technology uses encrypted microchip data on a customer’s credit or debit card. The card numbers and cards are much harder to counterfeit or steal than magnetic stripe cards. The card number isn’t transmitted on a point-of-sale system (POS), as a new code is generated for each transaction. Also, an EMV-enabled POS system recognizes cards that are supposed to have the encrypted chip data, even if a counterfeiter has stolen a card number and created a magnetic stripe card, says Deborah Baxley, principal at Capgemini Financial Services.

Magnetic stripe cards are still used by about 59 percent of U.S. consumers, according to a survey by ACI Worldwide, an electronic payments company headquartered in Naples, Florida. Boston-based Aite Group, a research and advisory firm, estimates that as many as 60 percent of POS systems will not be ready for EMV by the end of the year. Gas stations have until October 1, 2017, to comply.

But for most retailers, after October 1 of this year, the liability for card fraud shifted. Previously, banks were liable for any in-store fraud. But now, any retailer breached that hasn’t updated its POS system to accept EMV is on the hook to make the bank whole—as long as the bank has migrated its card portfolio to EMV. If both bank and retailer are on the same playing field, the liability shifts back to the bank. Retailers with an inadequate focus on cybersecurity will now pay the piper.

What about banks that missed the October 1 deadline? “If you don’t have a plan, and you’re not informed enough to know what you should do, then you’re probably lagging,” says Bob Legters, senior vice president, payment products at FIS. Many banks are making decisions on who gets the new EMV cards first, and typically prioritize lost, stolen and expiring cards.

Despite the much-ballyhooed shift in liability, most banks haven’t migrated all their customers to chip cards. Aite Group estimates that 70 percent of credit cards, and 40 percent of debit cards, will be replaced with chip cards by the end of the year. Debit cards have been more difficult to replace, due to merchant routing restrictions under the Durbin Amendment of the Dodd-Frank Act that mandated that retailers have a choice of at least two unaffiliated networks to authenticate a transaction made with a debit card. Until this year, EMV did not comply with that requirement, says Baxley.

Chip cards aren’t the magic bullet that will finally kill credit card fraud. Fraud is expected to shift online, where the retailer still bears the liability. More troublesome, crooks could target banks and merchants that haven’t yet shifted to safer standards, putting a target on the backs of community banks and mom-and-pop shops. Banks that issue their EMV cards sooner rather than later will have a competitive advantage, says Legters. “If you [the customer] have a chip card and a nonchip card in your wallet, [and] you perceive the chip card to be more secure, you’re going to tend to lean that direction with your spending,” he says.

The subtle shift to mobile wallets such as Apple Pay and the newer Samsung Pay is also working in consumers’ favor, as these wallets employ the EMV framework. As mobile wallet adoption increases, merchants have another reason to shift to EMV-enabled POS systems, as most are set up to accept these forms of payment.

Of course, new technology means that the average American needs to learn a new way to pay. Once banks have issued EMV cards, “the biggest thing they need to do is worry about communication, because from a customer perspective, all of the sudden you’re using a card that works a little bit differently,” says Gil Mermelstein, managing director in the banking practice at West Monroe Partners.

Most consumers that have received chip cards don’t really know why, according to the ACI survey. Sixty-seven percent have not received any information from their financial institution to explain why this card is safer.

Banks don’t have to replace every card in their portfolio this month, or even this year. But delaying implementation will only harm the bank in the long run due to a higher risk of fraud—and the reputational damage that comes along with it.

“I believe [issuers] need to wrap it up, and try to issue quickly. They are exposed to greater targeting of fraud from fraudsters that will migrate from more secure bank cards to ones that are less so,” says Mermelstein.

How Banks Can Improve Crisis Planning


We discovered last month that cyber risk was the thing most directors worried about when we informally polled members of our bank services program. This month, we decided to poll experts on what banks could do to improve crisis planning. Not surprisingly, cyber risk planning came up often as an area that could use some improvement. Several of the people polled think banks could benefit from role playing exercises that would walk employees and the board through possible scenarios. The Federal Deposit Insurance Corp. has a few videos that help banks imagine some scenarios. Although planning documents are widely recommended, one consultant says they are pretty useless in a real emergency. Below are their responses.

How Could Banks Improve Crisis Planning?

Crisis planning is getting more attention these days because we are constantly reminded of events that could not only impact our business, but have significant impact on our reputations. One data breach and we stand to lose faith in our ability to safeguard our clients’ money. While planning is expected, bankers could really get value from practice in two areas: 1) tabletop exercises and 2) media training. Tabletop exercises are role playing crisis scenarios whereby bank management gets on a conference call and develops responses, assigns roles, identifies tasks and develops timelines. Banks would benefit from doing this on a quarterly basis. Media training allows bank executives to learn how to look and respond appropriately to a tense situation only after they learn how to answer questions and the ground rules for working with the media. Turn on a video camera and see how well your team does. Crisis planning is better if treated as an ongoing discipline.

—Scott Mills is president of the William Mills Agency, a public relations and marketing firm specializing in financial services

Testing, testing and more testing! Banks typically have multiple plans that can be triggered in the event of a significant cyber-related “crisis,” including, for example, a business continuity plan, incident response plan and crisis communication plan. Multiple groups within a bank likely have responsibility for these plans. And, the plans may not be aligned from a response standpoint with respect to significant cyber events. In the event of such a crisis, it is critical for a bank to be able to respond in a uniform and effective way at the enterprise level. Bringing a bank’s various teams together to test or tabletop a significant cyber event can shed light on how the bank’s various plans (and teams) will work together. This will also provide a valuable opportunity for refinement and alignment of the bank’s related response plans.

—Nathan Taylor is an attorney and cybersecurity expert at Morrison Foerster LLP

Business continuity and disaster recovery considerations are an important component of a bank’s business model. In addition to preparing for natural disasters and other physical threats, continuity also means preserving access to customer data and the integrity and security of that data in the face of cyberattacks. For this reason, the FDIC encourages banks to practice responses to cyber risk as part of their regular disaster planning and business-continuity exercises. They can use the FDIC’s cyber challenge program, which is available on the FDIC website. Cyber challenge was designed to encourage community bank directors to discuss operational risk issues and the potential impact of information technology disruptions.

—Rae-Ann Miller is associate director of the FDIC’s Division of Risk Management Supervision

Banks can improve planning by developing a crisis plan ahead of a data breach or cybersecurity issue. These action plans should include:

  1. Determining data to be protected along with the protection level required.
  2. Classifying incidents or scenarios into categories.
  3. Understanding threats the bank may face, starting with known threats, then creating on-going monitoring for emerging threats.
  4. Determining the stakeholders and defining the incident response team.
  5. Setting up a command center and appointing a command center leader.
  6. Developing an incident plan, including a containment and investigation strategy.
  7. Executing a communication plan to customers, media and agencies.
  8. Testing and training end users in the application of the incident response plan.
  9. Conducting a “lessons learned” session and updating [Incident Response Plan] procedures.

—Jeff Sacks is a principal in Risk Consulting for Crowe Horwath LLP, specializing in technology risk

Though banks understand the risk of cyberattacks, many are unprepared to act quickly and effectively to mitigate damage when faced with a serious cyber breach. To improve crisis planning, banks should consider conducting simulated cybersecurity exercises involving key personnel. Moving quickly following a cyber breach is critical to limiting unauthorized access to sensitive data and the resulting harm. Such exercises demonstrate why an effective cybersecurity program is more than a “tech issue,” and requires coordinated institutional mobilization across business segments, with oversight from senior management. Most banks will eventually find themselves in a hacker’s crosshairs no matter how advanced their defenses, and a coordinated, rapid response will not only limit short-term data loss and legal exposure, but will also help preserve a bank’s reputation and customer relationships.

—Neil MacBride is a partner at Davis Polk & Wardwell

Planning activities generate lots of documents, which are fascinating to auditors but useless in an emergency. You don’t have to give planning reports to your response team. Your phone is a perfect emergency communications console. Social media, including Twitter, YouTube and even Facebook, are indispensable as communications tools. You can monitor events as they unfold or push messages out to staff and the public. Cyber is the new disaster. Compare today’s threat assessment with one from 2010. Notice that blizzards and hurricanes have dropped out of the top ten, replaced by data breaches and identity theft.

—Steve Carroll is a director with Cornerstone Advisors, a consulting firm specializing in bank management, strategy and technology advisory services

Five Key Strategies for Bank Boards to Improve Cybersecurity Defense and Awareness

The United States continues to experience an increase in the number and severity of high-profile cyberattacks, a trend that shows no signs of easing. From large financial institutions and brokerages to blue-chip retailers, hackers are gaining traction and notoriety as they breach systems with greater impact and severity—many of them stealing private customer data. The reality is that every organization—big and small—is susceptible to these attacks.

Banks, in particular, are challenged to protect proprietary information, client data and, in many cases, shareholder value. Bank directors and board members equipped with the proper tools and information about cybersecurity are better prepared to keep their organization safe in the event of a cybersecurity breach. To ensure an organization is fully equipped to mitigate the risks associated with hacks and other cyberattacks, there must be a clear understanding at all levels of the financial institution’s management team about who is responsible for managing this issue. When senior management and the board ensure that cyber policies are up to date, understood by all and frequently tested, companies decrease their chance of exposure. For directors at financial institutions, here are five key strategies to improve cybersecurity defenses and awareness:

  • Secure communication: Companies must provide board members with a secure way to share and communicate critically sensitive information. This information should never be sent over email.
  • Collaboration is key: When directors have a clear understanding of cybersecurity and the associated risks, they are better equipped to work together to manage issues related to cybersecurity.
  • Have a strategy: Determine, in advance of a data breach or other cyberattack, who is responsible for managing cybersecurity, whether it be an audit committee, another committee, the organization’s IT department or the chief information officer.
  • Understand the cloud: Understand what cloud services your bank and your bank’s vendors are using, public or private, for file sharing or downloading sensitive information. While cloud solutions can offer easy uploading and downloading of files as well as security features like encryption and authentication, many have been successfully hacked, compromising private files and email addresses.
  • Education and preparation: Ensure board members educate themselves on cybersecurity to understand the risks and be prepared for whatever comes their way. This is where many vulnerabilities surface, not because a board lacks the appetite, but because directors are not provided with the proper tools and information.

Cybersecurity should be a topic on all bank directors’ radar, and they should continue to embrace new strategies as they grapple with ways to confront, manage and control issues around cybersecurity. Additionally, adopting technologies in order to ensure secure, fast and accessible communication is vital. This is especially true for a company’s board of directors, which is privy to sensitive, confidential and market-moving information. Throughout history, financial institutions have constantly evolved to reflect changes both in society and in the market. Cybersecurity presents a complicated challenge, but it is one that can be confronted successfully with the correct management strategy and tools.

The New Regulatory Expectation for Cybersecurity Assessment: What Every Board Must Know & Should Do

On June 11, 2015, while serving as a keynote speaker on cybersecurity at Bank Director’s Bank Audit and Risk Committees conference in Chicago, I predicted that the regulatory agencies would publish a new cybersecurity assessment methodology by the end of the month.

That prediction came true: the Federal Financial Institutions Examination Council (FFIEC) released the cybersecurity assessment tool on June 30, 2015. Examiners will start to use the cybersecurity assessment later in the year, and there is a regulatory expectation that every single financial institution, regardless of charter type, asset size or complexity, complete a self-assessment and keep it updated.

What Is the Cybersecurity Assessment?
Its main purpose is to give a financial institution a measurable and repeatable self-assessment method for identifying its risk exposures and its cybersecurity preparedness.

The first step is to identify the institution’s inherent risk level (least, minimal, moderate, significant or most) based on five categories of risk factors:

  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats

The next step is to identify the cybersecurity maturity level (baseline, evolving, intermediate, advanced or innovative) for each of five domains:

  • Cyber risk management and oversight
  • Threat intelligence and collaboration
  • Cybersecurity controls
  • External dependency management
  • Cyber incident management and resilience

[Figure omitted. Source: FFIEC]

The next step is to identify the gaps and the target maturity level necessary for each of the five domains. The chart below depicts the risk/maturity relationship matrix and the “cybersecurity zone” in blue that each financial institution needs to attain and sustain in each domain:

[Chart: risk/maturity relationship matrix with the “cybersecurity zone.” Source: FFIEC]

For example, if a financial institution with a moderate inherent risk level determines that its domain 3 (cybersecurity controls) maturity level is baseline, then it will need to attain a target maturity level of evolving, intermediate or advanced (i.e., it will need to get into the “cybersecurity zone”) and sustain it. Staying at a baseline maturity level for the domain will be unacceptable given the moderate inherent risk level. In some cases, the institution may identify a maturity level below baseline, which will require immediate action.

The regulatory expectation is that once the initial cybersecurity assessment is completed, an action plan will be identified to attain the target maturity levels and to sustain them. The cybersecurity assessment must also be updated and re-evaluated periodically as threats, vulnerabilities and operational environments change (e.g., the launch of new products or services, new connections, etc.).

What Should the Board Do?
Examiners will be using the cybersecurity assessment to evaluate a financial institution’s risk level and cybersecurity preparedness and to scope examinations. Failing to complete and sustain the cybersecurity assessment may be deemed an unsafe and unsound practice, and examiners will closely evaluate the board’s role and ultimately hold it accountable. Failing to complete an assessment may lead to unmitigated risks, a cyber disaster and a conclusion that the board failed to exercise its risk oversight and fiduciary duty.

Ultimately, the board is responsible for ensuring the organization completes the cybersecurity assessment and maintains a repeatable process to update it periodically. The cybersecurity assessment provides critical forward-looking intelligence that the board should use to guide the organization to attain optimal cyber risk management performance, mitigate risks to a tolerable level and maximize shareholder value. The stakes are very high. Cybersecurity must remain top of mind, and the board must lead.

Here are seven critical steps the board should take:

  1. Assign a target date for the completion of the cybersecurity assessment and the reporting of results to the board, well in advance of the next examination. Provide the support necessary to complete it properly and in a timely manner.
  2. Obtain an independent review of the cybersecurity assessment to validate its results. Make sure there is proper support for the inherent risk level and maturity level determinations. Pay extra attention to the validation of baseline levels, because in reality the bank may be below baseline.
  3. Review, approve and support the action plan for addressing risk management and control weaknesses and for attaining and sustaining target maturity levels.
  4. Make sure any levels below baseline are immediately addressed.
  5. Require that a repeatable and sustainable process be implemented so that the cybersecurity assessment is re-evaluated and updated periodically (based on board-approved triggers) and the results are reviewed with the board.
  6. Assign implementation of regular risk dashboard reporting to the board, with leading, not lagging, key risk indicators mapped to the cybersecurity assessment.
  7. Require that a cybersecurity assessment be completed as part of due diligence in any merger or acquisition and reviewed with the board.

A Customer Focused Response to Data Breach: the Key to Survival

The unthinkable has happened: Data security measures have failed and sensitive customer information was taken. The next steps your company takes to respond are crucial. A poorly executed response to a data breach event can further anger customers, increase regulatory scrutiny, generate a media storm and have a lasting impact on customer loyalty.

AllClear ID has been working with companies to effectively prepare for and respond to data breaches for over a decade. During that time, there has been a noticeable shift in consumer expectations after a breach. Today, consumers expect—if not demand—a well-orchestrated response. And they expect it to begin soon after the breach is made public. Data breaches are constantly evolving: Already in 2015, financial institutions account for about 9 percent of all data breaches, according to the Identity Theft Resource Center. That compares to about 3.7 percent in 2013. Whether that figure will hold up throughout the year remains to be seen.

The demands placed on businesses to get a breach response right are more intense than ever, as is the scrutiny when a response is perceived as mismanaged.

Because of the high pressure to get it right, a customer-centric approach to preparation is paramount. If you fail your customers, one in four may leave, according to a study from Javelin Strategy & Research. So in the event of a data breach, financial institutions cannot rest on their past record of great customer service and relationships with clients.

What should a company do when a breach is discovered? Companies that keep the focus on customers before, during and after a data breach fare far better than those that do not.

Minimize Brand Damage: With customers at the forefront of any response, it is likely that both the institution and your brand will survive long-term. Granted, that doesn’t mean an institution won’t encounter a few negative headlines at the outset. But if the response is bungled, the damage will be far greater. Unhappy customers may speak out on social media. Some may leave. And the breach could tarnish your image for years to come and ultimately affect your bottom line.

Plan in Advance: To successfully manage a breach with a customer focus, companies must first have a plan in place. The plan should incorporate elements of crisis and/or incident management, such as likely breach scenarios, key decision makers, and key partners who will assist in the response. This will help reduce delays and costly mistakes during the response, and facilitate a quicker return to normal business operations. Now that we have witnessed multiple destructive cyberattacks against U.S. companies, it’s clear that having an incident response plan in place is no longer optional. A recent blog post discussed the need for preparation in advance of a breach.

Questions to consider when preparing for a breach response operation:

  • When and how will customers be notified?
  • How will we answer customer questions?
  • Do we have the customer service capacity to manage the calls we receive from angered or fearful customers? Will we be able to train our staff to address customers’ concerns and alleviate their fear?
  • What identity protection will we offer?
  • How will we make things right if a customer is harmed?

Quality Customer Support During a Breach: As breaches increase in scale and complexity—and 2014 was a watershed year for that as well—consumers have seen a lot of breaches, but they still may react in anger or fear. Their first stop for information is the hotline and webpage you publish. Clear, consistent communication and messaging is key to restoring customer confidence. Scripts and Q&As must be available immediately to trained, expert call center partners. Responsible and knowledgeable front-line employees can do much to defuse the situation and lessen customer anxiety.

And make it easy for your customers to have access to the most important protection – identity repair. The 2015 Javelin Strategy & Research Identity Fraud Study found the link between data breaches and identity fraud has increased. In 2014, 12.7 million consumers lost $16 billion to fraud—and two-thirds of them had received a data breach notification within the same year.

As McKinsey & Company says, “Much of the damage results from an inadequate response to a breach rather than the breach itself.”

Put yourself in the customers’ shoes: They have trusted you with their most valuable information – their identity. Whether you keep their trust depends, in part, on how they rate your performance in the face of a crisis.