Icebergs Ahead: Five Questions Every Board Should Ask the CISO


Picture this: Your chief information security officer (CISO) has arrived at the board meeting to give a rundown on your bank’s latest efforts to mitigate cyber risk. You’d like to take an active role in data governance (kudos for that!), but what are you supposed to ask? You’re not a cyber security expert.

In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the bank’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the organization, as well as the costs of reducing the probability of a cyber-attack to an acceptable level.

Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the elevator. You should demand direct access to the CISO on a formal—and regular—basis.

But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:

1. What are the top information-security threats facing your bank? These are the “icebergs” that have the potential to severely damage the bank’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your bank from operating its business, as well as malware injection and phishing, to name just a few.

2. For each of these major threats, what are your bank’s mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.

3. How frequently does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team re-evaluates which icebergs are out there at least annually, and then examines whether its mitigation strategies are still effective.

4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your bank will experience some form of a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarize the response plan for the top-three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your bank as well as at other banks in its efforts to aggressively manage the potential fallout from attacks.

5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.

Remember, you don’t have to be a cybersecurity expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful if you’re talking about information security risks with your CISO.

Data Breach Plans Must Account for Human Element


Another day, another data breach. Breaches have become so commonplace that most companies now realize it is a question of “when,” not “if.”

To successfully execute a response, every company must create a plan of action to guide the company through the crisis. But it’s important to remember that any plan will be executed by people—and regardless of who they are, those people bring human factors into an already stressful situation.

Research shows the impact that stress can have on an employee’s performance. One British study found that those experiencing short-term stress use decision-making techniques similar to those of small children. In other words, they may “react to problems they don’t quite understand with an emotional (snap) response, rather than a considered logical solution.”

Executing a successful breach response amid the chaos requires close attention to people and their stress, fatigue and other emotions.

Even the most seasoned executives may crack under pressure. Remember the BP executive who made an unscripted remark, wishing he could have his life back during the height of the BP oil disaster? Perhaps more than any recent example, that slip of the tongue showcases the peril in making one high-stakes decision after another for multiple days.

Building the right crisis response team and incorporating safeguards that protect against human failings can prevent that kind of PR disaster and enable efficient and effective execution of the incident response plan.

Plan for Emotional Reactions
A few emotions likely will affect every member of the team at some point during the response. The first of these emotions is often denial, refusing to believe that this can happen to your institution. Moving the crisis team beyond this feeling quickly is key.

The team also may experience tunnel vision, an inability to consider outside viewpoints. Research shows that decision-making under stress causes people to focus on the positive and potentially ignore any downsides of decisions they make. This lopsided decision-making can bring about devastating consequences. That same research notes the difference in how men and women respond. Men are likely to take bigger risks when under stress, while women become more conservative.

All of these are important factors to weigh as you begin to build a team. But personalities aside, there are ways to blunt the impact of these emotions on executing a successful response.

Tips to Minimize Mistakes
First, build the team and discuss strategies for how you will respond. How will you keep a customer-centric response at the forefront?

Then, practice by creating scenarios that mimic an actual data breach. This will give the crisis team an opportunity to practice decision-making when the stakes aren’t so high.

The simulations also may point out where the team could use outside assistance. For example, your call center is used to dealing with specific customer requests and is not trained to handle calls about a data breach and identity theft. That’s where a customer response and notification provider proves invaluable. Other outside experts to consider include crisis communications, forensics and privacy counsel.

These outside experts should have plenty of experience in dealing with crises or data breaches. Look for partners, particularly in high-visibility areas like customer response, who have the expertise and capacity to handle the increased customer demand that a data breach announcement generates—a key bit of experience that your team likely does not have.

It is important to design response plans that play to the strengths of your internal crisis team, then fill gaps with outside experts and begin to simulate actions you’ll take when—not if—a data breach occurs.

Any crisis response plan that merely sits in a file cabinet won’t prove nearly as effective as one that is honed and practiced by the very people charged with executing it. While no breach is an easy event, your team can manage the human factor through practice.

Five Key Strategies for Bank Boards to Improve Cybersecurity Defense and Awareness


The United States continues to experience an increase in the number and severity of high-profile cyberattacks, a trend that shows no signs of easing. From large financial institutions and brokerages to blue-chip retailers, hackers are gaining traction and notoriety as they breach systems with greater impact and severity—many of them stealing private customer data. The reality is that every organization—big and small—is susceptible to these attacks.

Banks, in particular, are challenged to protect proprietary information, client data and in many cases, shareholder value. Bank directors and board members equipped with the proper tools and information about cybersecurity are more prepared to keep their organization safe in the event of a cybersecurity breach. In order to ensure an organization is fully equipped to mitigate risks associated with hacks and other cyberattacks, there must be a clear understanding among all levels of the financial institution’s management team about who is responsible for managing this issue. When the senior management and the board ensure that cyber policies are up to date, understood by all and frequently tested, companies decrease their chance of exposure. For directors at financial institutions, here are five key strategies to improve cybersecurity defenses and awareness:

  • Secure communication: Companies must provide board members with a secure way to share and communicate critically sensitive information. This information should never be sent over email.
  • Collaboration is key: When directors have a clear understanding of cyber security and the associated risks, they are more equipped to work together to manage issues related to cybersecurity.
  • Have a strategy: Determine, in advance of a data breach or other cyber attack, who is responsible for managing cybersecurity, whether it be an audit committee, another committee, the organization’s IT department or the chief information officer.
  • Understand the cloud: Understand what cloud services your bank and your bank’s vendors are using, public or private, for file sharing or downloading sensitive information. While cloud solutions can offer easy uploading and downloading of files as well as security features like encryption and authentication, many have been successfully hacked, compromising private files and email addresses.
  • Education and preparation: Ensure board members educate themselves on cybersecurity to understand the risks and be prepared for whatever comes their way; this is where many vulnerabilities surface, not because a board lacks the appetite, but because directors are not provided with the proper tools and information.

Cybersecurity should be a topic on all bank directors’ radar, and they should continue to embrace new strategies as they grapple with ways to confront, manage and control issues around cybersecurity. Additionally, adopting technologies in order to ensure secure, fast and accessible communication is vital. This is especially true for a company’s board of directors, which is privy to sensitive, confidential and market-moving information. Throughout history, financial institutions have constantly evolved to reflect changes both in society and in the market. Cybersecurity presents a complicated challenge, but it is one that can be confronted successfully with the correct management strategy and tools.

A Customer Focused Response to Data Breach: the Key to Survival


The unthinkable has happened: Data security measures have failed and sensitive customer information was taken. The next steps your company takes to respond are crucial. A poorly executed response to a data breach event can further anger customers, increase regulatory scrutiny, generate a media storm and have a lasting impact on customer loyalty.

AllClear ID has been working with companies to effectively prepare for and respond to data breaches for over a decade. During that time, there has been a noticeable shift in consumer expectations after a breach. Today, consumers expect—if not demand—a well orchestrated response. And they expect it to begin soon after the breach is made public. Data breaches are constantly evolving: Already in 2015, financial institutions account for about 9 percent of all data breaches, according to the Identity Theft Resource Center. That compares to about 3.7 percent in 2013. Whether that figure will hold up throughout the year remains to be seen.

The demands placed on businesses to get a breach response right are more intense than ever, as is the scrutiny when a response is perceived as mismanaged.

Because of the high pressure to get it right, a customer-centric approach to preparation is paramount. If you fail your customers, one in four may leave, according to a study from Javelin Research & Strategy. So financial institutions cannot rest upon past great customer service and relationships with clients in the event of a data breach.

When a breach is discovered, what to do? Companies that keep the focus on customers before, during and after a data breach fare far better than those that do not.

Minimize Brand Damage: With customers at the forefront of any response, it is likely that both the institution and your brand will survive long-term. Granted, that doesn’t mean an institution won’t encounter a few negative headlines from the outset. But if the response is bungled, the damage will be far greater. Unhappy customers may speak out on social media. Some may leave. And the breach could tarnish your image for years to come and ultimately can affect your bottom line.

Plan in Advance: To successfully manage a breach with a customer focus, companies must first have a plan in place. The plan should incorporate elements of crisis and/or incident management such as likely breach scenarios, key decision makers, and key partners who will assist in the response. This will help diminish delays and costly mistakes during the response, and facilitate a return to normal business operations more quickly. Now that we have witnessed multiple destructive cyberattacks against U.S. companies, it’s clear that having an incident response plan in place is no longer optional. A recent blog post discussed the need for preparation in advance of a breach.

Questions to consider when preparing for a breach response operation:

  • When and how will customers be notified?
  • How will we answer customer questions?
  • Do we have the customer service capacity to manage the calls we receive from angered or fearful customers? Will we be able to train our customer service staff to address customers’ concerns and alleviate their fear?
  • What identity protection will we offer?
  • How will we make things right if a customer is negatively harmed?

Quality Customer Support During a Breach: As breaches increase in scale and complexity—and 2014 was a watershed year for that as well—consumers have seen a lot of breaches, but still may react in anger or fear. Their first stop for information is the hotline and webpage you publish. Clear, consistent communication and messaging is key in restoring customer confidence. Scripts and Q&As must be available to trained, expert call center partners immediately. Responsible and knowledgeable front-line employees can do much to defuse the situation and lessen customer anxiety.

And make it easy for your customers to have access to the most important protection – identity repair. The 2015 Javelin Strategy & Research Identity Fraud Study found the link between data breaches and identity fraud has increased. In 2014, 12.7 million consumers lost $16 billion to fraud—and two-thirds of them had received a data breach notification within the same year.

As McKinsey & Company says, “Much of the damage results from an inadequate response to a breach rather than the breach itself.”

Put yourself in the customers’ shoes: They have trusted you with their most valuable information – their identity. Whether you keep their trust depends, in part, on how they rate your performance in the face of a crisis.