In our initial article announcing our top 10 considerations for financial institutions in 2016, which can be found here, our third consideration was cybersecurity. Perhaps one of the biggest challenges facing financial institutions in the near future is balancing cybersecurity risks with normal business operations. Cybersecurity risk is frightening, but understanding the risks specific to your institution is the critical starting point for appropriately addressing related concerns. Financial institutions of all sizes need to face their fears in this area head on by making sure they have developed policies and procedures based on risk assessments, and by drafting and practicing incident response plans, as was first enunciated in the FTC Safeguards Rule years ago.
From our perspective, the most important aspect of cybersecurity for financial institutions is preparedness. So much of the guidance on cybersecurity risk talks about awareness and the need to be prepared to deal with a cybersecurity incident so that the institution can “identify, protect, detect, respond to, and recover” from cybersecurity attacks. Therefore, in 2016, we are focusing our efforts on assisting clients in doing everything reasonable to prepare for a cybersecurity incident. Preparedness includes not only developing, testing, and updating incident response plans, but also employee training and awareness – both as to cybersecurity risks as a general matter and as to the institution’s information security policies and incident response procedures. GLBA Interagency guidance on incident response plans, which can be found in connection with the breach response guidelines, advises that a response plan should be (i) risk-based, (ii) appropriate to the institution’s size and complexity and to the nature and scope of its activities, and (iii) developed with the understanding that the financial institution, and not its service providers (which must be contractually obligated to notify the institution of breaches), is ultimately responsible for notifying affected individuals and the institution’s primary regulator, when appropriate.
As an initial step, financial institutions need to know what they are responsible for. The teachings of regulations, enforcement actions, and best practices are clear that an institution cannot assess risk and implement controls if it is not fully aware of the internal and external uses of its data and of the systems on which that data resides. From a response perspective, many institutions have a network map, which can be invaluable when facing a threat or an intrusion into the system. These network maps are helpful, but they must be constantly updated so that the incident response plan (or, most likely, the IT responsibilities and/or an IT “playbook” under the incident response plan) accurately depicts what needs to be done from a systems perspective as part of the response.
In addition, financial institutions should be conducting enterprise-wide and more tailored cybersecurity risk assessments, including through engagement of an independent third party. To this end, the Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool in June of 2015 to be used by institutions to identify their risks and cybersecurity maturity. These assessments will identify gaps in an institution’s framework. Indeed, roughly 90 percent of attacks are successful against known vulnerabilities.
As mentioned, practicing the incident response plan has become even more ingrained as a critical component of cybersecurity risk management. In many cases, outside experts are engaged to work with in-house and/or outside legal counsel in setting up scenarios and conducting exercises. The speed and effectiveness (not to mention legal compliance) of the response to an incident is of extreme importance for financial institutions.
A financial institution should also be cognizant of the importance of threat information sharing – through the Financial Institution ISAC or otherwise. Useful guidance on this topic was released last month by the Department of Homeland Security pursuant to the 2015 Cybersecurity Information Sharing Act. A particularly useful treatment of this and other important topics (such as the importance of adequate logging, multi-factor authentication for network access, and key components of service provider contracts) can be found in the detailed guidance of the “dynamic program” concept set forth in a memorandum from the New York Department of Financial Services to the federal financial regulators a few months ago.