On February 1, 2016, the Federal Deposit Insurance Corporation (“FDIC”) published the Winter 2015 issue of Supervisory Insights. Not surprisingly, the first article dealt with the most important issue facing the financial industry today – cybersecurity. In “A Framework for Cybersecurity,” the FDIC summarizes the present cyber threat landscape facing financial institutions, but more importantly describes how those institutions’ information security programs can (or should) be enhanced to address the increasing threat. Nothing can replace reading the piece oneself (and I encourage each of you to do this), but I have broken the article down below and provided my big takeaway from it, which is that every bank should implement the framework it describes posthaste.
Technology has caused a shift in the character of an institution’s primary security concerns. Valuable customer and borrower information has been digitized and is accessible to third parties. Cyber criminals continue to use a variety of techniques to gain access to this valuable information. As I outlined in my article in October’s Community Banking Excellence, “Cyber-Risks 2015, a Board Primer,” these tactics consist of malware (examples being ransomware and wiper programs), Distributed Denial-of-Service, and compound attacks, which use a combination of techniques to maximize the damage done by the cyber incident.
Corporate Governance of Cybersecurity
It is the responsibility of the institution’s directors and executive management to be key proponents of its cyber-security. This risk should be managed and mitigated like any other risk that the institution encounters. Therefore, its ultimate supervision does not belong in the server room, but in the board room.
As I discussed in my last article, it is incumbent on the board to be proactive with cybersecurity. The institution must be proactive in addressing rising cyber-risks and staying current on potential threats. Actionable intelligence can be gathered from numerous public and private sources, but each institution is encouraged to participate in the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) and/or become part of the U.S. Computer Emergency Readiness Team. The article tellingly quotes the Federal Financial Institutions Examination Council’s (“FFIEC”) Cybersecurity Threat and Vulnerability Monitoring Statement: “financial institution management is expected to monitor and maintain sufficient awareness of cybersecurity threats and vulnerability information so they may evaluate risk and respond accordingly.”
Security Awareness Training
No cybersecurity system can protect an institution from the damage done by human error on the part of the many persons who are access points to the institution’s data systems. The FDIC encourages mandatory cybersecurity training programs for each of those groups to highlight the importance of guarding against cyber risks across all business lines and functions, from entry level to board members. Because different job functions carry different access and associated risks, these classes should be tailored to each employee’s access and risk potential. The article cites security professionals, comptrollers, executives and cashiers as frequent targets.
The institution’s responsibility does not end where its payroll stops. Its responsibilities understandably extend to its vendors and contractors, but also to the institution’s customers and merchants. Each of these groups represents a different access point to the bank’s security system and therefore, proactive action must be taken to mitigate that risk.
Patch Management Programs
Patches are software updates pushed out to users by developers. They are designed to fix known security vulnerabilities within applications or computer operating systems. Unfortunately, the absence of a patch management program has contributed to the rise in successful cyber-attacks. Therefore, each institution should have a written patch management program to ensure that all patches are identified, prioritized, tested, and then applied in a timely manner. Again, management’s and the board’s responsibilities do not stop when the policy is approved. It is incumbent on the board and senior management to receive regular standard reports on the status of the patch management program, and to have independent audits and reviews confirm the efficacy of the same.
Cyber-risk is a critical issue for all financial institutions, and the institution must have a culture that understands that risk and is committed to mitigating it. “A bank’s board and senior management must understand the seriousness of the threat environment and create a cybersecurity culture throughout the organization.”
Cybersecurity is the paramount risk facing today’s financial institutions. It has already caused substantive financial losses for its victims and has the ingredients to be an existential threat to the banking system. The FDIC and other government agencies (e.g., the SEC, CFTC, CFPB, etc.) recognize this and are committed to ensuring this risk is mitigated. To that end, the FDIC has provided in its piece a blueprint for what it considers an acceptable cybersecurity framework. Bank senior management and boards should waste no time in implementing the proposed framework and complying with the FDIC’s expectations. The FDIC makes it clear that it holds senior management and the board ultimately responsible for having a proper framework and a vigilant cybersecurity culture at the institution; it will not be acceptable for the board to just say, “we don’t understand computers … we thought the IT people had it handled ….” At some point soon, the FDIC, or another regulator, will make an example of an institution that has failed to heed its warnings. Do not be that example: understand cyber-risks, and read and implement this framework.
Editor’s Note: On March 2, 2016, the CFPB levied its first fine based exclusively on data-security grounds. Per the Consent Order, online payment processor Dwolla, Inc. will pay $100,000 because, among other deficiencies, it:
1) did not adopt or implement reasonable and appropriate data-security policies and procedures governing the collection, maintenance, or storage of consumers’ personal information,
2) misrepresented to consumers that it employed reasonable and appropriate measures to protect consumers’ personal information,
3) failed to conduct annual risk assessments,
4) failed to properly train its employees for handling consumers’ personal information, and
5) retained a vendor, which had access to consumers’ personal information, that failed to follow proper security procedures.
It is straightforward: one needs to implement proper procedures, accurately represent what one has implemented, conduct annual risk assessments, properly train employees, and assess vendors.
If you have any questions about cybersecurity measures or community banking, please contact us.