The potential impact of cybercrime on financial institutions, and especially community banks, is considerable. Unless proactive steps are taken to implement cybersecurity programs, community banks will continue to be at risk. Increasingly sophisticated attacks exposing software and systems vulnerabilities have become commonplace for financial institutions whose compliance efforts have focused on other, more traditional areas, such as mortgage and consumer lending and deposits. Given the number and sophistication of cyber attacks, a top-down approach to cybersecurity, a culture of compliance, and a culture of information security at financial institutions are all necessary to combat the evolving threat landscape.
There are effective processes and procedures that community banks can establish to manage cybersecurity risks. A helpful starting point for any financial institution is to conduct a comprehensive risk assessment that identifies categories of risk that apply to people, processes, systems, and vendor activities. These risk assessments should be based on the financial institutions’ products and services as well as the cybersecurity risks from the software and systems maintained, and should be reviewed and updated on a periodic basis. Significantly, the Federal Financial Institutions Examination Council (FFIEC) released a Cybersecurity Assessment Tool in 2015 that has been used by many financial institutions when working through such risk assessments. Finally, although these risk assessments could be conducted internally, they are generally assisted by outside advisors with specific expertise in identifying cybersecurity vulnerabilities.
Once the risk assessment is finalized and potential vulnerabilities are identified, financial institutions should plan for the unfortunate inevitability of attacks on their people and systems. Many common attacks begin with simple phishing, but institutions have also faced more sophisticated “spear-phishing” attacks tailored to a particular recipient or group of recipients at the institution. In addition to these traditional attacks targeting individual employees or vendors, malware, ransomware, and distributed denial-of-service attacks on institutions’ systems have become unfortunate realities. Adding insult to injury, many of these system-wide attacks have involved ransom demands payable in cryptocurrency—namely, Bitcoin—with which community banks are not yet generally involved.
In addition to training employees, executives, and board members to help prevent attacks where possible, financial institutions should have robust, written response plans developed and readily available to quickly and efficiently handle an attack. The response plan should include a step-by-step plan of action specifying the actions to be taken by institution employees, vendors, and other key stakeholders to determine the facts and circumstances of the breach or intrusion, which will quickly inform management on the proper course of action for notifying law enforcement, regulatory agencies, and customers, if applicable.
In addition to traditional regulatory expectations around risk management, information security, and training, financial institutions are expected to ensure that third-party relationships account for cybersecurity and other risks. Vendor management has become a hot topic at countless industry events as financial institutions work to conduct the proper level of due diligence on vendors and craft adequate policies, procedures, and especially contracts that establish and outline the relationship between the financial institution and the vendor.
Financial institutions begin the due diligence of vendors by understanding the vendor’s background and leadership, whether it has had prior regulatory or litigation proceedings, its use of subcontractors, and its compliance training. This can be effectively accomplished through a comprehensive due diligence questionnaire sent to the vendor.
To effectively manage vendor risk, many financial institutions have created vendor databases in which due diligence information, risk ratings, and monitoring information are collected and stored. The database could also include current and past versions of contracts as well as exceptions to vendor policies and procedures. By constantly maintaining and updating records, financial institutions can further minimize cybersecurity risks.
As mentioned above, the contractual arrangements with vendors play a critical role in combating cybersecurity threats. Agreements with third parties providing services for the bank often contain provisions regarding what specific services are to be performed, the compensation structure, confidentiality, information security, representations and warranties, liability and indemnification, and auto-renewal and termination. These written agreements form the basis of the relationship and allow financial institutions to circle back to determine whether there are deviations and exceptions from standard agreements, or whether a contract must be updated to comply with new regulatory schemes and frameworks. Many of these arrangements with critical vendors also include provisions requiring evidence of regular audits and reporting by the vendor to the financial institution for ongoing maintenance of the relationship.
Boards of directors also have the ability to be key players in the relationship between banks and third parties and in fact should be engaged throughout the process of approving the use of such third parties. The board generally is responsible for ensuring that an effective process for managing vendor risk is established and is consistent with the institution’s goals, organizational objectives, and risk appetite. In addition, the board serves an accountability function by ensuring that management takes appropriate action to address dips in performance, changing risks, or material issues.
Insurance, and potentially a supplemental cyberinsurance policy, is another important factor influencing financial institutions’ cybersecurity preparedness. It is vital for institutions to assess whether they have adequate insurance and, even more critically, what that insurance actually covers. At the same time, when selecting an insurance policy, institutions should carefully consider the representations made to insurance companies. If contractual conditions are not fulfilled or representations are inaccurate, insurers will attempt to rescind coverage or deny claims in the event of a cyber incident.
Given the attention to cybersecurity and the pressure on financial institutions to protect their systems and customer information, these are just a few of the considerations for combating, preparing for, and responding to a cyber incident.
Joseph E. Silvia is senior counsel in the Chicago office of Chapman and Cutler LLP where he focuses his practice on representing financial institutions, financial technology companies, and marketplace lenders on corporate, transactional, and regulatory matters. Carla Potter is an associate in the Toronto office of Cassels Brock where she is a member of the Financial Services Group.