Cyber Risk Management
A Changing Landscape
We have all read about the numerous breaches of mega-companies like Orbitz, Panera Bread, Delta, Best Buy, and many others; and it’s not just the “Big Boys” getting hit. Increasing pressure is being applied by banking regulators to make sure community banks and other financial institutions are doing all they can to protect their customers.
What used to be the “industry standard” in cyber risk management, seems to change daily. However, making sure your bank complies with this “industry standard,” can make the difference in a favorable court decision in a customer class action suit against your bank.
What exactly is the Banking Industry Standard for Cyber Risk Management? While there is no set definition of what the industry standard should be, several federal regulators have defined the minimums through their rules and handbooks. The FTC vaguely mentions their minimums through the Red Flag Rules. The FFIAC is more specific and covers theirs through their Management Handbook, while the FDIC covers theirs through their Breach Report Requirements.
The bank’s regulation officer should at least be familiar with these regulatory minimums. These “regulations” to cover losses can be broken down into three (3) general categories; 1) Cyber Risk Controls, 2) Cyber Disaster Plans, and 3) Risk Financing Techniques (primarily insurance).
Cyber Risk Controls
Every bank should have a written Cyber Risk Management policy that addresses cyber and hacker attacks. While there are many good “out of the box” virus protection programs on the market, they are also available to hackers to study for weaknesses.
Therefore, since they are available to the public, they are more prone to be unsuccessful. Programs specifically designed for protecting a specific bank network from cyberattacks are preferable.
Some sort of security audit by a qualified outside cyber audit firm is almost a requirement now. Penetration audits may be required for larger financial institutions and/or those that rely heavily on cyber-generated information. Although they are preferred, a “review” audit is better than no audit.
“Callbacks” on EFT’s are essential as well as corporate policies on phishing and personal use of corporate email accounts.
Cyber Disaster Plans
The FDIC and state banking regulatory departments require all banks to have a disaster recovery plan. Until recently, the emphasis of this plan was mostly on natural disasters occurring in the bank’s area (i.e. floods, windstorms, earthquakes, etc.).
However, with the rise in bank’s dependencies on supercomputers, electronic money transfers, and the internet in general, protection of computer equipment and the services that depend on these cyber assets, has become essential. Unfortunately, it is not just money that is the concern, but the protection of the bank customers’ personal information.
To protect bank customers upon the discovery of a cyber breach, each state banking department has set protocols that a financial institution must follow. The FDIC has some influence in this area as well. Each bank Risk Manager should be familiar with these state protocols.
While it is not an insurance requirement as yet (as the Financial Institution Bond is), most FDIC and state banking regulators are requiring evidence of Computer Theft and Cyber Liability coverages for all banks.
Cyber Risk Financing
The FFIEC Management Handbook states one of a bank’s Risk Manager’s responsibilities is to know his/her’s cyber insurance policies and to be sure their bank’s cyber exposures are covered. The handbook also describes seven (7) areas that should be particularly addressed. Bahr Consultants is now including these seven (7) areas of standards regarding cyber risk as an addendum to all of our Insurance Audit Reports, effective June 1, 2018.
Please understand the list of standards in this newsletter is not meant to be definitive but should be used as a guide from current statements from these authorities, as well as personal experience. It is recommended this area of bank operations be given as much attention as is possible.