Cybersecurity Potpourri for Financial Institutions
There is no doubt that cybersecurity is a constant topic no matter where you look these days. The reason for the constant emphasis on the subject is simple – RISK – no institution, no matter its size, can overlook cybersecurity risk.
With a topic this complicated and this widely written about, it is often worthwhile to step back and consider just a few of the key elements and factors. This article attempts to do just that, in summary form.
Core Business Services
In thinking through cybersecurity risk, an institution's failure to maintain the integrity of its core business services is unacceptable. Regulators focus on core business services in their exams. This focus is NOT limited to large, complex financial institutions. Expectations have risen for regional and community financial institutions as well, creating additional cost obstacles and thereby fanning the flames of financial institution consolidation.
Interconnectivity
Third party vendor interconnectivity increases cybersecurity risk as well. Multiple financial firms are dependent on and interconnected with varying vendors. Cloud computing, too, adds to interconnectivity risks.
Testing
There is no substitute for testing to evaluate, for example, core system recovery from a cyber event or recovery from an attack affecting service providers.
Reputation Risk
Reputation risk is a key consideration. The loss of public trust and confidence is a critical factor. Such trust and confidence is essential for large institutions and in some ways even more critical for smaller institutions, where public perception may be that cybersecurity risk is greater than in a larger institution. A key element of a Cybersecurity Incident Response Plan must therefore be public communication and efforts to limit damage to the institution's reputation to the extent possible.
Service Provider Contracts
Contracts with service providers should require the service provider to disclose to the institution any security breach of the institution's customer information systems maintained by the service provider.
Incident Response Program
At a minimum, an institution's response program should contain procedures for: (1) assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused; (2) notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined in the final Guidance; (3) immediately notifying law enforcement in situations involving Federal criminal violations requiring immediate attention; (4) taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, such as by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and (5) notifying customers when warranted.
Regulatory agencies believe that it is the responsibility of the financial institution, and not the service provider, to notify the institution's regulator when a security incident involves an unauthorized intrusion into the institution's customer information systems maintained by the service provider. Therefore, the final Guidance states that a financial institution should notify its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information. Nonetheless, a security incident at a service provider could have an impact on multiple financial institutions that are supervised by different Federal regulators. The final Guidance makes clear that an institution may authorize or contract with its service provider to notify the institution's regulator on the institution's behalf when a security incident involves an unauthorized intrusion into the institution's customer information systems maintained by the service provider.
The final Guidance is an interpretation of existing provisions in Section 501(b) of GLBA and the Security Guidelines.