Magazine article Independent Banker

Primed for Action

Magazine article Independent Banker

Primed for Action

Article excerpt

Attention community banks: Now might be a good time to brush up on the details of your cyberbreach response plans. Indeed, over the past three exam cycles, regulators have emphasized that all banks have updated, written data breach response plans in place. They also want to see bank breach response plans reviewed and practiced regularly so that the board, management and employees are intimately aware of what to do in the event that a true breach occurs.

"I would fully anticipate that we're going to start seeing enforcement actions if banks don't have those kinds of things in place," says Kevin Petrasic, an attorney in the financial institutions advisory practice at the White & Case law firm in Washington, D.C.

Even if banks have a written response plan in place in line with the regulatory requirements, those plans might be lingering too long in a desk drawer, untouched. However, inactive breach response plans fly in the face of regulators' expectations that banks be fully prepared for, if not poised to respond to, a data breach that might occur. Community banks should periodically review their IT breach response plan at least once a quarter to make sure everything is still as it should be, several data security consultants say.

"Regulators want to know whether everyone understands how the plan is supposed to happen," Petrasic explains. "The best-laid plans are going to be for naught if nobody really understands what their role is and what they are supposed to do."

Map protocols

To make sure the right steps are taken swiftly and efficiently when the heat is on, consultants say, a robust employee education plan is also important to any complete data breach response preparation. A point person also should be prepared to ask the right questions and relay key information to other members of an internal response team, advises Andy Obuchowski, director of security and privacy consulting in the Boston office of McGladrey LLP. Knowing which regulator to call, which law enforcement agency to alert and when to bring in legal counsel are fundamental.

Paul Ferrillo, counsel in the cybersecurity, data privacy and information management group at the Weil, Gotshal & Manges LLP law firm in New York, points out that a routine cyberbreach step is notifying the FBI and U.S. Secret Service, because it's not always clear which agency might have jurisdiction. "Very often they'll decide who's in charge," he says.

It's almost always a good idea to call one because of all the various state laws and different rules and regulations around disclosure, Ferrillo adds. He says a considerable amount of cybersecurity events happen because of employee mistakes, so he likes to see banks run training sessions on a monthly basis.

"When there's such a huge majority of cyberattacks that are employeecaused, I always think it's better to overtrain than to undertrain," he says.

Training areas to address include how to recognize known threats such as spear-phishing and why using public Wi-Fi is not advisable. Banks also should have strict policies about the use of use of social media on work devices-and remind employees regularly about the rules. Sending employees reminders not to click on links that seem suspicious, even if it appears to be from someone they know, is a good practice.

Consider cyberinsurance

Banks also should strongly consider purchasing a cyberinsurance policy. In a speech last year, Sarah Raskin, the second-ranking official at the U.S. Department of Treasury, laid out the reasons why banking institutions should be investing in cyberinsurance. What's more, the Federal Financial Institutions Examination Council has strongly suggested that community banks purchase cybersecurity insurance as the way of transferring some of the risk to an insurance company. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.