How Will Your IT Practices Hold Up in Court?
A bank’s information security risks include not just regulatory risk, but also financial risk (from unauthorized transactions arising from data breaches), reputation risk (loss of customers’ trust and loss of business) and business continuity risk (system failure, destruction or corruption of data, or unavailability of electronic information because of hackers, disasters or other business interruptions).
Most banks may not be considering that the condition of their information security systems and processes can also be a source of litigation risk: Banks could be sued by customers (and employees) for “negligence” if confidential information is stolen, these persons are seriously harmed thereby, and a bank’s inadequate information security protections are allegedly a major contributing factor. (If your bank were sued on this basis, would you lose — or would you win?) Both Target and Sony Pictures, victims of recent cyber-attacks, are facing multiple lawsuits related to the security breaches they suffered.
Imagine yourself as a bank director on the witness stand: “Mr./Ms. Director, does your bank follow industry-standard information security procedures?” (“Well, uh, I guess so.”) “Which standards do you follow?” (“Well . . . I don’t know.”) “For example, do you use any of the 462 pages of procedures for strengthening information security, set out in the ‘security and privacy controls’ document provided by the National Institute of Standards and Technology?”* (“Uh . . . I don’t know what that’s about. I guess we must be doing some of it.”) “Are you aware of any other industry standards that your bank follows with respect to information security?” (“Uh . . . not specifically. We mainly just rely on the regulators to look over what we are doing.”) “Do you think it’s important for a bank to have good information security to protect its customers?” (“Uh . . . yes.”) “Then why aren’t you following any industry standards for good information security?” (“Uh . . .”)
Some banks view information security as primarily a regulatory risk. They take a “wait and see” approach to better compliance — responding in a reactive way to IT issues — whatever the regulators may list as exceptions at an exam. These banks often aren’t strongly focused on proactive steps (before a problem happens) that could decrease the risk of an information security breach — and they may not have any strong, ongoing process for review and management of IT issues. If examiners’ comments aren’t too harsh, these banks may assume they’re doing well, and will move on to other issues until regulators show up again.
Of course, it is not examiners, but rather cyber-attackers, who are the actual source of a bank’s risks related to information security. Banks should be focused on how to guard against and respond to information security events before an event occurs, not just on how to deal with listed examination exceptions. Information security attacks are getting worse. And that trend will continue. Doing only what the examiners may have emphasized at the last exam will not be enough to protect a bank until the next exam.
Many directors do not realize that there are extensive industry-standard procedures and guidelines for improving information security — ranging from a variety of bank regulatory agency pronouncements to technical practices outlined by the National Institute of Standards and Technology (NIST).** As these standards emphasize, a company should regularly consider new and better ways to strengthen information security in response to constantly evolving cyber threats.
It’s difficult for a community bank by itself to comply with so many technical standards. The best approach to information security involves using a combination of security strategies and layers of security; however, there are lots of moving parts in this puzzle and so much that should be happening simultaneously. How can a bank acting on its own be confident that all its bases are covered?
To better manage a community bank’s constantly changing cyber risks, the best option may be to outsource to a banking-industry-specific vendor that fully understands industry security standards and the proper combination of technology systems, board policies and personnel-related procedures needed for effectively meeting a bank’s security requirements.
Even though 100 percent of information security incidents may not be preventable, the best defense in a courtroom is to have a solid offense before you go to court. Strong information security allows a bank not only (1) to protect itself against information security risks, but also (2) to detect when an information security event is occurring, and (3) to respond to that event in real time, to limit the damage. Bank regulatory guidance and NIST’s standards include extensive information that supports each of these three important steps.*,**
(*) NIST, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
(**) NIST, Framework for Improving Critical Infrastructure Cybersecurity, www.nist.gov/cyberframework/index.cfm