FDIC Publishes Customer Cybersecurity Guide
Earlier this month the FDIC published a Winter 2016 special edition of its FDIC Consumer News entitled “A Bank Customer’s Guide to Cybersecurity.”
The customer’s guide addresses issues such as:
• Simple Steps to Secure Computers and Mobile Devices
• Cybersecurity for Small Businesses
• Social Networking – Be Careful What You Share
• Protecting Your Child’s Personal Information
• Test Your Cybersecurity IQ
Regulatory authorities are very concerned about cybersecurity and have recognized it as the number one risk facing community banks today. The level of risk can be increased by your customers’ lack of understanding of cybersecurity issues.
Your bank should consider sharing the FDIC’s Winter 2016 guide not only with your customers but also with your employees. Providing this information to relevant groups helps keep cybersecurity top of mind and can demonstrate to your customers and your regulators that your bank is remaining vigilant in an area of substantial, growing risk.
However, a bank sometimes must be careful in suggesting what a customer should do. For example, in the lender liability area, if a commercial loan officer tries to tell a company that it must or can’t make a particular business decision, and the company fails as a result of following the bank’s directions, the bank can be liable.
Similarly, in the area of information security there may be good reason to “tread lightly” in appearing to give advice to customers. Consider what could happen if a bank tells its customers, “Do this; and don’t do that.” The customer follows the advice but still experiences a cybersecurity incident. Can the customer then sue, arguing that “I did everything the bank said. I relied on their expertise. I trusted them completely and believed that what they said was adequate. But it wasn’t enough; I was damaged; and the bank should be liable!”
A possibly attractive way to side-step an issue of potential liability is simply to make customers aware of timely information prepared by an obviously trustworthy third party (in this case, the FDIC), without specifically recommending to customers that they should follow the information, or implying that doing so is adequate. For example, consider the following language: “The FDIC recently provided some important guidance for bank customers concerning cybersecurity. See the following link for the FDIC’s suggestions on what you can do to help prevent online fraud and theft: [link].” In providing this statement to customers the bank says nothing stronger than that the guidance is “important” (and even that word could be deleted)—without stating in so many words that the bank agrees with it or that customers should follow it. (Even the FDIC’s wording is carefully chosen. The subheading of the guidance says it is “to help prevent,” without promising to prevent, online fraud.)
The FDIC guidance may be a “found opportunity” for banks to communicate with customers about a very important subject. A bank can lean entirely on what the regulators have said—without the bank directly making any kind of comments or recommendations on its own that a naïve customer could somehow misinterpret or rely on too strongly.
The FDIC's Customer Cybersecurity Guide can be viewed here: https://www.fdic.gov/consumers/consumer/news/cnwin16/
Engineered specifically for banks, BankOnIT’s unique combination of systems, processes and people provides banks the capabilities to efficiently manage the risk and cost of information technology while also reducing the amount of time it takes to manage IT. Client banks can rest easy, knowing they have secure, efficient and reliable information technology systems combined with the help needed to assist with ever-changing regulatory requirements.
For more information, please contact BankOnIT at 800-498-8877, or firstname.lastname@example.org.
About the author: Charles Cheatham is senior vice president and general counsel at BankOnIT. He has more than 30 years of experience providing legal services and advice to bankers. Prior to joining BankOnIT he served as vice president and general counsel of the Oklahoma Bankers Association and was previously a partner at McAfee & Taft, the largest law firm in Oklahoma. Charles is a graduate of Harvard Law School