Pub. 2 2022 Issue 6

Legal Eagle Spotlight: Eight Steps to Handling a Cybersecurity Crisis at Your Bank

This story appears in The Show-Me Banker Pub. 2 2022 Issue 6

Around the country, banks and other financial institutions are doubling down on cybersecurity efforts in order to protect against a recent spike in destructive attacks, ransomware, and “island hopping” – a type of hack that involves attackers exploiting the weaknesses of small businesses to move laterally to target larger organizations. Financial institutions cannot ignore this threat and must address it head-on; all banks, regardless of size, should have an operational cyber risk management program in place led by trusted cyber legal counsel.

According to a 2022 VMware report, “Modern Bank Heists 5.0,” 63% of financial institutions experienced an increase in destructive attacks. This is up 17% from 2021. In the same survey, 74% of respondents stated they experienced one or more ransomware attacks, and 63% of those victims paid the ransom. Lastly, 60% of financial institutions experienced a 58% increase in island hopping from last year. The report’s findings are based on a February 2022 survey of 130 chief information security officers and security leaders at financial institutions, 41% of which were headquartered in North America.

Combine this with the new requirements of the Cyber Incident Reporting Act, which was signed by President Biden in March 2022 and went into effect in May, and the value of effective cybersecurity programs becomes apparent, particularly when faced with a threat or active attack. The Act requires owners and operators of critical infrastructure to report cyber incidents to the U.S. Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and to report ransomware payments within 24 hours.

So, how do banks combat the ever-evolving threat of data breaches and cybersecurity attacks? Here are eight tips to help financial services leaders remain vigilant:

  1. Nobody thinks that this is going to happen to them. It is better to prepare for an event that never happens than to be unprepared when an incident occurs. Cyber issues affect everyone. Create a disaster recovery plan to help avoid data loss and minimize business downtime in the event of a security breach.
  2. Prepare your incident response team. Practice is key. If the chief decision-makers have never met before a data breach occurs, the response may not be executed with the highest degree of confidence.
  3. Save money by learning how to “speak” insurance. Understanding the intricacies of insurance can mean money in your pocket in the event of a disaster. Learning what the insurance companies require and getting the proper coverage will save time and money.
  4. Remain calm. Measure your response. Shutting down operations is often drastic and unnecessary. Determine what really happened before making any decisions or talking to third parties. You want to ensure that your entity is the true source of the data leakage before you respond.
  5. Be careful when using the term “data breach.” “Data breach” has a very significant legal meaning that requires immediate action and implicates various reporting requirements. Consider using the term “incident” or “event” until the breach is confirmed.
  6. Logistics are key. As General Omar Bradley famously said, “Amateurs talk strategy. Professionals study logistics.” Many cybersecurity issues businesses deal with today can be avoided with early planning, and logistics are the most important part of preparation.
  7. Attorney-client privilege does not always apply. Information communicated with outside professionals may fall under attorney-client privilege if attorneys hire them as consultants to the case. However, information disclosed to law enforcement or perhaps even an insurance carrier is likely not privileged.
  8. Encrypt your data. A bank’s data is one of its most important assets. It is critical to encrypt your data using a strong encryption algorithm such as Advanced Encryption Standard (AES) and protect the decryption keys. In the event of a security breach, your data will be inaccessible without the associated decryption keys.

From the relatively expected ransomware and phishing attacks to complex distributed denial-of-service (DDoS) and supply chain attacks, banks and other financial institutions are facing more cybersecurity challenges than ever. By creating a risk plan ahead of time, building a solid response team, and anticipating various types of attacks, financial institutions can mitigate risk and prevent the worst of cyberattacks.

Shawn Tuma, Spencer Fane LLP

Andrea Perry, Spencer Fane LLP