Perspectives on Cyber Security & Digital Issues
Gary R. Bronstein
June 12, 2014
2014 Kilpatrick Townsend
Background
Cyber security and prevention of data breaches are increasing in importance in the wake of the cyberattacks on Target, Neiman Marcus and other retailers. In the past, smaller community banks were not on the radar of these global cybergangs, but they are now, and because they have fewer resources to put into this area than their large commercial bank counterparts, they are deemed more attractive targets. The silver lining for banks is that the recent breaches have woken up their customer base to cybersecurity threats.
Cost on Community Banks
Community banks have already reissued more than 4 million credit and debit cards at a total reissuance cost of more than $40 million following recent data breaches at major retailers (numbers are based on a sampling of community banks). Due to their quick action in reissuing affected cards, community banks' initial fraud costs were relatively low, with less than 1 percent of community bank customers reporting fraud on their accounts following the breaches at Target and Neiman Marcus.
Best Practices
Banks need to ensure that they implement holistic, risk-based programs that look beyond technology, and also consider the people and the process necessary for success. Banks need to focus on how to preserve their payments systems, on insulating their organizations from credential theft and, most importantly, on how to identify when a modern-day bank robber is already in the vault. Because the adversaries tend to have the advantage, banks should assume that the adversaries have already gotten into their networks and establish active hunt capabilities to look for and mitigate attacks.
Gramm-Leach-Bliley Act
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, 15 U.S.C. section 6801 (the "GLBA"), established guidelines for information security. Codified by the FDIC in the Code of Federal Regulations at 12 C.F.R. Part 364, Appendix B: Interagency Guidelines Establishing Information Security Standards.
Interagency Guidelines Establishing Information Security Standards
The Interagency Guidelines establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information. The Interagency Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621 and 628 of the Fair Credit Reporting Act. The Guidelines apply to customer information maintained by or on behalf of, and to the disposal of consumer information by or on behalf of, entities over which the Federal Deposit Insurance Corporation (FDIC) has authority.
Mandatory Information Security Program
Each bank is required to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. A bank's information security program must:
Ensure the security and confidentiality of customer information;
Protect against any anticipated threats or hazards to the security or integrity of such information;
Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
Ensure the proper disposal of customer information and consumer information.
Board Responsibilities under the GLBA
In addition, the Interagency Guidelines require the board of directors or an appropriate committee of the board of each bank to:
Approve the bank's written information security program; and
Oversee the development, implementation, and maintenance of the bank's information security program, including assigning specific responsibility for its implementation and reviewing reports from management.
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
Supplement A to the Interagency Guidelines provides guidance on response programs for unauthorized access to customer information. Every bank should develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems. A response program should be a key part of an institution's information security program. The program should again be appropriate to the size and complexity of the institution and the nature and scope of its activities.
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (cont'd)
At a minimum, an institution's response program should contain procedures for the following:
Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;
Notifying appropriate law enforcement authorities;
Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and
Notifying customers when warranted.
Existing State Legislation
The Internet is profoundly lawless. Currently, there is no uniform federal legislation relating to data breach notification that preempts state law. This creates headaches for institutions as they try to navigate various states' requirements. 46 of 50 states maintain security breach notification laws: Alabama, Kentucky, New Mexico, and South Dakota do not. In 2003, California was the first state to pass legislation. Generally, state laws contain timing and content requirements for notification.
Developing Legislation and Regulations
Congress recently held a series of high-profile hearings after the massive data breach at Target. The hearings resulted in little interest in creating legislation on the subject. Many organizations, let alone legislators, have trouble agreeing on what type of cyber security regulation is necessary or even appropriate. However, currently in front of the Senate Banking Committee is a bill that would establish national standards for notifying customers about data breaches.
"The progress we are making is ultimately inadequate without Congressional action to enhance, facilitate, and protect threat information sharing across sectors and with government." - Doug Johnson, American Bankers Association
Developing Legislation and Regulations (cont'd)
Members of Congress are working on legislation that would preempt state data breach notification laws. The bill would likely include a role for state attorneys general to enforce violations of federal laws. A similar mechanism exists under section 1042 of the Dodd-Frank Act, exercised by the New York Department of Financial Services in April 2014 for an unfair, deceptive or abusive acts and practices claim.
Developing Legislation and Regulations (cont'd)
California is once again leading the discussion on data security. It held hearings in late February on data security, with no immediate signs of enacting legislation. California legislators are encouraging banks and other companies to take their own action.
"I kind of put the challenge out to the private sector, saying: If you guys don't want us to legislate a certain technology, if you don't want us to legislate a certain solution, then implement one immediately." - Sen. Lou Correa, California State Senate, Senate Banking Committee
Private Sector Developments
Visa and MasterCard recently launched a cross-industry group to improve security for card transactions and press U.S. retailers and banks to meet a 2015 deadline to adopt technology that would make it safer to pay with plastic.
Private Sector Developments (cont'd)
The new group, which includes banks, credit unions, retailers and industry trade associations, will initially focus on the adoption of EMV chip technology. EMV cards, already used in Europe and Asia, store information on computer chips rather than on traditional magnetic stripes, making them harder to counterfeit. The roadmap laid out by Visa and MasterCard would require banks to make certain upgrades by October 2015.
Private Sector Developments (cont'd)
Banks that make certain upgrades would face less liability for fraud losses than those that do not. Whichever company is the weakest link in the chain (the card-issuing bank, the retailer, or the retailer's bank) would bear the responsibility for the losses.
Private Sector Developments (cont'd)
MasterCard and Visa said the group would also address security issues with mobile and online transactions. One proposed solution is for traditional account numbers to be replaced by a unique digital payment code.
"In the aftermath of the Target breach, security is on the minds of executives in the way it hasn't been in a very long time. This is a classic example of trying to strike while the iron is hot." - David Robertson, The Nilson Report
Executive Order and NIST
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The Order called for the development of a voluntary, risk-based cybersecurity framework: a set of existing standards, guidelines and practices to help organizations manage cyber risks. In February 2014, the Commerce Department's National Institute of Standards and Technology ("NIST") released a framework for improving critical infrastructure cybersecurity. It provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs.
NIST Framework
The framework document is labeled Version 1.0 and is described as a living document that will need to be updated to keep pace with changes in cybersecurity. Organizations can use the framework to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment, and establish a plan for improving or maintaining their cybersecurity. The voluntary framework will help organizations apply principles and best practices of risk management to improving the security and resilience of critical infrastructure.
FFIEC Focus on Cybersecurity
On May 7, 2014, the Federal Financial Institutions Examination Council ("FFIEC") announced plans to conduct cybersecurity vulnerability and risk-mitigation assessments to help smaller banking institutions address potential weaknesses. The assessments will be conducted in 2014 and will help the FFIEC member agencies make informed decisions about the state of cybersecurity across community institutions, address gaps and prioritize necessary actions to strengthen supervisory programs.
FFIEC Focus on Cybersecurity (cont'd)
FFIEC highlighted key focus areas for senior management and boards of directors of community institutions as they assess cybersecurity risks:
Setting the tone from the top and building a security culture;
Identifying, measuring, mitigating, and monitoring risks;
Developing risk management processes commensurate with the risks and complexity of the institutions;
Aligning cybersecurity strategy with business strategy and accounting for how risks will be managed both now and in the future;
Creating a governance process to ensure ongoing awareness and accountability; and
Ensuring timely reports to senior management that include meaningful information addressing the institution's vulnerability to cyber risks.
New York Focus on Cybersecurity
NY Governor Cuomo issued a report directing the NY Department of Financial Services ("NYDFS") to conduct new, regular, targeted cybersecurity preparedness assessments of the banks NYDFS regulates. NYDFS will begin including a targeted assessment of each bank's cyber security preparedness as part of the regular examination process.
New York Focus on Cybersecurity (cont'd)
The revised examination procedures will include additional questions in the following areas: IT management and governance; incident response and event management; access controls; network security; vendor management; and disaster recovery. NYDFS also recommended that all NY State-chartered depository institutions become members of the Financial Services Information Sharing and Analysis Center.
Cyber-Insurance Nuts and Bolts
Coverage for Breaches of Privacy and Security
3rd Party Coverage: Claims by Individuals Injured by Privacy Breach; Claims by Third Party Entities Injured by Privacy Breach; Regulatory Claims; Media Liability
1st Party Coverage (NOT Universal): Privacy Notification; Forensic Investigation; Data Restoration/Repair; Cyber-extortion; Business Interruption; Crisis Management (PR)
Cyber-Insurance: Where Found?
Maybe... but often not: CGL "Personal Injury" Coverage; D&O; Bankers Professional Liability; Fidelity Bond; Property/BI
Specialty Cyber Policies
Specialty Cyber Policies
NO standard T&C
Gaps/Concurrencies
Not all 1st party coverages offered by all carriers; often opt-in
"Old School" privacy breaches?
Coverage for third party acts
Limits, and most importantly, sublimits
Sample Bank Cyber Limits/Sublimits

Approx. Bank Asset Size | Aggregate Limits | Regulatory Claim | Crisis Management | Security Breach Remediation and Notification | Data Restoration | Business Interruption | Cyber Extortion
$608M                   | $1,000,000       | $500,000         | $250,000          | $250,000                                    | $0               | $250,000              | $0
$1B                     | $5,000,000       | $500,000         | $1,000,000        | $0                                          | $0               | $3,000,000            | $3,000,000
$2.3B                   | $1,000,000       | N/A              | $100,000          | $100,000                                    | $100,000         | $100,000              | $1,000,000
$2.4B                   | $2,000,000       | $1,000,000       | $500,000          | $500,000                                    | $0               | $0                    | $0
$4.5B                   | $3,000,000       | $500,000         | $1,000,000        | $1,000,000                                  | $1,000,000       | $1,000,000            | $3,000,000
Gary R. Bronstein
Kilpatrick Townsend & Stockton LLP
(202) 508-5893
gbronstein@kilpatricktownsend.com
www.kilpatricktownsend.com
Offices: Atlanta, Augusta, Charlotte, Denver, Los Angeles, New York, Raleigh, San Diego, San Francisco, Seattle, Shanghai, Silicon Valley, Stockholm, Tokyo, Walnut Creek, Washington D.C., Winston-Salem