Cybersecurity Issues for Community Banks




Eastern Massachusetts Compliance Network
Cybersecurity Issues for Community Banks
Copyright 2014 by K&L Gates LLP. All rights reserved.
Sean P. Mahoney
sean.mahoney@klgates.com
K&L Gates LLP
State Street Financial Center
One Lincoln Street
Boston, MA 02111
(617) 261-3202

WHAT WE WILL COVER TODAY
- Cybersecurity threats
- Laws and guidance governing bank cybersecurity programs
klgates.com 2

CYBERSECURITY THREATS
The Verizon 2014 Data Breach Investigations Report identifies the following threats:
- POS intrusions
- Cyber-espionage
- Web app attacks
- Insider misuse
- Crimeware
- Miscellaneous errors
- Card skimmers
- Physical theft/loss
- DoS attacks
- Other

CYBERSECURITY THREATS
- Web app attacks and POS intrusions appear to be on the rise
- Web app attacks and DoS attacks are the most prevalent cyber-attacks in financial services
- According to the American Bankers Association, two-thirds of the instances of unauthorized access are the result of phishing attacks
- The success rate of phishing emails is approximately 18%, according to Verizon

CYBERSECURITY THREATS
Motivation for attacks generally falls within three broad categories:
- Financial gain
- Ideologically motivated attacks (social, political or sport/narcissism)
- State sponsored

LEGAL STANDARDS
- The big picture: a risk-based approach
- November 3, 2014 FFIEC cybersecurity guidance
- Laws that protect information
  - Title V of Gramm-Leach-Bliley
  - State laws
  - Fair Credit Reporting Act
- Regulatory data security standards
  - FFIEC
  - NIST Framework
- Regulatory business continuity standards

THE BIG PICTURE
- The risk approach of regulations is often based upon the risk of violations or harm to individuals
- Businesses also need to look at the risks of a data security breach to the business itself
- In many ways, regulatory compliance is the least important aspect
- Reputational risk for many businesses can be severe
- Loss of accompanying sensitive business data can also cause competitive harm
- Risk-based compliance is the future

THIS WEEK'S FFIEC GUIDANCE
- Expectation that all financial institutions maintain current awareness of cybersecurity threats
- FFIEC encourages all financial institutions to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
- Other sources to monitor:
  - FBI InfraGard (www.infragard.org)
  - U.S. Computer Emergency Readiness Team (www.uscert.gov)
  - U.S. Secret Service Electronic Crimes Task Force (www.secretservice.gov/ectf.shtml)

THIS WEEK'S FFIEC GUIDANCE
After assessing cybersecurity at 500 community banks, FFIEC commented on the following:
- Cybersecurity inherent risk
  - Connection types
  - Products and services
  - Technologies used
- Cybersecurity preparedness
  - Risk management
  - Threat intelligence and collaboration
  - Cybersecurity controls
  - External dependency management
  - Cyber incident management and resilience

LAWS THAT PROTECT INFORMATION
Title V of the Gramm-Leach-Bliley Act
- Designed to restrict invasive marketing tactics
- Required privacy policies and disclosure thereof
- Provides consumers opportunities to opt out of information sharing
- Also includes requirements to maintain policies and procedures to safeguard nonpublic personal information

LAWS THAT PROTECT INFORMATION
Title V of the Gramm-Leach-Bliley Act
- Title V of the GLBA protects nonpublic personal information (NPI), which is defined as any personally identifiable financial information:
  - provided by a consumer to a financial institution,
  - resulting from a transaction by a consumer with a financial institution, or
  - otherwise obtained from a financial institution
- NPI includes customer lists, as the fact that there is a customer relationship is deemed to constitute NPI

LAWS THAT PROTECT INFORMATION
GLBA Safeguards Rule
All financial institutions must develop a written information security plan that must:
- be appropriate to the financial institution's risk profile
- designate the employee or employees to coordinate the program
- identify and assess the risks
- evaluate the effectiveness of current safeguards for mitigating those risks
- select appropriate service providers and require them to implement the safeguards
- evaluate the program

LAWS THAT PROTECT INFORMATION
GLBA Identity Theft Provisions
No person may obtain or attempt to obtain customer information by:
- making a false or fraudulent statement to a financial institution or a customer of a financial institution
- presenting a lost, stolen or forged document to a financial institution
- requesting information, the disclosure of which is known to be in violation of GLBA

LAWS THAT PROTECT INFORMATION
State data security and breach reporting laws
- State laws enacted in response to data security breaches and growing concern about identity theft
- Most statutes impose data security breach notification requirements
- Some states, most notably Massachusetts, impose an obligation to adopt policies and procedures to protect information
- Compliance with the Interagency Standards is often sufficient
- Protected information generally consists of a name plus another identifier that would enable a person to obtain credit or access an account

LAWS THAT PROTECT INFORMATION
Massachusetts Data Security Law
The Legislature required data security regulations to meet the following design parameters:
- ensure the security and confidentiality of customer information in a manner fully consistent with industry standards
- protect against anticipated threats or hazards to the security or integrity of such information
- protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer
- take into account the person's size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of the information

LAWS THAT PROTECT INFORMATION
Massachusetts Data Security Law
Requires every person engaged in commerce to have a written information security program including, among other things:
- Employee training and compliance
- Vendor management
- Specific computer security requirements, to the extent technically feasible
Note: 128-bit encryption is still significant for purposes of statutory security breach notification

REGULATORY STANDARDS
- Promulgated by bank regulatory agencies either on an interagency basis or through FFIEC
- May form the basis for what constitutes commercially reasonable security procedures
- May be viewed as a potential source of best practices

REGULATORY STANDARDS
Interagency Guidance on Authentication
- Requires risk assessments taking into account new and evolving threats
- Sets expectation of layered security:
  - Fraud detection and monitoring
  - Dual authorization through different access devices
  - Use of out-of-band verification for transactions
  - IP reputation-based tools

REGULATORY STANDARDS
FFIEC Information Security Handbook
- Serves as the bank examination manual for compliance with the GLB Safeguards Rule
- Establishes an information security risk management process:
  - Information security risk assessment
  - Information security strategy
  - Security controls implementation
  - Security monitoring
  - Security process monitoring and updating

REGULATORY STANDARDS
FFIEC Information Security Handbook
Processes need to involve management and departments throughout the organization:
- Compliance
- Information systems
- Human resources
- Facilities management
- Business operations

REGULATORY STANDARDS
FFIEC Business Continuity Handbook
The business continuity planning process includes:
- Policy by which the firm manages identified risks
- Allocation of resources and knowledgeable personnel
- Independent review
- Training and awareness
- Regular, enterprise-wide testing
- Continuous updating to adapt to a changing environment

REGULATORY STANDARDS
FFIEC Business Continuity Handbook
Policy should address:
- Continuity planning process
- Prioritization of business objectives and critical operations essential for recovery
- Integration with financial markets
- Integration with vendors and outsourced services
- Regular updates in response to changes in business processes, audit recommendations and testing

REGULATORY STANDARDS
FFIEC Business Continuity Handbook
Principal tools in continuity planning:
- Data synchronization tools
- Pre-established crisis management team
- Incident response procedures
- Remote access
- Employee training
- Clear notification standards
- Insurance

NIST FRAMEWORK
Introduces a core set of cybersecurity activities:
- Identify
- Protect
- Detect
- Respond
- Recover

NIST FRAMEWORK
- Implementation tiers based on risk:
  - Tier 1: Partial
  - Tier 2: Risk Informed
  - Tier 3: Repeatable
  - Tier 4: Adaptive
- Framework profile:
  - Current ("as is" state)
  - Target (desired state)

TAKE-AWAYS
- An integrated approach to data security is key
- Involve human resources
  - Humans are often the weak link in your data security infrastructure
  - Training and progressive discipline can be key risk mitigation techniques
- Business managers need to be involved in technical solutions
  - A secure environment has to be usable or people will find ways to work around it (e.g., shadow IT)
- The only thing worse than poorly crafted policies and procedures is great ones that are not followed

TAKE-AWAYS
- Have an incident response team in place to manage reputational risk:
  - Information technology
  - Public relations/crisis management
  - Lawyers
- Manage your data
  - Do not ignore records management as a key component of the cybersecurity program
- Manage your vendors
  - Review and catalogue agreements with any vendor that touches your data