Our overview of the Top 10 Considerations for Financial Institutions in 2020 series noted that financial institutions will continue to face challenges in a number of corporate, compliance, and risk areas, especially in light of COVID-19 and a potentially slowing economy in 2020. Our fourth consideration is cybersecurity.
Financial institutions remain on high alert for cybersecurity incidents. Risks associated with cyber events continue to be a focus area for financial institution regulators as well. In fact, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation released a Joint Statement on Heightened Cybersecurity Risk on January 16, 2020. Among other things, the Joint Statement indicates that sound risk management for cybersecurity, especially in times of heightened risk, includes response and resilience capabilities, authentication, and system configuration.
Robust cybersecurity is obvious in theory but can be difficult to implement in practice. So, take the first step—review the 10,000-foot picture of your financial institution and your systems, controls, and capacity—and see where that leads. Where you find sensitive information, check the identity and access controls that protect those areas of the architecture to make sure there is limited access and multiple authentication checks.
In addition to the Joint Guidance from the OCC and FDIC, the Departments of State, Treasury, and Homeland Security, along with the Federal Bureau of Investigation issued a joint statement warning specifically of cyberattacks on financial companies by North Korean-linked hackers as a way to generate revenue for the North Korean regime that is grappling with financial sanctions. These attacks have included phishing attempts, ransomware attacks—where hackers lock their financial institution victims out of their networks and demand a ransom payment in digital currency in order to unlock the network—and extortion attempts by hackers posing as cybersecurity consultants.
Financial institution regulators have consistently asked that financial institutions share information about cybersecurity attacks through government and industry channels, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), the National Cyber-Forensics and Training Alliance (NCFTA), or even through the Section 314(b) information sharing protocols under the USA PATRIOT Act.
Risks of a cybersecurity incident are increasing as more financial institution employees connect to the network remotely. Cyber attackers are attempting to take advantage of employees distracted by the new working environment and of IT staff struggling to promote good cyber hygiene principles while protecting the network with security updates and system patches as a dispersed workforce logs in through home networks.
1. Review your financial institution’s cybersecurity architecture for controls and vulnerabilities, and address any vulnerabilities as quickly as possible.
2. Review applicable guidance and implement or update reasonable policies and procedures based on your financial institution’s size, complexity, and infrastructure.
3. Consider enhanced employee training focused on a remote working environment.
Howard & Howard has a dedicated team of financial services attorneys with deep experience handling complex transactional, regulatory, and litigation matters, as well as a talented team of cybersecurity attorneys to help you understand these regulations. Our attorneys regularly advise clients on M&A, strategic transactions, third-party engagement, enforcement matters, and regulatory compliance. For more information, or for questions related to this Financial Institutions Advisory, please contact the author(s), your Howard & Howard attorney, or visit us at https://howardandhoward.com/services/financial-banking/.