Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by:
(1) Providing an overview of the legal and regulatory framework;
(2) Examining the most likely real-world risks; and
(3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds).
Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel (formerly the Texas Association of Bank Counsel) 42nd Annual Convention on September 20, 2018.
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
1. Spencer Fane LLP | spencerfane.com
Cybersecurity: Cyber Risk Management for Banks & Financial Institutions
Texas Association of Bank Counsel, 42nd Annual Convention
Shawn Tuma, Co-Chair, Cybersecurity & Data Privacy, Spencer Fane LLP
spencerfane.com | @spencerfane | @shawnetuma
2.
The Problem for Law Firms
• Cybersecurity and privacy are issues that most attorneys would prefer to ignore but are uniquely obligated to address.
• Cybersecurity and privacy impact all lawyers and law firms alike.
• Clients are demanding adequate security (firms are their third-party risk).
• Law firms are an increasingly popular target:
– Value and sensitivity of data.
– Data for multiple clients.
3.
The Ethics for Law Firms
“A lawyer should preserve the confidences and secrets of a client.”
• Ethics Opinion 384 (Sept. 1975)
• Canon No. 4, Code of Professional Responsibility
• Disciplinary Rule (DR) 4-101 (A) and (B)
• New duty of “technical competence” for lawyers
4.
Cybersecurity is no longer just an IT issue—it is an overall business risk issue.
5.
“Security and IT protect companies’ data; Legal protects companies from their data.”
9.
2 Themes to Remember
• Cyber law is an expedition
• The “issues” usually aren’t really that new
10.
The Real Threats
• 63% of confirmed breaches involved weak, default, or stolen passwords
• Data is lost over 100x more often than it is stolen
• Phishing is the method used most to install malware
Easily Avoidable Incidents
• 91% in 2015
• 91% in 2016
• 93% in 2017
11.
Cybersecurity Best Practices
• Risk assessment
• Policies and procedures focused on cybersecurity
– Culture
– Social engineering, passwords, security questions
• Train workforce on P&P and security
• Phish all workforce
• Multi-factor authentication
• Internal controls / access controls to restrict unnecessary data risk
• Data retention policy
• Signature-based antivirus and malware detection
• No outdated or unsupported software
• Patch management process
• Backups: segmented offline, cloud, redundant
• Incident response plan
• Encrypt sensitive data and air-gap hypersensitive data
• Adequate logging and retention
• Third-party security risk management program
• Firewall, intrusion detection and prevention systems
• Managed services provider (MSP) or managed security services provider (MSSP)
• Cyber risk insurance
12.
Canary in the Coal Mine
• What is your role?
• How does your bank handle:
– P&P + Training
– MFA
– Phishing
– Backups
– IR Team + IRP
– Cyber Insurance
15.
How mature is your bank’s cyber risk management program?
“GMR Transcription Services, Inc. . . . Shall . . . establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
“We believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.” SEC Statement and Guidance (Feb. 21, 2018)
“Institutions should maintain effective information security programs commensurate with their operational complexities. Information security programs should have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” FFIEC Examination Handbook (Sept. 2016)
“Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” NYDFS Cybersecurity Regulations § 500.02
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including …” GDPR, Art. 32
16.
What is reasonable cybersecurity?
• Too little – “just check the box”
• Too much – “boiling the ocean”
17.
Cyber Risk Management Program Process (a repeating cycle):
• Identify: Assess Cyber Risk
• Identify & Protect: Strategic Planning
• Protect & Detect: Implement Strategy & Deploy Assets
• Protect: Develop, Implement & Train on P&P
• Protect: Third-Party Risk
• Protect & Respond: Develop IR Plan & Tabletop
• Recover & Identify: Reassess, Refine & Mature
18.
What should your bank’s cyber risk management program look like?
• Based on a risk assessment [1,2,3,4,5,6]
• Implemented and maintained (i.e., maturing) [1,2,3,6]
• Fully documented in writing for both content and implementation [1,2,3,6]
• Comprehensive [1,2,3,4,5,6]
• Contain administrative, technical, and physical safeguards [1,2,3,6]
• Reasonably designed to protect against risks to network and data [1,2,3,4,5,6]
• Identify and assess internal and external risks [2,6]
• Use defensive infrastructure and policies and procedures to protect network and data [1,2,3,4,5,6]
• Workforce training [2,3,6]
• Detect events [2,6]
• Respond to events to mitigate negative impact [2,6]
• Recover from events to restore normalcy [2,6]
• Regularly review network activity such as audit logs, access reports, incident tracking reports [3,6]
• Assign responsibility for security to an individual [3,5,6]
• Address third-party risk [2,3,5,6]
• Certify compliance by Chair of Board or Senior Officer or Chief Privacy Officer [2]
1. In re GMR Transcription Svcs, Inc., Consent Order (Aug. 14, 2014)
2. NYDFS Cybersecurity Regulations § 500.02
3. HIPAA Security Management Process, § 164.308(a)(1)(ii)
4. SEC Statement and Guidance (Feb. 21, 2018)
5. GDPR, Art. 32
6. FFIEC IT Examination Handbook
19.
A few words about privilege
• Great sales pitch → the magic wand!
• Mature understanding → not so simple!
• Prepare by doing everything possible to ensure the applicability of privileges, but carry out the work as though there will be no privilege.
– Retain experienced cyber counsel to assess cyber risk and to develop and lead the cyber risk management program.
– List counsel’s role in the engagement agreement.
– Develop a communications protocol at the outset.
• i.e., “if it doesn’t need to be in writing …”
• Counsel must actively lead and stay engaged in the process.
• Counsel should hire, direct, and receive information from consultants.
• If an incident occurs, consider multiple tracks:
– proactive risk management;
– normal business investigation;
– investigation in anticipation of litigation.
Photo credit: dave_7
Link: https://www.flickr.com/photos/daveseven/1910839183/in/photostream/
21.
Without a magic wand, how does cyber legal counsel help?
22.
Cyber Insurance
Key considerations about cyber insurance:
• If you don’t know you have it, you don’t!
• Does your broker really “get” cyber?
• Is your coverage based on your risk?
• Was security/IT involved in procurement?
• Does your coverage include social engineering?
• Does your coverage include contractual liability?
• Do you have first-party and third-party coverage?
• Do you understand your sublimits?
• Can you choose your counsel and vendors?
24.
Shawn E. Tuma
Partner & Co-Chair, Cybersecurity & Data Privacy Practice, Spencer Fane LLP
O 972.324.0317 | M 214.726.2808
stuma@spencerfane.com
web: spencerfane.com | blog: shawnetuma.com | @shawnetuma
Practitioner Editor, Bloomberg BNA – Texas Cybersecurity & Data Privacy Law
Board of Directors & General Counsel, Cyber Future Foundation
Board of Advisors, North Texas Cyber Forensics Lab
Policy Council, National Technology Security Coalition
Cybersecurity & Data Privacy Law Trailblazers, National Law Journal
SuperLawyers – Top 100 Lawyers in Dallas (2016)
SuperLawyers (2015–18)
D Magazine – Best Lawyers in Dallas (2014–18)
Officer, Computer & Technology Section, State Bar of Texas
Privacy and Data Security Committee, State Bar of Texas
College of the State Bar of Texas
Board of Directors, Collin County Bench Bar Conference
Past Chair, Civil Litigation Section, Collin County Bar Association
North Texas Crime Commission, Cybercrime Committee
InfraGard (FBI)
International Association of Privacy Professionals (IAPP)