Airtight breach prevention remains elusive in every industry. This makes a breach response plan your best bet to minimize your risks and mitigate damage.
By Karen Epper Hoffman
Reports of network compromise in the headlines nearly every day mean businesses and the general public have realized that when it comes to data breaches, the question is not if it will happen, but when.
Recognizing the fait accompli that is the eventual data breach, many community banks are writing and rewriting their breach playbooks to minimize the fallout for them and their customers when their bank falls victim to a breach.
“The old cliché ‘An ounce of prevention equals a pound of cure’ is certainly applicable to ensuring the safety and security of an organization’s digital and mobile platform,” says Juancarlos Martinez, vice president and information security manager for Columbia Bank, a $12.6 billion-asset community bank in Tacoma, Wash. “As such, the foundation of sound cybersecurity comes down to a bedrock of business operations: planning.”
Percentage of 2017 U.S. data breaches involving a financial sector company
Indeed, cyberattackers are increasingly targeting community banks (and small and medium-size businesses and agencies in general) as potentially easier targets for compromise, according to research from ITPAC Consulting. With fewer financial and personnel resources to dedicate to IT security, and a more welcoming and flexible attitude toward customers and prospects, community banks may indeed be opening themselves up. But bankers and IT security experts agree that community financial institutions need not sacrifice the elements that make them desirable to customers or spend a fortune to improve security posture.
“It is optimal to take the stance of ‘when, not if’ regarding the likelihood of a breach,” Martinez points out. “By developing and continually evaluating your community bank’s security plan, you stand a much better chance of minimizing negative impacts.”
With that in mind, how can a community bank minimize the impact of a cybersecurity breach before and after it happens?
Make a detailed response plan
For a community bank, “or any organization for that matter, the most important step to minimize the impact of a cybersecurity breach is to develop a robust breach response plan that provides a step-by-step guide to assessing the threat, containing the threat, communicating to all stakeholders and implementing solutions,” says Martinez. Each bank should tailor its breach response plan to its specific geography, customer base and risk tolerance, he adds. Key elements would typically include:
- the basic security framework evaluated and installed, such as firewalls, intrusion detection and other security measures
- a “detailed collaboration matrix,” as Martinez describes it, with all key internal stakeholders, “so every key department knows what to do and when … [including] your communications and legal teams”
- tools to evaluate and test the plan and its effectiveness
- tools to evaluate the bank’s response to a breach “so the entire company can benefit from lessons learned,” says Martinez.
“The more rapidly an incident is discovered and dealt with, the less damage the hackers can do.”
—Seth P. Berman, Nutter, McClennen & Fish LLP
Seth P. Berman, partner and lead of the privacy and data security practice at Nutter McClennen & Fish LLP, agrees. “The single best thing to minimize the impact of a cybersecurity incident is to have a comprehensive plan in place to respond to an incident quickly,” he says. “The more rapidly an incident is discovered and dealt with, the less damage the hackers can do.”
Support and reinforce security education and training
More often than not, cyberattacks exploit the human willingness to respond, to help, to click on the seemingly innocuous email attachment. ITPAC Consulting cites education of both customer-facing staff and the C-suite and board of directors as one of the two essential steps a community bank must take to be prepared and protected. For the average employee, regular and useful IT security training keeps these threats top-of-mind and easier to catch. For the top brass, risk education can help them better understand the enormity of the actual cybersecurity risk and ensure their buy-in.
Test the plan
Not only should a community bank create an incident response plan that details how it will respond to a potential incident from start to finish, it should also test it, says Thomas J. Curry, partner in the corporate and transactions department and a co-leader of the banking and financial services group at Nutter McClennen & Fish LLP. Curry, who served as comptroller of the currency until May 2017, adds that plan elements should be updated regularly to detail:
- how an incident should be escalated to senior management and the board
- who internally has overall responsibility for the investigation
- who else within the bank must be involved in the investigation
- who the outside technical and legal advisers are
- when and how customers and other affected outside parties are notified.
“Community banks should also adopt protocols for sharing cybersecurity incident information with regulators, law enforcement and industry information sharing groups promptly,” Curry adds, “and in a manner consistent with applicable legal requirements.”
Karen Epper Hoffman is a writer in Washington state.