The Conference of State Bank Supervisors has released “Cybersecurity 101: A Resource Guide for Bank Executives,” a document bank CEOs, senior executives, and board members can consult as they respond to cyber-security threats. It collects industry-recognized standards and best practices that are currently used within the financial services industry.
The guide is structured around the five core functions outlined in the National Institute of Standards and Technology’s cyber-security framework: identify internal and external cyber risks; detect system intrusions, data breaches, and unauthorized access; protect organizational systems, assets, and data; respond to a potential event; and recover from an event by restoring normal operations and services.
Questions it suggests that bank CEOs ask:
Does my bank fully understand what information it manages, where the information is stored, how sensitive it is, and who has access to it?
What are my institution’s key business assets? Do I have adequate protection for them?
How is staff identifying risks and providing accurate and timely information about those risks? What is our ability to mitigate those risks?
To adequately assess risk, a bank must first identify its critical information assets, those regarded as highly sensitive and essential to the organization, the guide suggests. These can be people (employees or customers), property (tangible and intangible), or information (databases, critical company records). All information assets should be classified according to a defined category of sensitivity, and documented policies and procedures for classifying documents should be established.
Other advice offered in the guide:
Security controls should actively manage (inventory, track, and correct) all hardware devices and software on the network so that only authorized devices have access, and unauthorized, unmanaged devices are found and blocked.
Security measures should reliably authenticate customers accessing financial services via a bank’s website. An effective authentication system is necessary for compliance with the Gramm-Leach-Bliley Act’s requirements to safeguard customer information and with requirements to prevent money laundering and terrorist financing.
Identify and separate critical information assets from less sensitive assets and establish multiple layers of security. Attackers are often able to reach sensitive data because it is stored on the same servers, with the same level of access control, as far less important data.
When creating an incident response team, include the CEO, head of IT, legal personnel, human resources, and the head of communications.
The incident response plan should address the protocols for communicating a breach to customers, regulators, law enforcement, and other stakeholders.
Management should routinely audit and test its response plan, at least annually.
Third parties with access to bank data must also have appropriate security measures in place, the guide stresses. It suggests contractual obligations to maintain sufficient data safeguards and regular assessment of whether those third parties are meeting the requirements. Banks can require that vendors maintain a written security program, provide prompt notification of any potential security incidents, and return or appropriately destroy company data at the end of the contract.