ARTICLE
28 April 2017

Banks Boards Of Directors Face New Cybersecurity Challenges

B
BakerHostetler

Contributor

BakerHostetler logo
Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com
Banks' boards of directors must, among other things, understand the risks associated with existing and planned IT operations, monitor risk management, and work with senior bank managers on strategic technology planning.
United States Finance and Banking

Banks' boards of directors must, among other things, understand the risks associated with existing and planned IT operations, monitor risk management, and work with senior bank managers on strategic technology planning. See the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook InfoBase. Recent changes in the types of attacks perpetrated by cyber criminal groups and attackers' increased skill levels have changed how board members should approach these cybersecurity responsibilities.

The number of ransomware attacks against businesses in the U.S. quadrupled in 2016, according to Beazley, a leading cyber insurance carrier. The FBI estimates that U.S. businesses paid more than a billion dollars to ransomware attackers in 2016. The number of such attacks is projected to increase again in 2017.

The dramatic increase in ransomware attacks should cause banks' board members to ensure that their banks' information technology managers and the banks' critical vendors have stored backups of mission-critical data offline so that the data cannot be encrypted by a ransomware attack. Board members should also ensure that the backups can be quickly restored so that a ransomware attack will not significantly impact bank operations. Board members should review their banks' insurance coverage to determine whether existing policies will cover losses caused by interruptions related to ransomware attacks on their banks or on critical vendors.

The intensity of distributed denial of service (DDoS) attacks has also increased. Attackers now use Internet of Things (IoT) devices to launch and maintain the attacks. The use of an IoT botnet to disable Dyn, a large domain name service provider, in October 2016 illustrates that DDoS attacks of more than one terabits per second will be increasingly common. Board members should ensure that their banks' IT networks and those of their key vendors are protected against massive DDoS attacks by services that can absorb or divert the attacks.

Finally, the skills of attackers targeting banks' computer networks have improved to new levels. Mandiant's 2017 M-Trends report states on page 9: "The line between the level of sophistication of certain financial attackers and advanced state-sponsored attackers ... no longer exists." In other words, banks are being targeted by attackers with skills equivalent to those of attackers employed by Chinese and Russian intelligence agencies. How advanced are those skills? Extremely advanced, according to a February 2017 report by the Department of Defense (DoD), Defense Science Board, Task Force on Cyber Deterrence (page 4): "For at least the coming five to ten years, the offensive cyber capabilities of our most capable potential adversaries are likely to far exceed the United States' ability to defend and adequately strengthen the resilience of its critical infrastructures."

To ensure their banks are prepared for such attackers, board members should advocate that the banks engage the best security firms available to conduct "red team" tests of the banks' defenses, detection tools and incident response procedures. Board members should also work with senior managers to ensure the banks engage incident response vendors, such as forensic firms and knowledgeable counsel, to assist when cybersecurity incidents occur.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More