Financial institutions and securities market participants continue to face escalating cyber threats – in frequency, volume, and severity. The many reasons for the escalating risk include:
- Financial services companies are high-value targets. They aggregate large volumes of sensitive and valuable data, and they have and move large sums of money.
- The increased length of the software supply chain, including the use of third-party applications, has expanded the attack surface for bad actors.
- The interconnectedness of the modern financial services industry exposes companies to the risk of business disruption or data loss from third-party cyber incidents, such as incidents at other financial institutions' vendors and customers, exponentially expanding the impact of incidents.
- Threat actors continue to grow both in number and in sophistication. They are quick to adopt new technology, such as AI.
Enterprise risk management therefore requires considering a range of risks. A data breach of confidential information brings significant legal risk and reputational harm. Particularly severe outcomes include a costly disruption to business operations that can impair the functioning of the broader financial system or securities markets. Major incidents are complex, high-stakes, and stressful.
Planning Properly
Effective preparation before an incident is critical to reducing cyber risk and to ensuring that a company is not in a purely reactive mode when an incident happens.
Organizations often have good intentions but face many challenges when preparing a response plan, such as:
- Lack of involvement or buy-in from senior leaders.
- A list of action items without a clear road map connecting them or a responsible party for each.
- Inadequate practice and testing.
- Overlooking the importance of communicating with stakeholders during an incident.
The principles below can guide your organization in overcoming these challenges.
Apply an Enterprise Risk Mindset
An enterprise risk mindset approach to cybersecurity is:
Proactive
Address cybersecurity on an ongoing basis. Not only are threat actors constantly upgrading their tools and techniques, but the regulatory requirements are multiplying. If you are standing still, you will start to fall behind.
Holistic, enterprise-wide
Involve all decision-makers, including senior executives. Organizations cannot relegate cybersecurity risk to a technology issue; cyber-attacks can affect the entire organization, so mitigating the risks requires input, knowledge, and buy-in at all levels. Moreover, many regulators, from the Bank of England to the Federal Reserve, now require boards and senior management to oversee the organization's operational resilience and cybersecurity programs.
Up-to-date
Stay abreast of what's changing, including how other organizations are handling these risks and how financial services regulators across the globe are increasing their scrutiny, regularly releasing regulatory guidance and writing new rules.
Practice
Identify the steps to take in the event of an incident and who will be responsible for each task, and practice executing the plan. Tabletop exercises are an excellent way to identify gaps, assign responsibilities for actions (such as communicating with stakeholders, making legal decisions, and notifying regulators), and practice response scenarios. Financial services regulators, such as the Bank of England, use scenarios that are "severe but plausible." Also, involve all senior leaders and the board of directors—don't have an actual incident be the first time a key decision-maker interacts with a cyber incident response plan.
Assemble A Toolkit
It should include:
Governance protocols
Develop internal protocols to help board members and senior leaders stay abreast of cyber risk. Cybersecurity risk is an enterprise risk, so senior leaders need this information to provide direction on how to balance cybersecurity risk against cost and business need.
Staffing and technology
Take a thoughtful approach to hiring, developing, and retaining experienced cybersecurity professionals during a widespread shortage of such talent. And keep investing in the technical tools needed to keep up with threat actors' expanding capabilities.
Third-party advisors
Get third-party help with legal, technology, and communications, areas critical to navigating cyber risks. Select and onboard these third parties as part of the incident preparation process, which will save valuable time when third-party help is needed during an incident.
Guardrails
Apply a risk-based approach to find guardrails that make sense for your sector, stakeholders, size, geographic location, and consumer and regulatory expectations, among other factors.
Get Set to Communicate
Delays in communications may give regulators, clients, and the public the impression that the organization is ill-prepared for a crisis, is not taking the issue seriously, and cannot comply with applicable regulations, particularly those involving public disclosure or operational resilience under SEC, NYDFS, and OCC rules. Before an incident:
- Assemble a clearly defined team of "first responders" who have authority to work with outside counsel and other advisors to serve as the voice of the institution, coordinating and approving communications.
- Ensure that all employees understand that during an incident only approved communications should be shared outside the company.
- Prepare alternative communications channels in case of technical outages.
It Starts at the Top
It's worth repeating that cyber risk management requires preparedness at every level, beginning at the board level. A well-prepared leadership team—educated in the risks and committed to enforcing high-quality mitigation programs—will help steer the company through a crisis.
Additional Authors from FTI Consulting
Meghan Milloy, Managing Director
Matt Saidel, Managing Director
© Copyright 2024. The Mayer Brown Practices. All rights reserved.