written by Blair Groves
Cyber crime has become one of the biggest threats to U.S. businesses in recent years, and banks aren’t immune to the risk. This became clear in 2014 when the personal information of approximately 83 million JP Morgan Chase customers was compromised in a major cyber attack that remains the biggest bank data breach in U.S. history.
To help lessen the risk of cyber crime at U.S. banks, the regulators have proposed a strict new set of cyber security regulations referred to as the Enhanced Cyber Risk Management Standards. These rules only apply to big banks with total assets of $50 billion or more, but community banks would benefit by adopting some of these best practices regarding cyber security.
Potential Systemic Consequences
Banking regulators are rightly concerned about the possible effects of another cyber-attack comparable in scale to the JPMorgan Chase could have on the U.S. financial system as a whole. It’s conceivable that a major attack at one large financial institution could spread to interconnected banks and threaten the entire system.
This major concern is why the new enhanced cyber security regulations have been proposed. The regulations are comprised of a set of resilience and risk management standards designed to help banks prepare for and respond to major cyber attacks.
The new cyber security regulations identify five categories of cyber standards:
- Cyber risk governance — Requires the creation of a broad cyber-risk management strategy.
- Cyber risk monitoring and management — Requires the level of cyber risk be maintained within board-approved risk appetite and tolerance levels.
- Cyber resilience — Requires that strategies be implemented to ensure business continuity should a cyber attack occur.
- Records storage — Requires that protocols be established for secure storage of critical bank records.
- Situational awareness and incident response — Requires banks to establish mandatory recovery times and strategies in the event of a cyber attack.
Go on the Offensive
The best defense against cyber attacks is a strong offense. But even the best-defended bank could be vulnerable to dedicated cyber thieves.
Therefore, you should draft a cyber attack incident response plan that spells out exactly how your bank will respond in the event of a cyber-attack. Your plan should detail backup and restoration procedures for your critical data, identify a bank spokesperson who will communicate with the media, and lay out a strategy for alerting and communicating with your customers.
Community banks should check out the Federal Financial Institutions Examination Council’s (FFIEC) Cyber security Assessment Tool. This tool will help your bank identify its cyber security risks and assess your preparedness level. Visit https://www.ffiec.gov/cyberassessmenttool.htm to learn more.