Mitigate Damage: The 4 Critical Steps For a Bank CISO’s Playbook
Financial institutions are one of the most vulnerable targets for cyberattacks — and today’s Bonnies and Clydes are after more than just cash. Social security numbers, credit card accounts, and sensitive financial data are all up for grabs when a bank is breached, creating perfect conditions for costly and time-consuming cyber nightmares — for clients and institutions alike.
Having a playbook in place in the event of a breach can help your financial institution avoid costly fines, reputational damage, and future attacks. Below are four critical steps CISOs in financial institutions need to take after a data breach.
Step 1: Know the Rules
Under the Gramm-Leach-Bliley (GLB) Act, financial institutions are legally required to ensure that their client’s details are safe and confidential: They must have a written plan that outlines how they protect customer data; use service providers with security safeguards in place; train their employees on cyber security best practices; and work with law enforcement in the event of a breach.
Sounds simple enough, but each state has its own set of rules and regulations for working with local and federal law enforcement when sensitive data is compromised. A new federal breach notification law proposal would create a universal set of regulations overwriting local laws, but, in the meantime, CISOs need to make sure they understand the scope of their responsibilities — as well as their power of authority — and be fluent in local legalese when devising their company’s own plan.
Step 2: Call the Feds
It might seem easier to quietly pay off cybercriminals rather than deal with an embarrassing public fallout and sky-high fines. Not only is it not easier, it is a spectacularly bad idea. Best practice is to follow protocol and alert the authorities, immediately.
Not convinced? Let’s entertain the idea of an institution responding to ransomware by quietly slipping Bitcoins to cybercriminals as payment. Bypassing lengthy investigations and the disruption of daily activities — not to mention neatly sidestepping loss of trust from customers and clients if the attack is exposed — may sound appealing, but the fallout could be worse than the breach itself. There’s no guarantee that the attackers would hold true to their word and relinquish control, or that they wouldn’t abuse the data to which they’d gained access. There is also zero guarantee that the group wouldn’t make their actions known — either by simply announcing it or by broadcasting the very data they stole. Just ask Joe Sullivan, former CISO at Uber, who faced charges from the FBI after taking matters into his own hands and paying a ransom.
Step 3: Own Up and Alert Your Customers
The fear of shouldering the blame for a breach is understandable, especially when 23% of companies report executive firings following cyberattacks. Banks are burdened with safeguarding their customers’ finances and their personal identifiable information, making a breach a particularly nasty pill to swallow. However, a careful and methodical response can help to protect and retrieve clients’ information — and help institutions save face.
In April of 2021, the Bank of Oak Ridge in North Carolina reported a data breach affecting an undisclosed number of accounts. Social Security numbers, bank account numbers, and driver’s license numbers were exposed.
In response, the bank closed all five of its branches for two days while the FBI assisted with the investigation. When they determined who was likely affected, the bank alerted its customers and offered free identity protection. By reporting the incident quickly, following protocol, and communicating with transparency, the bank dodged legal fines — and remained in business.
Never heard of this incident? Exactly.
Step 4: Conduct a Critical Vulnerability Scan
Bad things happen to even the best IT teams, but there’s no excuse for being hacked or attacked in the same way twice. Below are high-level practices all organizations should adopt in the aftermath of — and well before — an attack.
Prioritize security from the top down. For security measures to be effective, executive level buy-in is a must. It’s on CISOs and other C-suite execs to make cybersecurity and awareness a core part of organizational culture.
Know your risk profile. Clearly identifying your industry’s attack vectors, gaming out different cyberattack scenarios, and being aligned on your organization’s most valuable assets — and how to protect them — is crucial to creating and executing effective cyber security initiatives.
Take threats seriously. Prepare for the worst. Seriously. (Read more: Why Executives Should Play Cyber War Games)
Enforce your policies. Security policies should be baked into day-to-day operations — and outlined in terms that all employees (not just tech geeks) can understand. Document everything, automate whenever possible, and keep things simple.
Back it up. Data loss can be a death blow to an organization — many never fully recover. Keep a copy of critical data in a secure offsite location and regularly test your backups.
Keep up with security patches. Sounds like a no-brainer, but regularly applying legitimate security patches to software and hardware systems is often overlooked. Are there examples where a security patch created a vulnerability? A couple. Are there examples where the lack of a patch created a huge problem? A couple thousand.
If a bank wants to mitigate the damages from a cyberattack and maintain its customers’ trust, the CISO should get to know the applicable local and federal laws, create a plan, and communicate any data breaches without fail. An attack is all but inevitable, but how an institution reacts determines whether it will recover and move on, or keep on taking hits even after the ransom is paid.