GENERAL COUNSEL CORNER
FALL 2015
PRESENTED BY GEORGIA'S LAW FIRM: LEGAL NEWS AND UPDATES FOR CBA MEMBERS

FFIEC Assessment Tool Helps Officers and Directors Address Cybersecurity
by Thomas A. Simpson

Financial institutions are the objects of frequent and sophisticated cyberattacks. The sources of potential cyberattacks have multiplied over the past decade, with threats no longer limited to crafty internet hackers attempting to access customer account information through an institution's website. For example, sophisticated fraudsters recently have accessed confidential customer information by loading malware onto point-of-sale card readers, by hacking into vendor computer networks and by accessing employee laptops.

The implementation of effective controls to protect against cyberattacks should be a key component of every financial institution's enterprise risk management plan. A successful cyberattack can be costly, including the costs for customer reimbursement, card reissuances, litigation and fraud monitoring services. Failure to prevent a cyberattack can also damage an institution's market reputation, attract regulatory scrutiny and raise questions about the board's competence.

THE FFIEC CYBERSECURITY ASSESSMENT TOOL

Financial institutions are required by law to safeguard confidential customer information. To assist in this endeavor, the Federal Financial Institutions Examination Council has developed a "Cybersecurity Assessment Tool" to be used by FDIC-insured depository institutions (www.ffiec.gov/cyberassessmenttool). The Cybersecurity Assessment Tool provides a repeatable and measurable process for institutions to measure their cybersecurity programs. It consists of two assessments: the "Inherent Risk Profile" assessment and the "Cybersecurity Maturity" assessment.

The Inherent Risk Profile assessment measures a financial institution's inherent vulnerability to cyberattacks. The Inherent Risk Profile incorporates the type, volume and complexity of the institution's operations across five risk categories, through which the institution's activities, products and services are assessed according to risk levels ranging from least inherent risk to most inherent risk. The five categories are: technologies and connection types; delivery channels; online/mobile products and technology services; organizational characteristics; and external threats. Once the tool identifies the institution's inherent risks and the threats associated with specific products, activities or services, management will then perform the second assessment.

The Cybersecurity Maturity Assessment helps management measure the institution's level of risk and corresponding controls. Under this assessment, the cybersecurity operations of the financial institution are categorized into five domains, which are evaluated through a series of "assessment factors." For example, one domain, "Cyber Risk Management and Oversight," is evaluated by examining the institution's governance processes, risk management procedures, employee training practices and internal resource allocations. After completing the Cybersecurity Maturity Assessment, management will assign one of the following maturity levels to each domain:

1. Baseline - the financial institution adheres to the minimum expectations required by law and includes primarily client-driven objectives.
2. Evolving - the financial institution implements additional formalities and documented procedures or policies that are not already required by law.
3. Intermediate - the financial institution's cybersecurity system follows detailed, formal processes and the controls are both validated and consistent. Risk management practices are integrated into a broad, comprehensive strategy.
4. Advanced - the financial institution's cybersecurity practices are well integrated across the business. Practices are automated and continue to improve.
5. Innovative - the financial institution is an industry leader in cybersecurity processes, development and technologies.

For directors and officers, use of this self-assessment tool will assist in developing effective safeguards to protect their institutions against cyberattacks.

WHEN PREPARATION AND PROCESSES FAIL

Unfortunately, not all cybersecurity risks can be identified and eliminated. In addition to developing effective controls to protect against cyberattacks, directors and officers should also consider purchasing a specific cybersecurity liability insurance policy ("Cyberpolicy"). Cyberpolicies are not standard components of traditional corporate insurance programs, but such policies provide valuable protection against financial losses inflicted by successful cyberattacks. Cyberpolicies are relative newcomers to the insurance market and should be tailored to an institution's risk profile. Cyberpolicy coverages typically include the following: liability expenses (i.e., defense costs, damages, loss of customer funds, credit monitoring costs, forensic investigations and regulatory fines) connected to network security failures, wrongful disclosure of confidential information, regulatory investigations and attacks facilitated by a third-party vendor; and losses suffered by the institution as a result of a network-related business interruption. Directors should also review the institution's D&O insurance coverage to ensure that it provides appropriate protections in the event that a cyberattack results in breach of fiduciary duty claims against directors and officers.

CONCLUSION

The risks posed by cyberattacks are an unfortunate reality in the financial services industry. Financial institutions should use a multifaceted approach to shield themselves from such risks. Directors and officers should ensure that their institutions are using effective cybersecurity risk assessment tools to identify potential cybersecurity threats, implement effective controls to mitigate such threats and ensure that appropriate insurance coverage is available to protect the institution and management.

Thomas A. Simpson, Associate, (404) 997-7506

OFFICES: MACON + ATLANTA
cbahotline@jamesbatesllp.com

"General Counsel Corner," a recurring column featuring legal news and information of interest to CBA members, is brought to you by James-Bates-Brannan-Groover-LLP. Visit us at GeorgiasLawFirm.com. Have a topic you would like to see covered in "General Counsel Corner"? Email us at generalcounselcorner@jamesbatesllp.com