Bryan Cave Leighton Paisner Banking Blog


Cyber Attack


Cyber Criminals Don’t Dig Mile Long Tunnels

Digging a tunnel for a mile so that El Chapo could slip into the shaft through his shower and disappear from a high-security Mexican prison is something you might expect a Hollywood screenwriter to come up with. Is it any more remarkable, though, than a cyber-criminal reaching all the way around the world to try to slip into the computer system of a bank, or of one of the bank’s customers, in order to initiate a wire transfer?

We live at a time when individuals and criminal gangs can reach across oceans and national boundaries to try to initiate unauthorized transfers of funds. Bankers understand that this is a hot topic and that the risk of cyber-fraud is what is currently keeping regulators awake at night. While a great deal of attention is now being focused on how to keep cyber criminals out of the bank, recent attacks on various public and private institutions illustrate the complexity of denying malefactors access.

In such an environment, bankers look to various risk management strategies, including insurance coverage in the event a breach occurs. The first question many banks raise is about their existing insurance coverage: are we already covered under any of the myriad existing policies we are required to maintain? For example, what about our general liability coverage? While there may be some exceptions, the typical general liability insurance policy that banks have traditionally purchased oftentimes contains an exclusion for losses incurred by data breaches or intrusions to bank networks. If your existing policy does not currently contain such an exclusion, it is highly likely that on your next renewal the exclusion will be included. Thus, it is important for bankers to understand not only what their existing policy does or does not cover but also where industry trends are headed.


FDIC Examinations and Cyberattack Risk

FDIC bank examinations generally include a focus on the information technology (“IT”) systems of banks with a particular focus on information security. The federal banking agencies issued implementing Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third party service providers (“TSPs”).

The FDIC Office of the Inspector General recently issued a report evaluating the FDIC’s capabilities regarding its approach to evaluating bank risk to cyberattacks. The FDIC’s supervisory approach to cyberattack risks involves conducting IT examinations at FDIC-supervised banks and their TSPs; staffing IT examinations with sufficient, technically qualified staff; sharing information about incidents and cyber risks with regulators and authorities; and providing guidance to institutions. The OIG report determined that the FDIC examination work focuses on security controls at a broad program level that, if operating effectively, help institutions protect against and respond to cyberattacks. The program-level controls include risk assessment, information security, audit, business continuity, and vendor management. The OIG noted, however, that the work programs do not explicitly address cyberattack risk.


When a Bank Should Disclose a Cyber Attack

As cyber attacks against financial institutions have become more and more frequent, and the possibility of significant adverse consequences from a single attack has increased, financial institutions have been stepping up cyber security processes for some time. However, many institutions still grapple with the appropriate level of disclosure to shareholders regarding cyber security.

Cyber attacks can come from all directions and in all shapes and sizes—from the stolen employee laptop to a hacked computer system that allows fraudulent transfers from an account. Attacks where the criminals bypass both the computer systems of the bank and its customers and instead access the systems of the bank’s outside service providers can also leave the bank at risk. Which of these attacks or potential attacks merit disclosure?
