Bryan Cave Leighton Paisner Banking Blog

Cybersecurity

Snow, Cybersecurity and Data Breaches with Jena Valdetero

On the latest episode of The Bank Account, Jonathan and I were joined by our Chicago partner, Jena Valdetero, to discuss snow, cybersecurity and data breaches. While Jena would normally be the one dealing with winter weather, it was Jonathan and myself watching the snow fall in Atlanta while Jena enjoyed a relatively warm, sunny day in Chicago.

Jena is part of Bryan Cave’s Data Privacy and Security Team, and joined us to discuss some of the current threats in cybersecurity and some of the steps that banks (and bank customers) should be taking, as well as offering some thoughts on how banks can assist their customers in minimizing the ever present cybersecurity risk.

Among the resources discussed by Jena were:

And I’m going to go change my passwords now….

Read More

Do you get Bragging Rights if the Malware Infecting your Computer was Named after Zeus?

Over the last decade as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into the use of cyber fraud insurance as one means of minimizing risk. A recent decision by the 8th Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.

In 2011, an employee at Bellingham State Bank in Minnesota initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases. In this instance the employee initiated the wire by inputting the passwords both for herself and the other employee and inserted both of the physical tokens. After initiating the wire the employee left the two tokens in the computer and left it running overnight. Upon returning the next day the employee discovered that two unauthorized wire transfers had been made from Bellingham’s Federal Reserve account to two different banks in Poland. Kirchberg was unable to reverse the transfers through the FedLine system. Kirchberg immediately contacted the Federal Reserve and requested reversal of the transfers, but the Federal Reserve refused. The Federal Reserve, however, did contact intermediary institutions to inform them that the transfers were fraudulent, and one of the intermediary institutions was able to reverse one of the transfers. The other fraudulent transfer was not recovered.

Bellingham promptly notified BancInsure of the loss and made a claim under their financial institution bond which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud. After an investigation, it was determined that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers. BancInsure denied the claim based on several exclusions in the policy including employee-caused loss exclusions, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system. In essence, the policy does not cover losses whose proximate cause was employee negligence or a failure to maintain bank computer systems. Bellingham contested the denial and brought suit in federal court for breach of contract.

Read More

What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?

In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”).  After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016.  If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy (“WISP”) and outline specific provisions (substantive and procedural) that must be contained in that document.  While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique.

Prior to the Proposal, at least four states already required that if a company collected financial information about consumers within their jurisdiction, some or all of the company’s security program must be reduced to writing; three states required that an employee be specifically designated to maintain a security program. More importantly, the federal Gramm-Leach-Bliley Act (“GLBA”) contains broad requirements that mimic many of the Proposal’s provisions. This includes, for example, the requirement that a financial institution conduct a risk assessment and maintain data breach response procedures.

Read More

How Many Times Do We Have to Tell You Not to Open the Cat Video

Everyone has been in a movie theater when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door. Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

  • “Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home computer.”
  • “My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I’ll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor the internet keeping us safe from bad people?”
  • “Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I’ll just click on the attachment and follow the instructions. Surely nothing bad will happen.”
  • “My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn’t know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won’t try and call his house or wife or his cell phone to double-check, I’m sure his email is legitimate.”

If you were in the movie theater you’d be yelling out “Don’t do it!” If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there though, waiting for the bank officer to hit that keystroke that opens the file. Now we see it watching as the person sits down at the computer and logs in, types in a password and initiates a wire transfer. The blob silently memorizes both the login ID and the password. Weeks can go by as the suspense builds. The ominous music begins to swell in the background; we know that something is going to happen when, as fast as lightning, the blob springs to life, initiating wire transfers for tens of millions of dollars.

Read More

Your Cybersecurity Expectations and Standards Have Just Gone Up

On June 30, 2015, the FFIEC released a Cybersecurity Assessment Tool and User’s Guide (“Guide”) intended “to help institutions identify their risks and assess their cybersecurity preparedness.” Financial institutions handling sensitive customer data should view this as a mixed blessing.

It is often said by technology and cybersecurity experts that the question is not whether a company will experience a security breach, but when. The important question then is how the company responds to that breach. One implication of these statements is that an institution should do the best that it can, but that no one should be punished too severely when the inevitable breach occurs. It was, after all, unavoidable.

The release of the Cybersecurity Assessment Tool arguably changes that analysis. Now there are more specific standards against which institutions may be judged. Those who fail to conduct an adequate cybersecurity risk assessment and implement appropriate controls can expect, when the inevitable security breach occurs, that plaintiffs and regulators will point to the Cybersecurity Assessment Tool as evidence that the institution failed to take appropriate steps to mitigate the risks.

Read More

FDIC Examinations and Cyberattack Risk

FDIC bank examinations generally include a focus on the information technology (“IT”) systems of banks, with a particular focus on information security. The federal banking agencies issued the Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third party service providers (“TSPs”).

The FDIC Office of the Inspector General recently issued a report evaluating the FDIC’s capabilities regarding its approach to evaluating bank risk to cyberattacks. The FDIC’s supervisory approach to cyberattack risks involves conducting IT examinations at FDIC-supervised banks and their TSPs; staffing IT examinations with sufficient, technically qualified staff; sharing information about incidents and cyber risks with regulators and authorities; and providing guidance to institutions. The OIG report determined that the FDIC examination work focuses on security controls at a broad program level that, if operating effectively, help institutions protect against and respond to cyberattacks. The program-level controls include risk assessment, information security, audit, business continuity, and vendor management. The OIG noted, however, that the work programs do not explicitly address cyberattack risk.

Read More

Negotiating a Mobile Banking Vendor Contract

Adding or upgrading mobile banking is a major project, as is simply changing a bank’s vendor or service provider for mobile banking. This article summarizes the steps involved in doing so.

The banking regulators have all issued guidance on outsourcing activities to third parties. By any measure, a mobile banking service provider is a significant or critical relationship for a bank. The data security demands are significant and the bank is subject to significant strategic, reputation, operational, transaction, and compliance risks, among other risks.

Time may be the single most important consideration. To get the best deal for your bank, start the process of evaluating potential providers, selecting a vendor and negotiating a services agreement 12-18 months before an existing contract is due to renew or before your bank needs to launch a new service.

Due to the significant and high risk nature of mobile banking services, a bank should engage in comprehensive due diligence of its proposed service providers. (And yes, it is recommended that the bank engage in due diligence with more than one service provider, both to ensure it understands the marketplace and also to ensure that it gets a “market” level of service and healthy competition for its business.) Comprehensive due diligence means reviewing financial statements, verifying the vendor’s relevant experience (success in implementing mobile banking for comparable banks) and reputation with comparable banks, the vendor’s regulatory relationships, results of past exams and audits, litigation history, performance issues, data security issues, and consumer complaint history. If the vendor will subcontract or outsource any part of the services, the bank should perform comprehensive due diligence on those subcontractors as well.

Read More