Caught in the Crossfire: The Rising Threat of Cyberattacks on Financial Institutions and the Heightened Expectations of Financial Regulators
By The Global Banking and Payment Systems Practice
Within the last year, cyberattacks involving data breaches caused by hackers or unauthorized parties have grown in number and sophistication. While cyberattacks pose a threat to all organizations, financial institutions are particularly at risk, as they hold not only funds but also private data on consumers and commercial entities. In recent years, cyber criminals have used online banking and payment systems to transfer money directly from financial institutions’ accounts to their own accounts, and have even seized control of bank ATMs and caused cash to be dispensed at predetermined times to waiting recipients in complex and orchestrated cyber heists. The Moscow-based security firm Kaspersky Lab estimates that one coordinated cyberattack against banks and financial institutions initiated in late 2013 may have caused losses of up to USD$1 billion,
Given the real and rising threat of cyberattacks against financial institutions and the potential for significant impact to the global economy, financial regulators and law enforcement are becoming increasingly alert to such risks and heightening their scrutiny of cybersecurity programs. In the wake of heightened regulatory expectations, financial institutions may find themselves fighting a two-front war—preventing cybercriminals from gaining access to funds and private data, and satisfying the compliance requirements and requests of their regulators and law enforcement. In combatting cybercrime and cyberterrorism, financial institutions are finding it more important than ever to work with their regulators and law enforcement, while recognizing that the institutions’ goals and the goals of regulatory and law enforcement authorities may not always neatly align.
The Rising Threat of Cyberattacks
Cyberattacks generally take two forms—untargeted and targeted attacks. In an untargeted attack, criminals do not focus on a particular victim but target as many devices, users or services as possible using techniques such as phishing (sending mass emails requesting sensitive information or directing users to visit fake websites), water holing (creating fake websites or compromising legitimate websites in order to exploit visitors), ransomware (locking users out of their files, typically by encrypting them, and holding the files hostage until the owner of the system pays a ransom to have them unlocked, which often does not happen even after the ransom is paid), and scanning (attacking wide sections of the internet at random).
Cyberattacks—Increasingly Sophisticated Strategies
In the series of coordinated bank cyberattacks that was initiated in late 2013, an unknown group of criminals has already stolen as much as USD$1 billion from banks and financial institutions,
This is just one example of the wave of recent cyberattacks targeting banks and other financial institutions, and it indicates a clear trend toward more sophisticated attacks by cybercriminals familiar with the financial industry. Understandably, the increase in the number and sophistication of cyberattacks has alarmed financial regulators and law enforcement officials. The White House and Congress have also taken notice.
Recent Attacks on Financial Institutions
In 2014, cybercriminals waged what appears to be an expanding offensive of cyberattacks on financial institutions. Among the more notable cyberattacks was a July 2014 attack in which a large regional bank network was accessed by an unknown third party, placing over 72,000 customer accounts at risk of exposure. Following an investigation, it was determined that the unauthorized third party may have obtained access to customer information, including names, addresses, account numbers, account balances, and personal identification numbers.
A particular aspect of cyberattacks that complicates banks’ ability to effectively monitor and maintain adequate cybersecurity protocols is that an attack may sometimes come through very conventional means that exploit a network system or process vulnerability that is not evident or obvious to the institution. This was the case when a highly publicized mobile payment platform was unveiled and, rather than hacking into the payment system itself, cybercriminals seized upon a method employing identity theft to exploit the customer sign-up process and validate credit cards for use on the new payment system.
Policymakers, Regulators and Law Enforcement on High Alert
The federal government has recognized and taken various steps to respond to the growing threat of cyberterrorism, including two recent Executive Orders (“EOs”) from the White House and legislative efforts from Capitol Hill. On February 13, 2015, President Obama signed EO 13691, “Promoting Private Sector Cybersecurity Information Sharing.”
On April 1, 2015, the President signed another Executive Order, EO 13694, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”
Policymakers on Capitol Hill have also been busy addressing concerns from cybersecurity risks. Lawmakers have been grappling with cybersecurity legislation since 2012, when the Senate twice failed to pass a bill due to business concerns that new legislation would put too heavy a burden on the private sector. This year, however, these concerns may give way to greater concerns of national security. On April 22, 2015, the U.S. House of Representatives passed H.R. 1560, the Protecting Cyber Networks Act,
In addition to these policy initiatives, U.S. and U.K. law enforcement agencies are jointly preparing to develop their defenses against cyberattacks. This year, the U.S. Federal Bureau of Investigation (“FBI”) and the U.K.’s MI5 plan to stage war-game cyberattacks to test the cybersecurity infrastructure and response capabilities of the City of London and Wall Street, as both countries’ financial institutions and law enforcement work to enhance defenses against cyberterrorism.
State and federal bank regulators are also at full alert. As Benjamin Lawsky, head of New York’s Department of Financial Services (“NYDFS”), has observed, a large enough cyberattack on Wall Street firms could “spill over into the broader economy.” As noted by Lawsky, regulators “are concerned that within the next decade, or perhaps sooner, we will experience an Armageddon-type cyber event that causes a significant disruption in the financial system for a period of time.”
Finally, as most banks know by now, the federal banking agencies (“FBAs”)
Heightened Regulatory Expectations
In connection with the FBAs’ increasing concerns regarding cyberattacks, over the past few years the FBAs have issued various cybersecurity and data breach guidance. In 2014, the FFIEC piloted a cybersecurity examination work program involving over 500 community institutions “to evaluate their preparedness to mitigate cyber risks.”
this dependence, coupled with increasing sector interconnectedness and rapidly evolving cyber threats, reinforces the need for engagement by the board of directors and senior management, including understanding the institution’s cybersecurity inherent risk; routinely discussing cybersecurity issues in meetings; monitoring and maintaining sufficient awareness of threats and vulnerabilities; establishing and maintaining a dynamic control environment; managing connections to third parties; and developing and testing business continuity and disaster recovery plans that incorporate cyber incident scenarios.
Based on the findings from the 2014 pilot program, the FFIEC describes cybersecurity preparedness as requiring risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience.
Risk management and oversight involves governance, allocation of resources, and training of employees. The FFIEC recommends that directors and senior management routinely discuss cybersecurity issues to create a security culture at the institution, and that the institution clearly define the roles and responsibilities for identifying, assessing, and managing cybersecurity risks across the institution. Training programs should be updated to respond to changing circumstances and provided routinely.
Threat intelligence and collaboration requires the analysis of information to identify, track and predict cyberattacks, and includes monitoring and sharing information from multiple sources. According to the FFIEC, institutions should participate in information sharing forums, like the Financial Services Information Sharing and Analysis Center (“FS-ISAC”), and identify relevant points of contact with law enforcement and regulators. Additionally, the FFIEC recommends maintaining event logs so that cyber events can be understood after they occur, broadening the institution’s understanding of trends and potential vulnerabilities.
Cybersecurity controls should include preventative controls to impede unauthorized access to systems, detective controls to identify attacks, and corrective controls to address identified vulnerabilities. Financial institutions should incorporate measures that impede unauthorized access to their internal systems and consumer data, such as by encrypting consumer information. Institutions should also invest in and implement anti-virus and anti-malware detection tools, routinely scan information technology networks for vulnerabilities and suspicious activity, and test systems for exposure. Furthermore, institutions should develop and test processes for shutting down unauthorized access and remediating damage to IT systems.
External dependency management involves connectivity to third party providers and customers and the financial institutions’ oversight of these relationships. The FFIEC recommends that institutions consider the risks of each relationship and evaluate a third party’s cybersecurity controls before entering into third party contracts.
Cyber incident management and resilience involves incident detection, response, mitigation and reporting. According to the FFIEC, financial institutions should have procedures for notifying customers, regulators and law enforcement when incidents occur. Institutions should also develop business continuity and disaster recovery plans, and test such plans across business functions to identify gaps before cyberattacks occur.
On March 17, 2015, the FFIEC announced that it plans to develop a cybersecurity self-assessment tool this year to assist institutions in evaluating their cybersecurity risks and risk management capabilities. It is expected that the self-assessment tool will track the core cyber risk management components noted above. The FFIEC also noted that it plans to improve its collaboration with other regulators and law enforcement, and enhance incident analysis, crisis management, training, policy development, and technology service provider strategies. Two weeks later, on March 30, 2015, the FFIEC issued two joint statements—a Joint Statement on Cyberattacks Compromising Credentials
In the Joint Statement on Cyberattacks Compromising Credentials, the FFIEC agencies recommend fighting the threat of cyberattacks compromising credentials by having banks review their risk management practices and controls related to information technology networks and authentication, authorization, fraud detection, and response management systems and processes. In particular, the Joint Statement recommends some familiar themes, including:
Conducting ongoing information security risk assessments;
Performing security monitoring, prevention, and risk mitigation;
Protecting against unauthorized access;
Implementing and testing controls around critical systems regularly;
Enhancing information security awareness and training programs; and
Participating in industry information-sharing forums.
The companion Joint Statement on Destructive Malware provides that financial institutions and technology service providers serving the financial sector should enhance their information security programs to ensure they are able to identify, mitigate, and respond to a destructive malware attack. The Joint Statement further notes that, in addressing destructive malware issues, “business continuity planning and testing activities should incorporate response and recovery capabilities and test resilience against cyber-attacks involving destructive malware.”
Securely configure their systems and services; and
Review, update, and periodically test their incident response and business continuity plans.
In addition to the various FFIEC guidance applicable to national banks and federal thrifts, the OCC has promulgated guidance regarding its expectation that “banks [and thrifts] should have risk management programs to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security, and other controls as appropriate in response to changing levels of risk.”
In addition to the promulgation of guidance specific to cybersecurity programs, FBAs are increasingly considering a financial institution’s cybersecurity measures as part of the institution’s BSA/AML compliance obligations. In a recent speech on March 2, 2015 before the Institute of International Bankers, OCC Comptroller Curry stated that “the goals of BSA/AML and cybersecurity are increasingly converging. Terrorists, drug cartels, and cybercriminals all have a need to generate cash and move money, and it would seem that many of them would share some of the same goals. There are lessons to be learned from our decades-long experience in BSA enforcement that can be applied to the cybersecurity area, and vice versa.”
Risks and Consequences
Clearly, depository institutions of all sizes must make a significant commitment of resources, time and money to address the growing threat of cyber risks, and some institutions are experiencing adverse examination ratings in areas such as earnings, management and potentially even capital as a result of an inability to control and contain escalating compliance costs related to cybersecurity issues. Beyond this regulatory/supervisory “catch-22”, in which heightened compliance demands require additional resources while the cost of those resources weighs on the institution’s financial condition, banks and other depository institutions must be mindful of the following issues:
Consumer Litigation – ACH and wire-related fraud incidents continue to grow at an alarming pace. Identity theft and breaches of consumer privacy expose financial institutions to a significant risk of consumer litigation. For example, in 2014, a county hospital sued a large national bank to recoup losses from a cyber-heist in which cyber thieves broke into the hospital’s payroll accounts and put through three unauthorized ACH payments, siphoning over $1 million. The hospital sued the national bank for processing an unauthorized transfer request, arguing breach of a contractual provision incorporating the NACHA rules, which require the bank to implement a risk management program. The case is currently pending.
Compliance Risks – The pace of new regulatory requirements can challenge the change-management capabilities of some financial institutions and lead to increased operational and compliance risks if banks do not adequately invest in control processes, systems, or staff. Institutions may be cited for weak cybersecurity systems and inadequate controls as part of an overall operational risk review. Of particular concern is the likelihood that the industry will see increased enforcement actions given increased regulatory concerns over data privacy and cyberterrorism.
Operating Risks – Data breaches arising from a cyberattack can also lead to the loss of critical confidential commercial or financial information, significant operational dysfunction, and the theft of sensitive internal documents such as technical papers, R&D reports, and other communications.
Conflicting Obligations – In some cases, law enforcement authorities may ask financial institutions not to take action to stop a cyber-breach, in order to give law enforcement officials an opportunity to catch the cyber criminals. In fact, financial institutions regularly cooperate with law enforcement agencies to facilitate law enforcement’s “sting” type operations. In some cases, however, a risk-averse financial institution may prefer to immediately shut down access to systems and assess the damage, in order to protect consumers and thereby limit the institution’s own liability. Because governmental entities’ ability to indemnify a financial institution is often limited, financial institutions could also find themselves on the hook for potential damages in cases where law enforcement investigations go awry.
Reputational Risk – Data breaches expose customers to an increased risk of identity theft and loss of privacy, which will result in loss of confidence in a financial institution’s security systems and in the financial institution itself. Not only can a cyberattack damage an institution’s relationship with its customers, but the negative publicity surrounding a breach can have long-term impacts. A successful cyberattack not only can lead to loss of business, but can expose the financial institution to consumer litigation, regulatory enforcement actions, and even criminal investigations, all of which will further exacerbate damage to the institution’s reputation.
Fines and Penalties – Another significant concern is the possibility that a cyberattack could lead to the imposition of regulatory, civil and/or criminal fines and penalties arising from the failure of a depository institution to maintain an adequate cybersecurity program, which thereby results in a customer data breach.
Cyber Costs and Benefits – There are numerous additional costs and benefits that institutions must consider in the new world of cyber risks and vulnerabilities. One cost that many institutions are now taking on involves cyber insurance policies that can help to mitigate some of the costs and liabilities created by cyberattacks and data breaches. Where traditional insurance policies are insufficient, specialized cyber insurance policies now cover data breaches, identity theft, loss of data, business interruption, cyber extortion, crisis management, and other cyber-risk areas. As with any other significant cost decision, institutions must carefully weigh the extent of the additional insurance and whether the cost is justified based on the additional insurance protection provided under a particular cyber insurance policy.
Third-Party Risk Management – An area of particular concern to bank regulators is the exposure and vulnerability of banks to third-party service providers that may not be adequately prepared or equipped to address their own cybersecurity vulnerabilities and, thus, may wittingly or unwittingly act as a Trojan horse that exposes banks to new cyber risks. This is a critical compliance issue for all institutions in today’s complex information technology environment. In a report released earlier this month, NYDFS noted that vendors may sometimes provide a “backdoor entrance” for hackers seeking to steal sensitive bank customer data. Key report findings include:
Nearly 30% of banks surveyed by the NYDFS did not require third-party vendors to notify them of cybersecurity breaches;
Over half of the banks surveyed did not conduct on-site assessments of their third party vendors;
One in five banks surveyed by the NYDFS did not require third-party vendors to represent that they have established minimum information security requirements; and
Nearly half of the banks surveyed did not require a warranty of the integrity of a vendor’s data or products.
Impact on Smaller Institutions – Larger banks generally have sophisticated IT systems to guard against cyberattacks. By contrast, smaller community-based banks generally lack such systems and, therefore, are often a prime target for cyber thieves. Understanding this vulnerability, the FBAs are seeking to make sure that bankers have integrated cybersecurity systems into their operations. However, many institutions, particularly smaller community-based institutions, have yet to face a full-blown cyberattack and, thus, may not fully appreciate the extent of the risk. This remains a significant industry challenge.
Maintain an Effective Data Breach Response Program
At minimum, an institution’s data breach response program should include procedures for:
Identification Procedures – Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused.
Notification Procedures –
Notifying the primary federal (and state) regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;
Notifying customers when warranted in a manner designed to ensure that a customer can reasonably be expected to receive it; and
Filing a timely Suspicious Activity Report (“SAR”) and, in situations involving federal criminal violations requiring immediate attention (e.g., an active event), promptly notifying law enforcement authorities.
When an incident of unauthorized access to sensitive customer information involves customer information systems maintained by an institution’s third party service provider, it is important to remember that it is the financial institution’s responsibility to notify its customers and regulator.
Remediation Procedures – Taking appropriate steps to contain and control a cyberattack involving a breach incident to prevent further unauthorized access to or use of customer information.
Best Practices to Prevent and Mitigate Attacks and Data Breaches
At minimum, a financial institution’s data breach response program should contain procedures for:
Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;
Consistent with the financial institution’s obligation to file a SAR, filing a timely SAR, and considering voluntarily filing a SAR when circumstances warrant;
In situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing, promptly notifying appropriate law enforcement authorities;
Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and
Notifying customers when warranted in a manner designed to ensure that a customer can reasonably be expected to receive it, and providing support services—such as free credit monitoring—to consumers affected by a breach.
Additionally, financial institutions should consider implementing the following best practices:
Create and/or review your plan periodically – If your financial institution does not already have a plan in place to deal with data breaches and/or other cybercrime, evaluate the institution’s priorities and prepare a plan to initiate if an event occurs. Because of the high levels of risk associated with cybercrime, it is critical to identify and neutralize threats immediately, as well as take appropriate steps to mitigate damage.
Assemble an internal team – Your financial institution should also identify a team with security expertise and designate decision making authority to the team in the event an attack occurs. The team should be led by a single individual, who can act as a point of contact for directors, officers, employees, and third parties and streamline the process of dealing with the ramifications of an attack.
Secure outside counsel – If your financial institution has not already done so, seek and retain outside counsel with expertise in dealing with cyberattacks and related issues, including regulatory compliance, privacy, and consumer protection issues. Additionally, your institution should identify and be prepared to engage other industry experts to provide advice and expertise in the event of a cyberattack.
Monitor and update information security systems – Recent cyberattacks have demonstrated the ability of cybercriminals to rapidly evolve and shift cyberattack methods. You should anticipate that protection software that is currently effective may not remain effective for long. To protect your financial institution, you should monitor and periodically test your software and other preventative measures to ensure continued effectiveness.
Train employees – Your financial institution should provide cybersecurity awareness training to its employees, including training on safe internet and internal system practices, training to recognize and not open suspicious emails, and training to identify and report unusual customer transactions. Strong employee training can reduce the risk of cyberattacks, as inadvertent downloads by employees are one of the main ways cybercriminals gain access to financial institutions’ internal systems.
Prepare a strategy to address the problems – Even with a thorough action plan in place prior to an incident, financial institutions must be prepared to respond appropriately to a specific incident once it occurs. For example, your financial institution may have various iterations of its action plan for different levels of cybercrime events (i.e., a single database breach vs. institution-wide infiltration of IT systems). Your institution should be prepared to amend its action plan as necessary to deal with specific threats.
Be prepared to brief regulators and law enforcement on the incident – In connection with your legal team and other experts, your financial institution should obtain as much information as possible in the wake of a cybercrime event. This includes information about the crime itself, as well as the steps the institution has taken and plans to take to mitigate damage.
Practice the plan and engage the plan immediately in the event of an incident – Your financial institution and its employees should be well-rehearsed in putting the institution’s response and action plan into effect once a cybercrime has occurred. In responding to a cyberattack, time is of the essence, both in terms of mitigating damage to the financial institution, and in dealing with potential backlash from customers and/or the public. Because a delay in responding to an attack may be viewed as the result of lack of preparation or indecisiveness—or worse, incompetence—on the part of an institution’s directors and officers, it is critical that your institution be prepared to respond swiftly and decisively in the event of a cyberattack.
Paul Hastings lawyers regularly advise clients regarding cybersecurity issues.