Pub. 4 2015 Issue 9

l e a d i n g a d v o c a t e f o r t h e b a n k i n g i n d u s t r y i n k a n s a s 6 KBA LEADERS LEDGER WHO ARE YOU GOING TO CALL? GET TO KNOW THE “CYBER-BUSTERS!” By Kathleen Taylor, SVP General Counsel O NE OF THE primary goals of the KBA’s recent seminar entitled, “Executive Briefing on Cybersecurity for All Bank CEOs, Presidents and Board Members”, was to help bankers know what steps to take in the case of a cyber attack. To that end, the KBA invited both the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) to participate in a session focusing on incident response. Although law enforcement notification is just one step in planning an effective response strategy, it is an important step as a well-organized response is essential to the investigation of the breach. The first step is something each bank should do immediately – before an incident occurs – and that is to designate a leadership team to be responsible for coordinating and communicating with law enforcement. There should be no question that this team has the authority to act in response to an attack, and have access to technical and legal support. After a breach occurs, the next step is containment. This includes an immediate notification to law enforcement. In Kansas, the response team can contact either the FBI or the USSS in their Kansas City offices: Both agencies urged the bankers in attendance, to build a relationship with one of these local offices ahead of time, as they are very committed to developing partnerships with the financial services sector. Be prepared to answer questions about the breach including: 1. What is the nature of the incident (what happened)? 2. Is the attack ongoing or is it hours or days old? 3. What is your understanding of the bank’s network and flow of data? 4. What is the security setup and configuration (detection systems, log servers, router configurations, etc.) 5. Provide an overview of inventory of computer systems and network components. 6. Who has access to systems and by what means? Finally, the response team will be instrumental in collecting and reporting the facts. The team must: 1. Control physical access to computers and network components; 2. Log and report the sequence of events or incidents; and 3. Preserve all evidence and maintain a chain of custody. Both agencies stressed the importance of maintaining a log showing all activity leading up to the breach. If you would like more detail on how you can best aide in the investigation of a cyber attack, please contact either gentleman listed above. Bankers should assume it is not a matter of “if,” but “when” will your system be compromised. Kansas City FBI 1300 Summit Kansas City, MO 64105 816.512.8200 Chris Lamb Christopher.Lamb@ic.fbi.gov U.S. Secret Service Kansas City Electronic Crimes Task Force 1150 Grand Blvd, Suite 510 Kansas City, MO 64106 816.460.0600 Jeff Rinehart, ATSAIC Jeff.rinehart@usss.dhs.gov or kcectf@usss.dhs.gov