Pub. 5 2016 Issue 4

Leading advocate for the banking industry in Kansas

HOW WILL YOUR IT HOLD UP IN COURT?

By Charles Cheatham, SVP and General Counsel, BankOnIT

A BANK'S INFORMATION SECURITY RISKS include regulatory risk, financial risk (unauthorized transactions), reputation risk (loss of customer confidence) and business continuity risk (loss of data or operations). But here's an important risk that may be overlooked — litigation risk. Banks can be sued for "negligence" by customers and employees if confidential information is stolen, those individuals are harmed, and the bank's inadequate information security is allegedly a major factor.

Imagine you are a bank director or officer on the witness stand: "Mr./Ms. Director, does your bank follow industry standards for information security?" ("Well, uh, I guess so.") "Which standards do you follow?" ("Well . . . I don't know.") "Do you use any of the 462 pages of information security procedures that the National Institute of Standards and Technology provides?" ("Uh . . . I don't know what that is.") "Do you know of any other industry standards your bank follows for information security?" ("Uh . . . I'm sure we must be doing something. We mainly wait for comments from the examiners.") "Do you believe a bank needs good information security to protect customers?" ("Uh . . . yes.") "Then why don't you follow any industry standards for good information security?" ("Uh . . .")

Many banks see information security as a regulatory risk. They take a "wait and see" approach to better security — responding to IT issues only after examiners or auditors raise them. These banks are not strongly focused on advanced protection (before a problem happens) to avoid the risk of an information security breach — and they may not have strong, ongoing procedures for review and management of IT issues. When examiners' comments aren't too harsh, these banks may assume they're doing fine — and they move on to other issues until regulators show up again.

But it's cyber-attackers, not examiners, who are the actual source of a bank's risks related to information security. Banks should be guarding against information security events before an event occurs, not just answering examiners' list of exception items. Information security attacks are steadily increasing — and doing only what the examiners emphasized at the last exam may not be enough to protect a bank until the next exam.

Most bankers and bank directors know little about industry-standard guidelines for improving information security. It's hard for a community bank on its own to comply with so many technical standards. Often, the best approach is to rely on a vendor that fully understands industry security standards, banking regulations and the bank's operational needs.

A bank's best defense in a courtroom is to have solid information security planning, documentation and execution in place, before an information security attack occurs.

About the author: Charles Cheatham is general counsel at BankOnIT, and previously served as general counsel for the Oklahoma Bankers Association. Charles is a graduate of Harvard Law School. For more information, visit www.bankonitusa.com, or contact solutions@bankonitusa.com.