Pub. 5 2015-2016 Issue 6

O V E R A C E N T U R Y : B U I L D I N G B E T T E R B A N K S - H E L P I N G C O L O R A D A N S R E A L I Z E D R E A M S May • June 2016 13 Economic Forum in Davos, Switzerland, Bank of America CEO BrianMoynihan announced that the bank’s cybersecurity unit would have a “blank check budget” for 2015. Similarly, in late 2015, J.P. Morgan Chase and Co. announced that it expected its 2016 budget for cybersecurity spending to be approximately $500 million. Despite these headlines, cybersecurity is not just a large bank issue. The Federal Financial Institutions Examination Council (the “FFIEC”) and its member agencies including the FDIC, Federal Reserve, and OCC, and several state banking regulators including the Massachusetts Division of Banks and the New York Department of Financial Services, are pushing for more stringent rules and examination procedures for com- munity banks under their oversight. Recognizing the need for guidance, the increased cost of compliance, and the fact that not every bank has half a billion dollars to spend on their cyber- security efforts, these regulators have also provided numerous resources for community banks to utilize in assessing their readiness to handle a cybersecurity incident. Online Resources for Community Banks In June of 2015, the FFIEC released on its website the Cy- bersecurity Assessment Tool (the “Assessment”), a two part exercise designed to “help institutions identify their risks and determine their cybersecurity preparedness.” In the materials accompanying the Assessment, the FFIEC notes the follow- ing benefits to an institution from using the Assessment: l Identifying factors contributing to and determining the institution’s overall cyber risk; l Assessing the institution’s cybersecurity preparedness; l Evaluating whether the institution’s cybersecurity pre- paredness is aligned with its risks; l Determining risk management pactices and controls that are needed or need enhancement and actions to be taken to achieve the desired state; and l Informing risk management strategies. The Assessment incorporates principles from the FFIEC Information Technology Examination Handbook, regula- tory guidance, and concepts from industry standards in- cluding the National Institute of Standards and Technology (the “NIST”) Cybersecurity Framework. The Assessment and other cybersecurity resources prepared by the FFIEC are available at www.ffiec.gov/cybersecurity.htm. The FDIC recently addressed the issue of cybersecurity in an article titled “A Framework for Cybersecurity” in the Winter 2015 issue of its Supervisory Insights Journal, released on February 1, 2016 (available on the Financial Institution Letters page of the FDIC’s website, www.fdic. gov). The article addresses some common cyber-attack strategies, the critical components of information security programs (corporate governance, threat intelligence, secu- rity awareness training, and patch-management programs), and actions taken by federal bank regulators to respond to cybersecurity threats. The article stresses that everyone within a financial institution, from entry-level staff to the board of directors, is responsible for prioritizing cyber- security. The article includes information about several resources available to help educate and inform employees and directors on cybersecurity. One such resource is the Financial Services Information Sharing and Analysis Cen- ter (the “FS-ISAC”), a public-private information-sharing forum. The FS-ISAC operates a community bank working group that sends weekly “cyber updates” to community bank executives. Financial institutions with less than $1 billion in assets or less than $10 million in revenue can access these updates, and other helpful resources, by purchasing a basic membership at a cost of $250 per year. More information is available at www.fsisac.com . Finally, the Conference of State Bank Supervisors (the “CSBS”), through its Executive Leadership of Cybersecurity initiative, has published the CSBS Executive Leadership of Cybersecurity Resource Guide (the “CSBS Guide”), to provide community bank CEOs and executive management with a “non-technical, easy-to-read resource on cybersecu- rity.” The CSBS Guide is intended to “put in one document industry recognized standards for cyber security, best prac- tices currently used within the financial services industry, and an organizational approach used by the NIST.” The CSBS Guide addresses the five core cybersecurity functions of the NIST’s Cybersecurity Framework, including: l Identify internal and external cyber risks; l Protect organizational systems, assets and data; l Detect system intrusions, data breaches, and unautho- rized access; l Respond to a potential cybersecurity event; and l Recover from a cybersecurity event by restoring normal operations and services. The CSBS Guide, and other informational materials prepared by the CSBS on cybersecurity preparedness are available at www.csbs.org/cybersecurity. While all of these online resources are valuable guides for protecting customer data and your institution, none is a substitute for the exercise of common sense and prudent, consistently applied internal policies and procedures. Your institution’s Chief Technology Officer or Information Se- curity Officer, or those in analogous roles, should be given authority to develop and implement such policies and pro- cedures based on recognized best practices such as those promulgated by the NIST, with involvement from the board of directors and executive management. Furthermore, it is crucial that your institution’s board of directors and executive management be focused on and well-informed about the threats posed by cybersecurity attacks; therefore, they should receive reports on these issues from members of your institution’s information technology team on a regular basis. n Christopher R. Johnson is an Associate Attorney in Jones & Keller’s Banking, Lending and Financial Institutions practice group. Christopher specializes in the representation of financial institutions with regard to regulatory matters, mergers and acquisitions, commercial and consumer lending transactions, as well as bank operations and general corporate matters. If you have questions about the regulatory landscape with respect to cybersecurity and its impact on your institution, or if your institution has experienced a cybersecu- rity threat, please contact Jones & Keller’s Banking, Lending & Financial Institutions practice group at (303) 573-1600.