Pub. 4 2024 Issue 3

LEGAL EAGLE SPOTLIGHT

Cybersecurity in Banking: Protecting Customer Data in the Digital Age

By Shawn Tuma, Partner, Spencer Fane LLP

Cybersecurity is hard. The odds are against you from the beginning: the defenders have to get everything right 100% of the time, while the attackers need only one lucky shot. Cybersecurity in banking is even harder. Cybercrime is a business, and cybercriminals are usually motivated by money. This brings us back to notorious bank robber Willie Sutton who, when asked why he robbed banks, simply replied, “Because that’s where the money is.” The criminals will try to steal money directly and through fraud. They will try to extort money by encrypting critical parts of your network and holding it hostage, or by stealing sensitive data — such as employee or customer data — and threatening to publish and sell the data if you do not pay a ransom. Smaller and mid-size banks are as much of a target as any because the criminals know they usually have fewer resources for cyber defense.

Even worse, cybersecurity is not a static problem that can be fixed once, like a technical glitch such as Y2K. Instead, it is more like warfare: an active adversary is continuously attacking, and every time you implement new defenses, they counter by adapting, changing tactics and finding another way to circumvent those defenses. This means there is no such thing as being completely secure — ever. Even really good security is not permanent, because what is effective today will likely not be effective in a month, six months or a year from now. I apologize that this is not a pleasant “feel good” message, but it is the reality, and the only way we can fulfill our responsibilities to our customers, employees and organizations is by having a realistic understanding of the challenges we face, because there are many things that can be done to become much harder and more resilient targets.

In my role as breach counsel, I have advised on thousands of cyber incidents and hundreds of ransomware attacks over my career. That detached role, seeing the overall process from a strategic vantage point, has shown me several things that organizations could have done differently to avoid those situations. These observations are not a regurgitation of a standard “Top 10” list of security controls; because those lists are readily available, I will try to avoid the items typically included in them. Nor are they intended to replace or minimize the importance of those controls or other technical processes and tools, because they are absolutely essential. On the contrary, they are intended to augment or restate those from a different perspective than the one that sometimes comes from more technically focused security professionals.

1. Cybersecurity requires an ongoing and continuous process. Cybercriminals are continuously adapting and changing their tactics. The only way to defend is to have an ongoing process that is evolving and maturing with them.

2. Risk assessments are essential. Every organization’s risks are unique and depend on a multitude of different factors. Because you cannot protect against what you do not know, you must have an understanding of your unique risks, not only from a technical standpoint but also from an overall organizational risk perspective. This risk assessment is essential for prioritizing mitigation efforts.

3. Data governance is critical. Your objective includes protecting customer data. This means you must know what customer data you have, not collect or maintain more than is needed, and, when you no longer need it, securely archive or dispose of it. Data equals risk. If you want to reduce that risk, reduce the data you have available to criminals. The same principles apply to employee data and other forms of sensitive data.

16 | The Show-Me Banker Magazine
