
© Copyright 2014 by K&L Gates LLP. All rights reserved.

Eastern Massachusetts Compliance Network

Cybersecurity Issues for Community Banks

Sean P. Mahoney (sean.mahoney@klgates.com)

K&L Gates LLP
State Street Financial Center
One Lincoln Street
Boston, MA 02111
(617) 261-3202

WHAT WE WILL COVER TODAY

- Cybersecurity threats
- Laws and guidance governing bank cybersecurity programs

CYBERSECURITY THREATS

- The Verizon 2014 Data Breach Investigations Report identifies the following threats:
  - POS Intrusions
  - Cyber-espionage
  - Web App Attacks
  - Insider Misuse
  - Crimeware
  - Miscellaneous Errors
  - Card Skimmers
  - Physical Theft/Loss
  - DoS Attacks
  - Other

CYBERSECURITY THREATS

- Web app attacks and POS intrusions appear to be on the rise
- Web app attacks and DoS attacks are the most prevalent cyber-attacks in financial services
- According to the American Bankers Association, two-thirds of the instances of unauthorized access are the result of phishing attacks
- The success rate of phishing emails is approximately 18%, according to Verizon

CYBERSECURITY THREATS

- Motivation for attacks generally falls within three broad categories:
  - Financial gain
  - Ideologically motivated attacks (social, political or sport/narcissism)
  - State sponsored

LEGAL STANDARDS

- The big picture – risk-based approach
- November 3, 2014 FFIEC cybersecurity guidance
- Laws that protect information
  - Title V of Gramm-Leach-Bliley
  - State laws
  - Fair Credit Reporting Act
- Regulatory data security standards
  - FFIEC
  - NIST Framework
- Regulatory business continuity standards

THE BIG PICTURE

- The risk approach of regulations is often based upon the risk of violations or of harm to individuals
- Businesses also need to look at the risks of a data security breach to the business itself
- In many ways, regulatory compliance is the least important aspect
  - Reputational risk for many businesses can be severe
  - Loss of accompanying sensitive business data can also cause competitive harm
- Risk-based compliance is the future

THIS WEEK’S FFIEC GUIDANCE

- Expectation that all financial institutions maintain current awareness of cybersecurity threats
- FFIEC “encourages” all financial institutions to participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC)
- Other sources to monitor:
  - FBI InfraGard (www.infragard.org)
  - U.S. Computer Emergency Readiness Team (www.us-cert.gov)
  - U.S. Secret Service Electronic Crimes Task Force (www.secretservice.gov/ectf.shtml)

THIS WEEK’S FFIEC GUIDANCE

- After assessing cybersecurity at 500 community banks, FFIEC commented on the following:
  - Cybersecurity Inherent Risk
    - Connection types
    - Products and services
    - Technologies used
  - Cybersecurity Preparedness
    - Risk management
    - Threat intelligence and collaboration
    - Cybersecurity controls
    - External dependency management
    - Cyber incident management and resilience

LAWS THAT PROTECT INFORMATION

- Title V of the Gramm-Leach-Bliley Act
  - Designed to restrict invasive marketing tactics
    - Required privacy policies and disclosure thereof
    - Provides consumers opportunities to opt out of information sharing
  - Also includes requirements to maintain policies and procedures to safeguard nonpublic personal information

LAWS THAT PROTECT INFORMATION

- Title V of the Gramm-Leach-Bliley Act
  - Title V of the GLBA protects “nonpublic personal information,” which is defined as any personally identifiable financial information:
    - provided by a consumer to a financial institution
    - resulting from a transaction by a consumer with a financial institution
    - otherwise obtained from a financial institution
  - NPI includes customer lists, as the fact that there is a customer relationship is deemed to constitute NPI

LAWS THAT PROTECT INFORMATION

- GLBA Safeguards Rule
  - All financial institutions must develop a written information security plan that must:
    - be appropriate to the financial institution's risk profile
    - designate the employee or employees to coordinate the program
    - identify and assess the risks
    - evaluate the effectiveness of current safeguards for mitigating those risks
    - select appropriate service providers and require them to implement the safeguards
    - evaluate the program

LAWS THAT PROTECT INFORMATION

- GLBA Identity Theft Provisions
  - No person may obtain or attempt to obtain customer information by:
    - making a false or fraudulent statement to a financial institution or a customer of a financial institution
    - presenting a lost, stolen or forged document to a financial institution
    - requesting information, the disclosure of which is known to be in violation of GLBA

LAWS THAT PROTECT INFORMATION

- State data security and breach reporting laws
  - State laws enacted in response to data security breaches and growing concern about identity theft
  - Most statutes impose data security breach notification requirements
  - Some states, most notably Massachusetts, impose an obligation to adopt policies and procedures to protect information
  - Compliance with the Interagency Standards is often sufficient
  - Information protected generally consists of a name plus another identifier that would enable a person to obtain credit or access an account

LAWS THAT PROTECT INFORMATION

- Massachusetts Data Security Law
  - The Legislature required data security regulations to meet the following design parameters:
    - ensure the security and confidentiality of customer information in a manner fully consistent with industry standards
    - protect against anticipated threats or hazards to the security or integrity of such information
    - protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer
    - take into account the person's size, scope and type of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of the information

LAWS THAT PROTECT INFORMATION

- Massachusetts Data Security Law
  - Requires every person engaged in commerce to have a written information security program including, among other things:
    - Employee training and compliance
    - Vendor management
    - Specific computer security “to the extent technically feasible”
  - Note: 128-bit encryption is still significant for purposes of statutory security breach notification

REGULATORY STANDARDS

- Promulgated by bank regulatory agencies either on an interagency basis or through FFIEC
- May form the basis for what constitutes commercially reasonable security procedures
- May be viewed as a potential source of “best practices”

REGULATORY STANDARDS

- Interagency Guidance on Authentication
  - Requires risk assessments taking into account new and evolving threats
  - Sets the expectation of layered security:
    - Fraud detection and monitoring
    - Dual authorization through different access devices
    - Use of out-of-band verification for transactions
    - IP reputation-based tools

REGULATORY STANDARDS

- FFIEC Information Security Handbook
  - Serves as the bank examination manual for compliance with the GLB Safeguards Rule
  - Establishes an information security risk management process:
    - Information security risk assessment
    - Information security strategy
    - Security controls implementation
    - Security monitoring
    - Security process monitoring and updating

REGULATORY STANDARDS

- FFIEC Information Security Handbook
  - Processes need to involve management and departments throughout the organization:
    - Compliance
    - Information systems
    - Human resources
    - Facilities management
    - Business operations

REGULATORY STANDARDS

- FFIEC Business Continuity Handbook
  - The business continuity planning process includes:
    - Policy by which the firm manages identified risks
    - Allocation of resources and knowledgeable personnel
    - Independent review
    - Training and awareness
    - Regular, enterprise-wide testing
    - Continuous updating to adapt to a changing environment

REGULATORY STANDARDS

- FFIEC Business Continuity Handbook
  - Policy should address:
    - Continuity planning process
    - Prioritization of business objectives and critical operations essential for recovery
    - Integration with financial markets
    - Integration with vendors and outsourced services
    - Regular updates in response to changes in business processes, audit recommendations and testing

REGULATORY STANDARDS

- FFIEC Business Continuity Handbook
  - Principal tools in continuity planning:
    - Data synchronization tools
    - Pre-established crisis management team
    - Incident response procedures
    - Remote access
    - Employee training
    - Clear notification standards
    - Insurance

NIST FRAMEWORK

- Introduces a “core” set of cybersecurity activities:
  - Identify
  - Protect
  - Detect
  - Respond
  - Recover

NIST FRAMEWORK

- Implementation tiers based on risk:
  - Tier 1 – partial
  - Tier 2 – risk informed
  - Tier 3 – repeatable
  - Tier 4 – adaptive
- Framework profile:
  - Current (“as is” state)
  - Target (desired state)

TAKE-AWAYS

- An integrated approach to data security is key
- Involve human resources
  - Humans are often the weak link in your data security infrastructure
  - Training and progressive discipline can be key risk mitigation techniques
- Business managers need to be involved in technical solutions
  - A secure environment has to be usable or people will find ways to work around it (e.g., “shadow IT”)
- The only thing worse than poorly crafted policies and procedures is great ones that are not followed

TAKE-AWAYS

- Have an incident response team in place to manage reputational risk:
  - Information technology
  - Public relations/crisis management
  - Lawyers
- Manage your data
  - Do not ignore records management as a key component of the cybersecurity program
- Manage your vendors
  - Review and catalogue agreements with any vendor that touches your data