You’ve been hacked! Now what? As the list of cyber-attacks against the financial services industry continues to grow, many institutions are likely to face this scenario. Of course, the best way to prepare for a cybersecurity breach is to simulate one, which is what FHLBank Atlanta did for shareholders at its Annual Member Conference.
FHLBank Atlanta’s Chief Operations Officer, Chief Information Officer, Chief Marketing Officer, and General Counsel enacted a tabletop exercise to walk shareholders through the process of developing a crisis management response plan.
Cybersecurity Breach Scenario
In the simulated scenario, a community bank is alerted by the FBI that its IT service provider has been hacked.
Robert Bennett, FHLBank Atlanta’s Chief Information Officer, says the first actions an institution can take upon learning of a security incident include:
• Activating your existing Cybersecurity Incident Response Plan, a framework for responding to security incidents.
• Determining the severity level of the compromise, which will indicate the best path to follow to ensure that there is no additional data loss and that forensic evidence is preserved.
• Informing Corporate Communications and Legal of progress.
Once the initial system assessments are complete, Sharon Cook, FHLBank Atlanta’s Chief Marketing Officer, says it’s important to ask the right questions and to begin formulating responses that effectively communicate the issue and remediation plan to customers. “Transparency and sincerity are key to successful communication in a crisis,” she says.
Cook says although planning sounds simple, it’s not. “It’s important to put a plan in place, even if it’s a skeleton, that outlines who your key stakeholders are, who’s on your internal team, and who’s going to make decisions about communications.”
FHLBank Atlanta General Counsel Reggie O’Shields says it’s good to loop in legal counsel early because that maintains privilege throughout the incident in the event there is future litigation. O’Shields adds that it’s important to consult with the right legal expert. “This is a very complicated area and no one can really be an expert in it,” he says. “If you have in-house counsel, it’s probably unlikely that they are going to be a cyber-expert. If you don’t have an in-house counsel, your outside counsel is probably going to be a bank regulatory person, so it’s important for them to bring in the right expert so they can get a better understanding of what’s happening.”
After a crisis, it’s important to meet with your response team for a structured debrief so you can walk through and assess all of the processes. Review the statements and responses you released, as well as the questions, comments, and concerns you have received.
• Develop and practice your IT security incident response plan.
• Continuously monitor for suspicious behavior.
• Implement a robust program to apply regular security patches to servers and desktop computers so all systems are up-to-date on software and vulnerability protection.
• Install a sophisticated intrusion detection-monitoring program that looks for and reports suspicious traffic.
• Prepare an escalation plan and think through the best timing around when you communicate with your key stakeholders.
• Conduct regular media trainings for your spokespeople. It is important for spokespeople to practice in high-pressure scenarios.
• Monitor your brand online and across digital platforms. Be proactive in protecting your brand, not reactive. Know your key influencers in the digital space.
• Understand your third-party relationships and what your contracts say.
• Be aware of all the legal and regulatory obligations and share the information internally.
• Evaluate your insurance policies and determine if you have or need cyber insurance.
Cybersecurity: How to Avoid the Worst Mistakes
• Don’t ignore cyber risks inside of your organization.
• Ensure strong controls around password security.
• Train and educate employees, contractors, and vendors on cybersecurity.
• To ensure accuracy, don’t release information and numbers too quickly.