The Federal Financial Institutional Examination Counsel (FFIEC) recently developed and released a Cybersecurity Assessment Tool in light of the growing number and sophistication of threats to financial institutions from cyber attacks. The tool is consistent with principles set forth in the now-familiar Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) as well as FFIEC’s IT Handbook.
The tool assists management of financial institutions with analyzing the firm’s inherent risk for cybersecurity threats based on a number of factors, including the quantity and types of technologies and internet connections deployed, the role of online and mobile products and services offered, and what organizational characteristics demonstrate the firm’s security awareness and care or, conversely, vulnerability to cyber intrusion.
Each institution will rate differently based on its own threat profile and levels of inherent risk. Financial institutions have long taken security seriously due to the obvious liability concerns with loss or destruction of financial assets. But cyber risks present a unique vulnerability and financial institutions can no longer claim surprise or lack of awareness to the threat. Systematic and continuous risk management strategies are key to reducing risk and ultimately reducing liability should the firm suffer a breach.
How can lawyers help? Attorneys specializing in information security and risk management should be involved at every stage of risk assessment and mitigation, as well as crisis response. Cyber and information security responsibility should not rest exclusively with the IT department because it inherently involves issues of liability risk and standards of care.
Lawyers can help with integrating information security, privacy and employment policies with cybersecurity protocols and policies; establishing and maintaining incident response programs; analyzing the reasonableness of cybersecurity investments – or lack thereof – against the legal standards of care; reviewing and negotiating insurance policies; establishing and maintaining active third party vendor risk management systems including contract review; and ultimately responding immediately and effectively in the event of an information or cybersecurity incident to help manage the crisis and mitigate the damages.
Rita Heimes, Counsel
Co-chair, Information Security & Risk Management Group
Verrill Dana LLP