
Entries in risk management (7)


Upcoming Event: Hot Compliance Topics in a Cyber World

On May 3, Susan Bryant of Verrill Dana, LLP will present a session entitled "Hot Compliance Topics in a Cyber World" at the Maine Bankers Association Trust & Wealth Management Conference at the Harraseeket Inn in Freeport, Maine.

In this presentation, Susan will cover issues that currently concern regulators and how to build a compliance program to address such issues as cybersecurity, risk management, working with third parties, privacy/confidentiality, the Volcker Rule, fraud prevention, and the new anti-money laundering rule. Susan will also cover the requirements of an adequate compliance program, from adopting written policies and procedures to establishing controls and reporting to senior management.

Susan Bryant is a member of Verrill Dana’s Securities Law Group and the firm’s Business Law Group. Susan is based in Portland, Maine and Westport, CT.

Learn more and register for the conference online here.


FFIEC Responds to Increased Cyber Threats With New Cybersecurity Assessment Tool 

The Federal Financial Institutions Examination Council (FFIEC) recently developed and released a Cybersecurity Assessment Tool in light of the growing number and sophistication of cyber attacks against financial institutions. The tool is consistent with the principles set forth in the now-familiar Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) as well as the FFIEC’s Information Technology Examination Handbook.

The tool assists management of financial institutions in analyzing the firm’s inherent risk of cybersecurity threats based on a number of factors, including the quantity and types of technologies and internet connections deployed, the role of the online and mobile products and services offered, and the organizational characteristics that demonstrate the firm’s security awareness and care or, conversely, its vulnerability to cyber intrusion. An institution's inherent risk profile is then compared against its cybersecurity maturity to identify gaps.

Each institution will rate differently based on its own threat profile and level of inherent risk. Financial institutions have long taken security seriously because of the obvious liability concerns attached to the loss or destruction of financial assets. But cyber risks present a distinct vulnerability, and financial institutions can no longer claim surprise or lack of awareness of the threat. Systematic and continuous risk management is key to reducing risk and, ultimately, to reducing liability should the firm suffer a breach.

How can lawyers help? Attorneys specializing in information security and risk management should be involved at every stage of risk assessment and mitigation, as well as crisis response. Cyber and information security responsibility should not rest exclusively with the IT department because it inherently involves issues of liability risk and standards of care.

Lawyers can help with integrating information security, privacy and employment policies with cybersecurity protocols and policies; establishing and maintaining incident response programs; analyzing the reasonableness of cybersecurity investments – or lack thereof – against the legal standards of care; reviewing and negotiating insurance policies; establishing and maintaining active third party vendor risk management systems including contract review; and ultimately responding immediately and effectively in the event of an information or cybersecurity incident to help manage the crisis and mitigate the damages.

Rita Heimes, Counsel
Co-chair, Information Security & Risk Management Group
Verrill Dana LLP


New England Financial Institutions Face Increased Cybersecurity Risks

Noted cybersecurity blogger and journalist Brian Krebs recently gained an exclusive interview with a New England bank that reported a sharp rise in fraudulent charges on debit cards. The scammers were making purchases with card numbers stolen from plain magnetic-stripe cards, but coding the transactions so that they appeared to come from EMV (“chip”) cards, even though the bank had not yet issued chip cards. This “EMV-spoofing” technique had been observed by Canadian banks earlier this year and traced to Brazil.

“The recent EMV-spoofing cases point to the continued need for fraud detection mechanisms that even small banks and credit unions must implement to protect themselves,” said Ande Smith, a principal at the forensics and data security firm Deer-Brook, with whom Verrill Dana works closely in data breach cases. “During the transition phase, which may take years, the mish-mash of magnetic and chip-and-PIN point-of-sale systems in the US will create opportunities to mask fraudulent activity.”
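The mismatch described above is detectable on the issuer side: a transaction whose point-of-sale entry mode claims a chip read cannot be genuine if the issuer never sent that cardholder a chip card, and a real chip read should arrive with EMV cryptogram data. The following rule is an added example written for this page, not code from the bank, Deer-Brook or Verrill Dana. It assumes the issuer receives the standard ISO 8583 field 22 entry-mode codes and a flag for whether field 55 (chip data) was present; the transactions and the chip-issued table are constructed sample data.

```python
from dataclasses import dataclass

# ISO 8583 field 22 (POS entry mode) two-digit prefixes that claim a chip read
# (assumption: the issuer's processor passes these standard codes through).
CHIP_ENTRY_MODES = {"05", "07"}  # 05 = contact chip, 07 = contactless chip


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    pan_token: str        # tokenized card number; raw PANs never enter the rule engine
    entry_mode: str       # first two digits of field 22 as received
    has_emv_data: bool    # whether field 55 (chip cryptogram data) was present
    amount_cents: int


def spoof_reason(txn, chip_issued):
    """Return why a transaction looks like EMV-spoofing, or None if it passes.

    chip_issued maps pan_token -> True when the issuer has actually sent that
    cardholder a chip card. A chip-coded transaction on a card that was never
    chip-issued, or one arriving without cryptogram data, is the mismatch a
    stripe-only issuer should be alerting on.
    """
    if txn.entry_mode not in CHIP_ENTRY_MODES:
        return None  # swipe, keyed or fallback: outside this rule's scope
    if not chip_issued.get(txn.pan_token, False):
        return "chip entry mode on card never issued as chip"
    if not txn.has_emv_data:
        return "chip entry mode without EMV cryptogram data"
    return None


def flag_transactions(txns, chip_issued):
    """Return {txn_id: reason} for every suspicious transaction in the batch."""
    flagged = {}
    for txn in txns:
        reason = spoof_reason(txn, chip_issued)
        if reason:
            flagged[txn.txn_id] = reason
    return flagged


# Constructed sample data (hypothetical tokens and amounts).
CHIP_ISSUED = {"tok-1001": True, "tok-1002": False}
SAMPLE = [
    Transaction("t1", "tok-1001", "05", True, 4200),    # genuine chip transaction
    Transaction("t2", "tok-1002", "90", False, 1999),   # genuine magnetic-stripe swipe
    Transaction("t3", "tok-1002", "05", False, 88000),  # spoofed: stripe card, chip code
    Transaction("t4", "tok-1001", "05", False, 12000),  # chip card, but no cryptogram data
    Transaction("t5", "tok-9999", "07", False, 500),    # unknown token with chip code
]

if __name__ == "__main__":
    for txn_id, reason in flag_transactions(SAMPLE, CHIP_ISSUED).items():
        print(txn_id, reason)
```

The rule is deliberately conservative: it never touches stripe-coded transactions, so it produces no false positives for the ordinary swipe traffic a stripe-only issuer expects, and it reports a reason per hit so an analyst can separate "card never chipped" from "chip data missing" when triaging a spike like the one the bank saw.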

A recent report by the Federal Financial Institutions Examination Council (FFIEC) supports this call for improved risk management at regional banks and other financial institutions. The results of the FFIEC’s 2014 survey of 500 community financial institutions indicate that these institutions have room to improve in employee education and training on cyber risks, cybersecurity controls, understanding of their vendors’ cybersecurity risks, and incident management procedures, among other things.

Rita Heimes is a privacy and cybersecurity attorney in Verrill Dana’s Intellectual Property & Technology practice group. She and her team help companies with comprehensive information risk management programs including privacy policies, incident response plans, third-party contracts, employee training, and breach response.


Financial Institutions May Now Post Annual Privacy Policies Online

Under the Gramm-Leach-Bliley Act and regulations promulgated by the Bureau of Consumer Financial Protection (the "Bureau"), financial institutions are required to provide customers with an annual disclosure of their privacy policies. The cost of mailing paper copies to consumers is significant. The Bureau therefore promulgated a new rule, effective October 28, 2014, that allows financial institutions to deliver their notices by alternative means, including posting them on their websites, provided certain conditions are met.

Financial institutions can avoid considerable compliance costs by using this alternative notice method. Among the qualifications: (1) the privacy notice must not trigger any opt-out rights, and the institution must have previously provided opt-out notices as required; (2) the information included in the privacy notice must not have changed since the prior notice; and (3) the financial institution must use the Bureau’s model form as its annual privacy notice. Other qualifications also apply, including (but not limited to) notifying customers at least annually, through a statement mailed to them, that the privacy policy is available online.

For more complete information about qualifying for the alternative annual privacy policy delivery option, view the final rule here or contact Verrill Dana’s Banking Law group.


FFIEC Proposes Compliance and Risk Management Guidance for Social Media Use

The Federal Financial Institutions Examination Council (“FFIEC”) has issued proposed guidance on compliance issues and risk management in the use of social media (the "Proposed Guidance"). The term "social media" as used in the Proposed Guidance applies to "interactive online communication" where users "generate and share content" (e.g., Facebook, Yelp, LinkedIn, YouTube). Financial institutions are increasingly using social media to generate new business and develop stronger relationships with customers. The Proposed Guidance is intended to assist financial institutions in identifying and addressing potential areas of risk, including compliance, legal, operational and reputational risk...
