From Banking and Finance Law Daily, July 15, 2015

Treasury’s Raskin: 10 more cybersecurity questions bank executives should ask

By Lisa M. Goolik, J.D.

At the American Bankers Association Summer Leadership Meeting in Baltimore, Md., Sarah Bloom Raskin, Deputy Secretary at the Treasury Department, presented 10 questions bank executives should be asking to better prepare their financial institutions for cyberattacks. The 10 questions “add greater depth and detail” to an initial list she introduced in December 2014 in remarks to the Texas Bankers’ Association.

Background. Over six months ago, Raskin presented a checklist of 10 questions on cybersecurity for banks at the Executive Leadership Cybersecurity Conference sponsored by the Texas Bankers’ Association (see Banking and Finance Law Daily, Dec. 4, 2014). The questions, which covered baseline protections, information sharing, and response and recovery, were intended to help executives better understand where their institutions stood in addressing their cybersecurity and cyber resiliency.

However, said Raskin, “A lot has happened since then.” After highlighting some of the more prominent cyberattacks and cybersecurity issues since she last spoke, Raskin suggested 10 follow-up questions to those she presented to the Texas Bankers’ Association.

“These ten additional questions reflect what we have learned in the last six months from our cyber experiences and expand on the initial steps banks can take to enhance cyber resiliency; what I want to do for you today is add greater depth and detail to the 1.0 checklist,” said Raskin.

2.0 checklist. Building upon the 10 questions she presented in her “1.0 checklist,” Raskin introduced the following 10 questions that are intended to dive deeper into those initial topics:

  1. Does our bank embed cybersecurity into our governance, control, and risk management systems? “To excel—really succeed—cybersecurity must become one of the fundamental building blocks of a bank’s processes and activities so that security cannot be circumvented, removed, or defeated,” said Raskin.
  2. Have we remained vigilant about systematically identifying our key assets, that is, those that provide high-value targets for malicious cyber actors? Identifying key assets is one of the first steps to ensuring that cybersecurity is embedded in systems, explained Raskin.
  3. Have we tailored our security controls to the specific cyber risks presented by each key network, system, or set of sensitive data? Raskin cautioned attendees that “one-size does not fit all” and banks must find the appropriate way to protect their key assets.
  4. How do we prioritize the implementation of enhanced controls around key networks, systems, and sensitive data? Because resources are not limitless, “the most effective banks systemically prioritize their cybersecurity controls so that the most significant exposures are addressed first, with the remaining exposures tackled in an order that considers factors like importance, degree of difficulty, and cost,” said Raskin.
  5. Have we reviewed the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool and appropriately incorporated it into our approach to cyber risk management? The FFIEC tool can help banks better inform their cybersecurity controls and priorities, Raskin explained.
  6. Have we designated specific professionals to be responsible for our cybersecurity strategy and provided them with the authority, resources, and access they need to effectively perform their work? “Designating specific individuals responsible for a bank’s overall cybersecurity strategy is important,” said Raskin, “because it establishes responsibility and accountability.”
  7. Have we trained our personnel on our cybersecurity policies? “People are the weakest link to cybersecurity,” Raskin believes. As a result, she contended that a culture of cybersecurity is more important than any single technology or process improvement.
  8. How do we ensure that our insurance coverage matches our cyber-related risks? Raskin noted that the market for cyber risk insurance has been growing. “Ask yourself what the range of losses you may face could be; and seek out coverage for them.”
  9. Does our cyber risk insurance impose “minimum required practices,” which may lead to denial of coverage if not followed? Some cyber insurance policies have “minimum required practices” exclusions that require policyholders to maintain certain cybersecurity procedures and controls as a condition for coverage, Raskin explained. She recommended that banks understand the entirety of their insurance program, including the conditions and exclusions of their insurance policy.
  10. As part of cyber hygiene: (1) Do we require multi-step identity checks—known as “multi-factor authentication”—before allowing access to our networks, systems, and data? (2) Have we restricted special, high-level access to only those who need it? (3) Are we doing regular maintenance and consistently patching our software? (4) And are we effectively scanning our systems for malicious activity? Raskin believes this question was the most important of the 10 because “basic cyber hygiene may prevent 80 percent of all known incidents.”

In closing, Raskin noted that there is no simple, single solution to cybersecurity. “Perhaps one day we will see such a single solution emerge. But for now, we are where we are. Fortunately, I’m reminded that extraordinary things can, and often do, happen through perseverance, in small, consistent increments.”
