PAYMENTS TECHNOLOGY OPERATIONS
Nuts & Bolts
Is your incident response plan ready?
As community banks come to grips with the new environment of data breaches, ransomware and other cyberattacks, developing a strategy for responding to these types of incidents has become a requirement.
By Karen Epper Hoffman
independentbanker.org | ICBA IndependentBanker | September 2017
CYBERSECURITY WORLD
Today, information security is less about if your organization will be breached, and more about when, as information security professionals find cybercriminals outpacing their own ability to prevent attacks.
Community banks, like businesses in all sectors, are dealing with the reality of an inevitable breach by developing incident response plans for the weeks, days or hours after a breach has been spotted.
“Incident response is critical to defend institutional assets and customer information,” says Jeff Julig, vice president and chief information security officer at financial services company SWBC in San Antonio, Texas. “When you have a dynamic and complex threat, it is prudent to prepare a plan against it,” just as a bank would have a plan in place for potential branch robberies.
Jason Malo, senior executive advisor at research and advisory firm CEB, now Gartner, believes all financial institutions need a response plan for incidents that affect them—both internal and external.
“Incident response is not just a technology role,” Malo says. “Customers need to feel their bank is protecting them. Community banks especially need to be well-prepared so that their customers don’t feel they need to go to a big bank with a big security budget to be protected.”
Kyle Kunnen, senior vice president and information security officer for $3.14 billion-asset Mercantile Bank of Michigan, says having an incident response plan is as important as having a recovery plan for natural disasters, especially since cybersecurity incidents are far more frequent. “The threat landscape has changed dramatically over the years,” Kunnen says. “The days of hackers trying to prove to themselves and others they can do something is long gone. … Every one of these bad actors is after your data, intelligence, anything that will make or save them money or push their agenda.”
Jackie Marshall, senior manager of consulting services at ProfitStars, agrees that cyber-resiliency among banks partially depends on an established arsenal of response and recovery plans. “Cyberattackers’ goals may be financially motivated. Bank and bank customers’ data are some of the most desirable targets for cybercriminals,” she says.
What is Sheltered Harbor?
Launched last year, the Sheltered Harbor initiative allows financial institutions to store their critical account data in an encrypted, secure vault, keeping it safe in the event of a data breach. Should a bank experience a breach, it would work with a “restoring institution”—another member—to access its vault and the secured customer data within, and maintain customer account access. ICBA is one of the US financial services industry participants that have worked to make Sheltered Harbor a reality.
“We have been involved since the start, and we are members of the board,” says Jeremy Dalpiaz, ICBA assistant vice president for cyber and data security policy. “Because this is an industry-led initiative, that is the benefit. It is very focused on the customer.”
Dalpiaz highly recommends that community banks invest in this kind of resiliency. “Community banks are a trusted financial resource, and there is trust in relationship banking,” he says. “It is pivotal to secure customer data to keep that trust should a breach happen.”
To learn more about Sheltered Harbor or sign up, visit shelteredharbor.org.
Preparing a plan
The first step in planning for a breach is clarifying what exactly constitutes an incident “so that employees are able to recognize a potential incident and get incident responders involved promptly,” says Timothy P. Ryan, principal for EY Fraud Investigation and Dispute Services. Ryan advises that every incident response plan include “well-defined escalation procedures detailing the steps the company will go through to escalate potential incidents for analysis and response.”
Next, a response plan will detail who will do what, and when. “A robust incident response plan outlines a variety of policies and processes for security teams to remediate, recover and quickly get back to business,” explains Itzik Kotler, chief technology officer and cofounder of SafeBreach, which has developed a simulated breach and attack platform. “Because community banks and other financial institutions are subject to a number of compliance laws, an incident response plan is critical to ensure that they can rebound quickly and are not subject to regulatory fines.”
Ryan agrees. “Like almost any type of crisis, the more you can anticipate and prepare, the better the outcome will be,” he says, adding that each employee’s understanding of his or her role in the incident response plan is crucial. Ryan says a solid plan “lays out the escalation process to keep management informed and involved, and details the methodologies and preapproved vendors so they can be mobilized quickly.”
An incident response plan should consider the most common potential IT security threats and how to deal with them, experts say. For community banks, Marshall says this includes plans for dealing with ransomware, commercial account takeover and distributed denial-of-service (DDoS) attacks.
Kunnen adds that any plan should also be easily adaptable to the situation at hand. “Firefighters spend much more time preparing for when the alarm goes off, so when it does, they are in their gear and on the way in record time to fight a fire which they have prepared to battle,” he says.
With that idea in mind, Kunnen and other industry experts encourage community banks to make sure their incident response plan isn’t just a document to appease the regulators. “It needs to be a tabletop exercise that should lead to a functional exercise, making sure you are able to truly do what you claim is possible and adjust where necessary,” he advises.
Similarly, Richard Roscher, sales manager in the fintech space at First Data Corp., points out that “a data breach can not only hurt your customer, it hurts your financial institution as a whole due to customer confidence.” He recommends researching the latest fraud security products for financial institutions, since they improve every year.
All hands on deck
Julig believes the main tenet of any incident response plan is teamwork, usually led by the chief information security officer. “The first time [IT security] meets the bank counsel should not be during an actual incident response,” he says.
Steve Sanders, vice president of internal audit for Computer Services, Inc., believes an often-overlooked plan component is communication. “How will the bank communicate with their customers, vendors, regulators and the media?” Sanders asks. “What is the message, and how is that message vetted before distribution? Who delivers the message, and are all other employees well-trained to know they are not to speak to anyone about the incident without clear instructions from an authorized party within the bank?”
Fortunately, community banks have affordable options for assistance in developing their own incident response plans. Cybersecurity training company SANS Institute has a number of free resources, says DJ Landreneau, vice president of customer success for DefenseStorm, which offers a cloud-based cybersecurity solution. For example, the SANS Incident Handler’s Handbook lists items that bankers should incorporate into their plan, among them a written policy, a cross-disciplined team, training and practice.
While cyberattacks can sometimes feel like a “future” problem, the threat is real right now, so a clear and practical plan is a business imperative for community banks.
Karen Epper Hoffman is a writer in Washington state.
Incident response in four steps
Itzik Kotler, SafeBreach CTO and cofounder, offers his tips:
1. Diagnose the issue. Security teams need to determine if this task will be performed by an internal team or outsourced to a managed service provider.
2. Collect forensics data. Just like with crime scenes, the most important thing to do is ensure all information related to the incident is collected. This not only determines the right remediation activities, it also prevents future incidents.
3. Communicate the incident. A communication plan must be defined to notify affected customers and legal entities. Security teams will need to work with their PR and legal firms to brief all the proper stakeholders, including the CEO and board.
4. Conduct a post-breach analysis. This measures metrics such as time to detect, time to recover and time to respond in order to improve performance during future incidents.
Copyright of Independent Banker is the property of Independent Community Bankers of America and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.