
PAYMENTS TECHNOLOGY OPERATIONS

Nuts & Bolts

Is your incident response plan ready?

As community banks come to grips with the new environment of data breaches, ransomware and other cyberattacks, developing a strategy for responding to these types of incidents has become a requirement.

By Karen Epper Hoffman

CYBERSECURITY WORLD

Today, information security is less about if your organization will be breached, and more about when, as information security professionals find cybercriminals outpacing their own ability to prevent attacks.

Community banks, like businesses in all sectors, are dealing with the reality of an inevitable breach by developing incident response plans for the weeks, days or hours after a breach has been spotted.

“Incident response is critical to defend institutional assets and customer information,” says Jeff Julig, vice president and chief information security officer at financial services company SWBC in San Antonio, Texas. “When you have a dynamic and complex threat, it is prudent to prepare a plan against it,” just as a bank would have a plan in place for potential branch robberies.

Jason Malo, senior executive advisor at research and advisory firm CEB, now Gartner, believes all financial institutions need a response plan for incidents that affect them—both internal and external.

“Incident response is not just a technology role,” Malo says. “Customers need to feel their bank is protecting them. Community banks especially need to be well-prepared so that their customers don’t feel they need to go to a big bank with a big security budget to be protected.”

Kyle Kunnen, senior vice president and information security officer for $3.14 billion-asset Mercantile Bank of Michigan, says having an incident response plan is as important as having a recovery plan for natural disasters, especially since cybersecurity incidents are far more frequent. “The threat landscape has changed dramatically over the years,” Kunnen says. “The days of hackers trying to prove to themselves and others they can do something is long gone. … Every one of these bad actors is after your data, intelligence, anything that will make or save them money or push their agenda.”

Jackie Marshall, senior manager of consulting services at ProfitStars, agrees that cyber-resiliency among banks partially depends on an established arsenal of response and recovery plans. “Cyberattackers’ goals may be financially motivated. Bank and bank customers’ data are some of the most desirable targets for cybercriminals,” she says.

Preparing a plan

The first step in planning for a breach is clarifying what exactly constitutes an incident “so that employees are able to recognize a potential incident and get incident responders involved promptly,” says Timothy P. Ryan, principal for EY Fraud Investigation and Dispute Services. Ryan advises that every incident response plan include “well-defined escalation procedures detailing the steps the company will go through to escalate potential incidents for analysis and response.”

Next, a response plan will detail who will do what, and when. “A robust incident response plan outlines a variety of policies and processes for security teams to remediate, recover and quickly get back to business,” explains Itzik Kotler, chief technology officer and cofounder of SafeBreach, which has developed a simulated breach and attack platform. “Because community banks and other financial institutions are subject to a number of compliance laws, an incident response plan is critical to ensure that they can rebound quickly and are not subject to regulatory fines.”

Ryan agrees. “Like almost any type of crisis, the more you can anticipate and prepare, the better the outcome will be,” he says, adding that each employee’s understanding of his or her role in the incident response plan is crucial. Ryan says a solid plan “lays out the escalation process to keep management informed and involved, and details the methodologies and preapproved vendors so they can be mobilized quickly.”

What is Sheltered Harbor?

Launched last year, the Sheltered Harbor initiative allows financial institutions to store their critical account data in an encrypted, secure vault, keeping it safe in the event of a data breach. Should a bank experience a breach, it would work with a “restoring institution”—another member—to access its vault and the secured customer data within, and maintain customer account access. ICBA is one of the US financial services industry participants that have worked to make Sheltered Harbor a reality.

“We have been involved since the start, and we are members of the board,” says Jeremy Dalpiaz, ICBA assistant vice president for cyber and data security policy. “Because this is an industry-led initiative, that is the benefit. It is very focused on the customer.”

Dalpiaz highly recommends that community banks invest in this kind of resiliency. “Community banks are a trusted financial resource, and there is trust in relationship banking,” he says. “It is pivotal to secure customer data to keep that trust should a breach happen.”

To learn more about Sheltered Harbor or sign up, visit shelteredharbor.org.

ICBA IndependentBanker September 2017, independentbanker.org

An incident response plan should consider the most common potential IT security threats and how to deal with them, experts say. For community banks, Marshall says this includes plans for dealing with ransomware, commercial account takeover and distributed denial-of-service (DDoS) attacks.

Kunnen adds that any plan should also be easily adaptable to the situation at hand. “Firefighters spend much more time preparing for when the alarm goes off, so when it does, they are in their gear and on the way in record time to fight a fire which they have prepared to battle,” he says.

With that idea in mind, Kunnen and other industry experts encourage community banks to make sure their incident response plan isn’t just a document to appease the regulators. “It needs to be a tabletop exercise that should lead to a functional exercise, making sure you are able to truly do what you claim is possible and adjust where necessary,” he advises.

Similarly, Richard Roscher, sales manager in the fintech space at First Data Corp., points out that “a data breach can not only hurt your customer, it hurts your financial institution as a whole due to customer confidence.” He recommends researching the latest fraud security products for financial institutions, since they improve every year.

All hands on deck

Julig believes the main tenet of any incident response plan is teamwork, usually led by the chief information security officer. “The first time [IT security] meets the bank counsel should not be during an actual incident response,” he says.

Steve Sanders, vice president of internal audit for Computer Services, Inc., believes an often-overlooked plan component is communication. “How will the bank communicate with their customers, vendors, regulators and the media?” Sanders asks. “What is the message, and how is that message vetted before distribution? Who delivers the message, and are all other employees well-trained to know they are not to speak to anyone about the incident without clear instructions from an authorized party within the bank?”

Fortunately, community banks have affordable options for assistance in developing their own incident response plans. Cybersecurity training company SANS Institute has a number of free resources, says DJ Landreneau, vice president of customer success for DefenseStorm, which offers a cloud-based cybersecurity solution. For example, the SANS Incident Handler’s Handbook lists items that bankers should incorporate into their plan, among them a written policy, a cross-disciplined team, training and practice.

While cyberattacks can sometimes feel like a “future” problem, the threat is real right now, so a clear and practical plan is a business imperative for community banks.

Karen Epper Hoffman is a writer in Washington state.


Incident response in four steps

Itzik Kotler, SafeBreach CTO and cofounder, offers his tips:

1. Diagnose the issue. Security teams need to determine if this task will be performed by an internal team or outsourced to a managed service provider.

2. Collect forensics data. Just like with crime scenes, the most important thing to do is ensure all information related to the incident is collected. This not only determines the right remediation activities, it also prevents future incidents.

3. Communicate the incident. A communication plan must be defined to notify affected customers and legal entities. Security teams will need to work with their PR and legal firms to brief all the proper stakeholders, including the CEO and board.

4. Conduct a post-breach analysis. This measures metrics such as time to detect, time to recover and time to respond in order to improve performance during future incidents.


Copyright of Independent Banker is the property of Independent Community Bankers of America and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.