Client Alert: Cybersecurity - "The Best Defense is a Good Offense"
Identify and address your vulnerabilities to help minimize your cyber risk and mitigate the damage to your organization should you become the victim of a cyber-attack.
Vince Lombardi's astute assessment of football, "The best defense is a good offense," also rings true in today's world of cybersecurity. In the wake of the highly publicized cyber-attacks on large corporations such as Target Corporation and Home Depot, and numerous banks throughout the country, attention to cybersecurity issues has increased drastically in recent years. Cyber-attacks are occurring more frequently and are becoming increasingly sophisticated. The reality is — you are vulnerable. But identifying and addressing your vulnerabilities can help minimize your cyber risk and mitigate the damage to your organization should you become the victim of a cyber-attack. Waiting until after a cyber-attack to take action would be like attempting a pass from the 1-yard line instead of handing it off to your star running back with less than a minute left in the game and victory hanging in the balance. You know what we're talking about...
Offensive Playbook: Assess & Manage Your Cybersecurity
Bank regulators have been urging executives and boards of directors to become more involved — to proactively engage in managing cybersecurity — and with cybersecurity in the spotlight, the time to act is now. To effectively oversee cybersecurity issues, executives and boards of directors should consider the following actions:
- Identify your cybersecurity risks and network vulnerabilities, then allocate resources to those vulnerabilities to strengthen your defense
- Determine what cybersecurity threats exist with respect to your third-party service providers
- Review all major data breaches and data breach attempts
- Examine current risks, issues, strategies and roadblocks for cybersecurity periodically with your information security officer and chief risk officer
- Verify that insurance coverage for cyber incidents is sufficient
- Designate an executive officer as the point person to report, monitor and review your cybersecurity information and risks
- Consult with legal, compliance, human resources and communications departments for contributions to your cybersecurity risk management
- Implement a cyber-attack rapid response plan
Defensive Formation: Disclosure Guidelines & Risk Factors
Cybersecurity refers to the technology, processes and practices designed to protect computers, networks and data from attacks, damage and unauthorized access. The SEC issued guidance relating to cybersecurity risks and cyber incidents, suggesting organizations disclose the risk of cyber incidents if the risk is significant. Such cybersecurity risk factors include:
- Aspects of your organization that place you at risk, with the potential costs and consequences
- Outsourced functions of your organization subject to risks
- A description of any material cyber incidents or attempts on your organization
- The risk that cyber incidents may go undetected for a period of time
- A description of your insurance coverage for cybersecurity breaches
Item of Interest
Disclosure, risk assessment, compliance with SEC and regulatory guidelines, as well as the immediate and appropriate response to breaches, should help protect your organization from intrusions, negative publicity, enforcement actions and litigation.
You may also need to disclose cybersecurity risks and incidents in the following sections of your Form 10-Ks, if applicable:
- Management’s Discussion and Analysis
- Description of Business
- Legal Proceedings
- Financial Statement Disclosures
- Disclosure Controls and Procedures
On the Field: Cybersecurity & The Financial Industry
The threat of cyber-attacks is real and widespread, with the potential to severely impact the entire financial industry. As a result, financial institutions may have the added burden of covering the risk factors related to cyber-attacks on third parties that may result in losses to their organization, in addition to the risks to their own systems. In light of the SEC’s increased attention to cybersecurity, we recommend including a cybersecurity risk factor, or reviewing and updating your current cybersecurity risk factor, in your filings with the SEC to highlight the risks of a cyber-attack on your organization, if applicable.
- FFIEC, Executive Leadership of Cybersecurity
- FFIEC, Cybersecurity Assessment General Observations
- CSBS, Cybersecurity 101: A Resource Guide for Bank Executives
- SEC, CF Disclosure Guidance: Cybersecurity
For assistance regarding how to disclose cybersecurity risks or guidance for your board of directors and executives regarding their roles in monitoring cybersecurity risks, please contact one of our attorneys.