INDEPENDENT BANKER
Nuts & Bolts
PAYMENTS
TECHNOLOGY
OPERATIONS
CYBERSECURITY WORLD
Is your incident response plan ready?
As community banks come to grips with the new environment of data
breaches, ransomware and other cyberattacks, developing a strategy for
responding to these types of incidents has become a requirement.
By Karen Epper Hoffman
Today, information security is less about if your organization will be breached, and more about when, as
information security professionals find cybercriminals outpacing their own ability to prevent attacks.
Community banks, like businesses in all sectors, are dealing with the reality of an inevitable breach
by developing incident response plans for the weeks, days or hours after a breach has been spotted.
“Incident response is critical to defend institutional assets and customer information,” says Jeff
Julig, vice president and chief information security officer at financial services company SWBC in San Antonio,
Texas. “When you have a dynamic and complex threat, it is prudent to prepare a plan against it,” just as a bank
would have a plan in place for potential branch robberies.
Jason Malo, senior executive advisor at research and advisory firm CEB, now Gartner, believes all financial institutions need a response plan for incidents that affect them—both internal and external.
“Incident response is not just a technology role,” Malo says. “Customers need to feel their bank is protecting them. Community banks especially need to be well-prepared so that their customers don’t feel they need to go to a big bank with a big security budget to be protected.”
Kyle Kunnen, senior vice president and information security officer for $3.14 billion-asset Mercantile Bank of Michigan, says having an incident response plan is as important as having a recovery plan for natural disasters, especially since cybersecurity incidents are far more frequent. “The threat landscape has changed dramatically over the years,” Kunnen says. “The days of hackers trying to prove to themselves and others they can do something is long gone. … Every one of these bad actors is after your data, intelligence, anything that will make or save them money or push their agenda.”
Jackie Marshall, senior manager of consulting services at ProfitStars, agrees that cyber-resiliency among banks partially depends on an established arsenal of response and recovery plans. “Cyberattackers’ goals may be financially motivated. Bank and bank customers’ data are some of the most desirable targets for cybercriminals,” she says.
What is Sheltered Harbor?
Launched last year, the Sheltered Harbor initiative allows financial institutions to store their critical account data in an encrypted, secure vault,
keeping it safe in the event of a data breach. Should a bank experience a
breach, it would work with a “restoring institution”—another member—to
access its vault and the secured customer data within, and maintain customer account access. ICBA is one of the US financial services industry
participants that have worked to make Sheltered Harbor a reality.
“We have been involved since the start, and we are members of the board,”
says Jeremy Dalpiaz, ICBA assistant vice president for cyber and data security policy. “Because this is an industry-led initiative, that is the benefit. It is
very focused on the customer.”
Dalpiaz highly recommends that community banks invest in this kind of
resiliency. “Community banks are a trusted financial resource, and there is
trust in relationship banking,” he says. “It is pivotal to secure customer data
to keep that trust should a breach happen.”
To learn more about Sheltered Harbor or sign up, visit shelteredharbor.org.
Preparing a plan
The first step in planning for a breach
is clarifying what exactly constitutes
an incident “so that employees are
able to recognize a potential incident
and get incident responders involved
promptly,” says Timothy P. Ryan, principal for EY Fraud Investigation and
Dispute Services. Ryan advises that
every incident response plan include
“well-defined escalation procedures
detailing the steps the company will
go through to escalate potential incidents for analysis and response.”
Next, a response plan will detail
who will do what, and when. “A
robust incident response plan outlines
a variety of policies and processes for
security teams to remediate, recover
and quickly get back to business,”
explains Itzik Kotler, chief technology
officer and cofounder of SafeBreach,
which has developed a simulated
breach and attack platform. “Because
community banks and other financial
institutions are subject to a number of
compliance laws, an incident response
plan is critical to ensure that they can
rebound quickly and are not subject to
regulatory fines.”
Ryan agrees. “Like almost any type
of crisis, the more you can anticipate
and prepare, the better the outcome
will be,” he says, adding that each
employee’s understanding of his or
her role in the incident response plan
is crucial. Ryan says a solid plan “lays
out the escalation process to keep
management informed and involved,
and details the methodologies and
preapproved vendors so they can be
mobilized quickly.”
September 2017
An incident response plan should
consider the most common potential IT security threats and how to
deal with them, experts say. For
community banks, Marshall says
this includes plans for dealing with
ransomware, commercial account
takeover and distributed denial-of-service (DDoS) attacks.
Kunnen adds that any plan should
also be easily adaptable to the situation at hand. “Firefighters spend much
more time preparing for when the
alarm goes off, so when it does, they
are in their gear and on the way in
record time to fight a fire which they
have prepared to battle,” he says.
With that idea in mind, Kunnen
and other industry experts encourage
community banks to make sure their
incident response plan isn’t just a document to appease the regulators. “It
needs to be a tabletop exercise that
should lead to a functional exercise,
making sure you are able to truly do
what you claim is possible and adjust
where necessary,” he advises.
Similarly, Richard Roscher, sales
manager in the fintech space at
First Data Corp., points out that “a
data breach can not only hurt your
customer, it hurts your financial
institution as a whole due to customer confidence.” He recommends
researching the latest fraud security
products for financial institutions,
since they improve every year.
All hands on deck
Julig believes the main tenet of any
incident response plan is teamwork,
usually led by the chief information
security officer. “The first time [IT
security] meets the bank counsel
should not be during an actual incident response,” he says.
Steve Sanders, vice president
of internal audit for Computer
Services, Inc., believes an often-overlooked plan component is
communication. “How will the bank
communicate with their customers,
vendors, regulators and the media?”
Sanders asks. “What is the message,
and how is that message vetted before
distribution? Who delivers the message, and are all other employees
well-trained to know they are not to
speak to anyone about the incident
without clear instructions from an
authorized party within the bank?”
Fortunately, community banks
have affordable options for assistance
in developing their own incident
response plans. Cybersecurity training company SANS Institute has
a number of free resources, says
DJ Landreneau, vice president of
customer success for DefenseStorm,
which offers a cloud-based cybersecurity solution. For example, the
SANS Incident Handler’s Handbook
lists items that bankers should incorporate into their plan, among them
a written policy, a cross-disciplined
team, training and practice.
While cyberattacks can sometimes
feel like a “future” problem, the
threat is real right now, so a clear and
practical plan is a business imperative
for community banks.
Karen Epper Hoffman is a writer in
Washington state.
Incident response in four steps
Itzik Kotler, SafeBreach CTO and
cofounder, offers his tips:
1. Diagnose the issue. Security teams need to determine if this task will be performed by an internal team or outsourced to a managed service provider.
2. Collect forensics data. Just like with crime scenes, the most important thing to do is ensure all information related to the incident is collected. This not only determines the right remediation activities, it also prevents future incidents.
3. Communicate the incident. A communication plan must be defined to notify affected customers and legal entities. Security teams will need to work with their PR and legal firms to brief all the proper stakeholders, including the CEO and board.
4. Conduct a post-breach analysis. This measures metrics such as time to detect, time to recover and time to respond in order to improve performance during future incidents.
independentbanker.org
ICBA IndependentBanker
Copyright of Independent Banker is the property of Independent Community Bankers of
America and its content may not be copied or emailed to multiple sites or posted to a listserv
without the copyright holder's express written permission. However, users may print,
download, or email articles for individual use.