Financial regulators continue to sound the alarm about cybersecurity. The Federal Financial Institutions Examination Council (“FFIEC”) conducted a cybersecurity webinar on May 7, 2014, targeted at senior management of community banks. The FFIEC noted that attacks on smaller institutions are escalating in number and sophistication. The presenters noted that too many banks regard cybersecurity as the sole responsibility of either their IT team or a third-party vendor. While community banks recognize the fraud threat of account takeover and wire fraud, the FFIEC says few recognize that the end of life of a third-party software product is a critical threat as well. As a software tool reaches the end of its life, internal and external oversight diminishes. Fraudsters are well aware of this trend and target the resulting decline in care, ramping up efforts to exploit weaknesses that the software vendor has little incentive to identify and correct. The risk is heightened by the strong consolidation in the industry, which leaves just a handful of commonly used platforms.
In a speech delivered on May 16, 2014, the Comptroller of the Currency, Thomas Curry, also sounded the alarm about consolidation in the world of third-party service providers. He also expressed concern about banks’ increasing reliance on foreign vendors or foreign-based subcontractors of U.S. vendors. Curry reminded the audience that bank regulators have long-standing guidance on both vendor selection and country risk.
On March 26, 2014, the SEC convened a roundtable on cybersecurity. In a discussion about risks to broker-dealers and investment advisers, roundtable participants sounded common themes. First, the hijacking of consumer e-mail accounts is rampant, but asset managers continue to interact by e-mail because customers prefer the ease of communication. They also identified a significant data breach as being able to “bring down an IA.” Notwithstanding this, they acknowledged that most investment advisers are small businesses and that it is unrealistic to expect them to have an incident response infrastructure. Instead, participants recommended that firms focus on where sensitive data is housed and all the ways in which it can be accessed. With limited resources, firms should focus on protecting the most important information 110 percent rather than spreading resources firm-wide for only 75 percent protection. The panelists agreed that protection against cybercrime has to be holistic and cannot be relegated to IT.
Katharine Musso is a partner in Jones Walker’s Banking & Financial Services Practice Group and is head of the firm’s Birmingham office. She has over 25 years of experience representing banks and financial institutions before state and federal regulators, and regularly advises clients on compliance issues relating to risk management. She is a Certified Fraud Examiner and a Certified Anti-Money Laundering Specialist.