BankBryanCave.com

Bank Bryan Cave

Cybersecurity

Main Content

Do you get Bragging Rights if the Malware Infecting your Computer was Named after Zeus?

April 17, 2017

Authors

Jerry Blanchard and David Zetoony

Do you get Bragging Rights if the Malware Infecting your Computer was Named after Zeus?

April 17, 2017

by: Jerry Blanchard and David Zetoony

Over the last decade as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into the use of cyber fraud insurance as one means of minimizing risk. A recent decision by the 8th Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.

In 2011, an employee at Bellingham State Bank in Minnesota initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and

Read More

What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?

January 23, 2017

Authors

David Zetoony

What Will The Proposed New York Cybersecurity Requirements For Financial Institutions Really Make Companies Do?

January 23, 2017

by: David Zetoony

In early September 2016, the New York Department of Financial Services (“DFS”) proposed a set of data security regulations (the “Proposal”) that would govern financial institutions, banks, and insurance companies subject to the jurisdiction of the agency (“covered entities”).  After receiving public comments, DFS revised and resubmitted the Proposal on December 28, 2016.  If the Proposal ultimately goes into effect it would require that covered entities have a written information security policy (“WISP”) and outline specific provisions (substantive and procedural) that must be contained in that document.  While the Proposal has garnered a great deal of public attention, the majority of the provisions in the latest version are not unique.

Prior to the Proposal at least four states already required that if a company collected financial information about consumers within their

Read More

How Many Times Do We Have to Tell You Not to Open the Cat Video

April 11, 2016

Authors

Jerry Blanchard

How Many Times Do We Have to Tell You Not to Open the Cat Video

April 11, 2016

by: Jerry Blanchard

Everyone has been in a movie theater when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door. Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

  • “Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home
    Read More

Your Cybersecurity Expectations and Standards Have Just Gone Up

July 29, 2015

Authors

David Zetoony

Your Cybersecurity Expectations and Standards Have Just Gone Up

July 29, 2015

by: David Zetoony

On June 30, 2015, the FFIEC released a Cybersecurity Assessment Tool and User’s Guide (“Guide”) intended “to help institutions identify their risks and assess their cybersecurity preparedness.” Financial institutions handling sensitive customer data should view this as a mixed blessing.

It is often said by technology and cybersecurity experts that the question is not whether a company will experience a security breach, but when. The important question then is how the company responds to that breach. One implication of these statements is that an institution should do the best that it can, but that no one should be punished too severely when the inevitable breach occurs. It was, after all, unavoidable.

The release of the Cybersecurity Assessment Tool arguably changes that analysis. Now there are more specific standards against which institutions may be judged. Those who fail to conduct an adequate cybersecurity risk

Read More

FDIC Examinations and Cyberattack Risk

May 7, 2015

Authors

Jerry Blanchard and David Zetoony

FDIC Examinations and Cyberattack Risk

May 7, 2015

by: Jerry Blanchard and David Zetoony

FDIC bank examinations generally include a focus on the information technology (“IT”) systems of banks with a particular focus on information security. The federal banking agencies issued implementing Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third party service providers (“TSPs”).

The FDIC Office of the Inspector General recently issued a report evaluating the FDIC’s capabilities regarding its approach to evaluating bank risk to cyberattacks. The FDIC’s supervisory approach to cyberattack risks involves conducting IT examinations at FDIC-supervised banks and their TSPs; staffing IT examinations with sufficient, technically qualified staff; sharing information about incidents and cyber risks with regulators and

Read More

Negotiating a Mobile Banking Vendor Contract

October 8, 2014

Authors

Dan Wheeler

Negotiating a Mobile Banking Vendor Contract

October 8, 2014

by: Dan Wheeler

Adding or upgrading mobile banking is a major project, as is simply changing a bank’s vendor or service provider for mobile banking. This article summarizes the steps involved in doing so.

The banking regulators have all issued guidance on outsourcing activities to third parties. By any measure, a mobile banking service provider is a significant or critical relationship for a bank. The data security demands are significant and the bank is subject to significant strategic, reputation, operational, transaction, and compliance risks, among other risks.

Time may be the single most important consideration. To get the best deal for your bank, start the process of evaluating potential providers, selecting a vendor and negotiation a services agreement 12-18 months before an existing contract is due to renew or before your bank needs to launch a new service.

Due to the significant and high risk nature of mobile banking services, a bank should

Read More
The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.