Pub. 5 2014 Issue 3

www.wvbankers.org 22 West Virginia Banker Recent legal headlines have been filled with news about data breaches and lapses of information security across all sectors of the economy. Hospitals, colleges, and even major international retailers such as Target and Home Depot have all experienced breaches, some affecting tens of millions of customers and costing hundreds of millions of dollars. B anks are no exception to this trend. As just one example, hackers recent- ly gained access to banking giant JPMorgan Chase & Co.’s corporate net- work, potentially compromising sensitive customer and financial information. The attack was so sophisticated that security experts have suggested that it might have been sponsored by a foreign state. Of- ten reported alongside the details of this attack is JPMorgan’s annual cybersecurity budget, which is approximately $250 million per year. Smaller financial institutions may look at this situation and lose hope. If a quarter of a billion dollars isn’t enough to stop an attack, what hope does the little guy have? This concern is understandable, but it overstates the problem. Perfect protection and total security are unattainable. The real goal is far more simple: be prepared. To this end, we often advise our clients to follow five basic steps: (1) Understand the risks; (2) Address your legal obligations; (3) Reduce incident risk; (4) Plan ahead; and (5) Stay vigilant. By following these five steps, a financial institution can do the analyses and adopt the procedures necessary to help protect itself from the legal liability and reputa- tional harm wrought by data breaches and other cybersecurity incidents. Understand the Risks The first thing an institution must do to protect itself is evaluate the risks specific to that institution. That includes under- standing key parts of your IT infrastruc- ture, including the kinds of data you keep, where it is obtained, who you send it to, who has access, and who your vendors are. Understanding how your company collects, uses, and discloses information is a critical first step toward effective gover- nance. Five Basic Steps for Dealing with Cybersecurity Threats By Kurt R. Hunt,member of Dinsmore & Shohl, LLP’s Corporate Department