Pub. 7 2016 Issue 1

www.wvbankers.org 18 West Virginia Banker

Cyber Risks – A Board Primer
By Timothy R. Moore, Spilman Thomas & Battle

Cyber-risk is a witch’s brew of reputational, operational, legal and financial dangers. It is a statistical certainty that your financial institution will suffer a cyber-intrusion at some point. Although such an incident may pose an existential hazard to a financial institution, each incident need not be disastrous. There are several factors that weigh into determining how damaging any intrusion will be, but board preparedness is oftentimes determinative. If the board is educated and prepared, then the attack’s effect will be blunted. If not, then the intrusion may be devastating to the bank, its shareholders and its customers. Therefore, the seminal question for your board becomes whether it is truly committed to leading in cyber-preparedness.

The first step to cyber-preparedness is education. It is incumbent on each member of the board to be proactive in learning about the current cyber risks and appreciating the risks posed by each. A board needs to understand the basics of who, why and how it is to be prepared.

Who are the hackers?
a. Organized crime
b. Hacktivists
c. Insiders
d. Nation States

What motivates the hackers of today?
a. Espionage
b. Fraud
c. Disruption
d. Destruction
e. Social or political message (Hacktivists)
f. Undermining reputation or overall confidence (Hacktivists and Insiders)
g. Building reputation/recruiting (Hacktivists)
h. War

What are their strengths?
a. Technical expertise
b. International reach
c. Anonymity
d. Financial sponsors
e. Weak legal reach

What are the threats?
a. Malicious software (or malware) – Includes viruses, worms, trojans, spyware, botnets, logic bombs, phishing and spear phishing.
b. Distributed Denial of Service (“DDoS”) – A DDoS attack is when a hacker utilizes hijacked computers (usually via malware) from many disparate locations to send simultaneous requests to a target. The purpose is to cause a shutdown of the site.
c. Automated Clearinghouse (“ACH”)/payment account takeover – A type of identity theft in which hackers gain control of a business account by stealing its online business credentials.
d. Data leakage – Unauthorized transmission of information to someone outside the company.
e. Third party/cloud or vendor risks – The risks inherent in having vendor relationships. Although the institution may not have direct control over the risks, those risks may be mitigated by proper due diligence and monitoring of the vendors.
f. Mobile/web application vulnerabilities – Weaknesses in mobile applications or internet-facing web servers. Hackers use tools to gain control of the consumer’s mobile platform to gather information or control the payment web server.
g. Weakness in project management or change management – These weaknesses undermine the institution’s procedures and policies, delay vulnerability discovery and mitigation, and expose systems and sensitive data to intruders. In other words, an institution can have the best plan in the world, and it will not be effective if it does not have the right people and talent in charge of the plan’s implementation.
