According to the American Bankers Association’s 2013 Deposit Account Fraud Survey, banks stopped $13 billion in fraud attempts in 2012. Still, with the expansion of financial institutions’ use of electronic data and increased trends in cybercrime, it’s only a matter of time before the next data breach occurs. And when it does, banks again will absorb the cost of reissuing cards to their customers to prevent further loss or identity theft.
But the way an institution responds to a breach can determine the severity of its impact. Regulatory guidance dictates that every financial institution develop and implement an incident response program (IRP) designed to address unauthorized access to sensitive customer information.
At a minimum, an institution’s IRP should contain procedures for:
- Assessing the nature and scope of an incident and identifying the customer information systems and types that have been accessed or misused
- Promptly notifying the primary federal regulator when the institution becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information
- Filing a timely Suspicious Activity Report (SAR). And in situations involving federal criminal violations requiring immediate attention, including that a reportable violation is ongoing and promptly notifying appropriate law enforcement
- Taking appropriate steps to contain and control the incident to prevent further misuse of customer information
- Notifying customers, when warranted, in a manner that they can reasonably be expected to receive
Keep in mind that, if a breach does occur, an institution will inevitably receive inquiries from the general public. So, within the IRP—and similar to disaster recovery plans—an incident response team should be identified, and may perhaps consist of the same individuals pinpointed for the disaster recovery team. This team can help determine how communication will be shared, and develop necessary talking points.
Moreover, an accomplished public relations firm can be invaluable in supplying informative and beneficial assistance. Knowing what to say, and what not to say, could save an institution unwanted legal risk, and is well worth the time and cost involved. Banks also should consider placing a public relations firm on retainer, before an incident occurs.
Financial institutions also must train all employees identified within their IRPs just as they would their disaster recovery plans. Tabletop exercises, for instance, cannot be emphasized enough.
So, being prepared to respond quickly—and effectively—to instances of cybercrime puts your institution in a stronger position to recover from any damages, either monetary or reputational, you may encounter.
Check back next week as we explore how to plan for customer and regulator breach notifications.
Keith Monson is vice president of application compliance for Computer Services, Inc. (CSI). In this role, Keith maintains focus on CSI’s compliance initiatives to establish and build out an enterprise-wide compliance framework for risk assessment and reporting, issue management and other key components of CSI’s corporate compliance program.