Increasing digitization and rapid advances in technologies such as machine learning and artificial intelligence for trading and advisory services in the banking sector have raised the threat level for cyberattacks on financial institutions. Not only in view of the conflict in Ukraine and the sanctions imposed on Russia, but also because those technologies may themselves be a potential avenue for attack, experts and authorities such as the U.S. Federal Bureau of Investigation have issued warnings of an increased risk of cyberattacks from Russian-linked actors that could have a significant, destructive impact on the financial sector.
Risks, response, and remediation
Cyber criminals typically target personal information held and processed by firms. In the financial sector, an obvious risk is to account details or other financial data of account holders. Failure to take appropriate steps to prevent cyberattacks in the financial sector can lead to a variety of consequences, including loss of reputation, claims for damages by customers and affected individuals, as well as fines and other official sanctions. These risks significantly increase if the firm fails to properly mitigate the impact of the incident.
As these consequences can be very far-reaching, firms would do well to take timely, active precautions and measures to prevent a cyberattack and a possible data breach, and to be able to address and mitigate these risks if an incident does occur.
Crisis response team
In the event of a cyberattack, especially if there is a risk that customer personal or financial data have been accessed or even exfiltrated, a rapid and uncompromising response is crucial. In order to be able to respond quickly, firms should regularly update and stress-test their incident response processes, involving all relevant internal functions, including IT-Security/CISO, Legal, Compliance/Risk/Audit, PR as well as external legal counsel and cyber forensic experts.
Technical and organizational measures
Firms will at some point be required to demonstrate compliance not only with data protection but also specific IT security expectations applicable to the banking sector. For example, under German law, companies in the banking sector may be obliged to provide the German information security regulator, the Federal Institute for IT Security, with appropriate evidence of steps taken to prevent disruptions to the availability, integrity, authenticity and confidentiality of their IT systems, components or processes that are essential to the functioning of the infrastructures they operate. Financial institutions have similar obligations in the United States pursuant to the Gramm-Leach-Bliley Act and in the UK, the PRA, FCA and Bank of England have broad requirements in relation to operational resilience, which encompass cyber-security.
Communication strategy and document clearance
In the aftermath of a cyberattack, firms should, to the extent possible, ensure that all communications are approved by dedicated members of the crisis response team through a clearance process before being shared with third parties. Moreover, consideration should be given to protecting privileged materials by understanding varying privilege standards across the globe, and the way managing documents in one jurisdiction can impact their accessibility in others.
An appropriate communications strategy, which can be proactive, reactive or both, should be prepared in relation to customers, authorities and the media. This should be done as a priority to enable the organization to respond to urgent requests for information and provide the necessary transparency, as well as to demonstrate confidently the organization’s ability to deal with the incident. Ideally, a firm prepares basic scripts in advance, since public communications may be required immediately upon learning of an incident, and the way a company communicates is influential in brand management, litigation strategy and public relations more generally.
Reporting and notification requirements
Importantly, in the event of a cyberattack that results in a data breach, care must be taken to comply with all relevant notification requirements under applicable legislation. Such notification obligations exist, in particular, under the General Data Protection Regulation (EU or UK GDPR) but also under the European Union’s Directive on security of network and information systems (NIS Directive), a kaleidoscope of federal and specific state law requirements in the U.S., financial services regulators in the UK and other relevant national laws.
In addition, reporting obligations towards financial regulators (such as the FCA or BaFin), investors or other public or private bodies should be assessed and complied with. In certain jurisdictions, firms may also need to engage with other bodies regarding customer complaints (eg the Financial Ombudsman Service in the UK).
At the same time, the (potentially) affected customers may also need to be informed in accordance with relevant legislation. Depending on factors such as the type and severity of the data breach and the nature of the customer’s personally identifiable information, notifications may take the form of a website notice, or individual communications to each affected customer.
Joint Cybersecurity Advisory
From a technical cyber security perspective, providers of financial services should take note of and observe the information and recommendations very recently laid out by the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom in a joint Cybersecurity Advisory (CSA). This joint CSA was directed at operators of critical infrastructure in the face of the current high risk of Russia-related cyberattacks.
The CSA recommends patching known exploited vulnerabilities, enforcing multifactor authentication, securing and monitoring remote desktop protocol, and ensuring end-user awareness.
Even the best protective measures can never fully eliminate the risks associated with cyberattacks. Nevertheless, the following preparatory measures in particular can help to mitigate many of the risks associated with such incidents:
- assessing applicable notification requirements under relevant laws (data protection, critical infrastructure, banking regulation, etc.) in applicable jurisdictions (considering the potential extraterritorial scope of some relevant laws);
- maintaining necessary infrastructure and agreeing on standard processes, especially for handling mass requests from data subjects;
- defining roles and responsibilities in a dedicated and well-trained crisis response team including specialized legal and IT forensic consultants as well as crisis communication experts;
- having IT-infrastructure and protocols ready for emergency scenarios (especially separate backup systems and a choice of cleaning and recovery tools); and
- establishing, properly documenting and continuously reviewing and adapting a holistic data security approach with suitable technical and organizational measures.