U.S. Treasury Deputy Secretary Raskin Provides Recommendations for Executives and Boards Regarding Cybersecurity (with Isajiw Comment)
U.S. Treasury Deputy Secretary Sarah Bloom Raskin spoke at the Texas Bankers' Association Executive Leadership Cybersecurity Conference, providing a "roadmap" for CEOs of information regarding cybersecurity and cyberattacks.
Ms. Raskin provided a series of questions and answers regarding steps CEOs and their firms can take before and after a cyberattack.
In her first set of recommendations, Ms. Raskin focused on "baseline protection," or the policies and controls that firms can adopt to "prevent penetration of their networks and systems" and minimize damage. Ms. Raskin stated that cybersecurity should be an integral part of a firm's "enterprise risk management framework," which should include policies, procedures, and other controls that address, identify, and anticipate cyber threats that technology solutions cannot control. According to Ms. Raskin, the National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity" provides a "well-considered" risk-based approach to strengthening critical cybersecurity infrastructure.
Ms. Raskin further explained that while vendors and third-party service providers expose certain companies to risk, that risk can be reduced by (i) knowing who has access to the bank's systems, (ii) ensuring that those parties have robust safeguards in place, and (iii) monitoring third parties to guarantee that everyone is adhering to protections and protocols. Ms. Raskin recommended that banks engage in "basic cyber hygiene," which includes knowing what runs on the firm's network, knowing who has access to it, and fixing bugs and vulnerabilities in a timely manner.
Next, Ms. Raskin addressed sharing "timely, actionable information" regarding cyber vulnerabilities and incidents among institutions, which she said allows firms to "benefit from the experience of others." She mentioned that the Financial Services Information Sharing and Analysis Center provides declassified threat and vulnerability information to the information-sharing center, which disseminates information to member firms.
Lastly, Ms. Raskin made recommendations about response and recovery from cyberattacks, encouraging firms to create a detailed "cyber incident playbook" that, among other things, designates a "point person" for managing response and recovery. With regard to senior leaders and the board, Ms. Raskin explained that leaders should be well informed of their role during a cyber incident, including which matters should be reported to the CEO. Ms. Raskin advised leaders of firms to cultivate relationships with the U.S. Secret Service and FBI field offices, which have personnel dedicated to cybersecurity. Finally, Ms. Raskin recommended that when communicating with customers and the general public, firms provide clear, consistent information while avoiding technical jargon and legalese.
Isajiw Comment: With these comments, Treasury joins the SEC and other regulators in saying that cybersecurity must be a high priority in the C-suite of financial services institutions. Arguably, cyber threats are a greater risk to the economy than terrorism. Even one serious breach could cause a customer confidence crisis that cripples a financial services firm.
Ms. Raskin's 10 questions, and her detailed analysis of issues potentially involved in the answering of each, provide financial institutions with an excellent road map for evaluating the strengths and weaknesses of their cybersecurity protocols. Those 10 questions are:
1. Is cyber risk part of our current risk management framework?
2. Do we follow the NIST Cybersecurity Framework?
3. Do we know the cyber risks that our vendors and third-party service providers expose us to, and do we know the rigor of their cybersecurity controls?
4. Do we have cyber risk insurance?
5. Do we engage in basic cyber hygiene?
6. Do we share incident information with industry groups? If so, when and how does this occur?
7. Do we have a cyber-incident playbook and who is the point person for managing response and recovery?
8. What roles do senior leaders and the board play in managing and overseeing the cyber incident response?
9. When and how do we engage with law enforcement after a breach?
10. After a cyber incident, when and how do we inform our customers, investors and the general public?
Here, Treasury is giving firms an outline to prepare in advance for what is likely to be significant regulatory scrutiny of cybersecurity concerns. Firms are well advised to use this information to proactively assess and, where appropriate, remediate any cybersecurity weaknesses. Adherence to these best practices will likely benefit firms in connection with both responding to regulatory scrutiny and defending the civil lawsuits that will follow any high-profile breach.
See: Deputy Secretary Raskin's Remarks.
Related news: Comptroller Curry Discusses Cybersecurity at Community Banks (November 7, 2014); NIST Issues "Framework for Improving Critical Infrastructure Cybersecurity"; SIFMA Event to Follow (with Wainstein and Clearfield Comment) (February 12, 2014); FFIEC Releases Cybersecurity Assessment Observations (November 4, 2014); Cybersecurity Insight (Peter Isajiw and John Vazquez) (July 28, 2014); Cadwalader C&F Alert: DOJ and FTC Release Joint Antitrust Policy Statement Regarding Sharing of Cybersecurity Information (April 15, 2014).