COVER STORY Four Key Cybersecurity Questions


FINANCIAL INSTITUTION MANAGEMENT SHOULD BE ASKING Daniel Nelson, Jeffrey Schultz, and Paul Cambridge, Armstrong Teasdale


Cybersecurity can seem like a black box, the contents of which are known only to a highly-skilled few. Unfortunately, statutes, regulations, juries, bank examiners, and investors increasingly expect non-technical senior executives and boards to understand enough about cybersecurity requirements to be able to adequately manage one of the largest risk areas facing financial institutions. Understanding the key basics of cybersecurity can help a


financial institution and its senior management put effective policies and procedures in place to help proactively protect against a breach and to help address a breach once a financial institution’s IT systems have been compromised. Generally, every financial institution must maintain at least “reasonable” cybersecurity. Of course, the term “reasonable” provides little meaningful guidance for senior management, but more specific standards are beginning to emerge. These standards support a more informed conversation between senior management and a financial institution’s IT/information security team.


Jeffrey Schultz is a St. Louis-based litigation partner and co-leader of Armstrong Teasdale’s Privacy and Data Security practice. He is a Certified Information Privacy Professional (CIPP/US) and routinely advises clients on implementing strategies to control and remedy data breaches. Jeff may be emailed at jschultz@armstrongteasdale.com.


In particular, the New York Department of Financial


Services’ (the “NYDFS”) recently promulgated Cybersecurity Requirements for Financial Services Companies1


(the “NYDFS


Regulations”), provide one key regulator’s views on mandatory requirements for good financial institution cybersecurity. Some in the financial services industry may downplay the importance of the NYDFS Regulations because they are not directly subject to the NYDFS’s jurisdiction. This, we think, would be a mistake. “Reasonable” security will ultimately be defined by expert witnesses in courtrooms and by regulators across the country. Because New York was first to implement a comprehensive cybersecurity regulation for the financial services industry, other states’ banking regulators may look to the NYDFS as setting the standard in financial institution cybersecurity policies and procedures. The NYDFS Regulations will likely play an increasingly prominent role in the definition of “reasonable” security and all financial institutions will be well-served by looking to the NYDFS Regulations as standard practices.


Daniel Nelson is a litigation partner in the Denver office of Armstrong Teasdale where he is co- leader of the firm’s Privacy and Data Security practice. He is a Certified Ethical Hacker (C|EH) and a Certified Information Privacy Professional (CIPP/US), offering clients a unique perspective on vulnerability and data protection. Dan may be emailed at dnelson@armstrongteasdale.com.


Paul Cambridge is a partner in the St. Louis office of Armstrong Teasdale where he is co-leader of the firm’s Financial Services and Banking practice. Paul’s practice focuses on all aspects of the legal and regulatory matters faced by financial institutions. Paul may be emailed at pcambridge@armstrongteasdale.com.


Understanding the key basics of cybersecurity can help a financial institution and its senior management put effective policies and procedures in place to help proactively protect against a breach and to help address a breach once a financial institution’s IT systems have been compromised.


8


MIDWEST INDEPENDENT BANK MIBANC.com


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16