Cybersecurity101 2019 Final With Links

CYBERSECURITY 101

A Resource Guide for Financial Sector Executives


THE PERSISTENT THREAT OF INTERNET ATTACKS IS A SOCIETAL ISSUE FACING ALL INDUSTRIES, ESPECIALLY THE FINANCIAL SERVICES INDUSTRY. ONCE LARGELY CONSIDERED AN IT PROBLEM, THE RISE IN FREQUENCY AND SOPHISTICATION OF CYBER-ATTACKS NOW REQUIRES A SHIFT IN THINKING ON THE PART OF FINANCIAL SECTOR EXECUTIVES THAT MANAGEMENT OF AN INSTITUTION’S CYBERSECURITY RISK IS NOT SIMPLY AN IT ISSUE, BUT A CEO AND BOARD OF DIRECTORS’ ISSUE.

CYBERSECURITY:

The ability to protect or defend the use of cyberspace from cyber-attacks.

– National Institute of Standards and Technology, NIST


A Letter From the
President and CEO
Colleagues,

I am proud to present to you the revised Conference of State Bank Supervisors (CSBS) Executive Leadership
of Cybersecurity (ELOC) Resource Guide, or “Cybersecurity 101.”

The number of cyber-attacks directed at financial institutions of all sizes continues to grow. Addressing new
threats requires a concerted effort by Chief Executive Officers (CEOs), Presidents, and Board Members.
Several years ago CSBS, on behalf of state regulators, launched the ELOC Initiative to engage bank
executives and provide them with the tools to address cybersecurity threats.

Since its initial publication, “Cybersecurity 101” has served as a valuable resource for countless bank
executives. In this update, however, you will notice several changes. Most notably, we removed previously
included technical information, such as detailed instructions for activities performed by your IT and
information security personnel. They will be incorporated into appendices and made available separately.
The guide has also been updated to address both bank and nonbank institutions. We intend this document
as a reference for both the banks that have formed the cornerstone of our economy for hundreds of years,
as well as the emerging technologies shifting our industry in exciting and challenging ways.

This guide is tailored to furnish Executives with the necessary tools to better understand and prepare for
the threats faced by their institutions.

Thank you for taking the initiative to make your institutions, your customers, and your communities safer
while online. Your leadership, determination, and willingness to adapt are instrumental to maintaining a
robust, secure financial system.

Sincerely,

John W. Ryan
President & CEO, Conference of State Bank Supervisors

CONTENTS

Introduction (3)
What Do We Mean When We Talk About Risk? (4)
Common Threats (5)
Questions Every CEO Should Ask (6)
How to Structure Your Information Security Program (7)
Identify (8)
Identifying Threats (8)
Measuring Risk (10)
Communicating Risk (10)
Protect (12)
Detect (17)
Respond (18)
Recover (21)
Glossary (22)
Resources (23)

2 CYBERSECURITY 101
INTRODUCTION

Financial institutions collect and protect highly sensitive information every day. The financial
services industry is a vital component of the nation’s critical infrastructure—banks and
nonbank financial institutions are the cornerstones of local communities, intrastate
commerce, and the U.S. economy.

As CEOs, Executives, and/or Board Members, you have the responsibility to adequately protect the
money and information entrusted to you by your consumers; losing the trust of your employees and
customers puts your institution at risk.

Cyber risks, like reputational and financial risks, threaten an institution’s bottom line. Attacks
can be costly and compromising to customer confidence, and the institution may even be held legally
responsible. Beyond the impact to an individual organization, though, cyber-attacks also have
far-reaching economic consequences. Due to the inherent interconnectedness of the internet, a security
breach at one financial institution can pose a significant threat to market confidence and the nation’s
financial stability, as well as to other financial institutions. But in this time of technological
advancement and interconnectedness, it can be challenging to know how to best defend your institutions.
With limited resources, how can risks be prioritized?

This guide addresses challenges faced by both bank and nonbank (also referred to as “non-depository”)
institutions. It is intended as an easily digestible, non-technical reference guide to help executives
develop a comprehensive, responsive cybersecurity program in line with best practices. As each institution
is different, the advice in this guide can be easily customized to meet your organization’s unique threats,
priorities, and challenges. While this resource guide does not guarantee prevention, it attempts to identify
various resources—people, processes, and tools and technologies—that, when properly leveraged, work to
reduce your cybersecurity risk.

It is our hope that this guide serves as a starting point to sustained collaboration between financial
institutions and regulators. Together we can safeguard against new, persistent cybersecurity threats and
contribute to a stable, prosperous economy.

What Do We Mean
When We Talk About Risk?
Risk is the likelihood and potential magnitude of harm. It lies at the nexus of two
important information security concepts: threats and vulnerabilities.

A threat is a force, organization, or person with the potential to obtain, compromise, or destroy an
information asset. Threats can be physical, like an employee accidentally deleting critical information;
natural, like a tornado or earthquake; or internet-based, such as malicious software or viruses. It is
important to remember your organization is not only threatened by bad actors, criminals, or acts of nature;
insider threats, such as human error or disgruntled employees, must also be defended against. A
vulnerability, or weakness, is a gap in information or physical security protections that can be exploited
to cause harm or accident.

It is impossible to protect against all vulnerabilities. Every organization maintains some level of
risk—it is the cost of doing business. Fortunately, implementing a robust cybersecurity program will
reduce your organization’s level of risk to an acceptable one. As an executive, it is your role to
determine the level of risk—in accordance with the Board—palatable to your institution.

IT IS IMPOSSIBLE TO PROTECT AGAINST
ALL VULNERABILITIES.

Common Threats
Phishing Attacks prey on a user’s sense of responsibility, empathy, or urgency to trick him or her into
sharing credentials with an unauthorized user, usually via email or telephone.

Insider Threats are threats posed by employees, vendors, and people close to the business, either on
purpose or by accident.

Denial of Service Attacks are an attempt to overwhelm a website or tool with requests so that it becomes
useless.

Ransomware Attacks encrypt valuable computer resources and hold them hostage until a ransom—often demanded
in cryptocurrency—is paid.

Natural Disasters, like hurricanes, interrupt business operations and can deprive communities of access to
financial resources.

Questions Every CEO Should Ask
Although cybersecurity was once considered solely an information technology (IT) concern,
the increase in frequency and sophistication of cyber-attacks demands a shift in thinking.
For a cyber program to be truly effective, it must involve the CEO, Board Members, and other
senior executives in addition to information security and IT professionals.

CEOs should ask themselves several questions to determine their organizations’ risk appetites.

1. What internal and external threats do we face?

2. What are my organization’s critical assets and information? Can I prioritize what’s most important to
continued business operations?

3. What information does my institution manage and where is it stored? Who has access to it?

4. Does my organization have a Chief Information Security Officer (CISO)? If not, who is responsible for
cybersecurity?

5. Who is providing services to my organization? How do we ensure our vendors take care of their own
information and ours?

6. Am I receiving the cybersecurity information I need to make active risk management decisions?

7. Am I routinely communicating relevant risk environment and risk management decisions to the Board?

8. How can my budget be optimized to address cybersecurity concerns?

KNOW WHO TO ASK

Identify the cybersecurity professionals who work for you and their areas of expertise. They should be
able to answer your questions and provide feedback on the efficacy of your cybersecurity program.

You may not be able to answer all these questions on your own, so it is important to know who carries out
cybersecurity activities at your organization and to communicate with them.

HOW TO STRUCTURE YOUR
INFORMATION SECURITY PROGRAM
Your information security program will be shaped by your organization’s unique
needs and business processes. There is no one-size-fits-all solution. The Cybersecurity
Framework (CSF), published by the National Institute for Standards and Technology
(NIST), is a flexible, adaptable tool for organizing any information security program,
regardless of size and resources. Although an institution will never be completely
invulnerable, organizing your bank or non-bank cybersecurity program around the
NIST CSF supports a comprehensive level of risk management.

The Framework organizes cybersecurity into five core “Functions,” each of which
represents a collection of behaviors: Identify, Protect, Detect, Respond, and Recover.

FIGURE 1: NIST Cybersecurity Framework Functions

IDENTIFY internal and external risks.

PROTECT organizational systems, assets, and data.

DETECT active threats to your systems, including intrusions, data breaches, and unauthorized access.

RESPOND to cybersecurity events.

RECOVER and restore normal operations and services.

Please note the Federal Financial Institutions Examination Council (FFIEC) provides a mapping
of the FFIEC Cybersecurity Assessment Tool (CAT) to the NIST CSF for ease of coordination and
communication. Find out more at
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf.

IDENTIFY

The Identify function helps establish what your organization must protect. Identify activities
include determining what assets—both physical and informational—are present within your
institution; how they fit in within the business environment; and the governance in place to
manage your organization’s regulatory, legal, and operational environments.

All of these activities make up your risk assessment, an evaluation of the threats faced by your
institution, the likelihood they will happen, and the magnitude of harm should they occur. The results of
your risk assessment will influence the overall risk management strategy, or how you plan to conduct
business operations in such a way to limit risk to an acceptable level.

A risk assessment should be performed at least annually to confirm if an organization’s resources,
priorities, or business operations have changed significantly enough to warrant a strategy modification.

A cybersecurity risk assessment should classify critical information assets, identify threats and
vulnerabilities, and communicate that risk to necessary personnel, including the Board. Before you can
adequately assess risk to your institution, though, you must first identify your Crown Jewels, or your most
critical information assets. “Crown jewels” are often highly sensitive and guarded and their loss,
destruction, or theft could severely impact your institution.

IDENTIFYING THREATS

To identify potential cybersecurity threats, your financial institution may use internal resources, such as
audit reports, vulnerability scans, and fraud detection tools; or external resources, such as information
sharing networks like the Financial Services – Information Sharing and Analysis Center (FS-ISAC) and the
United States Computer Emergency Readiness Team (US-CERT). A tool like a vulnerability scanner is also
commonly used to identify weaknesses by scanning your business environment against well-known and previously
identified vulnerabilities. You can also test to determine if an identified vulnerability is actually
exploitable.

In November 2014, the Federal Financial Institutions Examination Council (FFIEC) issued a statement
recommending that financial institutions of all sizes participate in the FS-ISAC as part of their process to
identify, respond to, and mitigate cybersecurity threats and vulnerabilities. Additionally, two publicly
available reports that can provide current threat intelligence are Verizon’s Data Breach Investigations
Report and Symantec’s Internet Security Threat Report. Both reports are updated annually.

FS-ISAC FOR FINANCIAL INSTITUTIONS

FS-ISAC offers a basic membership for community banks with less than $1 billion in assets which includes
the “must-have” services shown below. Non-banks can also obtain FS-ISAC membership. To receive only the most
critical public alerts, the smallest community-based institutions may elect to register as a Critical
Notification Only Participant (CNOP). This service is offered free-of-charge but only provides notification
of public urgent and crisis alerts. Learn more at https://www.fsisac.com/join.

FS-ISAC’S SERVICES FOR COMMUNITY BANKS:

• FS-ISAC established the Community Institution Council (CIC) to provide a forum for community banks to
share information. All new community banks/credit union members are added to this group.

• FS-ISAC distributes weekly Risk Summary Reports to all community bank members. These reports help explain
how the latest risks affect banks and their customers, and how these risks can be mitigated.

• Community Bank FS-ISAC members have access to the FS-ISAC Security Tool Kit, a 72-page document developed
collaboratively with community institutions designed to provide a set of security practices to help
strengthen banks’ information security programs in light of increasing threats.

• FS-ISAC disseminates actionable threat, vulnerability and incident data to all members.

Threat identification should occur continuously throughout the year and not only during the annual risk
assessment. When news of a fraud, breach, or other incident emerges, consider whether your organization is
also vulnerable. Could the same thing happen to your institution? What controls are in place to help protect
against the threat?

INFORMATION SECURITY TRIAD

Confidentiality, Integrity, and Availability (CIA) form the information security triad. Information
security programs should be set up to ensure the CIA of all information assets, from data to hardware to
networks.

• Confidentiality means information is protected from unauthorized access or disclosure.

• Integrity confirms information is trustworthy, accurate, and protected from unauthorized modifications.

• Availability guarantees reliable access to and use of information and information systems.

MEASURING RISK

To effectively measure your organization’s level of risk, a method for measuring risk must be developed.
One approach is to give each asset a value of high, medium, or low. The rating can be financial but should
also factor in how critical the asset is to your business. The risk level of those information assets is
also given a rating of high, medium, or low. The final level of risk depends on remediation actions taken by
your institution; mitigating controls can reduce the overall level of risk. For example, if backups are
routinely performed, the risk posed by the loss of an electronic file may be low.

COMMUNICATING RISK

It is vital to establish a process that informs senior management and the Board of Directors about cyber
risks to your organization, how your organization currently manages and mitigates those risks, and who is
accountable for doing so. Once the risk assessment is developed, adopted, and approved, it should be
reviewed and updated at least annually, or when changes to the environment are made, to ensure new risks are
identified.

The risk assessment is one element of a larger cyber risk management process that each organization should
have in place. CEOs should strive to create and implement an effective and resilient risk-management process
that enables proper oversight and ensures effective management of cybersecurity risk. Key elements of a risk
management process include the initial assessment of new threats; identifying and prioritizing gaps in
current policies, procedures, and controls; and updating and testing policies, procedures, and controls as
necessary.
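The following worked example is added here and is not part of the CSBS guide. It puts the high/medium/low rating approach from the Measuring Risk section into a small risk register: each asset carries a value rating and a threat risk rating, only controls that have actually been tested earn credit for lowering the level, and the register can be prioritized and summarized for the Board. The 3x3 combination matrix, the one-step-per-control reduction and the sample assets and controls are constructed assumptions, not figures from the guide.

```python
"""Risk register implementing the guide's high/medium/low rating approach."""
from dataclasses import dataclass, field

LEVELS = ("low", "medium", "high")  # ordered from least to most severe

# Inherent risk from (asset value, threat risk rating). This matrix is an
# assumption for the example; an institution would set its own.
INHERENT = {
    ("low", "low"): "low",      ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",   ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",  ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass
class Control:
    name: str
    tested: bool = False  # only controls verified by audit, scan or pentest count


@dataclass
class RiskItem:
    asset: str
    threat: str
    asset_value: str   # high / medium / low, financial and criticality combined
    risk_rating: str   # high / medium / low, likelihood and magnitude of harm
    controls: list = field(default_factory=list)


def _check(level: str) -> str:
    if level not in LEVELS:
        raise ValueError(f"rating must be one of {LEVELS}, got {level!r}")
    return level


def inherent_risk(asset_value: str, risk_rating: str) -> str:
    """Risk level before any remediation is credited."""
    return INHERENT[(_check(asset_value), _check(risk_rating))]


def residual_risk(item: RiskItem) -> str:
    """Each tested mitigating control lowers the level one step, floor 'low'.

    Untested controls are ignored: a backup nobody has restored from does
    not reduce the risk of losing a file.
    """
    idx = LEVELS.index(inherent_risk(item.asset_value, item.risk_rating))
    credited = sum(1 for c in item.controls if c.tested)
    return LEVELS[max(0, idx - credited)]


def prioritize(register: list) -> list:
    """Highest residual risk first; ties go to the more valuable asset (crown jewels)."""
    return sorted(
        register,
        key=lambda i: (LEVELS.index(residual_risk(i)), LEVELS.index(i.asset_value)),
        reverse=True,
    )


def board_summary(register: list) -> dict:
    """Counts per residual level plus the controls still awaiting a test."""
    counts = {lvl: 0 for lvl in LEVELS}
    untested = []
    for item in register:
        counts[residual_risk(item)] += 1
        untested += [f"{c.name} ({item.asset})" for c in item.controls if not c.tested]
    return {"counts": counts, "untested_controls": untested}


# Constructed sample register (assumed data, not from the guide).
SAMPLE_REGISTER = [
    RiskItem("core banking database", "ransomware", "high", "high",
             [Control("offline backups, restore tested", True),
              Control("endpoint malware defense", False)]),
    RiskItem("loan officer laptop files", "accidental deletion", "medium", "medium",
             [Control("nightly backups", True)]),
    RiskItem("wire transfer portal", "phishing of staff credentials", "high", "high",
             [Control("multi-factor authentication", False)]),
    RiskItem("public website", "denial of service", "low", "high", []),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(f"{residual_risk(item):6}  {item.asset}: {item.threat}")
    print(board_summary(SAMPLE_REGISTER))
```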

KEY “IDENTIFY” POINTS

IDENTIFY THE KEY PERSONNEL responsible for your information security program.

DETERMINE YOUR ORGANIZATION’S RISK TOLERANCE by assessing business priorities and regulatory and legal
requirements.

IDENTIFY AND DOCUMENT your assets. Know what you have, what it is used for, and to whom it belongs. Your
most critical assets require the most protection.

DETERMINE THE BIGGEST THREATS facing your organization. These could be physical, natural, or
technology-based.

ESTABLISH GOVERNANCE, including operating procedures and the identification of key personnel, to guide
your information security program.

ACTIVELY MANAGE AND REPORT the status of the remediation plans to the Board.

REEVALUATE YOUR RISK TOLERANCE and risk management strategy at least annually.

ESTABLISH A FREQUENCY with which the Board will be updated on your organization’s cybersecurity stature.

PROTECT

Once institutional threats are identified, the next step is to ensure your financial institution has
safeguards commensurate with your risk profile. The Protect function includes establishing
physical and information security controls, employee training programs, and operational
processes that work to ensure your information and assets remain safe. Protection activities can
be physical, such as behavioral processes, or technical, like automated tools.

Incorporate cybersecurity into your human resources and IT acquisition processes. Planning ahead reduces
the likelihood of a catastrophic event occurring, as well as associated mitigation costs. Do not store all
crown jewels in one place and ensure backup copies of data are stored in a secure, separate location. For
more information on information and business recovery planning, as well as to explore backup agreements
with other institutions, please visit Sheltered Harbor at https://shelteredharbor.org.

Malicious actors often gain access to valuable resources due to avoidable human error, so ensure your
employee training program includes cybersecurity best practices and social engineering exercises. All
attempts should be made to enact the same safeguards and protections at all work locations, including
telework and remote locations. Your protection processes should be regularly updated, whenever your business
environment changes or if a vendor informs you of an identified weakness. Test the effectiveness of
protection tools and processes, whether by internal audits and scanning and/or by engaging the services of a
penetration tester.

Another common threat vector is less secured vendors that are given access to your systems. Vendor
management should include security reviews of vendors with system access and specify contractual
requirements that vendors protect your information at least as well as you do.

SHELTERED HARBOR: RECOVERY OF LAST RESORT

Sheltered Harbor is an organization dedicated to protecting financial information from permanent loss
through the establishment of best practices and a secure backup program for critical institutional customer
account data. In the event of a cyber-attack, Sheltered Harbor can transmit a victim institution’s critical
data to a partner organization, who will temporarily resume critical financial services until the original
provider’s functions are restored.
FIGURE 2: CIS Top 20 Controls

The Center for Internet Security (CIS) publishes an annual list of the 20 controls most vital to
a robust cybersecurity program. Institutions that effectively incorporate these controls are
taking important steps to protect themselves and their consumers. CIS also makes available
a Controls Self-Assessment Tool (CSAT) to help institutions determine how effectively the
controls are applied. Learn more at https://www.cisecurity.org/cybersecurity-tools.

BASIC CIS CONTROLS

1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs

FOUNDATIONAL CIS CONTROLS

7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control

ORGANIZATIONAL CIS CONTROLS

17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

CYBERSECURITY STAFF TRAINING RESOURCES

Start a conversation! The Federal Deposit Insurance Corporation’s (FDIC) “Cyber Challenge” encourages
community banks to run through and practice their responses to hypothetical cyber scenarios. Find it at:
https://www.fdic.gov/regulations/resources/director/technical/cyber/cyber.html.

The National Cyber Security Alliance (NCSA) website covers safety basics at:
https://www.staysafeonline.org.

Check the security of your devices using free tools, made available by the NCSA at:
https://staysafeonline.org/stay-safe-online/free-online-security-checkups-tools.

Use National Cybersecurity Awareness Month every October to reemphasize your organization’s commitment to
proper cyber hygiene. Details available at:
https://www.dhs.gov/national-cyber-security-awareness-month.

The Small Business Association (SBA) provides a free training course on cybersecurity for small
businesses. It can be accessed at:
https://www.sba.gov/course/cybersecurity-small-businesses.

CYBERSECURITY AND HUMAN RESOURCES

It is vital to include cybersecurity in your human resources processes.

New hires should learn their data protection responsibilities on day one.

Maintain and review records of which employees are permitted to access sensitive information.

Track who possesses what assets, like computers, telephones, and printers, and have a plan to collect them
from departing employees.

Create a notification process so the IT department knows to modify, restrict, or delete access when an
employee is hired, transferred, out of the office for an extended period of time, or fired.


USEFUL PROTECTION TOOLS

• Vulnerability Scanners assess your environment for known vulnerabilities. Many are available for
purchase; there are also free tools available online.

• Security Information and Event Management (SIEM) tools log and register activities performed on your
systems.

• Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) alert your IT Team to potential
intrusions. Some may even prevent attacks from successfully occurring.

KEY “PROTECT” POINTS

MAKE SURE PERSONNEL in IT and information security can answer your questions about how data is protected.

ENSURE THE RESOURCES ALLOCATED for data protection are sufficient.

CREATE A PLAN to collect IT resources and information from departing or transferred employees.

DETECT

Hackers will exploit any vulnerability they can find, and it’s up to your IT staff, information security
staff, and employees to detect such intrusions. To effectively do this, you must first have a thorough
understanding of what is in your asset inventory (see IDENTIFY Section) and how assets are protected (see
PROTECT Section). Your IT and information security staff can then monitor and assess normal business
behaviors and look for anomalies. The process is called continuous monitoring, which just means at any point
your staff can know what is occurring on your network.

A few common ways to detect intrusions are by using automated tools, like an intrusion detection system
(IDS), malware detection tools, data loss prevention tools (DLP) and big data analytics. Other detection
methods include independently reviewing records of who accessed what information or facility and following
up on anomalies reported by internal users. Engaging the services of a penetration tester, a hacker who tries
to gain access to your system (with your advance knowledge) by exploiting unknown vulnerabilities, will also
help you determine possible system access points for intruders.

KEY “DETECT” POINTS

MAKE SURE YOUR EMPLOYEES KNOW WHAT TO LOOK FOR. Set a baseline of normal behaviors so anomalies can be
detected.

CONFIRM YOUR THIRD-PARTY VENDORS actively scan for anomalous behavior and notify you.

TEST YOUR ORGANIZATION’S ABILITY to detect events at least annually.

RESPOND

Detecting an incident is less useful if your organization does not know how to respond.
An incident response plan is an organized approach to addressing and managing a security
breach or attack. The incident response plan should include a policy that defines what
constitutes an incident, and it should provide a step-by-step process that should be followed
when an incident occurs.

An incident response plan will help your institution successfully understand, manage, and recover from a
cyber-attack. Without it, an organization may not even discover an attack in the first place; or, if the
attack is discovered, the institution may not follow good procedures to contain damage, eradicate the
attacker’s presence, or recover in a secure fashion.

An incident response plan should address:

• The official incident response team, or personnel with response obligations (often includes high-level
executives and the CEO, legal representation, information security and IT personnel, and public relations
and communications experts);

• Scenarios your organization considers worthy of investigation and the threshold for declaring an
incident;

• The chain of command, including who has the authority to declare an official incident; and

• The severity levels into which an incident may be sorted (usually low, moderate, or high).

BREACH NOTIFICATION

Reporting requirements vary state-by-state and may include federal and international laws in addition to
state laws. Please refer to your applicable breach notification law(s), which are available at
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.

INCIDENT RESPONSE GUIDE
A comprehensive guide on forming and executing an incident response plan is available from
NIST at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

An incident response plan should include:

• Steps that may be taken to address potential damage and to limit the loss of resources, including any
required timelines or Service Level Agreements (SLAs);

• Contractual or regulatory reporting requirements;

• Projected time and resources required to implement the response strategy; and

• A communications plan that incorporates:
– when and if you should report a breach to the media and/or notify affected individuals;
– the preferred medium for notification;
– basic guidelines for tracking and analyzing media coverage; and
– a process for notifying employees of the incident and instructing them about immediate containment steps.

For incident response best practices information on how to form and execute a plan, please refer to:

• NIST Computer Security Incident Handling Guide at:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf; and

• “Cyber Incident Response Guide” published by the Multi-State Information Sharing & Analysis Center at:
https://msisac.cisecurity.org/resources/guides/documents/Incident-Response-Guide.pdf.

“UNDERSTANDING THREATS AND IDENTIFYING MODERN ATTACKS IN THEIR EARLY STAGES IS KEY TO PREVENTING SUBSEQUENT
COMPROMISES [...]”
– NIST Computer Security Incident Handling Guide
THE FIRST 24 HOURS CHECKLIST

It’s been discovered that your bank has been hacked or attacked. What should you do? Once you have
detected a cyber-incident, immediately contact your legal counsel for guidance on initiating these ten
steps:

1. Record the date and time when the breach was discovered, as well as the current date and time when
response efforts begin, i.e. when someone on the response team is alerted to the breach.

2. Alert and activate everyone on the response team, including external resources, to begin executing your
preparedness plan.

3. Secure the premises around the area where the data breach occurred to help preserve evidence, if
necessary.

4. Stop additional data loss. Take affected machines or servers offline.

5. Document everything known about the breach. Who discovered it? Who reported it? To whom was it reported?
Who else knows about it? What type of breach occurred? What was stolen? How was it stolen? What systems are
affected? What devices are missing?

6. Interview those involved in discovering the breach and anyone else who may know about it. Document your
investigation.

7. Review protocols regarding disseminating information about the breach for everyone involved in this
early stage.

8. Assess priorities and risks based on what you know about the breach.

9. Inform the proper authorities, including your banking regulator, the U.S. Secret Service or the Federal
Bureau of Investigation.

10. Notify law enforcement, if needed, to begin an in-depth investigation.

KEY “RESPOND” POINTS

ESTABLISH LEGAL REPRESENTATION AHEAD OF TIME. Breach counsel will help your organization navigate response
activities, liabilities, and legalities, all while maintaining attorney-client privilege.

KNOW YOUR LEGAL AND CONTRACTUAL REPORTING RESPONSIBILITIES. Determine if any internal, external, or agency
stakeholders must be notified within a specified timeframe.

PRACTICE MAKES PERFECT! Run through your incident response plan at least annually with all team personnel.
Adjust your plan for different types of cyber incidents.

ESTABLISH AND MAINTAIN KEY LAW ENFORCEMENT POINTS OF CONTACT, including local police, the Federal Bureau of
Investigation (FBI), and the United States Secret Service (USSS).

RECOVER

After your institution has taken steps to respond to a cyber incident, the next step is the
Recover phase.

Recovery includes public relations activities undertaken to mitigate reputational risk, the resolution of internal and stakeholder communications, and the updating of your recovery plans with lessons learned. By the end of the recovery period, your infrastructure, data, and services should all be restored. This may take anywhere from hours to weeks, but with proper planning it should occur within the predicted timeline.

KEY “RECOVER” POINTS

MAKE SURE YOU HAVE A PLAN to restore all business operations, including a communications plan.

CONFIRM that each of your third-party vendors maintains its own recovery plan.

TAKE STEPS TO MITIGATE reputational risk resulting from the incident.

TAKE NOTES ABOUT WHAT WORKED and what didn’t so you can update your recovery plan.

Glossary
Crown Jewels – An organization’s most critical information assets

Cybersecurity – The ability to protect or defend the use of cyberspace from cyberattacks

Denial of Service – An attempt to overwhelm a website or tool with requests so it becomes useless

Information Availability – Information and information systems are accessible and reliable

Information Confidentiality – Information is protected from unauthorized access or disclosure

Information Integrity – Information is trustworthy, accurate, and protected from unauthorized modifications

Insider Threat – A threat posed by employees, vendors, and people close to the business, either on
purpose or by accident

Phishing – An attempt to prey on a user’s sense of responsibility, empathy, or urgency to trick him or her
into sharing credentials with an unauthorized user

Ransomware – An attack that encrypts valuable computer resources and holds them hostage until a
ransom is paid

Risk – The likelihood and potential magnitude of harm

Risk Assessment – An evaluation of the threats faced by an institution, the likelihood they will happen, and
the magnitude of harm should they occur

Threat – A force, organization, or person with the potential to obtain, compromise, or destroy an
information asset

Vulnerability – A weakness

Resources
DISASTER RECOVERY
Sheltered Harbor
https://www.shelteredharbor.org/

FRAMEWORKS
The Center for Internet Security’s (CIS) 20 Critical Security Controls
https://www.cisecurity.org

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
https://www.nist.gov/cyberframework

INFORMATION SHARING
The Center for Internet Security (CIS) Controls Self-Assessment Tool (CSAT)
https://www.cisecurity.org/blog/cis-csat-free-tool-assessing-implementation-of-cis-controls/

The Financial Services Information Sharing and Analysis Center (FS-ISAC)
https://www.fsisac.com/about

Federal Financial Institutions Examination Council (FFIEC)
https://www.ffiec.gov/about.htm

The National Cybersecurity Alliance
https://staysafeonline.org/

Symantec 2019 Internet Security Threat Report
https://www.symantec.com/security-center/threat-report

United States Computer Emergency Readiness Team (US-CERT)
https://www.us-cert.gov/

United States Department of Homeland Security (DHS) Stop. Think. Connect.™
https://www.dhs.gov/stopthinkconnect

Verizon 2019 Data Breach Investigations Report
https://enterprise.verizon.com/resources/reports/dbir/2019/introduction/

PENETRATION TESTING
Department of Homeland Security – Free
https://krebsonsecurity.com/2015/12/dhs-giving-firms-free-penetration-tests/

THE CONFERENCE OF STATE BANK SUPERVISORS
www.csbs.org / @csbsnews
