A Look At Evolving Cybersecurity Policy
for Financial Institutions
Dawn Yankeelov, President, Aspectx &
Executive Director, Technology Association of
Louisville Kentucky
July 16, 2021
Looking Back to 2016…
Statistics May Not Surprise You
• Cybercrime Jumped to the Most Reported Economic Crime in
PWC’s Global Economic Crime Survey in 2016.
• The US Commercial Bank with the lowest security posture
was one of the top 10 largest financial service
organizations in the US by revenue.
• Only one of the top 10 largest banks, Bank of America,
received an overall “A” grade in the PWC Security Scorecard
• Nearly 1 out of 5 financial institutions used an email
service provider in 2016 with severe security
vulnerabilities.
• Best performing in IT Security in 2016: Goldman Sachs,
Exchange Bank, BNP Paribas Fortis, and Banco Popolare
--PricewaterhouseCoopers Scorecard 2016
Big Banks Are Paying Attention
2021 — The financial services industry faced unprecedented
cybersecurity costs and ... New legislation is on the horizon in
several states…
At a Congressional hearing in May this year, the chief executives of
Wall Street’s six largest banks were asked to name the greatest threat to their
companies and the wider financial system. They did not mention the global
pandemic, climate change or factors that contributed to the 2008 financial crisis.
The most popular answer instead was “cybersecurity.” – NYT, July 3, 2021
Manpower: On It in IT
JPMorgan Chase alone spends about $600 million
each year on cybersecurity efforts and has “more
than 3,000 employees” working on the issue in
some way.
July 8, 2021 1:23 PM EDT Finance
Morgan Stanley faces data breach,
corporate client info stolen in vendor hack
The bank said attackers accessed information by exploiting a vulnerability in the vendor's
server, Accellion FTA. While the exposure was patched within five days, the attackers obtained
a decryption key even though the files were encrypted.
US Cyberspace Solarium Commission
Puts Financial Sector at Top of Critical
Infrastructure
Solarium.gov
Public Policy: New Standards
Coming
• More Information-Sharing In Your Future
• More Protections for Personal Information
• More Players Onboard with “Ideas” from NIST to State Finance-Specific boards, to ABA to the Federal Reserve Board, the Office of the Comptroller of the Currency and the Financial Institutions Examination Council.
• New York Leading the Way
• State Governors Pushing
• Mega-Bank Group Has Formed
• A Push to Adherence to Federal Guidelines
• More and More Risk Management
• Training for Staff
Influencers
*Mobile Banking
*Internet of Things (IoT)
*Life in “the Cloud”
*Cybersecurity Workforce Gap
Social Engineering Fears
Predominate
According to CSI recent survey data, the overwhelming majority (81%)
of bankers view social engineering as the greatest cybersecurity threat
in 2021.
• Customer-targeted phishing: The topmost cybersecurity threat identified
by bankers was social engineering aimed at customers via phishing (34%).
This coincides with recent reports of large scale email impersonation
attacks, pretending to be from the recipient’s personal bank and trying to
trick them into providing sensitive information about their accounts.
• Employee-targeted phishing: Almost as many bankers (32%) are most
worried about phishing aimed at internal targets that let attackers into
internal systems. This concern is well-founded. Employees working from
home and burdened by new financial and family challenges due to the
pandemic are ripe targets for cybercriminals.
Anticipation… Implications to
Follow
The Financial Stability Board (FSB) has published responses to its consultation on regulatory and
supervisory issues relating to outsourcing and third-party relationships.
Recommended:
• the development of global standards on outsourcing and third-party risk management;
• the adoption of consistent definitions and terminology;
• pooled audits, certificates and reports.
A rise in the use of mobile finance apps was noticed by two other parties: hackers and
regulators. Hackers increased attacks intended to steal personal information or cardholder
data, while regulators became increasingly concerned with financial data security compliance.
The developers of financial services apps need to ensure data security compliance to operate
in various markets, reassure their customers that they are handling their data with care, and
importantly, reduce risk and exposure associated with regulatory censure.
--https://securityboulevard.com/2021/02/top-2021-banking-and-fintech-security-regulations/
Global Legislation Impacts…Anti-Money
Laundering, Cybersecurity Requirements,
etc.
Financial Transactions and Reports Analysis Centre of Canada
(FINTRAC)
Canada’s anti-money laundering legislation introduced significant changes
in June 2021. The expanded ruleset will change how politically-exposed
persons are reported on, and will bring cryptocurrencies under the remit of
reporting obligations.
One of the most significant of these changes is that foreign Money Services
Businesses (MSBs), which had not previously been obligated to report
under the FINTRAC legislation, will now do so. This will significantly
increase reporting obligations and associated risks for foreign fintech firms
operating in the Canadian market.
--https://www.fintrac-canafe.gc.ca/covid19/flexible-measures-eng
Mobile Apps Under Surveillance
Financial data security compliance is critical for all fintech and mobile banking
app developers for a number of reasons, including:
• Reducing costs of data breaches
• Avoiding regulatory fines
• Maintaining customer trust and loyalty
• Capacity to operate in multiple jurisdictions
--https://www.intertrust.com/blog/top-2021-banking-and-fintech-security-regulations/
Ante Upped--Financial Data
Security Compliance
California Consumer Privacy Act (CCPA)
--The new changes introduced to the CCPA on January 1 will demand
data compliance. It will also widen the net.
The act’s core provisions already grant consumers the rights to access
held about them, demand its deletion, and opt-out from future
these only previously applied to “for-profit” businesses, such as those
in excess of $25 million.
For finance and mobile banking developers doing business in
layer of financial data security compliance that they need to fulfill.
--https://www.jdsupra.com/legalnews/ab-713-ccpa-requirements-take-effect-42027/
Critical Infrastructure & Supply
Chain Language in Legislation
The Cyber Incident Notification Act of 2021 places its primary focus on the federal supply chain.
However, the CINA expands this coverage to “covered entities,” which includes owners and
operators of critical infrastructure.
The full definition of covered entities has not been drafted yet, and the bill tasks
the Cybersecurity & Infrastructure Security Agency (CISA) with drafting a definition that will
include “at a minimum, Federal contractors, owners or operators of critical infrastructure, and
nongovernmental entities that provide cybersecurity incident response services.”
--https://www.agileit.com/news/cyber-incident-notification-act/
--Led by Mark Warner, Senate Intelligence Chair, Marco Rubio, and Susan Collins
36-Hour Data Breach Reporting
Rules for Significant Incidents
Specifically, the Proposed Rule would require banking organizations to notify
their primary federal regulators within 36 hours of becoming aware of a
“computer-security incident” that rises to the level of a “notification incident.” In
addition to covering incidents involving unauthorized access to customer
information, it would apply to some events where data was rendered
temporarily unavailable, such as ransomware and distributed denial-of-service attacks.
The rule would also require bank service providers to notify “at least two
individuals” at an affected banking organization-customer immediately after
experiencing a computer-security incident that it believes “in good faith could
disrupt, degrade, or impair services provided for four or more hours.” A 36-hour
deadline appears to be one of the most rigorous timeframes of any U.S.
breach reporting scheme.
--Banking Law Committee Journal, April 28, 2021
The Circle Widens…Proposed Banking Cyber-Incident
Notification Rules Could Apply to Fintech Players
The rule was issued Jan. 12, 2021, by the Office of the Comptroller of the Currency
(OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit
Insurance Corporation (FDIC). The rule’s comment period concluded April 12.
Three Key Takeaways
1. Fintechs should confirm whether their existing banking organization clients have
designated them as bank service providers under the BSCA.
2. Fintechs should review existing commercial agreements and standard forms to
incorporate provisions requiring a banking organization client to notify the fintech should
the client designate the fintech as a bank service company.
3. Fintechs (and their banking organization clients) should proactively ensure that these
agreements and forms also adequately provide for notification procedures (including
timing and contact information) to facilitate compliance with the proposed rules.
--https://www.jonesday.com/en/insights/2021/01/fintech-proposed-banking-cyberincident-notification-rules-could-apply-to-you-too
--https://www.reedsmith.com/en/perspectives/2021/04/proposed-rule-would-require-faster-reporting-of-cyber-incidents-by-banks
American Bankers Association
Weighs in
--https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-computer-security-incident-notification-3064-af59-c-016.pdf
A common source of concern is the misperception that the Proposal intends to replace
existing notice requirements with a short, fixed, prescriptive timeline. There also is
concern that the Proposal is overbroad, and would create burdensome overreporting
contrary to the spirit of its articulated intent to provide “early awareness” of severe and
operationally debilitating occurrences. This concern lies in the belief that the Proposal
as written would attach prescriptive mandatory reporting to an array of events, both the
actual, materially harmful and extraordinary, as well as the merely possible or
mundane. In practice, this would compel banks to overreport nondisruptive events to
their primary federal regulator as well as use limited resources to review voluminous
overreports from bank service providers.
… there remains cautious concern as to how the Proposal will be implemented and
enforced.
FinCEN announces eight areas of focus and advises preparation for
issuance of new regulations
On June 30, 2021, the U.S. Department of Treasury’s Financial Crimes
Enforcement Network (“FinCEN”) issued the first government-wide priorities for
anti-money laundering (“AML”) and countering the financing of terrorism
(“CFT”) policy (the “Priorities”).
FinCEN has not yet issued the regulations governing how the Priorities must be
incorporated into Covered Institutions’ AML programs.
Cybercrime, including Relevant Cybersecurity and Virtual Currency Considerations:
FinCEN states that it is particularly concerned about three types of cybercrime: (1) cyber-
enabled financial crime, such as phishing campaigns or other fraudulent schemes against
financial institutions; (2) ransomware attacks; and (3) “the misuse of virtual assets that
exploits and undermines their innovative potential, including through laundering of illicit
proceeds.” FinCEN notes that it issued an advisory in 2016 describing the typologies and
red flags related to cybercrime to assist Covered Institutions’ compliance and cybersecurity
units.
--https://www.jdsupra.com/legalnews/fincen-issues-anti-money-laundering-and-3281702/
So What About the States…
• All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have
enacted security breach notification laws that require businesses or governments to notify
consumers or citizens if their personal information is breached.
• Lawmakers continue to review existing laws, however. At least 22 states introduced or
considered measures in 2021 that would amend existing security breach laws. Bills were
enacted in three states (Georgia, North Dakota and Utah) so far in 2021.
Summary of Legislation
The most common trends in legislation this year include proposals that would:
• Establish or shorten the time frame within which an entity must
report a breach.
• Require state or local government entities to
report data breaches.
• Provide an affirmative defense for entities that had reasonable
security practices in place at the time of a breach.
• Expand definitions of "personal information" (e.g., to include
biometric information, health information, etc.).
• Require private sector entities to report breaches to the state
attorney general or other state entity.
--https://www.ncsl.org/research/telecommunications-and-information-technology/2021-security-breach-legislation.aspx
State Cybersecurity Safe Harbor
Legislation
2021 has already been a big year for state cybersecurity
safe harbor legislation.
--Two states, Utah and Connecticut, have recently enacted or introduced a breach litigation safe
harbor to incentivize businesses to protect personal information by adopting industry-recognized
cybersecurity frameworks such as the National Institute of Standards and
Technology's (NIST) Cybersecurity Framework and the Center for Internet Security's (CIS)
Critical Security Controls.
--In March 2021, Utah became the second state, after Ohio, to adopt a cybersecurity safe harbor
statute for businesses impacted by a data breach. Specifically, an entity that "creates, maintains, and
reasonably complies" with a written cybersecurity program modeled after one of several named
cybersecurity frameworks may have an affirmative defense to certain claims if the program is in
place at the time it experiences a breach of its system security.
--"Breach of system security" is defined under the law to mean an unauthorized acquisition of
computerized data maintained by a person that compromises the security, confidentiality, or integrity
of personal information.
--https://www.mondaq.com/unitedstates/security/1067364/2021-developments-in-state-cybersecurity-safe-harbor-laws
Vendor Management
--Effective vendor management (for both compliance and certainty) requires
more than a sales demonstration.
--It requires a thorough analysis of vendor financials, SOC reports, security,
and confidentiality.
--Having legal counsel review vendor contracts for regulatory compliance and
effective security can provide significant assurances that the chosen vendors
are protecting customer assets and minimizing legal exposure.
--https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Vendor Management
With virtual banking replacing the retail branch, financial institutions are not
immune from this phenomenon, despite the sensitivity of data under their
management. They are faced with the challenge of finding a WFH environment
that is as safe and secure as an in-office environment.
To reach that goal, financial institutions will need to revisit, update and
implement stronger technology policies into their employee handbooks.
Those policies should incorporate not only cyber protection but also
institutional protection for potential employee breaches.
--https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Vendor Management
--To summarize, it is important to take inventory of (1) vendor agreements, (2)
privacy policies, (3) employee technology policies, and (4) incident response
plans.
--Analyze those relative to regulatory and insurance requirements and
determine what steps need to be made for maximum protection.
--https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Resources
https://www.fdic.gov/resources/bankers/information-technology/
• Cybersecurity
o FFIEC Cybersecurity Assessment Tool assists institutions with identifying cybersecurity risks and determining
preparedness
o Frequently Asked Questions provide information related to the FFIEC Cybersecurity Assessment Tool
• Technology Outsourcing: Informational Tools for Community Bankers provides resources for selecting service providers,
drafting contract terms, and providing oversight for multiple service providers
• FDIC Technical Assistance Videos
o Cybersecurity Awareness, a video series designed to assist bank directors with understanding cybersecurity risks and
related risk management programs
o Cyber Challenge: A Community Bank Cyber Exercise designed to encourage community financial institutions to
discuss operational risk issues and the potential impact of information technology disruptions on common banking
functions
Voluntary Resource Opportunity
On June 30, 2015, the Federal Financial Institutions
Examination Council (FFIEC), on behalf of its members,
issued a Cybersecurity Assessment Tool (Assessment)
that financial institutions may use to evaluate their risks
and cybersecurity preparedness.
Noted for Community Banks as incorporating NIST
Framework ideas, FFIEC Information Technology
Examination Handbook, and others.
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT%20FAQs.pdf
FFIEC Cyber Tool Link
https://www.ffiec.gov/cyberassessmenttool.htm
Board Level Resources
The 2020 Edition of the NACD Director’s Handbook on
Cyber-Risk Oversight
(National Association of Corporate Directors)
The Handbook was the first non-government resource to be
featured on the U.S. Department of Homeland Security’s US-
CERT C3 Voluntary Program website.
(United States Computer Emergency Readiness Team)
Links:
https://www.nacdonline.org/insights/publications.cfm?ItemNumber=67298
STAKEHOLDER ENGAGEMENT AND CYBER
INFRASTRUCTURE RESILIENCE
The Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division within
Cybersecurity and Infrastructure Security Agency (CISA) streamlines strategic outreach to
government and industry partners, by leveraging capabilities, information and intelligence, and
subject matter experts in order to meet stakeholder requirements. SECIR programs and initiatives
build public, private and international partnerships and capacity for resilience across the Nation’s
critical infrastructure and the cybersecurity community. For more information, email
SECIRFrontOffice@hq.dhs.gov.
Vision
An engaged and informed customer base driven to achieve a resilient and secure cyber space
ecosystem.
Mission
• Initiate and sustain strategic Critical Infrastructure (CI) & State, Local, Tribal and Territorial (SLTT)
partnerships to develop approaches for longer cyber risk management.
• Engage SLTT and CI partners to implement comprehensive but specific cyber preparedness and
protective activities
• Perform outreach and education activities and advocate for DHS cyber capabilities
Cybersecurity & The Public Trust
Equation
But resilience against a cyber run doesn’t preclude damage to the economy, Mr.
Duffie and Mr. Younger noted. Financial markets, probably more than any other
critical infrastructure except elections, require public trust to operate. This can
quickly erode, even if an attack isn’t widespread.
Darrell Duffie, a professor at Stanford’s business school, examined the potential
impact of a “cyber run” in a paper published with Joshua Younger, a managing
director at JPMorgan.
--https://www.nytimes.com/2021/07/03/business/dealbook/hacking-wall-street.html
Self-Assessment from BECTF
Bankers Electronic Crimes Task Force (BECTF) with state
bank regulators & U.S. Secret Service—Ransomware
Self-Assessment Tool
https://www.csbs.org/sites/default/files/2020-10/R-SAT_0.pdf
Around the World – Less Prep
“In terms of cyber maturity, Latin America still needs significant
advances. The recent OECD study, Digital Security Risk Management,
highlights that only three of the 21 countries in Latin America have a
defined national digital security strategy, indicating that the region is not
yet sufficiently prepared. This is largely due to gaps in legal and
regulatory structures. Other aspects that corroborate the criticality of the
situation involve the limited investment in cybersecurity technology and
the deficit of talent in cybersecurity.”
-- Homero Valiatti has been working at Itaú Unibanco since 2018 and is currently Information Security Superintendent. In this role, Homero is responsible for the evolution of the institution's cybersecurity.
FS-ISAC
(c) Dawn Yankeelov, 2017.
Reality of Compliance—Test,
Test, Not Just Annually
One-quarter of the organizations who do execute testing
usually uncover problems or gaps, which begs the question:
how many untested environments are operating with glitches?
--Peak 10 data study
Get Involved: Public Policy
• Participate in organizations like CompTIA
• Join Your Local Technology Council – 60+ Across the US
• Give Comments During Comment Periods for Banking
Regulation
• Participate at the State Level in local fusion centers and other
Cybersecurity Centers of Excellence at Universities and New
Initiatives
• Attend Fly-ins to DC
• Follow proposed banking legislation
• NIST Cyber Working Groups
At the Office: Cyber Workforce
Gap
Every year in the U.S. there are 128,000 openings for
Information Security Analysts, but only 88,000 workers
currently employed in those positions – a talent shortfall of
40,000 workers for cybersecurity’s largest job.
http://cyberseek.org/heatmap.html
Federal Partners in Cyber
NIST -- National Institute of Standards and Technology
NIST is the federal technology agency that works with industry to
develop and apply technology, measurements, and standards.
NICE -- The National Initiative for Cybersecurity
Education
NICERC now Cyber.org -- Cyber Literacy Curriculum,
Computer Science Curriculum, STEM Curriculum, and Teacher
Resources from National Integrated Cyber Education Research.
A Banking Cybersecurity Profile to Enhance and
Simplify Your Risk Assessment
DOWNLOAD CRI CYBERSECURITY PROFILE V1.1,
NOVEMBER 12, 2020
The CRI Cyber Profile v1.1 includes:
1. User Guide,
2. Mappings to National Association of Insurance Commissioners (NAIC) IT handbook,
3. v1.1 Frequently Asked Questions (FAQ),
4. Summary of v1.1 updates and revisions,
5. Mapping to NIST Cyber Security Framework (CSF), and
6. Mapping between NIST CSF/ISO IEC 27001
• The Roadmap Forward
• Impact Tiering Questionnaire
• Industry Press Release: CRI Cyber Profile v1.1, November 12, 2020
Explanation of Banking
Cybersecurity Profile
The banking industry saw a need for a more harmonized approach to
cybersecurity that supports strong oversight while conserving talent and
resources, and ensuring safety and soundness. The Financial Services Sector
Cybersecurity Profile acts as a shared baseline for examination across
federal regulators—in a way that makes the most sense for the individual
institution.
• developed by the Financial Services Sector Coordinating Council (global, regional,
midsize and community banks, along with representatives from other key agencies)
• designed to deploy resources more effectively
• reduces time spent on reconciling exam issues
• integrates widely used standards and supervisory expectations
• complements the NIST Cybersecurity Framework
Back in the Spotlight: Financial
Services Sector Coordinating
Council
For the Bank Teller:
In Walks Awareness Training
• Your biggest security risk works in-house
• Empower your workforce to reduce that risk
• 95% of all security breaches involve
human error
Simplicity: Mimecast (ATAATA)
Final Takeaways
• Make Data Driven Decisions
• Take a Proactive Stance
• Take Broad View of Risk Management
• Have Governance and Designate a CISO role
• Strengthen Cyber Practices Around Compliance
• Test, Test and Mitigate
• Be Willing to Collaborate with Peers and Industry
• Attend to the Human Factor Internally: Train and Develop the
Workforce
Questions?
Aspectx
Your Communications and Public Policy Firm
*Competitive Intelligence & Industry Analysis
*Public Policy
*Joint Application Design
*Marketing
*Public Relations & Social Media
*Business Development
*Web Development & Content Marketing
Founder and President Dawn Yankeelov
www.aspectx.com
dawny@aspectx.com Twitter: @dawnyaspectx 502-292-2351
TALK—Technology Association of Louisville Kentucky
www.talklou.com
And TECNA www.tecna.org @talklou

A Look At Evolving Cybersecurity Policy for Financial Institutions 2021

  • 1.
    A Look AtEvolving Cybersecurity Policy for Financial Institutions Dawn Yankeelov, President, Aspectx & Executive Director, Technology Association of Louisville Kentucky July 16, 2021
  • 2.
    Looking Back to2016… Statistics May Not Surprise You • Cybercrime Jumped to the Most Reported Economic Crime in PWC’s Global Economic Crime Survey in 2016. • The US Commercial Bank with the lowest security posture was one of the top 10 largest financial service organizations in the US by revenue. • Only one of the top 10 largest banks, Bank of America, received an overall “A” grade in the PWC Security Scorecard • Nearly 1 out of 5 financial institutions used an email service provider in 2016 with severe security vulnerabilities. • Best performing in IT Security in 2016: Goldman Sachs, Exchange Bank, BNP Paribase Fortis, and Banco Popolare --PricewaterhouseCoopers Scorecard 2016
  • 3.
    Big Banks ArePaying Attention 2021 — The financial services industry faced unprecedented cybersecurity costs and ... New legislation is on the horizon in several states… At a Congressional hearing in May this year, the chief executives of Wall Street’s six largest banks were asked to name the greatest threat to their companies and the wider financial system. They did not mention the global pandemic, climate change or factors that contributed to the 2008 financial crisis. The most popular answer instead was “cybersecurity.” – NYT, July 3, 2021
  • 4.
    Manpower: On Itin IT JPMorgan Chase alone spends about $600 million each year on cybersecurity efforts and has “more than 3,000 employees” working on the issue in some way. July 8, 2021 1:23 PM EDT Finance Morgan Stanley faces data breach, corporate client info stolen in vendor hack The bank said attackers accessed information by exploiting a vulnerability in the vendor's server, Accellion FTA. While the exposure was patched within five days, the attackers obtained a decryption key even though the files were encrypted.
  • 5.
    Us Cyberspace SolariumCommission Puts Financial Sector at Top of Critical Infrastructure Solarium.gov
  • 6.
    Public Policy: NewStandards Coming • More Information-Sharing In Your Future • More Protections for Personal Information • More Players Onboard with “Ideas” from NIST to State Finance- Specific boards, to ABA to the Federal Reserve Board, the Office of the Comptroller of the Currency and the Financial Institutions Examination Council. • New York Leading the Way • State Governors Pushing • Mega-Bank Group Has Formed • A Push to Adherence to Federal Guidelines • More and More Risk Management • Training for Staff
  • 7.
    Influencers *Mobile Banking *Internet ofThings (IoT) *Life in “the Cloud” *Cybersecurity Workforce Gap
  • 8.
    Social Engineering Fears Predominate Accordingto CSI recent survey data, the overwhelming majority (81%) of bankers view social engineering as the greatest cybersecurity threat in 2021. • Customer-targeted phishing: The topmost cybersecurity threat identified by bankers was social engineering aimed at customers via phishing (34%). This coincides with recent reports of large scale email impersonation attacks, pretending to be from the recipient’s personal bank and trying to trick them into providing sensitive information about their accounts.  Employee-targeted phishing: Almost as many bankers (32%) are most worried about phishing aimed at internal targets that let attackers into internal systems. This concern is well-founded. Employees working from home and burdened by new financial and family challenges due to the pandemic are ripe targets for cybercriminals.
  • 9.
    Anticipation.…. Implications to Follow TheFinancial Stability Board (FSB) has published responses to its consultation on regulatory and supervisory issues relating to outsourcing and third-party relationships. Recommended: •the development of global standards on outsourcing and third-party risk management; •the adoption of consistent definitions and terminology; •pooled audits, certificates and reports. A rise in the use of mobile finance apps was noticed by two other parties: hackers and regulators. Hackers increased attacks intended to steal personal information or cardholder data, while regulators became increasingly concerned with financial data security compliance. The developers of financial services apps need to ensure data security compliance to operate in various markets, reassure their customers that they are handling their data with care, and importantly, reduce risk and exposure associated with regulatory censure. --https://securityboulevard.com/2021/02/top-2021-banking-and-fintech-security- regulations/
  • 10.
    Global Legislation Impacts…Anti-Money Laundering,Cybersecurity Requirements, etc. Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) Canada’s anti-money laundering legislation introduced significant changes in June 2021. The expanded ruleset will change how politically-exposed persons are reported on, and will bring cryptocurrencies under the remit of reporting obligations. One of the most significant of these changes is that foreign Money Services Businesses (MSBs), which had not previously been obligated to report under the FINTRAC legislation, will now do so. This will significantly increase reporting obligations and associated risks for foreign fintech firms operating in the Canadian market. --https://www.fintrac-canafe.gc.ca/covid19/flexible-measures-eng
  • 11.
    Mobile Apps UnderSurveillance Financial data security compliance is critical for all fintech and mobile banking app developers for a number of reasons, including:  Reducing costs of data breaches  Avoiding regulatory fines  Maintaining customer trust and loyalty  Capacity to operate in multiple jurisdictions  https://www.intertrust.com/blog/top-2021-banking-and-fintech- security-regulations/
  • 12.
    Ante Upped--Financial Data SecurityCompliance California Consumer Privacy Act (CCPA) --The new changes introduced to the CCPA on January 1 will demand data compliance. It will also widen the net. The act’s core provisions already grant consumers the rights to access held about them, demand its deletion, and opt-out from future these only previously applied to “for-profit” businesses, such as those in excess of $25 million. For finance and mobile banking developers doing business in layer of financial data security compliance that they need to fulfill. --https://www.jdsupra.com/legalnews/ab-713-ccpa-requirements-take-effect- 42027/
  • 13.
    Critical Infrastructure &Supply Chain Language in Legislation The Cyber Incident Notification Act of 2021 places its primary focus on the federal supply chain. However, the CINA expands this coverage to “covered entities” that includes owners and operators of critical infrastructure. The full definition of covered entities has not been drafted yet, and the bill tasks the Cybersecurity & Infrastructure Security Agency (CISA) with drafting a definition that will include “at a minimum, Federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services.” --https://www.agileit.com/news/cyber-incident-notification-act/ --Led by Mark Warner, Senate Intelligence Chair, Marco Rubio, and Susan Collins
  • 14.
36-Hour Data Breach Reporting Rules for Significant Incidents
Specifically, the Proposed Rule would require banking organizations to notify their primary federal regulators within 36 hours of becoming aware of a "computer-security incident" that rises to the level of a "notification incident." In addition to covering incidents involving unauthorized access to customer information, it would apply to some events where data was rendered temporarily unavailable, such as ransomware and distributed denial-of-service attacks. The rule would also require bank service providers to notify "at least two individuals" at an affected banking organization customer immediately after experiencing a computer-security incident that the provider believes "in good faith could disrupt, degrade, or impair services provided for four or more hours." A 36-hour deadline appears to be one of the most rigorous timeframes of any U.S. breach reporting scheme.
--Banking Law Committee Journal, April 28, 2021
The Circle Widens: Proposed Banking Cyber-Incident Notification Rules Could Apply to Fintech Players
The proposed rule was issued Jan. 12, 2021, by the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC). The comment period concluded April 12.
Three Key Takeaways
1. Fintechs should confirm whether their existing banking organization clients have designated them as bank service providers under the BSCA (Bank Service Company Act).
2. Fintechs should review existing commercial agreements and standard forms to incorporate provisions requiring a banking organization client to notify the fintech should the client designate the fintech as a bank service company.
3. Fintechs (and their banking organization clients) should proactively ensure that these agreements and forms also adequately provide for notification procedures (including timing and contact information) to facilitate compliance with the proposed rules.
--https://www.jonesday.com/en/insights/2021/01/fintech-proposed-banking-cyberincident-notification-rules-could-apply-to-you-too
--https://www.reedsmith.com/en/perspectives/2021/04/proposed-rule-would-require-faster-reporting-of-cyber-incidents-by-banks
American Bankers Association Weighs In
--https://www.fdic.gov/resources/regulations/federal-register-publications/2021/2021-computer-security-incident-notification-3064-af59-c-016.pdf
A common source of concern is the misperception that the Proposal intends to replace existing notice requirements with a short, fixed, prescriptive timeline. There is also concern that the Proposal is overbroad and would create burdensome overreporting, contrary to the spirit of its articulated intent to provide "early awareness" of severe and operationally debilitating occurrences. This concern lies in the belief that the Proposal as written would attach prescriptive mandatory reporting to an array of events, both the actual, materially harmful and extraordinary, and the merely possible or mundane. In practice, this would compel banks to overreport nondisruptive events to their primary federal regulator and to spend limited resources reviewing voluminous overreports from bank service providers. ... There remains cautious concern as to how the Proposal will be implemented and enforced.
FinCEN Announces Eight Areas of Focus and Advises Preparation for Issuance of New Regulations
On June 30, 2021, the U.S. Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN") issued the first government-wide priorities for anti-money laundering ("AML") and countering the financing of terrorism ("CFT") policy (the "Priorities"). FinCEN has not yet issued the regulations governing how the Priorities must be incorporated into Covered Institutions' AML programs.
Cybercrime, including Relevant Cybersecurity and Virtual Currency Considerations: FinCEN states that it is particularly concerned about three types of cybercrime: (1) cyber-enabled financial crime, such as phishing campaigns or other fraudulent schemes against financial institutions; (2) ransomware attacks; and (3) "the misuse of virtual assets that exploits and undermines their innovative potential, including through laundering of illicit proceeds." FinCEN notes that it issued an advisory in 2016 describing the typologies and red flags related to cybercrime to assist Covered Institutions' compliance and cybersecurity units.
--https://www.jdsupra.com/legalnews/fincen-issues-anti-money-laundering-and-3281702/
So What About the States...
• All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.
• Lawmakers continue to review existing laws, however. At least 22 states introduced or considered measures in 2021 that would amend existing security breach laws. Bills have been enacted in three states so far in 2021: Georgia, North Dakota and Utah.
Summary of Legislation
The most common trends in legislation this year include proposals that would:
• Establish or shorten the time frame within which an entity must report a breach.
• Require state or local government entities to report data breaches.
• Provide an affirmative defense for entities that had reasonable security practices in place at the time of a breach.
• Expand definitions of "personal information" (e.g., to include biometric information, health information, etc.).
• Require private sector entities to report breaches to the state attorney general or other state entity.
--https://www.ncsl.org/research/telecommunications-and-information-technology/2021-security-breach-legislation.aspx
State Cybersecurity Safe Harbor Legislation
2021 has already been a big year for state cybersecurity safe harbor legislation.
--Two states, Utah and Connecticut, have recently enacted or introduced a breach litigation safe harbor to incentivize businesses to protect personal information by adopting industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology's (NIST) Cybersecurity Framework and the Center for Internet Security's (CIS) Critical Security Controls.
--In March 2021, Utah became the second state, after Ohio, to adopt a cybersecurity safe harbor statute for businesses impacted by a data breach. Specifically, an entity that "creates, maintains, and reasonably complies" with a written cybersecurity program modeled after one of several named cybersecurity frameworks may have an affirmative defense to certain claims if the program is in place at the time it experiences a breach of its system security.
--"Breach of system security" is defined under the law to mean an unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information.
--https://www.mondaq.com/unitedstates/security/1067364/2021-developments-in-state-cybersecurity-safe-harbor-laws
Vendor Management
--Effective vendor management (for both compliance and certainty) requires more than a sales demonstration.
--It requires a thorough analysis of vendor financials, SOC reports, security, and confidentiality.
--Having legal counsel review vendor contracts for regulatory compliance and effective security can provide significant assurance that the chosen vendors are protecting customer assets and minimizing legal exposure.
--https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Vendor Management
With virtual banking replacing the retail branch, financial institutions are not immune from the shift to remote work, despite the sensitivity of the data under their management. They face the challenge of finding a work-from-home (WFH) environment that is as safe and secure as an in-office environment. To reach that goal, financial institutions will need to revisit, update and implement stronger technology policies in their employee handbooks. Those policies should incorporate not only cyber protection but also institutional protection against potential employee breaches.
--https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Vendor Management
To summarize, it is important to take inventory of (1) vendor agreements, (2) privacy policies, (3) employee technology policies, and (4) incident response plans.
--Analyze those relative to regulatory and insurance requirements and determine what steps need to be taken for maximum protection.
--https://www.fmjlaw.com/financial-institutions-banks-cybersecurity-2021/
Resources
https://www.fdic.gov/resources/bankers/information-technology/
• Cybersecurity
  o FFIEC Cybersecurity Assessment Tool: assists institutions with identifying cybersecurity risks and determining preparedness
  o Frequently Asked Questions: provide information related to the FFIEC Cybersecurity Assessment Tool
• Technology Outsourcing: Informational Tools for Community Bankers: provides resources for selecting service providers, drafting contract terms, and providing oversight for multiple service providers
• FDIC Technical Assistance Videos
  o Cybersecurity Awareness: a video series designed to assist bank directors with understanding cybersecurity risks and related risk management programs
  o Cyber Challenge: A Community Bank Cyber Exercise, designed to encourage community financial institutions to discuss operational risk issues and the potential impact of information technology disruptions on common banking functions
Voluntary Resource Opportunity
On June 30, 2015, the Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued a Cybersecurity Assessment Tool (Assessment) that financial institutions may use to evaluate their risks and cybersecurity preparedness. Noted for community banks as incorporating NIST Framework ideas, the FFIEC Information Technology Examination Handbook, and others.
https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT%20FAQs.pdf
FFIEC Cyber Tool Link
https://www.ffiec.gov/cyberassessmenttool.htm
Board Level Resources
The 2020 Edition of the NACD Director's Handbook on Cyber-Risk Oversight (National Association of Corporate Directors). The Handbook was the first non-government resource to be featured on the U.S. Department of Homeland Security's US-CERT (United States Computer Emergency Readiness Team) C3 Voluntary Program website.
Link: https://www.nacdonline.org/insights/publications.cfm?ItemNumber=67298
STAKEHOLDER ENGAGEMENT AND CYBER INFRASTRUCTURE RESILIENCE
The Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division within the Cybersecurity and Infrastructure Security Agency (CISA) streamlines strategic outreach to government and industry partners by leveraging capabilities, information and intelligence, and subject matter experts in order to meet stakeholder requirements. SECIR programs and initiatives build public, private and international partnerships and capacity for resilience across the Nation's critical infrastructure and the cybersecurity community. For more information, email SECIRFrontOffice@hq.dhs.gov.
Vision: An engaged and informed customer base driven to achieve a resilient and secure cyberspace ecosystem.
Mission:
• Initiate and sustain strategic Critical Infrastructure (CI) and State, Local, Tribal and Territorial (SLTT) partnerships to develop approaches for longer-term cyber risk management.
• Engage SLTT and CI partners to implement comprehensive but specific cyber preparedness and protective activities.
• Perform outreach and education activities and advocate for DHS cyber capabilities.
Cybersecurity & The Public Trust Equation
Darrell Duffie, a professor at Stanford's business school, examined the potential impact of a "cyber run" in a paper published with Joshua Younger, a managing director at JPMorgan. But resilience against a cyber run doesn't preclude damage to the economy, Mr. Duffie and Mr. Younger noted. Financial markets, probably more than any other critical infrastructure except elections, require public trust to operate. This can quickly erode, even if an attack isn't widespread.
--https://www.nytimes.com/2021/07/03/business/dealbook/hacking-wall-street.html
Self-Assessment from BECTF
Bankers Electronic Crimes Task Force (BECTF), with state bank regulators and the U.S. Secret Service: Ransomware Self-Assessment Tool
https://www.csbs.org/sites/default/files/2020-10/R-SAT_0.pdf
Around the World: Less Prep
"In terms of cyber maturity, Latin America still needs significant advances. The recent OECD study, Digital Security Risk Management, highlights that only three of the 21 countries in Latin America have a defined national digital security strategy, indicating that the region is not yet sufficiently prepared. This is largely due to gaps in legal and regulatory structures. Other aspects that corroborate the criticality of the situation involve the limited investment in cybersecurity technology and the deficit of talent in cybersecurity."
--Homero Valiatti has been working at Itaú Unibanco since 2018 and is currently Information Security Superintendent. In this role, Homero is responsible for the evolution of the institution's cybersecurity.
Reality of Compliance: Test, Test, Not Just Annually
One-quarter of the organizations that do execute testing usually uncover problems or gaps, which begs the question: how many untested environments are operating with glitches?
--Peak 10 data study
Get Involved: Public Policy
• Participate in organizations like CompTIA
• Join your local technology council (60+ across the US)
• Give comments during comment periods for banking regulation
• Participate at the state level in local fusion centers and other cybersecurity centers of excellence at universities and new initiatives
• Attend fly-ins to DC
• Follow proposed banking legislation
• Join NIST cyber working groups
At the Office: Cyber Workforce Gap
Every year in the U.S. there are 128,000 openings for Information Security Analysts, but only 88,000 workers are currently employed in those positions, a talent shortfall of 40,000 workers for cybersecurity's largest job.
http://cyberseek.org/heatmap.html
Federal Partners in Cyber
NIST (National Institute of Standards and Technology): the federal technology agency that works with industry to develop and apply technology, measurements, and standards.
NICE (The National Initiative for Cybersecurity Education).
NICERC, now Cyber.org: Cyber Literacy Curriculum, Computer Science Curriculum, STEM Curriculum, and Teacher Resources from the National Integrated Cyber Education Research Center.
A Banking Cybersecurity Profile to Enhance and Simplify Your Risk Assessment
Download CRI Cybersecurity Profile v1.1, November 12, 2020. The CRI Cyber Profile v1.1 includes:
1. User Guide
2. Mappings to the National Association of Insurance Commissioners (NAIC) IT handbook
3. v1.1 Frequently Asked Questions (FAQ)
4. Summary of v1.1 updates and revisions
5. Mapping to the NIST Cybersecurity Framework (CSF)
6. Mapping between NIST CSF and ISO/IEC 27001
• The Roadmap Forward
• Impact Tiering Questionnaire
• Industry Press Release: CRI Cyber Profile v1.1, November 12, 2020
Explanation of Banking Cybersecurity Profile
The banking industry saw a need for a more harmonized approach to cybersecurity that supports strong oversight while conserving talent and resources and ensuring safety and soundness. The Financial Services Sector Cybersecurity Profile acts as a shared baseline for examination across federal regulators, in a way that makes the most sense for the individual institution.
• developed by the Financial Services Sector Coordinating Council (global, regional, midsize and community banks, along with representatives from other key agencies)
• designed to deploy resources more effectively
• reduces time spent on reconciling exam issues
• integrates widely used standards and supervisory expectations
• complements the NIST Cybersecurity Framework
Back in the Spotlight: Financial Services Sector Coordinating Council
For the Bank Teller: In Walks Awareness Training
• Your biggest security risk works in-house
• Empower your workforce to reduce that risk
• 95% of all security breaches involve human error
Final Takeaways
• Make Data Driven Decisions
• Take a Proactive Stance
• Take a Broad View of Risk Management
• Have Governance and Designate a CISO Role
• Strengthen Cyber Practices Around Compliance
• Test, Test and Mitigate
• Be Willing to Collaborate with Peers and Industry
• Attend to the Human Factor Internally: Train and Develop the Workforce
Aspectx: Your Communications and Public Policy Firm
Competitive Intelligence & Industry Analysis * Public Policy * Joint Application Design * Marketing * Public Relations & Social Media * Business Development * Web Development & Content Marketing
Founder and President: Dawn Yankeelov
www.aspectx.com | dawny@aspectx.com | Twitter: @dawnyaspectx | 502-292-2351
TALK (Technology Association of Louisville Kentucky): www.talklou.com | @talklou
TECNA: www.tecna.org