Are You Prepared?

• Crisis
• April 23, 2015
• by Merrie Spaeth

Impersonating reporters on panels has become one of my favorite past times. After the annual American Bankers Association meeting, where I played a reporter on a panel examining how to handle a computer hack/cyber-attack, the ABA invited me to recreate my performance at their annual meeting for Risk Managers. The panel was titled: “Incidence Response and Recovery: Is the Response Worse than the Attack?” The scenario was similar:  your bank has been hacked. In this mock scenario, the institution in the hot seat was a billion dollar bank in the South named Lucky Bank, and the media outlet I represented was “UOMe” TV.

The first news of the hack came from credit card companies reporting that customers were complaining en masse about unauthorized charges and cancelled charges. Updates from the annual meeting panel included a plaintiffs law firm, Dewey Cheatum & How (borrowed from NPR’s Car Talk) trolling the internet looking for bank customers for a class action suit, and a well-connected, disgruntled blogger, Bankerbabe. In addition, Lucky Bank received word that the hackers were selling information allowing criminals to access ATMs so bank personnel were physically reprogramming ATMs outside their branches. Internet savvy customers noted the workmen and posted pictures of them on Instagram. Bankerbabe called them to my attention at the television station.

My role was to ask the questions the media would ask and to illustrate how social media platforms such as Facebook and Twitter complicate the communication challenge.

Experts speaking at the conference were virtually unanimous: it’s not if you’ll experience a hack, it’s when; so it’s wise to prepare. The conference covered the technical, legal and operational issues–and there were many. Although bank executives may feel they have quite enough to contend with in those areas, don’t forget that communication, both internal and external, is needed across the entire enterprise. And, you will undoubtedly have to communicate with key audiences before you have all the facts. Typically, you will not have any of the key facts confirmed when you get word through third parties or social media.

Are you prepared? Create a timeline beginning with taking the first phone call or reading the first tweet. How would you handle the questions below after the first hour? day? week? Hint: we’re not advising you be able to “answer” the questions, but you must have credible responses which convey confidence and inspire trust. And, you’ll have to deal with these questions from reporters, customers and the general public. If you’re lucky, the reporter or customer will call customer service, but they may also be trading rumors on social media.

• I have heard that your bank has been hacked. Can you confirm or deny this?
• How many customers have been affected?
• What information did the hackers get? Social security numbers? What other kinds of customer data?
• What have you told customers?
• Who’s to blame?
• Are you going to change your IT/security providers?
• When did you detect the problem?
• Did you have any warning signs?
• How long were you exposed before discovering it?
• Why did you wait to announce it?
• What are you trying to cover up?
• What kind of liability do you have?
• Will you pay for credit counseling for customers?
• Has this happened before?
• Have you notified your regulators?
• Are you confident you have identified and blocked all the intrusions?
• Do you have insurance to cover this?
• Are you going to apologize?
• What if you do not find out who’s responsible?
• Is this a criminal event, hackers displaying their abilities or terrorism or sabotage?  
• Can you guarantee this will never happen again?

Our reporter in this scenario had recently read a lengthy article about security procedures so she had some specific technical questions:

• Did you have Intrusions Detection Systems (IDS) implemented?
• What about sandboxing as a preventive technique?
• Does your IT department regularly send fake emails to employees to see if they open unauthorized emails, a primary way that hackers gain access? (The technique is controversial as an invasion of privacy and because so many scam emails look so realistic, lots of employees inevitably get caught.)
• Critics say that Security Event Management systems (SEMS) are ineffective architecture with a high false positive ratio. Are you using SEMS?
• Experts say that hackers are increasingly gaining access to financial institutions through third party vendors or smaller financial institutions that may not have adequate security measures. What have you done to audit the security provisions of the enterprises you do business with? Can you guarantee they all have the proper security in place?

The panel’s scope did not encompass formulating the responses. That’s a topic for another conference, but grappling with the question will give you a snapshot of your preparedness.

So, are you prepared to respond? Ready, set, go!