Under Pressure but Not Underprepared: Key Considerations for Financial Institutions to Prepare for Increasing Cyber Risk Disclosures

Financial institutions and securities market participants continue to face communications challenges from an escalating cyber risk exposure. At the same time, U.S. state and federal regulators have introduced sweeping new requirements for disclosure and risk controls.[1][2][3] They have also shown their willingness to hold organizations accountable for allegedly improper controls and have gone on offense to enforce previous gray areas where cybersecurity communications and securities laws intertwine.[4]

This year alone, the federal government has taken significant steps to bolster disclosure requirements, notably in July when the SEC adopted rules for public companies,[5] and in October when the FTC amended rules for non-bank financial institutions.[6] The latest effort came down this month when the New York State Department of Financial Services (NYDFS) – often a model for securities industry regulation nationally – introduced significant updates to its rules requiring, among other things, greater oversight and disclosures from financial institutions under the department’s regulatory purview.[7]

The NYDFS rules effectively target some of the thorniest issues facing financial institutions when preparing for, and managing through, the reputational impact of a cyber attack. The consequences for stakeholder engagement and crisis communications efforts are significant. These institutions, whose trials and tribulations can have dire consequences in securities markets and the broader economy, must effectively confront these escalations. Communications excellence, operational preparedness, and informed decision making are invaluable, and they must be invested in for companies to effectively manage through the new regulatory regime.

The Clock’s Ticking

NYDFS’s requirements indicate that incidents must be reported within 72 hours of determining an incident has occurred.[8] This subtle change ups the ante for institutions whose reputation and operational capabilities are critical to the functioning of securities and financial markets, credit markets, and the health of the broader economy. This update requires organizations to alter the framework of their decision making, leaves little room for error, and notably, will likely result in early publicity around a cybersecurity incident.

Key Considerations for Organizations to Prepare for Rule Change

Prepare: Prior to confronting a cyber attack, organizations should have clearly defined communications protocols, well-understood stakeholder universes, and an effective team of communications first responders with executive buy-in, who have authority to serve as the voice of the institution. When time is of the essence, approval processes must be carefully spelled out to reduce reputation-harming delays, which may give regulators, clients, and the public the impression that the organization is ill prepared for a crisis and not taking the issue seriously. All of these consequences imply business and market risks that must be avoided.

Engage: A large financial institution will have a dispersed and decentralized universe of stakeholders with whom to communicate. Any institution must understand whom it must inform, and whom it should inform, in the event of a cyber attack. The latter category, not under the purview of regulatory requirements, leaves significant room for judgement and debate. It could include business partners whose own operational security is considered to be at risk, investors with elevated expectations of transparency, and clients that represent a significant and reputationally sensitive deposit base or share of revenue. With publicity around the corner, a well-orchestrated “heads up” will provide cover and goodwill during the long road ahead.

Respond: With knowledge of an incident now public, organizations should expect a high volume of incoming questions, recriminations, and demands from a wide-ranging audience. While satisfactory answers may not be forthcoming, an organization must put itself in a position to respond, or risk having its voice lost in the rancor. Organizations should set expectations with their audiences by responding to inquiries from partners, investors, and clients in a timely and serious fashion. Media should be engaged reactively, quickly, and with information that is currently known. The temptation to get ahead of the investigation and reassure the market and clients will be compelling; however, getting ahead of the facts is rarely the right move.

To Pay or Not to Pay?

Addressing a ransom demand will likely involve one of the more difficult decisions an organization will need to make during the incident response process. While not banning ransom payments, the NYDFS now requires regulated entities to report payments within 24 hours of a payment being made, along with the decision-making process behind the payment.[9] The risk of this information becoming public must be considered thoroughly, and organizations must think through their approach to, and appetite for, making ransom payments prior to being confronted with this decision.

Whatever the decision may be, it will not be popular. The reaction from the market, clients, politicians, and partners can be severe, and split between those who support the decision and those who do not. When making this decision, consider the following:

Operational risk tolerance: Under an encryption scenario leading to significant business disruption, non-payment can extend service and operational outages. The business and reputation risks are apparent. Clients, investors, and partners may look for the exits if access to funds is unavailable, if credit cannot be extended, or if trades are delayed, among other risks.

Reputational risk tolerance: Typically, payment decisions are closely guarded for a host of legal and reputational reasons. Under the new rules, a tight-lipped approach may be more difficult to execute. Public knowledge of payment decisions, and the considerations behind those decisions, exposes an organization to elevated public scrutiny and media attention.

Oversight and Governance – A Good Story to Tell

NYDFS’ focus on the role of the Chief Information Security Officer, as well as on board oversight, puts the risks outlined above into perspective. Large financial institutions play an outsized role – both culturally and economically. The consequences of a cyber attack – in the media, in the minds of the public, and in the market – may be outsized as a result.

Going a step further than the SEC, the NYDFS rules require significant responsibility and accountability from CISOs and boards.[10] Ensuring that these individuals are adequately prepared to manage day-to-day risk, as well as to manage through a difficult and public conversation during and after a cyber attack, may be considered costly and intrusive. On the other hand, a well-prepared leadership team, educated in the most relevant risks, will lighten the load when the worst comes to pass.

A comprehensive approach to crisis communications can solve problems before they arise. At worst, these technical and reputation-focused programs can help an organization tell a good story, respond quickly, and play adequate defense with stakeholders during the lifecycle of a cyber attack.

[1] “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” U.S. Securities and Exchange Commission (Nov. 14, 2023), https://www.sec.gov/corpfin/secg-cybersecurity.

[2] “FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches,” Federal Trade Commission (Oct. 27, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches.

[3] “Governor Hochul Announces Updates to New York’s Nation-Leading Cybersecurity Regulations as Part of Sweeping Effort to Protect Businesses and Consumers from Cyber Threats,” New York State (Nov. 1, 2023), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202311011.

[4] Chris Prentice, Jonathan Stempel and Raphael Satter, “US SEC sues SolarWinds for concealing cyber risks before massive hacking,” Reuters (Oct. 30, 2023), https://www.reuters.com/legal/us-sues-solarwinds-court-records-2023-10-30/.

[5] See supra note 1.

[6] See supra note 2.

[7] See supra note 3.

[8] “New York State Department of Financial Services Second Amendment to 23 NYCRR 500,” page 15, The New York State Department of Financial Services (Oct. 16, 2023), https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf.

[9] Ibid., page 17.

[10] Ibid., pages 6-7.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2023 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
