News & Resources

Publications & Media

Banks Face Increased Regulatory Scrutiny for Cybersecurity Issues

Financial Institutions Law Update James I. Kaplan, Adam J. Falkof

Federal Banking Regulators are placing banks and other financial institutions under greater scrutiny for their IT risk management practices in light of increased cyberattacks against banks, in addition to the civil litigation exposure that may result from a data breach.

The Comptroller of the Currency recently discussed the importance of cybersecurity for banks. His remarks can be found here. The OCC is extremely concerned about cyberattacks and is placing a greater emphasis on banks’ risk management procedures and day-to-day IT management, both internally and with third-party vendors.

Recent reports of cyberattacks substantiate the OCC’s concerns. Online theft of valuable customer data from banks and other financial service companies substantially increased during 2013, according to a recent report from Verizon. The Verizon report states that financial service companies faced over 850 data breach attacks during 2013 alone. A copy of the report can be found here.

Banks and financial service companies also face growing vulnerabilities from their interactions with third-party networks, such as heating and cooling systems, vending machines, and elevator systems. The New York Times recently reported that roughly 23% of the past year’s data breaches, including the Target breach in December, can be traced to third-party networks with access behind the client company’s firewall.

Banks and financial institutions should have their counsel review their own internal procedures as well as their agreements with third-party vendors to ensure they survive regulatory scrutiny and limit their litigation exposure in case of a cyberattack or a data breach. However, it is not enough to provide for contractual allocation of risk. Banks and financial institutions need to perform regular assessments of vendors to ensure that they are delivering on their contractual obligations to maintain appropriate security measures.

For more information, please contact the authors of this alert: stanley.orszula@quarles.com, James Kaplan at (312) 715-5028 / james.kaplan@quarles.com, or Adam Falkof at (312) 715-5082 / adam.falkof@quarles.com. You may also contact any of the following Quarles & Brady attorneys: Jim Friedman at (414) 277-5735 / jim.friedman@quarles.com, Kate Kronquist at (202) 372-9519 / kathryn.kronquist@quarles.com, Maggie Utterback at (608) 283-2443 / margaret.utterback@quarles.com, Jen Rathburn at (414) 277-5256 / jennifer.rathburn@quarles.com, or your Quarles & Brady attorney.