
Over the past 20 years, cybercriminals successfully launched 20,000 attacks against financial institutions, according to the International Monetary Fund. These attacks carry a heavy financial toll as well as reputational and operational risks.
Even so, the pace of growth in cybersecurity staff across all industries has slowed over the past couple of years. Last year, law firm Jones Walker conducted a survey of 125 executives at community and mid-size banks with $50 billion in assets about their cybersecurity practices.
Partner Jason M. Loring spoke to Scotsman Guide about the survey. He shared his thoughts on how prepared the financial industry is for cybercrime, the use of artificial intelligence in prevention, and the regulatory fallout from these attacks.
What surprised you about the survey’s findings?
One of the most surprising insights was the relative lack of prevention and preparedness, particularly against the backdrop of this complicated regulatory scheme in the banking sector and, as a result, substantial potential exposure. Being prepared is so critical, because that’s a way the banks can mitigate risk.
Why do you think that is — the relative lack of preparation?
There’s a tendency to focus on post-incident regulatory compliance. Think about breach reporting and notification-related obligations, rather than proactively investing in pre-incident preparedness and prevention activities. They are critical. They can help prevent data breaches.
Why has the growth in the number of cybersecurity personnel at financial institutions slowed over the past few years?
One reason is automation and the adoption of emerging technologies. Generative AI is certainly becoming, if it’s not already, ubiquitous. They’re leveraging AI- and generative AI-powered tools to handle routine security tasks. Frankly, there are practical considerations. You can’t ignore budgets. Maintenance of security is critical, but we must acknowledge that many financial institutions face pressure to control costs. That’s likely led to more selective, more specialized hiring.
While bank executives felt very or somewhat prepared for cyberattack, the majority also felt that more needed to be done. Why is that?
Cyberthreats are constantly evolving, so the banks have to continually enhance their cybersecurity so that customers’ assets, etc., are protected. It really makes sense that although it’s a top priority, it’s not static; there’s always going to be something that needs to be done in this space. I don’t think it’s necessarily inconsistent for bank executives to say, ‘We feel OK about it, but more needs to be done.’
What risks could financial institutions face, relying too much on third-party vendors?
Significant vulnerabilities, frankly. Regulators have really focused on the level of scrutiny that banks are applying to their own third-party vendors and the security controls that are deployed. There’s a substantial reliance by banks on these vendors to provide, perhaps more often augment, security controls. They really need to be thoughtful about what that means, because the ultimate responsibility for compliance is on the banks themselves.
Why should banks and other financial institutions involve law firms in cybersecurity, either before or after an attack?
The banks themselves can’t necessarily be expected to maintain an expert level of insight into all of these rapidly developing, highly complex cybersecurity regulations, the emerging technologies and the state of best practices. When they have the opportunity to work with outside legal counsel who are familiar with these issues, they can help the banks develop their programs.
Frankly, it can be less costly than trying to implement solutions themselves on a piecemeal basis, because outside counsel can advise them on every aspect of their cybersecurity program, and so that includes who else needs to be involved (insurers, consultants), focusing on incident response, and what robust breach preparedness looks like.
Could you tell me a question that I should be asking you and then answer it?
What might enforcement look like going forward in the banking sector? You have the incoming Trump administration, which is likely to shift enforcement priorities and reduce federal oversight, perhaps materially.
There’s a Supreme Court decision in Loper Bright Enterprises v. Raimondo, and what that did was overturn this decade-long practice of federal courts deferring to a federal agency’s reasonable interpretation of the law in the face of statutory ambiguity. That really could result in a substantially weakened federal enforcement landscape, where the agencies do not get the benefit of that deference and have a harder time with enforcement actions. What is that kind of regulatory and enforcement landscape going to look like?