Deputy Treasury Secretary Sarah Raskin, who recently spoke at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference, provided bank executives and boards some guidance on preventing, preparing for and responding to cyberattacks.

Citing recent attacks against Target, Home Depot and JP Morgan Chase as evidence of the growing cybersecurity threat, Raskin offered a checklist of 10 questions to guide bank CEOs and their boards. The questions encompass three broad areas—baseline protection, information sharing and response and recovery—and aim to provide a roadmap for banks before an attack occurs.   

The questions covered areas such as: whether the bank follows the National Institute of Standards and Technology’s Cybersecurity Framework; what cyber risks do the bank’s vendors and other third parties expose it to; whether the bank has cyber risk insurance; when and how the bank engages with law enforcement after a cyber incident; and when the bank informs customers, investors and the general public about cyber incidents. 

One point Raskin emphasized is exercising “basic cyber hygiene,” meaning knowing all the systems on your network, knowing who has what administrative privileges and routinely patching software and assessing security weaknesses. According to her estimate, such activities could prevent 80 percent of all known attacks. Another important point of emphasis was the preparedness of a bank’s leadership for an attack, including having a cyber-incident “playbook,” which details who is responsible for coordinating the bank’s response and what their first course of action should be. Additionally, Raskin recommends that banks engage in cyber exercises that simulate a cyber intrusion in order for the leadership to be prepared for the organizational challenges such an attack would pose. The Department of the Treasury is currently in the process of developing such an exercise regime, with input from both the financial sector and other federal departments and agencies. 

Remarks are available here.