You’ve Been Hacked: How Will You Respond?

By Merrie Spaeth

Impersonating reporters on panels has become one of my favorite pastimes. After ABA’s Annual Convention last year, where I played a reporter on a panel examining how to handle a cyber attack, ABA invited me to return for its Risk Management Forum. The scenario was similar: Your bank has been hacked. In this mock scenario, the institution in the hot seat was a billion-dollar bank in the South named Lucky Bank, and the media outlet I represented was “UOMe” TV.

The first news of the hack came from credit card companies reporting that customers were complaining en masse about unauthorized charges and cancelled charges. A plaintiffs’ law firm—Dewey, Cheatham & Howe, borrowed from NPR’s “Car Talk”—trolled the Internet looking for bank customers for a class action suit, as did a well-connected, disgruntled blogger called Bankerbabe.

Lucky Bank also received word that the hackers were selling information allowing criminals to access ATMs, so bank personnel were physically reprogramming ATMs outside their branches. Internet-savvy customers noted the workmen and posted pictures of them on Instagram. Bankerbabe called them to my attention at the television station.

My role was to ask the questions the media would ask and to illustrate how social media platforms such as Facebook and Twitter complicate the communication challenge. Although bank executives may feel they have quite enough legal, technical and operational issues to contend with, communication—both internal and external—is needed across the entire enterprise. You will undoubtedly have to communicate with key audiences before you have all the facts. Typically, you will not have any of the key facts confirmed when you get word through third parties or social media.

Create a timeline beginning with taking the first phone call or reading the first tweet. Consider how you would handle the questions below after the first hour, day or week. On social media, you must have credible responses that convey confidence and inspire trust. And you’ll have to deal with these questions from reporters, customers and the general public. If you’re lucky, the reporter or customer will call customer service, but they may also be trading rumors on social media.

How and when you respond to these kinds of questions will undoubtedly depend on your own bank, the nature and scope of an attack and other considerations, but grappling with the questions will give you a snapshot of your preparedness.

Think about how you’ll handle questions like this:

• 
I have heard that your bank has been hacked. Can you confirm or deny this?
• 
How many customers have been affected?
• 
What information did the hackers get? Social security numbers? What other kinds of customer data?
• 
What have you told customers?
• 
Who’s to blame?
• 
Are you going to change your IT or security providers?
• 
When did you detect the problem?
• 
Did you have any warning signs?
• 
How long were you exposed before discovering it?
• 
Why did you wait to announce it?
• 
What are you trying to cover up?
• 
What kind of liability do you have?
• 
Will you pay for credit counseling for customers?
• 
Has this happened before?
• 
Have you notified your regulators?
• 
Are you confident you have identified and blocked all the intrusions?
• 
Do you have insurance to cover this?
• 
Are you going to apologize?
• 
What if you do not find out who’s responsible?
• 
Is this a criminal event, hackers displaying their abilities, terrorism or sabotage?
• 
Can you guarantee this will never happen again?

Some reporters and bloggers better versed in information security may ask more in-depth questions:

• 
Did you have Intrusions Detection Systems (IDS) implemented?
• 
What about sandboxing as a preventive technique?
• 
Does your IT department regularly send fake emails to employees to see if they open unauthorized emails, a primary way that hackers gain access? (The technique is controversial as an invasion of privacy, and because so many scam emails look so realistic, lots of employees inevitably get caught.)
• 
Critics say that Security Event Management systems (SEMs) are ineffective architecture with a high false positive ratio. Are you using SEMs?
• 
Experts say that hackers are increasingly gaining access to financial institutions through third party vendors or smaller financial institutions that may not have adequate security measures. What have you done to audit the security provisions of the enterprises you do business with? 
Can you guarantee they all have the proper security in place?

Merrie Spaeth is founder and president of Spaeth Communications.