Pub. 8 2018 Issue 3

recovery plans, at least every one or two years, and they are conducting periodic tabletop exercises to make sure that the right people respond when an incident does occur. Staying up-to-date on cyber insurance coverage is another important part of being prepared.

The tough thing about cyber security is that defenders have to be vigilant at all times, while attackers only have to get through the defense once to create havoc. For that reason, it’s important to have well-designed change control procedures in place to ensure that changes to network configurations and controls do not inadvertently introduce security vulnerabilities. Many network compromises can be traced back to change control procedures that either did not exist or were not properly followed. Implementing – and diligently following – established change control procedures can help prevent the mistakes that may lead to a data breach.

How can banks best prepare for a potential cyber incident?

There are many “best practices” for cyber security, but let’s highlight one that is particularly valuable for preventing complacency. Banks – all industries, really – should rotate their cyber-security assessment and testing providers. If the same team is used for penetration testing year after year, they will likely find the same kinds of vulnerabilities year after year. Sometimes a new set of eyes can be beneficial. If a rotating group of trusted cyber-security assessment and testing providers consistently reports that a bank’s networks and systems are clean, the bank can feel more confident that nothing important has been overlooked.

Being proactive is key – educating employees and putting proper risk management systems in place should be a high priority. Banks should work with an independent insurance agent to identify coverage to manage potential cyber exposures and ensure that employees are exhibiting behaviors that limit cyber risks. Finally, banks should utilize resources such as Travelers.com/cyber to help understand and navigate the growing threat of cyber risks.
