Is Your Financial Institution the Next Target of a Cyber-Attack?

In This Presentation:

– Regulatory expectations for financial institutions

– Risks for financial institutions

– Planning to reduce risks

– The Breach

– Duties and responsibilities

– Consequences of breach

– The Litigation/Regulatory Action

– High-Profile Lessons Learned

– Final Take-aways?

– Excerpt from Regulatory expectations for financial institutions:

What expectations does the FFIEC have for financial institutions as it relates to data security?

– 1) Information Security Risk Assessment;

– 2) Information Security Strategy;

– 3) Security Controls Implementation;

– 4) Security Monitoring; and

– 5) Security Process Monitoring and Updating.

Please see full Presentation below for more information.

 Download PDF

• 2
Audio should stream
automatically on entry
through your computer

If you cannot stream audio, click
phone icon and a phone number
will be sent to you

• 4
Send us questions

Download PPT Slides
• 5
Click ‘File’

Download PPT Slides
• 6
Select ‘Save As’ and Select .PDF
as type

CLE credit available in CA, NY, PA, VA
(pending), NJ (credit available
through reciprocity).

Contact Brian Dolan at for CLE form

Richard P. Eckman
• Partner in the Wilmington office of Pepper
Hamilton LLP
• A finance and transactional lawyer and from
2003 to 2015 was chairman of the firm’s
Financial Services Practice Group
• Transactional practice focuses on representing
financial institutions, corporations and other
entities in complex financing transactions,
including mergers and acquisitions, asset
securitizations and other lending and venture
• An active speaker on new Consumer Financial
Protection Bureau and its implications for the
Partner, Financial Services

Walter B. Donaldson, II
• Managing Director with Freeh Group
International Solutions (FGIS)
• Has over thirty years of experience in areas of
Risk Management, Audit & Compliance,
Regulatory Reviews, Corporate Investigations,
Data Breach Response & Investigation,
Intellectual Property Investigations, Executive
Protection, Computer Forensics and Law
• Prior to joining FGIS, served as the Global
Special Investigations Executive and Senior
Vice President of Bank of America / Merrill

Managing Director

Sharon R. Klein
• Partner in the Corporate and Securities Practice
Group of Pepper Hamilton and the partner in
charge of the firm’s Orange County office and
chair of the Privacy, Security and Data
Protection practice.
• Handles a variety of corporate and intellectual
property matters, in particular, helping
technology and outsourcing clients grow and
• Practice includes providing breach response
and breach coaching to assist in mitigating
cyber-risk and advising companies on data
governance and privacy regulations in
acquisitions and product launches.

Partner, Privacy, Security and Data Protection

Angelo A. Stio, III
• Partner in the Litigation and Dispute Resolution
Department of Pepper Hamilton, and a member
of the firm’s Privacy, Security and Data
Protection group.
• Regularly counsels health care, financial
services and educational institution clients on
data privacy and security issues
• An experienced trial attorney who litigates
matters in state and federal courts throughout
the country. Mr. Stio handles complex
commercial disputes, class actions and
derivative suits, corporate governance disputes,
and college and university litigations.

Partner, Litigation and Dispute Resolution

Welcome and Introduction

• What expectations does the FFIEC have for financial
institutions as it relates to data security?
– 1) Information Security Risk Assessment;
– 2) Information Security Strategy;
– 3) Security Controls Implementation;
– 4) Security Monitoring; and
– 5) Security Process Monitoring and Updating.

Regulatory expectations for financial

• Are there any other resources from the FFIEC that financial
institutions can look to when seeking guidance on data
– The FFIEC IT HandBook is available on the FFIEC website.
– The FFIEC has an appendix to the IT booklet which provides a
list and links to all of the Laws, Regulations, and Guidance
provided by the FFIEC member agencies.

Regulatory expectations for financial

• What are the various risks out there with respect to IT
infrastructure and data security…and how does one prioritize
those risks?
• How can your IT infrastructure be accessed and/or disrupted?
• We all seem focused on the threats and risks external to the
company. What are some of the risks internal to the

Risks for financial institutions

• How can a company plan for, prepare and mitigate threats and
risks, including the risks that arise out of a company’s
relationship with its partners and suppliers?
– External risks
– Internal risks
– Third-party risks
• What are best practices in a planning process and a plan?
– Administrative
– Technical
– Physical
• What are the elements and how should the plan adjust for
variables of size, complexity, industry and other factors?

Planning to reduce risks

• What do you do once you know there has been a breach of
your network and data?
• When do you call a law enforcement or government agency
and what do you do when they show-up?

The Breach

• What are the responsibilities of the other company personnel,
such as directors, officers and employees?
• What different organizations impose these duties and
Duties and responsibilities

• What are the various consequences associated with an
infrastructure and/or data breach?
• Can I transfer the risks and consequences?
Consequences of breach

• Who are the possible plaintiffs (action bringers)…private
parties, FTC, other government agencies, State Attorneys
• Can you give us some examples of the actions taken or the
lawsuits brought?
• How do government and private actions usually proceed and
play-out? What should I know?

The Litigation/Regulatory Action

• Give us an example of a high profile incident and what are the
lessons learned there?

High-Profile Lessons Learned

Final Take-aways?

Download PDF[930KB]

Note close

Firefox recommends the PDF Plugin for Mac OS X for viewing PDF documents in your browser.

We can also show you Legal Updates using the Google Viewer; however, you will need to be logged into Google Docs to view them.

Please choose one of the above to proceed!

LOADING PDF: If there are any problems, click here to download the file.