view of mitigating the insurance company’s risk, which may not
be the same as the institution’s risk. Depending upon the severity
of the incident, consideration may be necessary to obtain counsel
to ensure the institution’s own interests are covered. Nevertheless,
an institution should negotiate for this coverage when obtaining
its cyber risk insurance policy.
When the risk assessment occurs, the institution’s evaluation of
the incident’s inherent risk to the institution should be considered,
including both the reasonable impact and the likelihood of the
institution suffering the impact. The strength of the institution’s
controls should also be reassessed. Compliance’s expertise in root
cause identification can also help management identify the root
causes of any control failures, as well as opportunities to improve.
Compliance can guide management in a thoughtful reassessment
of whether controls functioned as expected, by asking the same
questions as it would in a typical compliance risk discussion.
Compliance should ask:
■ Did the institution’s policies and procedures adequately guide
the institution in addressing the situation timely?
■ Did the institution follow its process? (e.g. Was the breach reported through correct channels? Was management informed
timely? Was the institution’s reaction responsive to the risk?)
■ Were the right people in the room to evaluate and address the
breach? Is the institution’s incident response team appropriate?
■ Did other controls function as expected?
■ Were affected vendors responsive and accountable?
In the event of a vendor breach, Compliance should help assess
both the bank’s response and the vendor’s response. Questions to ask include:
■ Did the vendor report the breach to the bank in a timely manner?
■ Was the vendor transparent about the cause of the breach, and
was its incident response plan executed satisfactorily?
■ Did the bank suffer unexpected consequences, such as reputational damage or financial losses?
■ Should the vendor risk (or choice of vendor) be reassessed
based on the incident?
■ Review the contract with the vendor: are there service-level
agreements (SLAs) or other warranties available that can be taken advantage of?
Consider reassessing the risk of vendors if an incident uncovers
additional unexpected risks. For example, you may want to reassess
vendor risk if you discover that the vendor’s vendor suffered the
breach, the vendor had more PII data than originally contemplated,
or the vendor had fewer controls than expected. Further, if the
bank is retaining the vendor following an incident, Compliance
may lead discussions with the vendor to ensure that the bank’s
expectations regarding future incidents are clear.
Finally, if relying on cybersecurity insurance to mitigate its
risk, the bank should also evaluate whether both the company
and the policy functioned as expected. (Note that while the insurance company may also perform a post mortem on the incident,
the bank should be mindful that the company’s focus is likely on
mitigating their risk rather than the bank’s risk.) Compliance can
contribute to this discussion by asking the following questions:
■ If the incident was covered by the policy, was coverage adequate
for the incident? If not, evaluate where the bank’s risk appetite
falls as far as obtaining additional coverage versus the risk of
another incident of that type.
■ If the insurance company promised guidance and/or incident
response assistance, did it deliver? Was the assistance useful?
Use your post mortem to assess whether your coverage is adequate; policies are negotiable and can cover data privacy, liability
coverage for data breaches/losses, remediation costs and regulatory penalties, as well as coverage for other cybersecurity
incidents, business interruptions, and media liability.
Compliance must work on a regular basis to assure all stakeholders in a potential breach understand the value Compliance may
provide, as well as continue to inform all parties of any evolving
legal and regulatory developments. Compliance could make the
difference between an adequate and comprehensive response
to an incident, or one that falls short and results in additional
reputational harm to the institution. So, pull up your chair at the
table, and get comfortable: with all the pending legislative efforts
in this space, you will be there a while.
ABOUT THE AUTHORS
MARGARET “MAGGIE” WEIR WESTBY, ESQ., CRCM, Adjunct
Professor, Boston University School of Law, is an experienced regulatory compliance and legal professional with more than 25 years
of experience in leadership roles with multiple financial institutions and consulting groups.
Maggie is a graduate of the Boston University School of Law,
where she earned a J.D. and subsequently an LL.M. in Banking and
Financial Law. She holds an M.B.A. from the University of Denver
and a B.A. in Political Science from the University of Houston.
Maggie is an Attorney in the Boston metro area, and serves as
adjunct faculty within the J.D. and LL.M. programs at Boston University
School of Law. She is a faculty member for ABA’s National Compliance
School. She is a frequent regional and national speaker on legal and
business topics. Reach her at email@example.com.
LISA WOLF, JD, CRCM is Vice President and Chief Compliance
Officer at 1st Source Bank in South Bend, Indiana, overseeing
compliance and fair lending for the $6.4 billion community bank.
She began her career as a state Deputy Attorney General, litigating
consumer protection cases and participating in joint investigations
with other federal and state authorities, including the CFPB and
FTC. She left litigation to pursue a career in financial institution
compliance, gaining experience as a compliance consultant and
compliance officer prior to her current position. She has a bachelor’s degree in Political Science from Aquinas College in Grand
Rapids, MI and her J.D. from Notre Dame Law School. In her free
time, she runs marathons. Reach her at firstname.lastname@example.org.