Cybersecurity is a buzzword in the business and technology world today. Many organizations are facing the reality that their customers and relationships can be threatened by a few keystrokes from cyber threats. The VL Bank Case is an example of just how dangerous both a lack of preparation and a lack of response can be in today’s society. Companies can quickly find their customers ready to revolt against them when their personal information is compromised and made available to people with malicious intentions. There are a number of important factors within the VL Bank Case that must be recognized before developing a potential solution to the problem at hand.
The recent breach at the bank resulted in, among other things, fraudulent transfers of funds after certain customers’ accounts were infiltrated via computers infected with a keystroke logger virus set up to collect bank customers’ personal information. These were not bank-owned or bank-overseen computers, but personal computers or computers accessed off bank premises. The persons responsible for the breaches violated several subsections of the Computer Fraud and Abuse Act: 18 U.S.C. 1030(a)(2) – computer trespassing; 18 U.S.C. 1030(a)(5) – damaging a bank computer; 18 U.S.C. 1030(a)(4) – committing fraud where an integral part of that fraud consisted of illegally accessing a bank computer. The Computer Fraud and Abuse Act protects computers where the federal government has an interest. Two additional laws that apply to this scenario and should be considered in the examination are the Gramm-Leach-Bliley Act (GLBA), which specifically addresses financial services, and the Federal Information Security Management Act of 2002 (FISMA), which addresses the role of information security in the protection of a global enterprise and the nation’s economic interests.
The chief information security officer has a number of questions to recognize immediately when the problem comes to a head. Looking at these questions is the first step in developing a sound solution to the problem that best fits the company’s needs and those of its customers. Cybersecurity is becoming an important aspect of security across the board, beyond just the financial sector. The VL Bank situation falls within the standards that have been established when it comes to enforcing criminal law on the Internet and the regulations that the public expects when it comes to access to their information online.
The first priority in response thereto was to preserve evidence. In essence, a snapshot was taken of the entirety of the bank’s system, including, but not limited to, copying the hard drives, capturing network data and operating system logs. At the same time, law enforcement was contacted to report the breach. In addition, the FBI was contacted since it appears that a portion of the activity involved international activities and banks (Farhat, 2011).
Mitigating the damage was addressed next. At this point, it was crucial to maintain open communication and full disclosure of the incident to VL Bank’s attorneys. While the corporate counsel team was notified immediately upon uncovering the breach, because of legal obligations, potential damages, and customer relations, VL Bank will cooperate to the nth degree with whatever counsel requires to protect the bank. VL Bank managers are fully aware of how important counsel is to the sustainability of the bank post incident (Kannan et al., 2011).
Sustainability is next considered. After all, there are multiple, if not all, bank stakeholders that are affected when a cyber-attack hits a major organization such as this. As seen with the Sony hack that occurred in 2014, the ramifications are felt beyond just the organization (Macri, 2014). In this case, there are groups that have to be considered when looking at how to remedy and prevent these types of situations.
First and foremost, there are the customers. These individuals have the right to be angered when their personal information has been stolen and used to create fraudulent accounts. This shows that the bank may not have done its best to protect these individuals from the very start. In this case, these individuals found that their information was used to open up false accounts and then send transfers to foreign countries. The question is immediately raised whether or not VL Bank has the capabilities to protect these people and the funds they have entrusted to that organization. Right now the answer to that question seems to be no, and there is very little that the powers that be can do to prove otherwise (Kannan et al., 2011).
Shareholders, the FDIC, and employees must be tended to. The more transparent the bank remains during this type of fiasco, the better. It is important that customers, potential customers, the community, etc., all have access to information relevant to them. If nothing else, all the stakeholders must be assured that the matter is under control and that the risk of it happening again in the future is at the bare minimum.
To reduce future breaches, the bank should consider an on-call cybercrime advisor. That person would be responsible, along with the CISO, for maintaining the security procedures such that the bank maintains compliance under Article 4A of the Uniform Commercial Code, which provides that the bank has in place security that is commercially reasonable. To that end, the Cyber Incident Response Plan will be reviewed semi-annually with reasonable edits as required. Consideration should be given to new technology, both developed and in development, to monitor for and filter activity indicating these and other types of cybercrimes.
Coordination between all the other departments and branches is also critical to identifying and then responding to cyber attacks. A response plan to that end includes a specific team identified to respond to cyber attacks; reporting the attack; the initial response; investigation; recovery and follow up; and public relations. These different elements will be delineated in the response plan and disseminated to every employee, manager, shareholder and bank lawyer.
The Office of Legal Education has created a document that outlines the laws that are in place for handling issues such as this matter. This document outlines the law named “Accessing a Computer and Obtaining Information,” which includes the standards banks would have to use in attempting to prosecute individuals who have hacked into their systems to use this information within their scam (OLE, 2015). In addition, it is the cybersecurity schematic that the bank regulatory authorities require that banks have in place to protect against and/or respond to cyber attacks.
When strengthening the cybersecurity aspects of its organization, VL Bank must work within the specific standards that are available via the law. Seeing how this is a case that stretches not only across the borders of different states, but beyond to different countries, the organization and its legal team must ensure they have their standards in place to pursue the criminals legally within a court of law. Borders and jurisdictions are two factors that need to be recognized when developing the legal case against these criminals. The potential, if not probability, that these types of intrusions will not only cross state lines but international lines demands that enforcement agencies relevant to the jurisdiction are involved. For instance, in this case, some money was transferred to Thailand. This means that authorities in Thailand will need to be contacted and, hopefully, cooperation will ensue in investigating this crime. The same is true for the other countries and even the states where other banks were affected. This is a glaring reason to maintain close communication with bank counsel. This is the sort of information crucial to convey to the bank’s attorney who, in turn, supports a thorough investigation and the bank’s compliance with international and local regulations. “Globalization, technological innovation, and heightened security concerns have complicated traditional understanding of borders” (Finklea, 2013). As technology has continued to advance, law enforcement organizations have slowly caught up to the standard to outline what jurisdictions are in place for handling matters such as this within VL Bank.
VL Bank will obviously not survive this unscathed. Stockholders are also affected by this situation. The value of their financial backing of VL Bank is going to drop because the overall level of customer trust is going to fall. This causes the value of shares in VL Bank to fall, which may cause some to sell their assets. This is a typical response in the business world when major companies are hit with negative situations that are pushed into the media’s eye (Perumal, n.d.).
What is interesting is that this situation could, in turn, be a positive for VL Bank if it finds a way to rebound from the disaster. Doing so would help instill new confidence that would help the organization rebuild from this situation and help more people become interested in working with the company. However, the first step of doing so would be developing a strategy, presented to the public, that explains how VL Bank will reinforce its security and also assures customers, investors, and investigators that this situation will not occur again in the future.
Regulatory requirements and standards mandate specific requirements for cyber-security in today’s society. Many organizations, such as Target, have been at the center of cybercrimes (Riley, 2014). During the investigation, it is often revealed whether or not these companies upheld the regulations that are in place to ensure safety to their users. VL Bank will have to ensure that it falls within these requirements, and if it is revealed that it has not, then there is an opportunity for this controversy to grow even larger than it currently is. Either way, these regulations are put into place to not only protect the customer but to protect the organization as well (Anderson, Connolly, & Rainie, 2014).
Cyber-security is a hot buzzword within the business world today. As millions of dollars are moved around electronically every day, these dollars have become the treasure of those with the technological know-how to attack the firms in question. This example with VL Bank represents not only how companies can be attacked, but the steps that firms need to implement, and the response needed to defend against these situations.
References
Anderson, J., Connolly, J., & Rainie, L. (2014). Cyber attacks likely to increase. Pew Research Institute. Retrieved from http://www.pewinternet.org/2014/10/29/cyber-attacks-likely-to-increase/
CBS News. (2015). Hack my network – please. CBS. Retrieved from http://www.cbsnews.com/news/companies-hire-hackers-to-break-into-their-systems/
Farhat, V., McCarthy, B., & Raysman, R. (2011). Cyber attacks: prevention and proactive responses. Holland & Knight, LLP. Retrieved from http://www.hklaw.com/files/Publication/bd9553c5-284f-4175-87d2-849aa07920d3/Presentation/PublicationAttachment/1880b6d6-eae2-4b57-8a97-9f4fb1f58b36/CyberAttacksPreventionandProactiveResponses.pdf
Finklea, K. (January 17, 2013). The interplay of borders, turf, cyberspace, and jurisdiction: Issues confronting U.S. law enforcement. Congressional Research Service. Retrieved from https://www.fas.org/sgp/crs/misc/R41927.pdf
Kannan, S., Maragatham, T., Karthik, S., & Arunachala, V. (2011). A study of attacks, attack detection and prevention methods in proactive and reactive routing protocols. International Business Management, 5(3), 178-183. doi:10.3923/ibm.2011.178.183
Macri, G. (2014). More evidence from Sony hack leads away from North Korea. Daily Caller. Retrieved from http://dailycaller.com/2014/12/26/more-evidence-from-sony-hack-leads-away-from-north-korea-suggests-insider/
Office of Legal Education. (2015). Prosecuting computer crimes. Office of Legal Education. Retrieved from http://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ccmanual.pdf
Perumal, S. (n.d.) Impact of Cyber Crime on Virtual Banking. SSRN Electronic Journal. doi:10.2139/ssrn.1289190
Riley, M. (March 13, 2014). Missed alarms and 40 million stolen credit card numbers: How Target blew it. Bloomberg Business. Retrieved from http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data