Pub. 6 2011-2012 Issue 5

January/February 2012

For more information, contact Jeff Makovicka at Husch Blackwell LLP at (402) 964-5000 or jeff.makovicka@huschblackwell.com. Makovicka is a member of Husch Blackwell LLP’s Banking & Finance practice where he concentrates on bank regulatory matters.

As discussed above, courts have considered compliance with the guidance in determining whether a bank adopted commercially reasonable methods of providing security against online fraud. Because of this past treatment by the courts, the guidance, as updated by the supplement, may create a new standard of care against which a bank’s actions will be measured in litigation involving cyber fraud losses.

What This Means to You

In light of the supplement, banks should assess or reassess customer cyber risk, implement any additional layered security measures currently available under the bank’s technology service contracts, and review with vendors or in-house technology departments any needed security upgrades (and costs of upgrades) to current technology contracts to cover the new requirements. Going forward, it is essential that banks review their current controls against the principles outlined in the guidance and the supplement and, if necessary, develop and implement appropriate action plans to strengthen and enhance their controls.

Even if the bank implements the appropriate controls, banks will likely find it difficult convincing all customers to agree to use some form of security. Allowing transactions without the recommended security procedures, however, presents unnecessary risk to the bank. Banks might use the topic of their security measures as a positive market differentiator as customers who use online banking likely choose banks that offer superior security measures. To mitigate any potential risk in the event a customer declines the bank’s security measures, the bank should obtain a signed waiver by such customer.
1 See www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf (last visited Dec. 30, 2011).
2 See www.ffiec.gov/pdf/authentication_guidance.pdf (last visited Dec. 30, 2011).
3 The FFIEC has directed examiners to formally assess banks under the enhanced expectations outlined in the supplement beginning in January 2012.
4 “Cyber Security: Threats to the Financial Sector,” Testimony before the House Financial Services Committee Subcommittee on Financial Institutions and Consumer Credit by Gordon M. Snow, Federal Bureau of Investigation, Sept. 14, 2011.
5 Please note that other regulations and guidelines also specifically address banks’ responsibilities to protect customer information and prevent identity theft. See Interagency Final Regulation and Guidelines on Identity Theft Red Flags, 12 CFR parts 41, 222, 334, 571, and 717; Interagency Guidelines Establishing Information Security Standards, 12 CFR parts 30, 208, 225, 364, and 570, Appendix B.
6 “Out-of-wallet” questions are ones that do not rely on information that is often publicly available.
7 677 F. Supp. 2d 994 (ND Ill. 2009).
8 Patco Construction Company, Inc., v. People’s United Bank d/b/a Ocean Bank, 2011 WL 217450 (D. Maine May 27, 2011), aff’d., No. 09503PH (D. Maine Aug. 4, 2011).
