Shelter From the Cyber Storm


cybersecurity-11-16-17.pngIn 2014, the Federal Financial Institutions Examination Council issued a statement on behalf of its members—including the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Consumer Financial Protection Bureau—recommending that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC), an organization focused on threat intelligence analysis and sharing. Cybersecurity has been a growing issue for the U.S. economy and the banking industry, and cyber intelligence is a significant focus of the organization, as well as natural disasters, such as the recent hurricanes that hit Texas, Florida and Puerto Rico. “Participating in information-sharing forums is an important element of an institution’s risk management processes and its ability to identify, respond to, and mitigate cybersecurity threats and incidents,” the FFIEC said in the statement. “Financial institutions participating in information-sharing forums have improved their ability to identify attack tactics and successfully mitigate cyberattacks on their systems. Additionally, these institutions have gained deeper insight into specific vulnerabilities and collected methods for identifying vulnerabilities on their systems and enhancing controls.”

Resources like FS-ISAC help banks learn from each other about the cybersecurity threats facing the industry. But what happens when hackers hit your bank, and customers’ data is compromised?

Sheltered Harbor, an affiliate of FS-ISAC based in Reston, Virginia, was established following a series of cybersecurity simulation exercises, called the Hamilton Series, which were conducted by the Financial Services Coordinating Council, in coordination with the U.S. Dept. of the Treasury and with support from FS-ISAC. “These exercises are tabletop simulations of possible events with the goal to exercise, in the classic sense of practice, and to identify vulnerabilities that should be addressed by the industry,” says Steven Silberstein, the chief executive of Sheltered Harbor. “Sheltered Harbor is the industry’s response for one of these vulnerabilities: to ensure business continuity for retail banking customers if an attack happens, and all defenses fail.” The organization partners with member banks to ensure their customers’ accounts are safe should a cyberattack damage the bank’s data. If a bank is unable to recover from such an attack in a timely manner, the bank’s customers would still be able to access their accounts through another member financial institution. The data is encrypted and remains private, and there is no disruption in service for the customer.

Much like its parent organization, FS-ISAC, Sheltered Harbor helps banks work together to ensure the safety of consumer data. Regulators don’t require that banks join, but Sheltered Harbor already represents 63 percent of U.S. retail bank and brokerage accounts, according to the organization. Membership fees are based on a sliding scale and are determined by the size of the financial institution.

In this interview, Bank Director Director of Research Emily McCormick asks Silberstein about lessons learned from recent cyberattacks, and the policies and procedures that institutions should have in place to protect customers if a cyberattack damages account data.

BD: What are some lessons that bank boards should take to heart following recent cyberattacks, including the Equifax data breach?

Silberstein: Bank boards should have a tight pulse on the organization’s cybersecurity preparedness and cyber hygiene. Many corporations have cybersecurity scorecards that are updated and shared with the board of directors. These scorecards enable the board to assess the security of the enterprise and make appropriate decisions about strategy, staffing and internal standards.

In this rapidly evolving cyber environment, it’s important to use the most advanced technology to protect all of the “doors” to your company. Utilize scorecards as living and evolving tools to maintain a pulse on preparedness, and always ask what could happen from a business point of view, not just a cyber point of view. I call this healthy paranoia.

BD: What information should be included on those cybersecurity scorecards?

Silberstein: Each organization needs a consistent framework to continually assess risks, report on them, and respond to current and future risks. These include internal and external risks, existing vulnerabilities and remediation programs underway, recent events and lessons learned, organizational challenges, and third-party risk. Additionally, an organization can measure its cybersecurity implementation using frameworks like the Integrated Adaptive Cyber Defense, or IACD, framework and/or the National Institute of Standards and Technology [NIST] cybersecurity framework. Using the IACD framework, financial institutions can quickly prevent, detect and respond to attacks that may impact customers using technical guidelines for application of commercially available automation technology tools and systems. The NIST framework is about assessing risk and developing a risk management plan. The two frameworks complement each other.

BD: What does it mean when a financial institution becomes Sheltered Harbor ready?

Silberstein: When a financial institution becomes Sheltered Harbor ready, it means that it has implemented the additional resiliency prescribed by the Sheltered Harbor specification. At a high level, the model empowers financial institutions to securely store and rapidly restore customer account information using an industry standard format. Consumers would then benefit by having access to their accounts and basic transactions rapidly restored after a major incident at an institution.

BD: What policies, systems and personnel does the bank need to have in place in order to make this work?

Silberstein: First, most institutions are using a service provider for core banking services. Most large service providers are already implementing Sheltered Harbor capability, so for these institutions the focus is mainly on the business continuity planning that is specific to the Sheltered Harbor Model.

For institutions running their own core processing, an additional process of extracting customer account data, then putting the data into a standard format, encrypting it and finally storing the data in a very secure fashion per the specification encompasses most of the work. The institution must do some resiliency planning and organize a backup core service provider. The Sheltered Harbor specifications provide the controls and processes needed to ensure interoperability.

BD: The initiative helps member financial institutions store secure customer data above and beyond existing practices. Why should banks, particularly community banks, invest in putting this into in place?

Silberstein: Our industry’s investment in protecting everyone connected to financial institutions is second to none. Nevertheless, we cannot guarantee 100 percent protection. So if a financial institution is severely disabled, we need a safety net like Sheltered Harbor to protect consumers, allowing them to continue to manage daily financial transactions in their lives.

Protecting Customers Through a Cybersecurity Control Tower


cybersecurity.png

Citizens National Bank of Texas, the third-oldest independent financial institution in the state, has remained deeply committed to its local community since its founding in 1868. The bank’s hometown, personalized approach to serving customers in the Dallas-Fort Worth area has played an integral role in its success. It was this focus on the surrounding community that led CNB to provide its customers with an extra layer of security by working with DefenseStorm, a Seattle-based provider of cloud based cybersecurity solutions.

As a full-service community bank with $859 million in assets, CNB aims to offer its customers the same service they would receive at any major, nationwide financial institution. This includes technology-driven services like online banking, mobile banking and bill pay. To offer these digital banking capabilities without exposing its network to new security vulnerabilities, CNB invested in security infrastructure and additional safeguards to protect customers and their financial information from potential cyber attacks. Although it had a solid system of security measures in place, the bank needed help monitoring its overall network activity and sought to increase the visibility of security threats.

This is where DefenseStorm comes in.

Heightened Visibility with a Cybersecurity Control Tower
DefenseStorm acts as security control tower for CNB to detect intrusions, investigate threats, take action to stop attacks and report on cybersecurity to regulators and the bank’s board of directors. Additionally, DefenseStorm’s team of security experts provides the bank with 24/7 monitoring support, triaging alerts and working alongside the bank to ensure the strongest security possible.

By constantly monitoring network activity and working with the bank to improve its security posture and quickly resolve incidents, DefenseStorm has helped CNB discover and neutralize at least 10 cyber threats in the past year.

Previously, the bank’s internal team would have to review and analyze all security event data. Now, the bank receives alerts in real time, which allows for a more efficient response and remediation process. Additionally, the bank uses DefenseStorm’s support ticketing feature to provide a clear, documented way to track events and how they are being handled.

Wade Jones, CNB’s senior vice president and chief information officer, values the extra support DefenseStorm provides. “It’s nice, the guardianship—having a security team sitting behind me watching the front line and letting me know if there’s something we need to work on,” says Jones.

Genuine Threat or False Alert?
CNB also leverages DefenseStorm’s search and reporting features, which enable the bank to transform complex and unstructured security event data from separate systems into meaningful, actionable insight. Oftentimes, systems will produce a constant stream of security alerts, many of which are not genuine threats, but which analysts must still review. With only eight hours in the workday, it can be difficult to assess each alert—and that can desensitize employees toward alerts, potentially resulting in a genuine threat being ignored. CNB has overcome this challenge and enacted a more proactive security response by sharpening its ability to interpret large sets of event data, so the bank is only notified if a threat is genuine. Now, the bank can quickly determine the scope of a threat and escalate the event into the remediation process with a click of a button.

The ability to provide a unified, comprehensive view of the bank’s network and systems is vital. “In our journey with DefenseStorm, we’ve brought everything together, log-wise, for all systems in the bank so we can take a more holistic approach,” says Mark Singleton, chief executive officer at CNB.

Enhancing Security without Expanding Staff
Furthermore, DefenseStorm brings a level of cybersecurity expertise that would be difficult for CNB to recruit in its own market. Given the shortage of cybersecurity talent across industries, hiring qualified candidates is challenging, especially for a small community bank, as professionals with advanced security credentials are typically hired by larger corporations. To make it worse, cyber criminals realize this, often assuming that a smaller bank has less sophisticated technology and fewer defenses. However, with DefenseStorm, CNB is able to provide an enhanced level of security, comparable to larger financial institutions, without hiring an extra security expert.

For community banks, business is personal. CNB realizes this and has invested in the infrastructure needed to safeguard its customers’ financial assets.

“Unlike big banks that never see their customers outside of work, we run into ours all the time—at church or at the grocery store,” says Singleton. “If we mess up, it’s our communities, our friends and our grandmothers who are ultimately affected. It’s our job to protect them and DefenseStorm helps us do that.”

ClickSWITCH: Friend or Foe


clickswitch.png

Transferring accounts has long been considered a cumbersome process. Now with a simple click, the company ClickSWITCH has created an easy system that will allow its users the ability to transfer their accounts from one bank to another. ClickSWITCH further eliminates the need to contact each individual biller to transfer bill pay services. The process isn’t 100 percent automated yet (currently about 60 percent of deposits can be digitally transferred without paper documents), and it isn’t instantaneous. However, it does dramatically reduce the effort the consumer must make to switch accounts or open new ones.

THE GOOD
The automated account transfer solution is a white label service that banks can use to offer new account holders the ease and speed of digital onboarding. When the transfer is complete, it gives the consumer the option to close the previous account. It takes 5 to 15 days to complete the transfer, although bill pay and automatic deposit data transfer immediately.

The company touts its product as a way to increase customer engagement, a retention tool for banks that have acquired another bank, and as a way to reduce the amount of time that employees spend onboarding new customers manually in the branch.

ClickSWITCH gets paid a fee of approximately $30 for every account onboarded. By speeding up the transfer of direct deposits, the banks get a profitable new customer faster. The company is using resellers instead of creating a large sales team. Most banks using ClickSWITCH range between $500 million to $10 billion in assets, with some larger institutions also using the product.

THE BAD
Banks inevitably will be concerned about data and security issues. That said, over 300 financial institutions in the U.S. and Canada have found a way to get comfortable enough to use the platform. ClickSWITCH is SSAE16 SOC1 certified. (SSAE16, or Statement on Standards for Attestation Engagements No. 16, is a new internal controls standard put forth by the American Institute of CPAs). The company is bullish about its security practices.

The bigger and broader question: If this works, why wouldn’t every bank have ClickSWITCH or ClickSWITCH-like capabilities? If seamless transfer becomes an industry standard like bill pay, how will banks retain their assets? Deposit flows could become far more volatile, and competition for consumer and business deposits would push banks to create better user experiences. Nontraditional banks and nonbanks that are pouring resources into user interfaces and customer engagement would have a better chance to win the hearts and wallets of customers.

OUR VERDICT: FRIEND
ClickSWITCH is a friend that wants to change how you compete if you’re ready to compete on the strength of your products and customer service. However, for those preferring to rely on the tedious process of changing accounts as a disincentive to prevent your customers from going elsewhere, clickSWITCH is clearly a foe.