5 Considerations When Vetting Fintech Partnerships

Fintech collaborations are an increasingly critical component of a bank’s strategy.

So much so that Bank Director launched FinXTech, committed to bridging the gap between financial institutions and financial technology companies. Identifying and establishing the right partner enables banks to remain competitive among peers and non-bank competitors by allowing them to access modern and scalable solutions. With over 10,000 fintechs operating in the U.S. alone, finding and vetting the right solution can seem like an arduous task for banks.

The most successful partnerships are prioritized at the board and executive level. Ideally, each partnership has an owner — one that is senior enough to make decisions that dictate the direction of the partnership. With prioritization and owners in place, banks can consider fintech companies at all stages of maturity as potential partners. While early-stage companies inherently carry more risk, the trade-off often comes in the form of enhanced customization or pricing discounts. These earlier-stage partnerships may require the bank to be more involved during the implementation, compliance or regulatory processes, compared to working with a more mature company.

There is no one-size-fits-all approach, and it’s important for banks to evaluate potential partners based on their own strategic plan and risk tolerance. When conducting diligence on fintechs of any stage or category, banks should place emphasis on the following aspects of a potential partner:

1. Analyze Business Health. This starts with understanding the fintech’s ability to scale while remaining in viable financial conditions. Banks should evaluate financial statements, internal key performance indicator reports, and information on sources of funding, including major investors.

Banks should also research the company’s competitive environment, strength of its client base and potential expansion plans. This information can help determine the fintech’s capability to sustain operations and satisfy any financial commitments, allowing for a long-term, prosperous partnership. This analysis is even more important in the current economic environment, where fresh capital may be harder to come by.

2. Determine Legal and Compliance. Banks need to assess a fintech’s compliance policies to determine if their partner will be able to comply with the bank’s own legal and regulatory standards. Executives should include quarterly and annual reports, litigation or enforcement action records, and other relevant public materials, such as patents or licenses, in this evaluation.

Banks may also want to consider reviewing the fintech’s relationship with other financial institutions, as well as the firm’s risk management controls and regulatory compliance processes in areas relevant to the operations. This can give bank executives greater insight into the fintech’s familiarity with the regulatory environment and ability to comply with important laws and regulations.

3. Evaluate Data Security. Banks must understand a fintech’s information and security framework and procedures, including how the company plans to leverage customer or other potentially sensitive, proprietary information.

Executives should review the fintech’s policies and procedures, information security control assessments, incident management and response policies, and information security and privacy awareness training materials. In addition, external reports, such as SOC 2 audits, can be key documents to aid in the assessment. This due diligence can help banks understand the fintech’s approach to data security, while upholding the regulator’s expectations.

4. Ask for References. When considering a potential fintech partnership, executives should consult with multiple references. References can provide the bank with insight into the company’s history, conflict resolution, strengths and weaknesses, renewal plans and more, allowing for a deeper understanding of the fintech’s past and current relationships. If possible, choose the reference you speak with, rather than allowing the fintech to choose.

5. Ensure Cultural Alignment. The fintech’s culture plays an important role in a partnership, which is why on-site visits to see the operations and team in action can help executives with their assessment. Have conversations with the founders about their goals and speak with other members of the team to get a better idea of who you will be working with. Partners should be confident in the people and technology — both will create a mutually successful and meaningful relationship.

Despite the best intentions, not all partnerships are successful. Common mistakes include lack of ownership and strategy, project fatigue, risk aversion and unreasonable expectations. Too often, banks are looking for a silver bullet, but meaningful outcomes take time. Setting expectations and continuing to re-evaluate the success and performance of these partnerships frequently will ensure that both parties are achieving optimal results.

Once banks establish partnerships, they must also nurture the relationship. Again, this is best accomplished by having a dedicated partner owner who is responsible for meeting objectives. As someone who analyzes hundreds of fintechs to determine quality, viability and partner value, I am encouraged by the vast number of technology solutions available to financial institutions today. Keeping a focused, analytical approach to partnering with fintechs will put your bank well on its way to implementing innovative new technology for all stakeholders.

4 Key Risks Facing Banks

Cybersecurity continues to be the top risk identified in Bank Director’s 2022 Risk Survey, sponsored by Moss Adams. But other risk areas have also grown increasingly prominent for the bank executives and board members responding to the survey, particularly interest rate risk. In this video, Moss Adams Partner Craig Sanders shares areas where banks can shore up their cybersecurity weaknesses. He also addresses the impact of fintechs on bank strategies and the rising prominence of environmental, social and governance (ESG) matters.

Topics addressed include:

  • Cyber Preparedness
  • Proactive Vendor Risk Management
  • Strategic Risks to Consider
  • Rising Interest Rates
  • Focusing on ESG

The 2022 Risk Survey explores several important risk areas, including credit risk, cybersecurity and emerging issues such as ESG. The survey results are also explored in the second quarter 2022 issue of Bank Director magazine.

Getting Proactive About Third-Party Cyber Risk

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, finds most bank executives and board members (65%) report that at least one vendor experienced a data breach or ransomware attack in 2020-21. While most weren’t directly affected by these incidents, 60% of respondents whose vendor experienced an attack took the opportunity to update third-party management policies, processes and/or risk oversight in response.

Cyberattacks on U.S. financial institutions are rarely impactful, according to the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) “Navigating Cyber 2022” report. However, the cyber-focused industry consortium added that “several high-profile third-party incidents have impacted the security and availability of products and services used by many financial firms.” Banks have responded by devoting resources to assessing exposure, patching and mitigating, as well as increasing compliance mandates for third-party operational resilience.

Regulators are taking note of the threat. An interagency rule approved by the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. in November 2021 requires banks to notify their primary regulator of a cyber incident within 36 hours; this rule went into effect on April 1, 2022. Service providers must notify affected bank clients “as soon as possible” when they determine that a cyber incident has caused or will cause a “material service disruption or degradation” for four hours or more. From there, banks must assess whether the incident will have a material impact on the organization and its customers, and whether that will trigger a notification by the bank to its regulator.

In March 2022, the Securities and Exchange Commission proposed new rules around cybersecurity disclosure that would include how companies select and monitor third-party providers. And guidance is still pending from the primary financial regulators around risks related to third-party relationships. That guidance would include an assessment of the vendor’s information security program, including if the vendor has “sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities.”

Bank boards and leadership teams will need to be proactive — rather than reactive — as regulators get even more serious about this issue. “Know where you stand and what [vendors are] doing to address any of your concerns, and that starts with having a defined criteria of what you require,” says Cody Harrell, managing director at Strategic Resource Management (SRM), a Memphis, Tennessee-based consulting firm.

Broadly, bank executives and boards need to understand the risks inherent with all of the bank’s vendors, including existing ones, says Harrell. “Who are the most critical vendors to our business? Who are the ones that house sensitive data? Where’s our biggest risk? And not only from a liability standpoint, but from an operational standpoint.” If a vendor falls victim to a cyberattack, will the bank still be able to serve customers? “You need to have a vendor due diligence checklist for each vendor, regardless of whether there’s a problem or not,” he adds. “[Make] sure that everyone that’s within the ecosystem is in compliance with your requirements.”

All vendors also need to comply with regulatory guidelines. The November 2021 notification rule specifies that service providers must comply even if the contract states otherwise. But bank boards are ultimately responsible for ensuring compliance. “If the bank doesn’t have a program of regularly conducting annual vendor diligence and sending renewed questionnaires and identifying gaps, then you’re not conducting ongoing diligence,” says Steve Cosentino, a partner at the law firm Stinson LLP who regularly negotiates agreements between banks and their service providers.

Here are four considerations for bank boards seeking to enhance their third-party oversight.

Understand how vendors will respond to a cyber incident. This should be uncovered during due diligence.

When a breach occurs, “how much you did in the vendor diligence area [will impact] how quickly you’re able to respond to an incident,” says Cosentino. “If you have a quality vendor diligence program [with] extensive diligence and ongoing monitoring, those will all be helpful facts if you’re subject to a potential litigation claim or class action, which has been more and more common.”

In line with the regulatory rule around security notifications, banks need to know when they’ll be notified of an incident, and whether the vendor or the bank will communicate with affected customers. And even if individuals weren’t affected, that doesn’t absolve the vendor from notifying the bank, says Cosentino. “It’s evidence of a flaw in [the vendor’s] systems and security processes that next time could potentially affect the bank, and the bank needs to be apprised of what they’re doing to remedy that.” He adds that these obligations could differ in a security breach, where confidential data may have been accessed, versus a security incident, which may not involve the theft of personal information.

Banks should also know if the service provider will engage an outside cyber forensics firm to investigate a breach, and whether that company is on retainer and can respond quickly. “Taking a day or two out to review different forensic investigators and getting a contract in place and all that, that’s time that’s lost,” says Cosentino. Regulators will ask, “Why did it take so long between the time that the breach occurred and [when] the notices went out?”

The bank should also know what the vendor won’t do. “What are the things that my critical vendor, my third-party provider, is requiring me to take care of, that they’re not?” says Moss Adams Partner Craig Sanders. That could include password resets, network design or educating administrators.

Don’t overlook fourth parties. Vendors have their own vendors, from smaller fintechs that may provide ancillary services to big cloud platforms like Amazon Web Services or Microsoft Corp.’s Azure, and those can pose their own risks. Effective diligence on fourth parties can be difficult, says Cosentino, but banks can take a few steps. Questionnaires sent to third-party vendors should address their own due diligence with subcontractors, and banks should access SOC (System and Organization Controls) reports on those fourth parties. In addition, “Put in your agreement some language that says that the service provider may use subcontractors, [but] they always have to be responsible for [their vendors’] actions and omissions,” he says. “But they can only do so after completion of a third-party risk management vendor diligence review consistent with the FFIEC IT examination handbook and interagency guidance on third-party relationships.”

Don’t silo due diligence. The due diligence exercise shouldn’t be limited to the bank’s technology team.

“The IT group doesn’t always have an understanding of all of the software and systems that process personal information or nonpublic personal information. And that slips through the cracks a lot,” says Cosentino. He recommends a data mapping exercise that includes multiple areas so the bank knows where all of its information is housed. “Conduct that review with your IT group, obviously, but also with the marketing team, your sales team, your operations team, your legal team, because you will find when you do that, there are a number of engagements with third-party service providers where nonpublic personal information is involved, and they’re not picked up in the vendor diligence process,” says Cosentino. Involving multiple teams in the bank will ensure everyone’s on the same page before a breach occurs. “If you do have a data security incident, you have to know where all that information is stored, and how to address, analyze and review [where the] personal information is and what actions you need to take with respect to notifications and remediations and all that,” he says.

While multiple teams within the bank should be included along the way, centralizing vendor management — ensuring an individual has responsibility or using a vendor management platform, or both — can help banks stay on track. “A lot of the financial institutions that we see, various departments control a contract or a decision or a vendor evaluation, and they’re not necessarily speaking to the other departments and having a defined criteria that everyone should comply with,” says Harrell. Vendor diligence requires a lot of documentation, and that needs to be tracked. “Make this a systematic approach.”

Set the tone at the top. In a 2019 letter, the FDIC reminded financial institutions that “boards of directors and senior management are responsible for managing risks related to relationships with technology service providers. Effective contracts are an important risk management tool for overseeing technology service provider risks, including business continuity and incident response.”

Unfortunately, boards often lack the skill sets to understand cybersecurity, says Sanders. “They’ve got to have that knowledge and expertise at the governance level to really understand what should be going on.” He recommends that boards hear from the bank’s chief information security officer at least quarterly and should seek the best technology providers that meet the bank’s strategic needs — not selecting a solution because it’s the cheapest option. The bank may find it gets what it pays for.

“Be honest with yourself about where the risk is and what the involvement from the institution is that should take place at the governance level,” says Sanders. “From the top down, give the support to management and compliance to go out and do what they need to do.”

For more information on vendor risk management, you can view “Avoiding Gaps in Vendor Risk Management” and “Vendor Management: What the Board Needs to Know,” both part of Bank Director’s Online Training Series. For advice on tightening up your bank’s cybersecurity practices amid today’s geopolitical tensions, consider reading “From Russia With ‘Love.’” This issue is also addressed in “Ransomware Attacks Heat Up,” the cover story in the fourth quarter 2021 issue of Bank Director magazine.

Bank Director’s 2022 Risk Survey, sponsored by Moss Adams, surveyed 222 independent directors, chief executive officers, chief risk officers and other senior executives of U.S. banks below $100 billion in assets to gauge their concerns and explore several key risk areas, including credit risk, cybersecurity and emerging issues such as ESG. Bank Services members have exclusive access to the complete results of the survey, which was conducted in January 2022.

Combating Complacency Through Strategic and Operational Planning

For many banks, 2020 and 2021 had surprising results. Liquidity and capital were strong, loan growth escalated from pent-up demand and income levels were favorable.

These positive trends could lead many management teams to become complacent — which can lead to risk. In its 2022 Fiscal Year Bank Supervision Operating Plan, the Office of the Comptroller of the Currency (OCC) listed guarding against complacency as a top priority for examiners. Complacency, by definition, is a state where one’s satisfaction with their own achievements leads them to be unaware of potential danger. Heeding the OCC’s warning to address indications or perceptions of emerging risks, we’ve identified five focus areas for boards and management teams.

1. Strategic and Operational Planning
Executives and boards should evaluate strategic planning in the context of the current environment. Post-pandemic, banks have increased opportunities for growth including, but not limited to, mergers and acquisitions. The key to strategic planning is to be strategic. Shape your strategic planning sessions to consider new industry opportunities and threats. Approach each opportunity and threat methodically — whether succession planning, mergers or acquisitions, fintech partnerships, changing demographics, the shift in the regulatory perimeter or another area relevant to your institution.

Operational planning is just as critical. Crafting a well-established plan to profitably service your bank’s target markets remains a balancing act of priorities for directors. Consider new products and services to meet the needs and expectations of your evolving customer base. Thoughtfully evaluate your bank’s target market, planned growth, the potential for enhanced products and services and any prospective investments to maintain profitability. Allow talent, technology, and financial resource risk assessments to guide your institution’s operational planning process, asking, “Where is my bank growing and am I ready?”

2. Credit Risk
We continually hear about the great credit quality that banks have experienced thus far in the post-pandemic period. Yet, credit risk remains a critical priority for banks and regulators, especially since coronavirus relief funds may have dramatically changed the financial view for borrowers.

Covid-19 relief funds served a temporary purpose of keeping businesses operating during the peak of the pandemic. However, high levels of inflation and continuing labor and supply chain disruptions have put continued pressure on many small businesses and may have a yet-to-be-realized impact on the credit quality within your bank.

Now more than ever, remaining engaged with your borrowers and looking past traditional credit metrics to identify issues could reduce future losses for your financial institution. Credit risk monitoring tools like stress testing remain relevant with the prospect of rising interest rates.

3. Cybersecurity Risk
Cybersecurity risk, like credit risk, is here to stay. Executives must stay focused in this area as risks increase; the publicized attacks across all industries reflect a relentless pursuit by cybercriminals to steal data for financial gain. The most recent reminder of this is the set of Russian state-sponsored cyber threats. As banks gather and maintain more and more data, it’s paramount to have experienced talent and protocols for protection of customer data.

Bank management teams should be able to show evidence of their institution’s capability to respond to or recover from destructive cyberattacks, which are increasingly routine. The bank’s risk assessment process is a critical component of managing its cybersecurity risk, and should incorporate any processes or controls that may have changed as a result of a new strategic or operational plan.

4. Compliance Risk
Compliance matters are always evolving, and regulatory emphasis on applicable laws and regulations is only increasing. The focus on Bank Secrecy Act and anti-money laundering rules, fair lending, Community Reinvestment Act and overall prioritization of compliance management are not shifting.

Compliance risk management requires banks to have a strong internal system. It also requires a deep understanding of the various rules and proficiency in identifying, implementing and auditing the changes. It has never been more critical for banks to have strong independent review systems to account for updated rules and regulations.

5. Management and Board Education
The operational and strategic landscape of banking is changing. Management team members and board members must be informed and educated. As you decide how your bank will adjust to this new environment, identify industry-specific third parties to meet with your management team and board to provide a strong foundation for strategic planning.

We see numerous opportunities and areas of focus for banks in 2022. If we’ve learned anything during this time, it’s that banks need to look at risk differently in this ever-changing environment. Now is not the time to be complacent.

The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CliftonLarsonAllen) to the reader. Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor.

From Russia with ‘Love’

Cybersecurity has lately become a top concern for bank boards and their senior management teams in the face of an unrelenting wave of ransomware attacks. Now you can add heightened geopolitical tension resulting from Russia’s invasion of Ukraine to the worry list.

“Clearly we have a geopolitical situation going on which, given the threat actor, does raise cybersecurity concerns,” says Kevin Greenfield, deputy comptroller for operational risk policy at the Office of the Comptroller of the Currency. “And financial institutions, as well as government agencies themselves, are very focused on this heightened alert and are making sure that cyber defenses are up.”

And if they’re not, they certainly should be.

In an interview, Greenfield says that threat actors have been known to use cyber attacks as an effective tool against their opponents for political purposes. The concern is that at some point during the conflict in Ukraine, threat actors could target cyber attacks against this country’s critical infrastructure – including its banking system.

“The financial system is a critical infrastructure, which means that it is something that is very important for not just individual institutions,” says Greenfield. “The banking system supports the U.S. economy and the U.S. people. And it’s important to maintain the integrity and resilience of that system. Banks need to make sure they lock down key controls and make sure they are monitoring for any threat indicators.”

The OCC regulates banks with a national charter, but Greenfield’s comments are just as relevant to state-chartered banks regulated by states, the Federal Deposit Insurance Corp., or the Federal Reserve.

In early January, even before the Russian invasion of Ukraine, the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency under the Department of Homeland Security, issued a threat alert — “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.”

In the alert, CISA made the following recommendations for all U.S. companies, including banks.

1. Be prepared. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.

2. Enhance your organization’s cyber posture. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.

3. Increase organizational vigilance. Stay current on reporting on this threat. Subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.

CISA has also set up a website – Shields Up – focused on providing threat information, tools and resources to help all organizations safeguard against and respond to geopolitical threats in cyberspace. “We have pushed that information out to financial institutions because these are the experts,” says Greenfield.

Separate and apart from the current geopolitical situation, Greenfield says the OCC is also seeing an increase in ransomware attacks. “Just from personal observation, we’re seeing more use of ransomware and using [it] to solicit illicit funds from banks,” says Greenfield. “We’re seeing it and I think one of the reasons why is because it works.”

Greenfield says it’s up to banks whether they should pay a ransom if their critical data has been locked up following an attack. “That’s an institution’s decision,” he says. “Executive management and the board need to make that decision. The one thing I’ll tell you is, understand [that] you’re dealing with criminals. You’re not dealing with honest people. It’s not something that we would encourage, but there’s no regulation against it.”

Any bank that does decide to pay a ransom needs to make sure it doesn’t violate any restrictions that have been imposed by the Office of Foreign Assets Control (OFAC), an agency under the U.S. Treasury Department. “When paying ransoms, be aware of any OFAC requirements and any sanctions on those who might be getting paid,” he says. “You can contact OFAC to request a waiver, but that’s something that will be very important to ensure an institution does not violate any sanctions requirements.”

In the face of continued ransomware attacks, Greenfield says that banks should focus on fundamental elements of cyber security. “We have been very clear on our messaging to banks about the importance of cybersecurity and just fundamental cyber hygiene, because when events do occur and then we explore the root cause, it tends not to be a zero-day exploit, but a basic control oversight,” he says. A “zero-day exploit” takes advantage of a previously unknown vulnerability in a software program, one for which no patch yet exists.

At the top of Greenfield’s list of poor cyber hygiene habits that leave banks vulnerable to ransomware attacks are weak authentication controls, including the failure to use multi-factor authentication. And even when a multi-factor protocol is in place, banks sometimes grant exceptions that end up getting targeted by hackers who know to look for them.

Greenfield says the federal banking regulators have been emphasizing “effective authentication,” and recently the Federal Financial Institutions Examination Council (FFIEC) – an interagency group comprised of bank and credit union regulators – updated its guidance on authentication. “We tried not to be technology specific so there’s not a corporate requirement for multi-factor,” he says. “But our guidance is you need to have effective authentication, which typically we would see as a layered security approach with multi-factor or similarly strong technologies.”

The guidance also advocates that if nothing else, banks at least take a risk-based approach and protect their most sensitive or critical systems. “This is something that I communicate to all bank management teams; if it’s nonpublic and you don’t want anyone to gain access that’s not authorized, use multi-factor authentication or something similarly strong,” he says. “We’ve seen that malicious actors will get into a system and they will wait for the opportunity to exploit it and move laterally throughout the network as they’re able to figure it out.”

Another vulnerability is poor network management, a potential problem that has been exacerbated by the industry-wide shift to many employees working from home on laptops. Common shortcomings include networks that are not effectively configured, including a failure to turn on security controls that already exist within a particular software product or service, and a failure to install an available patch when a vulnerability has been identified. “Sometimes we’re seeing they’re not changing default administrator IDs and passwords – I mean, simple things,” Greenfield says. “And especially when we’re talking about off-the-shelf software applications that everyone uses. All those user manuals that you have access to, the bad guys have access to as well, so they know how it works.”

Successful cyber attacks can often be traced back to multiple causes. “Typically, it’s a combination of phishing or some other [tactic] to steal a credential, then weak multi-factor [authentication], and then looking for vulnerabilities such as misconfigured or unpatched systems,” Greenfield says. “The biggest thing I can tell any institution is, make sure your controls are up and as strong as they can be so that you’re not a target, because the one thing that I have seen with many malicious actors is, they’re going to go for the easiest target.”

*Clarification: This article has been amended from an earlier version in part to clarify that Greenfield did not specifically mention Russia in the interview.

Cybersecurity risk: Managing Multiple Security and Compliance Requirements

Even in the midst of the Covid-19 pandemic, cybersecurity risk remains the No. 1 risk management concern for many banks. In fact, pandemic-driven changes — such as remote workforces, increased IT system use and greater reliance on third parties and cloud providers — actually make cybersecurity risk an even higher priority for boards and executive teams.

With banking operations so heavily dependent on secure and reliable data systems, bank directors and executives need to be actively involved in overseeing the management of technology and cybersecurity risks. Unfortunately, the challenge of addressing these risks sometimes is complicated by the myriad compliance requirements associated with today’s complex and expanding array of data privacy and security standards.

An essential early step in any cybersecurity effort is getting a clear picture of the bank’s overall data landscape and the associated compliance requirements. A thorough risk assessment enables management to produce a comprehensive inventory of the various types of data the bank collects, handles and maintains, along with a clear path tracing the data’s origins and recipients.

Directors should verify that, in addition to specific data-related regulatory requirements, the risk management team also assesses customers’ security expectations and third-party contractual requirements related to data security.

Broadly speaking, banks typically encounter four types of compliance requirements:

  1. Banking regulations. Most directors are aware of specific cybersecurity-related regulatory requirements, such as the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool and the New York State Department of Financial Services cyber regulations. Periodic visits by regulators should confirm that the bank is managing these risks effectively.
  2. Attestation requirements. Beyond specific regulatory requirements, independent certification by objective third parties can give customers and others confidence that the organization is effectively managing IT risk. Examples include System and Organization Controls (SOC) audits, federal Cybersecurity Maturity Model Certification and compliance with payment card industry standards.
  3. Good hygiene requirements. Banks adopt these optional frameworks to help provide organizational direction to their cybersecurity programs. Examples include National Institute of Standards and Technology frameworks and Critical Security Controls published by the Center for Internet Security.
  4. Hybrid requirements. These are regulatory requirements that are not subject to regular attestation or examination but that could present risk, particularly if a security incident occurs. Examples include state privacy laws, International Traffic in Arms Regulations requirements and similar rules that generally become issues only after the fact if regulators determine they have not been managed properly.

Creating a unified control framework
Despite variations in standards, most data security frameworks involve similar control sets. By mapping and aligning these commonalities, banks can reduce their overall compliance burden, creating an integrated system of controls that satisfies the most demanding requirements of each framework.

Governance, risk and compliance (GRC) solutions can help manage and track these requirements while also documenting the bank’s control capabilities, testing and tracking of action plans and open items. Automating the GRC effort can improve compliance by synchronizing information, identifying overlaps and redundancies and enhancing efficiency.

Such GRC solutions should encompass third-party relationships. As banks engage with growing numbers of fintech companies and other external providers, they must be able to demonstrate that their third-party affiliates are complying with applicable cybersecurity standards. A unified control framework can streamline this effort, eliminating the need for separate audits and reviews of common controls.

Managing and maintaining the effort
In addition to triggering the initial design and implementation of a cybersecurity compliance program, bank boards and executive teams also must actively oversee its ongoing management. Cybersecurity compliance is not a “set it and forget it” event.

Directors have ongoing oversight responsibilities regarding the individuals and teams that are charged with tracking changes to cybersecurity requirements and maintaining, documenting and reporting compliance. Because compliance is a critical business requirement, top-down support at the board level is essential.

Directors should verify there are clear lines of responsibility and reporting, with direct links to relevant board committees. Other nonattest services, such as penetration testing, can provide added confidence. In many instances, such testing is also a compliance requirement that regulators or assessors expect banks to perform.

Although cybersecurity compliance by itself does not guarantee data security, it does establish trust on the part of customers, shareholders, regulators and others who have valid interests in maintaining the security and integrity of critical data. As banking operations become even more reliant on data technology, it is increasingly important that bank directors are actively engaged in overseeing both compliance and security concerns.

The Risk of Jaded Consumer Attitudes Toward Cybersecurity

The financial industry has increasingly been a target for cyberattacks as banks accelerated their digital transformation initiatives to maintain operations during the pandemic. While protecting against cybercrime has always been a top priority, the complexity and volume of attacks indicate that cybersecurity will remain one of the most important tasks banks face.

Consumers are feeling the impact, too. A recent CSI survey found that 85% of Americans reported cybersecurity concerns when it came to their personal confidential data. But that figure is down from 92% of Americans expressing cybersecurity concerns in a 2019 survey from CSI. The number of respondents not concerned about cybersecurity increased 7 percentage points compared to 2019, which could indicate that many consumers are becoming desensitized to cybersecurity risks.

It’s possible the size, scope and frequency of cybersecurity attacks make these breaches appear abstract and distant to the average American. The constant media coverage could also contribute to the broader jaded attitude toward the seriousness of cybercrime risk that some consumers now hold.

When taking these factors into consideration, it is likely that a growing percentage of bank customers have fatalistic acceptance of cybersecurity breaches. As evidenced in CSI’s survey, this acceptance has resulted in lower security standards and more lenient practices in customers’ personal lives, which could ultimately increase the likelihood of their becoming victims of cyberattacks. And broader adoption of this mindset among consumers could have further adverse effects for financial institutions, making cybersecurity education a top priority for banks.

While cyberattacks may seem inevitable, there are consequences for financial institutions and consumers alike. There’s no doubt cyberattacks can cost banks money to resolve, but there are also reputational implications that can be harder to overcome. Banks that experience a cyberattack may face lower customer retention and adoption rates due to their tarnished reputation post-breach. According to CSI’s survey, nearly half of respondents (48%) strongly or somewhat agree they would leave their institution if it suffered a breach.

Additionally, consumers who are lax with cybersecurity awareness increase the risk they’ll fall victim to cyberattacks, including, but not limited to, identity theft and stolen card information. Due to the vast amount of time and resources often needed to resolve these threats, banking customers should take precautions to protect themselves. And to mitigate this risk and prevent attacks, institutions should, in turn, provide education and promote good cyber hygiene to their customers.

According to CSI’s survey, 69% of respondents claim they know what to do if their personal information is compromised. However, additional research suggests that consumers may be overconfident in this assessment. The Norton Cyber Safety Insights Report revealed that 46% of Americans don’t know what to do if their identity gets stolen, and 40% admit they don’t know how to protect themselves from cybercrime.

This data suggests an opportunity for banks to educate their customers about how to react when they notice suspicious activity and ensure that customers can easily obtain assistance if they suspect a breach. Banks that prioritize customer education have the potential to become experts in cybersecurity advice and resolution, which could expand their market reach.

As the frequency of cyberattacks continues to increase, it is vital that bank customers recognize the signs of cyber threats and react appropriately to suspicious activity. Their awareness is an important first step in the fight against cybercrime; as evidenced in the survey, awareness among consumers on the importance of cybersecurity needs to be higher than its current level. Banks should create tailored campaigns to educate their customers and provide actionable tips and insight on how to best protect themselves from attacks.

Looking ahead, banks should also embrace a layered approach to cybersecurity to strengthen their defenses, including continued customer education that reinforces the importance of cybersecurity awareness and best practices for staying secure. Banks that provide valuable education and promote cybersecurity awareness have the opportunity to increase new business through knowledge sharing while retaining current customers by building trust and maintaining strong brand reputation.

Three Tips to Manage Third-Party Cybersecurity Risk

Third-party vendors enable community banks to deliver essential products and services to consumers, but they can also be a weak link in their cybersecurity strategy.

The events of 2020 have made it imperative for banks to focus on protecting their employees, consumers and valuable assets — making cybersecurity a persistent priority for executive management. Ransomware has escalated at an alarming rate, leading community banks to engage even more with managed security service providers to strengthen their cybersecurity strategies. Given the critical nature of omnipresent cybersecurity and the continuous dependency on third-party providers, here are some practical tips for managing third-party risk in your cybersecurity strategy.

1. Collaborate Across Your Institution
It’s common to have a dedicated vendor management team or department at community banks, but it’s important to avoid a silo mentality when dealing with risk. Know your bank’s risk appetite and make sure everyone involved in risk management knows it as well.

Evaluate third parties against that appetite. Vendor assessments are critical to ensure your business will reap the benefits of the services you expect to receive.

Document third-party products and services in your environment. Update operational, IT and cybersecurity policies, as well as business continuity plans to include your vendors, outlining their roles and responsibilities — especially in the event of an outage, incident, or disaster.

2. Due Diligence is Key
Ensure your bank has a detailed process for evaluating third parties prior to signing contracts. One good way to prevent a third-party cyber incident is to ensure third parties have strong cybersecurity programs. The Federal Financial Institutions Examination Council states, “Financial institutions must understand the complex nature of arrangements with outside parties and ensure adequate due diligence for the engagement of the relationships and ongoing monitoring.”

Establish how your bank’s data is handled to protect the privacy of your employees and customers. Who owns the data and who has access to it? How long will data be retained? What happens to data if you terminate your contract? Make sure the bank documents data ownership and management in its third-party contracts. A data breach caused by a third party can endanger customer privacy and violate data privacy laws, including the General Data Protection Regulation and California Consumer Privacy Act.

3. Trust but Verify
After determining the need for a third-party service and conducting due diligence to ensure the best fit, it’s important to ensure that the service continues to perform as expected. The phrase “trust but verify,” while originally used in a political context, is often used to describe this practice in vendor management.

Periodically review the bank’s vendors to ensure they’re meeting the obligations set in the Service Level Agreements (SLAs), which can help address issues before an incident occurs. If appropriate, the board should consider engaging an independent provider to audit, monitor or alert the bank to any issues that could impact the vendor’s ability to meet its SLA.

Banks should consider supporting their vendor management strategy with technology solutions that can:

  1. Track vendors, subsidiaries, relationship owners, documentation and contacts.
  2. Perform vendor due diligence and analyze criticality, usage and spend.
  3. Deliver surveys and risk assessments to external third-party contacts.
  4. Manage contract review and renewals.
  5. Coordinate with legal, procurement, compliance and other functions.
  6. Monitor key vendor metrics via personalized dashboards and dynamic reports.

Third-party risk is an important component of any bank’s cybersecurity strategy and should align with its enterprise risk management and information security programs. Using a common risk framework that includes vendor management will promote collaboration, integration and visibility across the bank. Ultimately, the result is a reliable and consistent process that can help you protect and service your customers.

Can a Hybrid Work Model’s Cyber Risk Be Tamed?

Many U.S. banks are beginning to repatriate their employees to the office after some 16 months of working at home during the Covid-19 pandemic.

Some, like JPMorgan Chase & Co., have demanded that their staff return to the office full time even though many of them may prefer the flexibility that working from home affords. A recent McKinsey & Co. survey found that 52% of respondents wanted a flexible work model post-pandemic, but that doesn’t impress JPMorgan’s Jamie Dimon. “Oh, yes, people don’t like commuting, but so what?” the CEO of the country’s largest bank said at The Wall Street Journal’s CEO Council in May, according to a recent article in the paper. “It’s got to work for the clients. It’s not about whether it works for me, and I have to compete.”

Other banks, like $19.6 billion Atlantic Union Bankshares Corp. in Richmond, Virginia, are adopting a hybrid work model where employees will rotate between their homes and the office. “We have taken a pretty progressive view there is no going back to normal,” says CEO John Asbury. “Whatever this new normal is will absolutely include a hybrid work environment.” Asbury says the bank has surveyed its employees and “they have spoken clearly that they expect and desire some degree of flexibility. They do not want to go back into the office five days a week [and] if we are heavy-handed, we risk losing good people.”

However, a hybrid work model does create unique cybersecurity issues that banks have to address. From a cyber risk perspective, the safest arrangement is to have everyone working in the office on company-issued desktop or laptop computers on a closed network. In a hybrid work environment, employees are using laptops that they carry back and forth between the office and home. And at home, they may be using Wi-Fi connections that are less secure than what they have at the office.

“If you think of a typical brick and mortar [environment], the network and computer systems are walled off,” says David McKnight, a principal at the consulting firm Crowe LLP. “No one can gain access to it unless they’re physically there.” In a hybrid work environment, McKnight says, “There are additional footholds onto my network that I don’t necessarily have full visibility into, whether that’s my employee’s home office, or the hotel they’re at or their lake house. That introduces different dynamics, connectivity-wise.”

Still, there are ways of making hybrid arrangements more secure. Full disk encryption protects the content of a laptop’s hard drive if it is stolen. Virtual private networks – or VPNs – can provide a secure connection when an employee is working from a remote location. Multi-factor authentication, where employees must provide two or more forms of authentication when signing on to a system, makes it harder for hackers to break into the network. And new cloud-based platforms can enhance security if configured properly.

Many smaller banks struggled to adapt when the pandemic essentially shut the U.S. economy down in the spring of last year, and many banks sent their employees to work from home. Some banks didn’t even have enough laptops to equip all of their workers and had to scramble to procure them, or ask employees to use their own if they had them.

Atlantic Union was fortunate from two perspectives. First, it had already completed a transition throughout the company from desktop computers to laptops, so most of its employees already had them when the pandemic struck. Second, the bank considers the laptop to be a “higher risk perimeter device,” according to Ron Buchanan, the bank’s chief information security officer. “What that means is you’re putting it in a high-risk environment, and you just expect that it’s going to be on a compromised network [and] it’s going to be attacked.”

The bank has a VPN that only company-issued laptops can access, which gives it the same level of control and visibility regardless of where an employee is working.

Other security measures include full disk encryption, multi-factor authentication and removing administrator-level access from employee accounts, which prevents employees from installing unauthorized software and also makes it more difficult for hackers to break into a laptop.

Although cyber risk can never be completely eliminated, it is possible to create a secure environment as banks like Atlantic Union did. But they have to make the investment in upgrading their technology and cybersecurity skill sets. “The tools are there, and the abilities are there,” says Buchanan.

Risk Practices For Today’s Economy

Organizations’ ability to strategically navigate change proved crucial during the Covid-19 pandemic, which required financial institutions to respond to a health and economic crisis. The resiliency of bank teams proved to be a silver lining in 2020, but banks can’t take their eye off the ball just yet.

Bank Director’s 2021 Risk Survey, sponsored by Moss Adams LLP, focuses on the key risks facing banks today and how the industry will emerge from the pandemic environment. In this video, Craig Sanders, a partner in the financial services practice at Moss Adams, shares his perspective and expertise on these issues.

  • Managing Credit Uncertainty
  • More Eyes on Business Continuity
  • Cybersecurity Today