Embracing a Challenging Environment to Evolve

New York University economist Paul Romer once said, “A crisis is a terrible thing to waste.”

With a nod to Dr. Romer, we believe banks have an extraordinary opportunity to embrace the challenging environment created by the Covid-19 pandemic to enhance critical housekeeping matters. Here are five areas where banks may find opportunities to declutter or reengineer policies, procedures and best practices.

Culture
One of the most obvious opportunities for banks is to focus on culture. Having employees work from home has eliminated the ability to have typical office parties, barbeques and other events to build camaraderie. Remote and semi-remote working environments are challenging employees in many difficult ways. Fortunately, banks are finding simple, yet creative, ways to stay in contact with their employees and build culture through additional correspondence and feedback — electronic happy hours, car parades, and socially distant visits, for example. Creatively maintaining high engagement in challenging times will serve to improve communication and culture over the long term. As management consultant Peter Drucker once said, “Culture eats strategy for breakfast.”

Cybersecurity
Cybersecurity risk continues to be top of mind for bankers and regulators given the remote work brought on by Covid. Certainly, most banks’ cybersecurity risk management planning did not contemplate the immediate scale of remote work, but the extreme experience is an opportunity to drill down on underlying policies and procedures. Banking agencies have provided the general blueprint on sound risk management for cybersecurity.

This heightened risk environment provides executives with a perfect opportunity to note where their vulnerabilities may exist or be discovered, where cyberattacks focus and what works — or doesn’t — for your bank. Use the guidance provided to assess your bank’s response and resilience capabilities. Consider the overall map and configuration of your cyber architecture. Consider authentication requirements and permissions to protect against unauthorized access. Take the time to work with information technology experts to clean up access controls and response plans. This is an active situation that provides bankers the unique opportunity to learn and adapt in real time.

Compliance
Banks also face enhanced compliance originating from federal programs aimed at keeping businesses afloat. A worthy endeavor to be sure, but the rollout of some federal programs such as the Small Business Administration’s Paycheck Protection Program has far outpaced the guidance for banks tasked with implementation. The trickle of (often inconsistent) guidance on the documentation, eligibility and certification adds compliance challenges in reporting under the Bank Secrecy Act, fair lending under the Equal Credit Opportunity Act and unfair or deceptive acts and practices under the Federal Trade Commission Act, for example.

Compliance teams have an opportunity to shine at something they are already extraordinarily good at: documentation. They should document the processes and practices they deploy to demonstrate compliance, despite the uncertainty and pace at which they are expected to operate. This documentation can support real-time decision-making that may come up with regulators in the future, and can serve as a basis for improvement on future best practices and training. Compliance teams will discover new questions to ask, novel scenarios to address and gaps to fill.

Operational Planning
The best time to consider the impacts of Covid on your bank’s operations is while events and memories are fresh. Banks all over the country are experiencing what a handful of institutions may go through in the wake of a natural disaster: devastation, uncertainty and a need for banking support. This is the time to review your bank’s disaster recovery and business continuity plans, specifically including pandemic planning, to assess the plans against reality.  

To help, the Federal Financial Institutions Examination Council released an updated statement on pandemic planning suggesting actions that banks can take to potentially minimize a pandemic’s adverse effects. This is a chance to improve business continuity planning for similar future events, understanding that they may not be as deep or prolonged as the coronavirus. Exercising the plans in real time, compared to a scheduled test, can reveal helpful improvements that will only strengthen the bank.

Customer Experience
Coping with remote work and providing banking services outside of a branch provides the opportunity for banks to consider strategies around technology and financial technology partnerships. Customers have been rerouted to electronic avenues, and many seem to have embraced technology to deposit checks, access accounts online and transact business.

This evolution offers banks the opportunity to adapt and recognize the use of financial technologies. Many customers will understandably return to branches to conduct some of their business when they reopen, but may require them less. Banks may want to consider how they can satisfy future customer demand and improve the customer experience more broadly. These are just five areas where we see opportunities for banks of all levels and complexity to enhance their policies, procedures and best practices as they prepare to move forward.

Risk, Business Continuity Planning: Trends and Lessons from Covid-19

The Covid-19 pandemic has introduced unprecedented strains to the economy, enhancing concerns about credit risk and pressuring lenders’ ability to serve their borrowers.

Cybersecurity and other risk environments have also evolved, following government-mandated work from home models. These shifts are prompting bank leaders to evaluate their business continuity plans and pandemic planning initiatives to ensure they’re putting safety and efficiency first.

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, was conducted in January before the U.S. economy felt the full effect of the coronavirus. Yet, insights derived from this annual survey of bank executives and board members help paint a picture of how the industry will move forward in a challenging operating environment.

Credit Risk
Most community banks have issued loans through the Paycheck Protection Program (PPP), the Small Business Administration’s loan created under the Coronavirus Aid, Relief and Economic Security (CARES) Act passed in late March. These loans, which may be forgiven if borrowers meet specified conditions, allowed small businesses to retain staff, pay rent and cover identified operating expenses.

However, it’s likely that businesses will seek additional credit sources as the economy restarts. The lapse in business revenue generation will pose significant underwriting challenges for banks.

More than half of respondents in the 2020 Risk Survey revealed enhanced concerns around credit risk over the past year, while 67% believed that competing banks and credit unions had eased underwriting standards.

While there’s no way to determine what the future holds, near-term lending decisions will likely occur amid an uncertain economic recovery. There are some important questions institutions should consider when determining their lending approach:

  • How will our organization evaluate lending to businesses that have been closed due to the coronavirus?
  • Should a pandemic-related operational gap be treated as an anomaly, or should lenders consider this as they underwrite commercial loans?
  • What other factors should be considered in the current environment?
  • How much bank capital are we willing to put at risk?

Cybersecurity
Directors and executives who responded to the survey consistently indicate that cybersecurity is a key risk concern. In this year’s survey, 77% revealed their bank had placed significant emphasis on increasing cybersecurity and data privacy in the wake of cyberattacks targeting financial institutions, such as Capital One Financial Corp.

With more bank staff working remotely, cyber risks are even greater now. Employees are also emotionally taxed with concerns about their health, family and jobs, increasing the risk for errors and oversights. Unfortunately, the COVID-19 pandemic presents cybercriminals with a ripe opportunity to prey on individuals.

Business Continuity
In the survey, respondents whose bank had weathered a natural disaster within the last two years were asked if they were satisfied with their institution’s business continuity plan. The majority, or 79%, indicated they were.

However, the Covid-19 pandemic isn’t a typical natural disaster. Although buildings haven’t been destroyed, companies are still experiencing significant disruption to their normal operations — if they’re able to operate at all.

These circumstances, coupled with expanding technology and banks’ operations increasingly moving to the cloud, will likely lead to further changes in business continuity planning.

Remain Flexible
In an interagency statement released a week before the World Health Organization declared the Covid-19 outbreak a pandemic, federal regulators reminded depository institutions of their duty to “periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.”

The Federal Financial Institutions Examination Council also updated its pandemic guidance, noting the need for a preventative program and documented strategy to continue critical operations throughout a pandemic.

Since that time, banks have encouraged customers to broadly adopt digital platforms and, when necessary, serve customers in person through drive-through lines or by appointment to reduce face-to-face contact. Bank employees wear masks and gloves, branches are cleaned frequently and, where possible, staff work remotely.

Gain Insights
The pandemic is a real-world tabletop exercise that can provide important takeaways about the effectiveness of an organization’s business continuity plan. It’s important for organizations to take advantage of this opportunity.

For example, there could be another wave of Covid-19 later this year; alternately, it could be years before we see an event similar to what we’re experiencing. Either way, your bank must consider the potential consequences of each outcome and have a plan ready. Reviewing your organization’s business continuity plans and initiatives can help reveal opportunities to move forward with confidence, despite challenging operating environments.

How One Bank Flattened Fraud

Protecting the bank and its customers — through cybersecurity measures, identity verification, fraud detection and the like — is vital in ensuring a financial institution’s safety and soundness, as well as its reputation in the marketplace. These investments typically represent significant cost centers, but fraud prevention tools can be an exception to the rule if they’re able to pay for themselves by preventing losses.

“The idea is, when you put in a fraud system — and this is where some folks lose it — you want to make sure to catch more fraud than the system costs,” says Ronald Zimmerman, vice president in the operations department at $32.2 billion IBERIABANK Corp., based in Lafayette, Louisiana. “You always have to make sure that the cost doesn’t supersede your savings.”

Zimmerman implemented ARGO OASIS about a year ago. OASIS, which stands for Optimized Assessment of Suspicious Items, uses neural networks and image analytics to detect and prevent fraud. Modeled after the human brain, neural networks are a form of artificial intelligence designed to recognize patterns, making them well suited to identify check alterations, forgeries and other forms of transaction fraud. The solution then provides bank employees with detailed information to enable them to further investigate the activity.

Bank Director’s 2020 Risk Survey found that just 8% of executives and directors report that their bank uses AI technology to improve compliance. One-third are exploring these types of solutions.

IBERIA brought in OASIS to identify fraud in its “two-signature accounts” — customer accounts that require two signatures on a high-dollar check. “We have a queue set up in OASIS to monitor these checks as they come in through clearing. If a signature is missing or is in question, OASIS flags it for review,” Zimmerman says.

One thing about the technology that sets it apart is its check stock validation tool. “You have an overlay button where you can place a questioned check on top of a good check, and you have a little slide bar [so you] can see the small differences,” he says.

That tool alone has helped the bank stop roughly $300,000 in check fraud over the first eight months of use — meaning ARGO has already paid for itself. “We’ve caught a ton of fraud through this product,” says Zimmerman.

And $300,000 is a conservative estimate of the bank’s savings, Zimmerman says, because fraudsters have learned not to target his bank. “Check fraud flattened out, because the fraudsters have probably moved on, knowing that we’ve covered up a hole that was there before.”

ARGO OASIS was recognized as the Best Solution for Protecting the Bank at the 2020 Best of FinXTech Awards in May. ALTR, a blockchain-based security solution, and IDology, which uses big data for identity verification and fraud detection, were also finalists in the category.

Importantly, ARGO helps IBERIA stop fraud efficiently. A task that used to occupy three full-time employees’ time now takes two employees just a couple of hours.

IBERIA will soon merge with Memphis, Tennessee-based First Horizon National Corp. to form a $75 billion company. The deal was driven in part by the pursuit of scale.

Generating efficiencies is essential to better compete with big banks, said First Horizon CEO Bryan Jordan in a 2017 presentation. “We’ve got to be invested in technologies in such a way that we’re at or above table stakes,” he said. “The trick for us will be to … create efficiency in other parts of the business to create money that we can invest in leading-edge technologies and processes that really allow us to be competitive.”

Leveraging AI to reduce compliance busywork is a great place to start.

Guarding Against Virtual Viruses in a Pandemic

As healthcare experts work to mitigate the Covid-19 pandemic, the banking industry is faced with fighting other viruses.

Cyber attackers are known to be opportunistic, pouncing during times of anxiety and uncertainty. Rest assured, they won’t let up once the coronavirus has run its course. While information technology directors are focusing their attention on processing huge volumes of Small Business Administration loans and assisting bankers working remotely for the first time, computer virus and malware threats continue to rise. If not handled effectively, this could threaten the security of the financial system.

Dr. Anthony Fauci, head of the National Institute of Allergy and Infectious Diseases, cautions that Americans need to prepare for the possibility that Covid-19 could return — or even become a seasonal disease. With such prospects, savvy bank directors should familiarize themselves with their institutions’ data security and technology infrastructure. Here are six points to consider when assessing the future of their bank’s information security system:

Look again at business continuity plans. While your bank may have one, it likely did not consider the immediate worldwide demands for laptops and network hardware needed to configure remote work capabilities. Nor did these plans likely consider supply chain interruptions when factories shut down in Asia, where the virus was first detected. The lesson: If you wait until the next global emergency occurs, you might be too late. Plan now.

Consider the increased risk with more employees working remotely. The larger the inventory — coupled with less control of who uses the computer — the tougher it is to protect. An even more concerning practice is allowing bank employees to use personal computers to access bank networks. Firewalls, spam filters, anti-virus software and other security measures should not be determined by individual employees.

The Cybersecurity and Infrastructure Security Agency has issued guidance related to remote work and defending against Covid-19 scams. One of their tips is to ensure virtual private networks, or VPNs, have the latest software package and configurations, and that current anti-virus software is installed and up-to-date. Multi-factor authentication is another must-have for protecting your bank’s network.

Make sure you have enough IT support. Even before Covid-19, there were not enough qualified technical staff to fill available positions. The increased demand for remote connectivity has further stretched IT departments. Make sure your technology departments are fully staffed, or have access to qualified outside help.

Be sure employees are hyper-vigilant. Attackers hope that more distance between coworkers will equate to guards being lowered. Ensure that employees are regularly reminded of social engineering, email and other current threats to increase top-of-mind awareness of cyber security.

Be aware that some attacks are physical. We typically think of cyberattacks occurring “invisibly,” through system networks and software. But at least one entity is now mass-mailing infected “free” USB drives to financial institutions. Remind employees to discard any hardware that comes from unknown sources.

Consider the benefits of cloud technology. A recent article in The Wall Street Journal described how remote-work capabilities could become more common as money tightens and daily operations need more flexibility. Cloud computing is both more efficient and flexible, and is easily scalable. Bank regulators have taken notice, saying that outsourcing such technologies gives banks more options.

Time will tell, but this may be a turning point for American business. As more workers have established a routine for working from home — and have found surprising levels of efficiency and productivity — it’s expected that this could become more of the norm, at least in the near term.

Some in the financial services industry have been slow to change; they may now be forced to out of necessity. It’s incumbent upon directors to champion this flexibility and resiliency by ensuring their data security and information infrastructure is ready to handle it.

Cybersecurity Practices for the Board

Several high-profile data breaches in 2019 assured that cybersecurity remains a top concern for bank boards and executive teams. Capital One Financial Corp. and Facebook revealed significant breaches last year — 106 million and over 500 million, respectively — so it’s no wonder that 87% say their anxiety over the issue has increased, according to Bank Director’s 2020 Risk Survey.

In response, more than three-quarters of directors and executives say they’ve increased oversight of cybersecurity and data privacy.

It’s a thorny issue for banks to manage. This isn’t a typical risk like credit that leverages bank leaders’ expertise and knowledge to ensure their practices are safe and sound. With cybersecurity, the threat level changes almost constantly, and the hacker trying to infiltrate your organization could be a world away.

Yet, the buck stops with the board. While management is charged with the implementation of the bank’s cyber risk program, it’s the board’s duty to ensure the bank is protected.

Unfortunately, board oversight is too often taken seriously only after an incident occurs, rather than before.

Basic Responsibilities
In its IT Examination Handbook, the Federal Financial Institutions Examination Council outlines responsibilities for bank boards. They include:

  • Overseeing the development, implementation and maintenance of the information security program
  • Communicating expectations to management and holding them accountable
  • Approving policies, plans and programs
  • Ensuring the program’s effectiveness by reviewing assessments and reports, and discussing management’s recommendations for improvement

How boards fulfill these duties varies. Most oversee cybersecurity within a committee; 19% as a full board.

Further, the frequency with which the board as a whole reviews cybersecurity can be as often as every meeting or as infrequent as annually (or less). The size of the bank appears to have little bearing on how often boards address this issue.

Regulators expect, at minimum, an annual review. But given the pace of change in the cyber threat landscape, meeting the minimal standard isn’t adequate. Bank boards need to take cybersecurity more seriously.

“If you’re talking cybersecurity less frequently than quarterly, I don’t think you can truly manage that risk to your institution,” says Craig Sanders, a partner at survey sponsor Moss Adams. “You can’t get enough data points to really understand what the risk profile is or isn’t doing in your institution in terms of [protecting the bank].”

At a minimum, the FFIEC says management should report to the board annually on the risk assessment process, risk management and control decisions, third-party arrangements, testing results, security breaches and management response, and recommendations for updates to the program. A designated information security officer should report directly to the board, as well.

In the survey, 76% indicate that the bank’s chief information security officer meets regularly with the board.

Next-Level Oversight
The FFIEC’s Cybersecurity Assessment Tool (CAT) has been made available by the interagency body to evaluate all facets of a bank’s cybersecurity program, including the activities the board engages in as part of its oversight capacity.

Annie Goodwin, the risk oversight chair at $13.7 billion Glacier Bancorp, says the CAT is among the tools in the Kalispell, Montana-based bank’s cybersecurity arsenal. “It’s valuable in assessing cybersecurity preparedness,” she says. “During the safety and soundness exam, the CAT tool is often reviewed, and our board is very familiar with it.”

The CAT provides a list of attributes that indicates a bank’s maturity within each domain: threat intelligence and collaboration, cybersecurity controls, external dependence management, cyber incident management and resilience, and cyber risk management and oversight, including the board’s role. Maturity levels are rated from baseline — a bare-minimum standard indicating the lowest level of maturity, intended for banks exhibiting minimal inherent risk — to advanced and innovative, the two highest levels.

Given the continued prominence of cybersecurity as a threat to the industry, the survey asked directors and executives about some of the advanced and innovative activities for board oversight. The results confirm that some practices are more common than others.

Almost three-quarters of respondents indicate their board participates in training to better understand the cyber threats facing the bank.

Cybersecurity has become a more frequent topic of discussion for the board at Cross Plains, Wisconsin-based SBCP Bancorp. “Rightly so,” says CEO Jim Tubbs, given increased threats to the $1.3 billion bank and its customers. “The first step is informing and educating [the board],” he says. “The second step is having them understand from us — senior management — or from our external auditors, to be able to provide them appropriate reports or knowledge in regards to how we are handling cyber risk, and how [we are] testing our own systems and how our audit function is working.”

Using data to facilitate strategic decisions and monitor cyber risk (27%) is one of the least common practices reported by respondents, along with benchmarking cybersecurity staffing against peer institutions (10%).

Sanders says more progressive organizations are asking for benchmarking metrics to better budget for cybersecurity and technology, to gauge whether they’re spending enough to protect their institution.  “What are peer banks spending, and where are they [in terms of] maturity?” he says.

Incorporating more of the practices outlined in the CAT promises to augment the board’s ability to oversee cybersecurity as a risk.

“When you look at the intent of the [regulatory] guidance, and as you move from baseline maturity level to advanced, evolving, innovative — as you move up that chain, the governance piece becomes more heavily focused. They expect more participation” on the part of the board, says Sanders. “A small percentage of banks [say], ‘We want to move to evolving, or we want to move to advanced.’ Those are the ones that are spending more money and committing more to it, [and] their board and management team have a better harmony about what that program should look like and see the value in it.”

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, surveyed 217 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks under $50 billion in assets. The survey was conducted in January 2020 and focused on the top risks facing financial institutions at that time, including cybersecurity, credit and interest rate risks, and emerging issues.

You can read more about the “Cyber War” facing the banking industry in the second quarter issue of Bank Director magazine. Additionally, Bank Director’s Online Training Series contains information on the board’s role in overseeing cybersecurity. Unit 11 covers best practices for the board. Unit 21 addresses further responsibilities, as well as the importance of an incident response plan and employee training.

COVID-19 Poses New Cybersecurity Challenges for Banks

The COVID-19 pandemic has turned the banking world upside down, not the least by requiring a significant number of employees to work remotely.

Social distancing requirements have forced many companies, banks included, to have large numbers of their employees work from home. Not only is this a stark departure from how most banks have traditionally operated, it happened very quickly; the new coronavirus swept across the country like a derecho, giving them little time to prepare.

And while social distancing will hopefully “flatten the curve” of the pandemic’s infection rate, to use a now common expression, it has had the unintended consequence of increasing the industry’s cyber risk by opening banks up to new attacks.

The “core threat,” according to Ron Buchanan, the chief information security officer at $17.6 billion Atlantic Union Bankshares Corp. in Richmond, Virginia, involves remote access platforms like virtual private networks (VPNs) and video conferencing platforms. This would include companies using VPNs for the first time, or companies that risk exposing services and sensitive or internal communications online.

“There are plenty of companies out there that aren’t used to working remote and are in a rush to enable remote access services and doing that without the knowledge and proper protections,” Buchanan says. “That creates the vulnerable environment for the attackers to go after. And that’s what they’re focused on.”

In some instances, employees who are working remotely are forced to use their home computers because they don’t have a company laptop. “[With s]ome clients of ours, not [every employee] has a company-issued laptop to take home,” says Shawn Connors, a principal in PwC’s cybersecurity and privacy practice.

In that scenario, the employee may have to use a home computer that is operating outside of the bank’s security framework. The bank’s challenge is to understand “what information is potentially leaving the confines of the organization, where is it going and do those machines that are accessing or manipulating that data, are they at the corporate standard of what one would expect to put into appropriately managed cyber risk?” Connors says.

Larger banks generally have had less trouble meeting the demands of a distributed workforce because they have a more robust technology infrastructure to begin with, as well as more employees working from remote locations. Many smaller banks, on the other hand, have been challenged by the sudden shift to a work-from-home policy.

“We have definitely had a number of clients where, not only is the capacity not there, but they have a security concern on top of it because they don’t have control of the device that’s actually going to be accessing data in these corporate environments,” Connors says. “Overnight, some really bad hygiene practices have been put back in place, just because they got caught flat-footed.”

For its part, Atlantic Union has been able to handle the sudden shift to a distributed workforce in stride. “It hasn’t had too much of an impact on us because we already had a large number of laptop users with the right security protections on those laptops,” says Buchanan. “So really, it was just a slight tuning adjustment to scale up that coverage and keeping a close eye on the increased load on the VPN infrastructure.”

Buchanan has sent out communications reminding employees who are working from home that they are required to use the bank’s VPN and must abide by restrictions such as a prohibition against printing out documents at home.

There has also been a surge in video conferencing, which may not be the most secure communications platform for sensitive meetings. “The biggest risk is if you’re having a confidential conversation and someone eavesdrops on that call, and they’re eavesdropping on that confidential conversation,” Buchanan says. “If you’ve turned on the security settings, which means turning on the password and all the encryption settings, it increases the security of the call. And if you don’t recognize someone and you can’t figure out who it is, then you should assume the call has been compromised and either kick that connection off or change calls.”

The Financial Services Information Sharing and Analysis Center, an industry consortium focused on cybersecurity, offers home security resources for institutions that are managing a distributed workforce.

Small Changes Lead To Big Payoffs In Reducing Fraud

Banks can leverage their relationships with clients and empower them to better control fraud.

Many financial institutions find themselves in difficult positions as a growing number of their customers are targeted for business takeover attacks. Hackers gain access to company funds through a variety of manipulations, often tricking an internal employee into sending a wire transfer. Some corporates have ineffective controls around their bank accounts or make poor decisions when sharing banking information. Banks are often stuck in the middle. Regardless of its lack of involvement in a fraudulent transaction, the bank will likely receive the first call when money goes missing.

Organizations are increasingly concerned about these business takeover threats, according to RSM’s recent Middle Market Business Index Cybersecurity Special Report. The survey found that 64% of middle market executives believe their businesses are at risk of attempted employee manipulation in the coming year, up 9% from the previous year. They are right to be worried: These attacks are growing in popularity with criminals because of their low-tech and low-risk nature, combined with the potential of significant rewards.

Business takeover cases are simple on the surface, but can have complex details. In one recent example, a portfolio company from a private equity company sent an email to the PE firm’s chief financial officer seeking additional funds. A hacker who took control of the portfolio company’s email sent a follow-up email with the hacker’s bank account information to receive the fraudulent wire transfer. The CFO quickly recognized that something was wrong and called the bank. The company and the hacker used the same bank, which froze the funds. But the hacker successfully convinced the institution to release the funds and wired them out of the country.

While banks are not required to encourage customers to adopt stronger protections against takeover threats or modify their own internal processes to identify fraud, some small adjustments can make a big difference to help deter criminals.

Many banks still do not coach customers on how they can discourage takeover threats, or help them understand the tools at their disposal. For example, many banks offer two-factor authentication for wire transfers, but customers choose to disable it, creating unnecessary vulnerabilities. When customers elect to turn off security controls, banks can intervene and help them understand why those controls exist. Coaching can help clients avoid painful experiences.

In addition, banks should offer security information and training to their clients on a regular basis to help them understand threats and the role the bank plays. Institutions need more visibility into emerging risks and the behavior and activity that clients need to avoid. They can use these touchpoints to check on their customers’ status, improve business relationships and discuss any additional necessary services.

Many banks utilize flexible core banking systems that can identify high-risk transactions. These platforms feature extensive functionality, but banks often do not use all of the built-in capabilities and sometimes miss questionable transactions in real time. In many cases, they can establish controls to flag suspicious activity. 

For example, if a middle market company that traditionally only does domestic wire transfers sends funds to Romania, that transaction should stick out like a sore thumb. Perhaps a company that usually sends wire transfers under $20,000 suddenly sends one for $60,000. While large banks may not be able to pick up the phone to validate that transaction, community banks have an opportunity to reach out personally and provide more value than their larger counterparts.
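The two checks described above, a first wire to a new country and an amount well above the customer's norm, can be written as rules over the customer's own wire history. This is an added example, not code from the article or from any core banking platform; the record layout, the 3x-median threshold, the minimum-history rule and the sample data are all assumptions.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Wire:
    customer: str
    amount: float      # USD
    dest_country: str  # ISO 3166-1 alpha-2 code

AMOUNT_MULTIPLE = 3.0  # assumed: flag at or above 3x the customer's median wire
MIN_HISTORY = 5        # assumed: fewer past wires than this means no usable baseline

def build_profiles(history):
    """Summarise each customer's past wires: amounts sent and countries used."""
    profiles = {}
    for w in history:
        p = profiles.setdefault(w.customer, {"amounts": [], "countries": set()})
        p["amounts"].append(w.amount)
        p["countries"].add(w.dest_country)
    return profiles

def review_reasons(wire, profiles):
    """Return reasons to hold a wire for a callback; an empty list means no flag."""
    p = profiles.get(wire.customer)
    if p is None or len(p["amounts"]) < MIN_HISTORY:
        # No baseline to compare against: route to manual review, do not pass silently.
        return ["insufficient history for this customer"]
    reasons = []
    if wire.dest_country not in p["countries"]:
        reasons.append(f"first wire to {wire.dest_country}")
    # Median rather than mean, so one large past wire does not raise the baseline.
    typical = median(p["amounts"])
    if wire.amount >= AMOUNT_MULTIPLE * typical:
        reasons.append(
            f"amount {wire.amount:,.0f} is {wire.amount / typical:.1f}x typical {typical:,.0f}"
        )
    return reasons

# Constructed sample history: a customer that only sends domestic wires under $20,000.
HISTORY = [Wire("ACME-MFG", a, "US")
           for a in (12_000, 18_500, 9_000, 15_000, 19_900, 14_000)]
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    for w in (Wire("ACME-MFG", 16_000, "US"),   # in pattern
              Wire("ACME-MFG", 19_000, "RO"),   # new destination country
              Wire("ACME-MFG", 60_000, "US"),   # amount outlier
              Wire("NEWCO", 500, "US")):        # no baseline yet
        print(w, "->", review_reasons(w, PROFILES) or "no flag")
```

A flag here is a prompt for the phone call the article describes, not an automatic rejection.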

Obviously, detecting a fraudulent wire transfer from within the bank is not always this straightforward. But the institution is often the last point of resistance in these attacks. Individuals responsible for oversight should review suspicious activity reports and other notifications of wire transfer fraud regularly to identify criminal activity.         

Banks may be able to better control fraud in three ways: confirming transfers with clients, being more conservative with internal fraud detection processes and paying attention to any outlier transactions.

Most banks and many customers have taken steps to improve their internal cybersecurity following high-profile attacks and increased regulatory scrutiny. However, plans to reduce business takeover risks both inside the bank and when guiding customer activities must be adaptable to new threats. Criminals’ methods will constantly evolve to circumvent today’s detective controls and protective measures.

Educating clients about how to avoid and address risks while adjusting internal bank processes can improve operations for both your bank and your clients. A stronger risk environment can increase customer satisfaction, reduce the strain on internal employees tasked to track down lost funds and help you avoid having to guide your customers through the fallout of a criminal hacking.

Will Iran Target U.S. Banks?

Should U.S. banks be concerned about possible cyberattacks from Iran following the killing of its top general, Qasem Soleimani, in a U.S. drone attack in early January?

Two federal banking regulators apparently think so.

The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued a joint statement on Jan. 16 — 13 days after Soleimani’s assassination — to “remind supervised financial institutions of sound cybersecurity risk management principles,” including response and resilience capabilities, strong authentication controls and securely configured systems.

Iran responded to Soleimani’s killing four days later by firing missiles at two U.S. military bases inside Iraq, but that may not be the end of the matter. A short news item in the Jerusalem Post on Feb. 2 quoted Hashim Al-Haidari, an official in the Popular Mobilization Forces, a Shiite militia group that serves as an umbrella organization for a number of Iran-backed militias operating in Iraq, as saying that Iran’s initial reprisal was just a “first slap” and that “hard revenge” was coming.

What form might that revenge take?

Iran’s missile attack was a carefully calibrated reprisal, intended to limit the possibility of a major U.S. counterattack, according to Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity. The Fulton, Maryland-based consulting firm was co-founded by Keith Alexander, a retired four-star Army general who was director of the National Security Agency and the first commander of the U.S. Cyber Command.

“They were very careful to control the way they responded in that one instance … but I also don’t think we’ve seen the end of the Iranian response,” Jaffer says. “They are likely to come at us again, whether that’s because they’re returning to their old behaviors or because they want to continue to respond to the killing of Soleimani — or maybe a little bit of both — but they will come back again because it’s how they operate.”

Jaffer says that Iran might respond in one of two ways (or perhaps even both). The first would be traditional terrorist attacks on overseas targets intended either to kill people or damage important infrastructure, like the September 2019 attack on Saudi Arabia’s state-owned oil company, Saudi Aramco. These direct attacks will most likely occur outside the United States and could involve U.S. allies like Saudi Arabia, a regional adversary of Iran. “I think they recognize that an attack like that, conducted inside the United States, would result in catastrophic consequences for their regime, and I don’t think they’re looking to do that,” Jaffer says.

A more likely longer-term response from Iran might be cyberattacks on targets inside the United States, including banks. Why banks? Because they are a critical component in the country’s financial infrastructure.

“Physical attacks are much more binary,” Jaffer says. “Either you go blow something up or you don’t, you kill somebody or you don’t, you attack a facility or you don’t. Cyberattacks can be ratcheted up or down in real time. You can go from a nuisance attack to destroying data and [then] back off of that. You can modify how you’re behaving, so they’re dynamically scalable in scope and nature.”

Cyberattacks also provide the source with some element of plausible deniability. “Iran wants to be seen as responding to the Soleimani attack, but they also at times want to be able to say, ‘Yeah, but it wasn’t really us.’ Even though they want you to know it was them and even though they in fact did it, they also want to be able to deny it publicly,” Jaffer explains.

Jaffer says that Iran’s cyber warfare skills should be taken seriously. “They have real capabilities,” he says. In 2014, Iran launched a highly destructive cyberattack on the Las Vegas Sands Corp., where according to Jaffer “they went in and bricked computers and deleted data.” A bricked computer is one that has been rendered useless through a cyberattack and cannot be repaired through normal means, like installing a new operating system. Why would Iran target Las Vegas Sands? The casino company’s CEO, Sheldon Adelson, is a major supporter of Israel and once said the U.S. should consider dropping a nuclear bomb on Iran.

Between December 2011 and September 2013, Iran launched distributed denial of service attacks against 46 major U.S. financial institutions, according to a federal indictment against a group of Iranian hackers filed by the U.S. Department of Justice and the Southern District of New York. According to the indictment, these institutions incurred tens of millions of dollars in remediation costs. Banks should always be focusing on their cybersecurity defenses, of course. But the current hostilities between the U.S. and Iran, combined with Iran’s demonstrated willingness to use its cyber warfare against U.S. companies including banks, serve as a reminder that an ounce of prevention might be worth a pound of cyber cure.

An Effective Way to Combat Cyber Breaches

Banks have always been in the business of risk management, but the risks they face aren’t stagnant; they migrate with time.

Traditionally, banks have faced two types of risk: interest rate and credit risk. Today, however, given the growth of digital banking and transactions, these two risks have been supplanted by another: cybersecurity.

The biggest challenge when it comes to cybersecurity risk is that it constantly evolves, as the threats, actors and attacks increase in sophistication. Banks that prepare for one method of intrusion may find themselves the victim of a different strategy.

Earlier this year, H. Rodgin Cohen, a partner at Sullivan & Cromwell and one of the industry’s most trusted advisors, commented on this change.

“I think the biggest risk in the [financial] system today is a successful cyberattack,” Cohen said. “That is a very serious risk, but I think the more likely [danger] is that a single bank — or a group of banks — are hit with a massive denial of service for a period of time, or a massive scrambling of records.”

Banks of all sizes feel pressure to keep their systems secure from intruders, according to Bank Director’s 2019 Risk Survey, which found that cybersecurity concerns among bankers have increased over the previous year.

Twenty percent of survey respondents say they address cybersecurity as a full board rather than delegating it to a committee, and slightly more than a third say at least one director is a cybersecurity expert.

The concern is ever present, and for some banks, very real: 18% of respondents, excluding chief lending officers and chief credit officers, reported that their bank experienced a data breach or other cyberattack within the last two years.

Concerns like these are why Bank Director created the “Best Solution for Protecting the Bank” category for its 2019 Best of FinXTech Awards. Judges selected winners from the most innovative solutions found in the FinXTech Connect platform.

The finalists for this year’s award were Rippleshot, which helps banks to identify credit and debit card fraud; IDEMIA, which works to prevent card-not-present fraud; and Illusive Networks, which helps banks detect when their networks have been infiltrated.

This year’s winner was Illusive Networks, based in part on its work to secure the network of Israel Discount Bank, the third biggest bank in Israel.

Illusive approaches cybersecurity from a hacker’s point of view in order to beat them at their own game. Its strategy isn’t to stop an intrusion per se — a feat that seems increasingly impossible with the number of entry points into a system and the scores of malicious actors.

Rather, it detects and remediates an attack once it has happened. Intruders breaking into a bank’s system must persistently monitor the network for bits of information or credentials that will help them move from machine to machine and gradually close in on the data they want. Illusive plants false information across the bank’s network so that, when attackers act on it, the bank can catch them red-handed.

Illusive calls this “endpoint-focused deception.” The deceptive information is only visible to malicious actors and triggers an alert within Illusive. The technology then captures details about the bad actor directly from the machine they were using, which the bank then uses to track and stop the attack.

One of the main selling points of Illusive’s solution is the short implementation period. In Israel Discount Bank’s case, it took a matter of weeks to implement the solution. The net result is that, not only is the solution harder to detect for potential cyber criminals, but it’s also fast and easy to implement.

How Banks Can Use the Dark Web to Shed Light on Cybersecurity


Cyberthreat intelligence, or CTI, can give bankers a deeper understanding of the potential threats that face their business.

Whether it is knowing your enemy or learning about the latest malware, CTI provides information that can help executives make prudent, risk-based decisions. This information comes from the open internet as well as closed sources, including the darknet and dark web. Analyzing this CTI can produce insights and identify signs of a potential breach, leaked data or pending attacks.

The darknet is the part of the internet that is not accessible through conventional browsers and requires specific software or configurations; the deep web is the part of the internet that is not accessible through search engines. Some nation states, cybercriminal gangs and threat actors thrive in this underground economy through illegal activity that includes the sale of personal information, financial goods and illicit services. For a bank’s CTI, the deep web and darknet are a treasure trove of breached information and threat indicators.

A vast majority of these cyberthreat intelligence sources contain goods and sensitive data stolen from the financial services industry. Potential financial gain drives bad actors to maintain a thriving marketplace built on illicit items, including debit and credit card numbers, identity theft services and banking malware.

While no tool or service can completely eliminate the risk of a data breach, integrating CTI into a bank’s cybersecurity program can make the bank more difficult to target and lower the likelihood of a breach. To get value from CTI, a bank can:

  • Identify the threat actors that are leveraging potential vulnerabilities in systems used by the financial sector;
  • Understand whether a particular organization or client is being targeted directly;
  • Detect active malware campaigns that could target the bank;
  • Learn where its customer and employee information may exist;
  • Find breached credit or debit cards on deep web or darknet marketplaces; and
  • Understand emerging trends regarding data theft.

There are a variety of ways that financial institutions can leverage, and directly benefit from, CTI. Some examples include:

  • Incorporating technical indicators of compromise into the company’s security information and event management system;
  • Briefing high-level executives on industry trends and providing intelligence on potential future attacks;
  • Providing intelligence briefings to security operation centers (SOCs), increasing the situational awareness of technical campaigns and bad actors;
  • Developing incident response scenarios;
  • Achieving timely integration with fraud teams to deactivate stolen credit or debit cards;
  • Working with law enforcement to remove stolen credit, debit or other financial information from the deep or dark web;
  • Segregating and limiting internal access to systems if an individual’s credentials are exposed;
  • Communicating with social media and marketing teams about exposed data; and
  • Implementing patches for known vulnerabilities that are discovered on external-facing systems and applications.

What does a successful CTI program look like at financial institutions?
Deep analytical CTI is usually not possible at small- to medium-sized financial institutions using the internal resources of their existing security teams, and is often outsourced to a vendor or third party. Outsourcing can provide some value-added actions, such as:

  • Identifying breached credit and debit cards or other financial information;
  • Monitoring chatter about C-suite executives;
  • Assisting in the prevention of fraud committed through credential theft;
  • Thwarting attacks planned by adversaries that use new financial theft malware, ransomware or Trojans;
  • Examining reputational damage or brand-related chatter for an organization;
  • Identifying large credential data dumps or breaches; and
  • Identifying or ascertaining stolen or fraudulent goods like blueprints, skimmers and physical devices, or sensitive data such as tax forms, personally identifiable information and protected health information.

CTI can provide a variety of actionable information that executives can use to make better cybersecurity decisions and assess their risk appetite. With CTI, bankers can prioritize initiatives, address budgets and create business strategies for securing customer, employee and client data. A deeper understanding of the threats they face gives companies a firmer grasp of the tumultuous cyber landscape and a clearer vision of how to prevent problems.