2021 Risk Survey Results: High Anxiety

An outsized crisis requires bold action. The banking industry responded in kind when the economy spiraled as a result of the Covid-19 pandemic.

Financial institutions across the country assisted small businesses by issuing Paycheck Protection Program loans. Banks also almost universally modified loans to help borrowers weather the storm, according to Bank Director’s 2021 Risk Survey, sponsored by Moss Adams LLP. At the peak of the downturn, 43% of the directors, CEOs, chief risk officers and other senior executives responding to the survey say their bank modified more than 10% of the loans in their portfolio.

Conducted on the heels of a tumultuous 2020 — with the pandemic, social strife and political change continuing into January — the survey reveals high levels of anxiety across the risk spectrum. In particular, respondents indicate greater unease regarding cybersecurity (92%) and credit (89%), as well as strategic (62%) and operational (52%) risks.

Almost half of respondents indicate that some or most of the loan modifications extended into the fourth quarter 2020, and two-thirds reveal concerns about concentrations in their loan portfolio, with most pointing to commercial real estate (43%) and/or the hospitality industry (31%).

Forty-three percent indicate that their bank tightened underwriting standards during the downturn. Looking ahead, many are unsure whether they’ll ease their standards to lend to business customers in 2021 and 2022. The challenges to bankers have been deep during the past year.

As the CEO of a small, southeastern community bank put it: “What doesn’t kill you makes you stronger.”

Despite this uncertainty, bankers express some optimism. More than three-quarters believe that supporting their communities during the pandemic has positively affected their bank’s reputation. Eighty-seven percent expect fewer than 10% of their bank’s business customers to fail. And 84% will improve their bank’s business continuity plan due to what they’ve experienced.

Key Findings

More Robust Stress Testing
More than 80% say their bank conducts an annual stress test. Of these, 60% have expanded the quantity and/or depth of economic scenarios examined in response to the Covid-19 pandemic.

Cybersecurity Gaps
Sixty-three percent say their institution increased its oversight of cybersecurity and data privacy in 2020. Most say the bank needs to improve its cybersecurity program by training staff (68%) and implementing technology to better detect or deter threats and intrusions (65%).

Pandemic Plans Adjusted
Respondents identify several areas where they’ll enhance their business continuity plan as a result of the pandemic. The majority point to formalizing remote work procedures and policies (77%), educating and training employees (56%) and/or providing the right tools to staff (55%). Roughly half say that fewer than a quarter of employees will work remotely when the pandemic abates; 25% say that no employees will work remotely.

Banking Marijuana
Forty-one percent of respondents represent a bank headquartered where marijuana use is at least partly legal. Overall, one-third are unsure if their bank would be willing to serve marijuana businesses. Just 7% serve these businesses; 34% have discussed banking this industry but don’t work with these companies yet.

Climate Change Still Not a Hot Topic
Just 14% say their board discusses the risks posed by climate change at least annually; this is up slightly from 11% in last year’s survey. Fewer than 10% say an executive reports to the board about the risks and opportunities that climate change presents to the institution.

Developing a Digital-First Approach to Risk Management

The world has leaned further and further into the digital realm, largely thanks to a younger, more tech-dependent generation.

The Covid-19 pandemic accelerated a years-long push toward online and mobile banking use. Does your institution have a true digital banking strategy to deliver simple and secure digital banking services to your customers? As the primary channel through which customers conduct nearly all their banking activities, digital is your bank now.

But as more consumers turn to digital channels, cybercriminals are following suit — as demonstrated by increasing incidents of fraud and unauthorized account access. To mitigate cybersecurity threats and protect your customers, your bank’s risk management strategy now requires a digital-first approach.

Risk Management in Digital Banking
Even though customers demand digital transformation, delivering frictionless experiences comes with certain inherent challenges and risks. Once you identify these hurdles, you can mitigate them so that your institution can move forward.

The most pressing digital banking risk management issues fall into two categories: overcoming organizational challenges and mitigating regulatory risks. Each has several considerations and variables your institution should weigh.

Overcoming Organizational Challenges

Outdated corporate culture: Entrenched processes and perspectives can stall your digital transformation. Promoting a more forward-thinking culture must start at the top and flow down in order for the entire institution to embrace change. Confirm your bank’s risk management personnel are on board, and involve them from the beginning to ensure a secure and safe transformation.

Refocusing of key positions: Some of your bank’s key positions may change in response to digital transformation. Digitization may shift the focus of some, but these positions are still critical to the institution’s success. For example, instead of manually performing tasks, employees working in an operations department may begin focusing on automating processes for the institution.

Resistance to change: Many institutions have executives that will champion progress, while others are resistant to the changes required to adopt a digital-first approach. Identify the champions at your institution and empower them to lead your digital transformation.

Lack of innovative thought leadership: It will take true out-of-the-box thinking to digitally compete with the big banks and emerging fintech companies. Encourage that kind of modern thinking within your institution.

Misguided beliefs: Quash any notions that a mobile banking app is the only component of a digital strategy, or that a digital-first approach means that personalization is no longer needed. Back-end operations and internal processes must fully support a digital environment that effectively identifies and fulfills individual customer needs based on their actions and behaviors — without adding friction to the customer experience.

Mitigating Regulatory Risks

Digital compliance and cybersecurity: Banks operating in a digital environment must still comply with all applicable laws and regulations. This includes paying attention to uniquely digital processes that are covered under specific rules, such as electronically signing documents per the E-Sign Act. To mitigate risk, institutions should invest in technology designed to ensure compliance and strengthen cybersecurity.

Third-party risk management: Many banks are outsourcing all or part of their digital strategy to fintechs and other third-party vendors out of necessity. But institutions are still ultimately responsible for all functions, whether they are performed internally or externally. A robust vendor management program is key to avoiding unqualified third-party providers. A provider must understand applicable regulatory requirements, be able to adhere to them and guarantee compliance.

Fraud and identity theft: The increase in banking without face-to-face interaction can increase the risk of synthetic identity fraud, traditional identity theft and account takeovers. Your bank should meet these challenges by reviewing and strengthening your Bank Secrecy Act/anti-money laundering (BSA/AML), know your customer (KYC), customer due diligence (CDD), cybersecurity and other relevant compliance programs. Digitizing internal processes will result in more available data as well as the ability to use AI to monitor customer behaviors and efficiently identify potential fraud.

While digitization can increase certain risks for banks that undertake such a transformation, enabling enhanced digital banking risk management to secure digital channels, mitigate risk and deliver a frictionless customer experience is worth the effort.

Does your Bank Need a SOC?

Banks’ IT departments are at risk of burning out, given the constant pressure to comply with industry standards while preventing emerging cybersecurity threats.

Risk management solutions are in high demand within the financial industry, as the need for continuous network monitoring has only grown. If this sounds more like your current reality than a distant memory, a security operations center (SOC) could be the ideal cybersecurity solution that your bank needs.

What is a SOC?
Gartner defines a security operations center as “a team, often operating in shifts 24/7, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.”

SOCs are responsible for monitoring and analyzing activity on networks, servers and other systems. The service center continuously looks for abnormal activity that indicates a potential breach, security incident or malicious activity in your network. SOCs also detect harmful attempts to compromise your network and assist with the incident response lifecycle, allowing your bank’s IT team to respond more efficiently and work towards preventing security threats altogether. The goal is simple: get the job done quickly and accurately.

The key to deciding whether to move forward with external SOC support is the ability to deliver all of your enterprise network traffic, laptops, desktops, firewalls, VPNs, routers, switches and application security detections to your SOC for their review and analysis. Paying a SOC service to watch your firewall traffic isn’t comprehensive enough and will give you a false sense of security. This is why you should consider buying a Security Information and Event Management (SIEM) platform that will ingest all of your data, making it easier for your SOC to protect your network.

What to look for in a SOC?
Searching for an ideal security operations center is not an easy task. There can be delays due to limited knowledge about key features. Below is a list of some primary features your bank should require in a SOC service:

  • Network Monitoring: The service should continuously monitor your network traffic and detect potential intrusions. You should also receive real-time alerts for any anomalous or malicious activity.
  • Incident Response: The incident response lifecycle starts with the initial detection and containment, then continues to the eradication phase, and finally returns to normal business operations.
  • Account Privilege: Privilege analysis of every account, system and group provides a financial institution’s staff with knowledge of exactly who can access the most sensitive data.
  • Compliance Reporting: Compliance reporting tools should include PCI DSS (Payment Card Industry), NIST (National Institute of Standards and Technology), and HIPAA. The FFIEC’s Cyber Assessment Tool (CAT) should be directly integrated into the service as well.
  • 360° View of Network: A SOC service should have the capability to continuously monitor and defend networks on-premise, in the cloud and across the globe.
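The “Account Privilege” item above describes privilege analysis: knowing exactly who can reach the most sensitive data once group nesting is taken into account. The following is an added example, not code from this article or from any SOC or directory product. It expands nested group membership over a constructed directory snapshot (the GROUPS and ACLS data, resource names and every user and group name are made up) and flags grants that arrive through several layers of nesting, which is where unintended access usually hides.

```python
"""Privilege analysis over a constructed directory snapshot (added example).

Nested group membership is expanded transitively so that every account that
can reach a sensitive resource is listed with the chain of groups granting
the access. GROUPS and ACLS below are constructed for illustration.
"""
from collections import deque

# group -> direct members; a member that is itself a key of GROUPS is a nested group
GROUPS = {
    "Domain Admins": {"alice"},
    "Wire Ops": {"bob", "Wire Leads"},
    "Wire Leads": {"carol", "Help Desk"},   # help-desk group nested here by mistake
    "Help Desk": {"dave", "erin"},
    "Tellers": {"frank"},
}

# resource -> {principal: permission}
ACLS = {
    "wire-transfer-db": {"Domain Admins": "full", "Wire Ops": "write", "Tellers": "read"},
    "customer-pii-share": {"Domain Admins": "full", "Wire Leads": "read"},
}

def expand_group(group, groups=GROUPS):
    """Return {user: path} for every user reachable from `group`.

    `path` is the tuple of groups that confers membership, for example
    ("Wire Ops", "Wire Leads", "Help Desk") for dave. Breadth-first search
    records the shortest path, and the `seen` set stops membership cycles.
    """
    reached, seen = {}, {group}
    queue = deque([(group, (group,))])
    while queue:
        current, path = queue.popleft()
        for member in sorted(groups.get(current, ())):
            if member in groups:                # nested group: walk into it once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + (member,)))
            elif member not in reached:         # user: first (shortest) path wins
                reached[member] = path
    return reached

def effective_access(resource, acls=ACLS, groups=GROUPS):
    """Return {user: [(permission, path), ...]} for everyone who can reach `resource`."""
    result = {}
    for principal, perm in acls[resource].items():
        if principal in groups:
            for user, path in expand_group(principal, groups).items():
                result.setdefault(user, []).append((perm, path))
        else:                                   # a user named directly in the ACL
            result.setdefault(principal, []).append((perm, (principal,)))
    return result

def nested_grants(resource, min_depth=3, acls=ACLS, groups=GROUPS):
    """Grants that arrive through at least `min_depth` levels of groups.

    These are the entries a reviewer looks at first: nobody intended the
    help desk to write to the wire database, yet the nesting confers it.
    """
    out = []
    for user, grants in effective_access(resource, acls, groups).items():
        for perm, path in grants:
            if len(path) >= min_depth:
                out.append((user, perm, path))
    return sorted(out)

if __name__ == "__main__":
    for resource in ACLS:
        print(resource)
        for user, grants in sorted(effective_access(resource).items()):
            for perm, path in grants:
                print(f"  {user:6} {perm:5} via {' -> '.join(path)}")
        print("  review:", nested_grants(resource))
```

Run as a script it prints each resource’s effective access list and the deep-nesting grants to review; in the constructed data, dave and erin gain write access to the wire database only because a help-desk group was nested two levels down.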

According to an Information Security Buzz article, the key to maximizing features like those listed above is to “integrate the data flowing among all the tools. This gives your entire security operations team a filtered view into what the information means.” The more perspectives that analytics can produce from data flow, the higher the value of that analysis. While all SOCs are different, they have critical components that will make or break the success of your bank’s cybersecurity team.
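To make this section’s point concrete (that a SOC fed only firewall traffic sees too little, and that the value comes from integrating the data flowing among all the tools), here is an added example, not code from this article or from any SIEM or SOC vendor. It normalises three constructed log sources (firewall, VPN gateway, endpoint; the formats and every host, user and address are invented, and the endpoint lines borrow only the Windows event IDs 4624 and 4732) into one schema and runs one chained detection over the merged stream. Run on the firewall lines alone it raises nothing; run on all three sources it raises a brute-force-then-success alert and a follow-on alert for an administrator grant on the endpoint.

```python
"""Cross-source correlation over constructed log lines (added example).

Firewall, VPN-gateway and endpoint lines are normalised into one event schema
and a single chained detection runs over the merged stream. All lines, hosts,
users and addresses are constructed; the endpoint lines borrow only Windows
event IDs 4624 (logon) and 4732 (member added to a local group).
"""
import re
from datetime import datetime, timedelta

FIREWALL_LOG = """\
2021-03-02T08:00:01Z fw01 ALLOW tcp 203.0.113.7:51012 -> 198.51.100.10:443
2021-03-02T08:00:09Z fw01 ALLOW tcp 203.0.113.7:51013 -> 198.51.100.10:443
2021-03-02T08:00:17Z fw01 ALLOW tcp 203.0.113.7:51014 -> 198.51.100.10:443
2021-03-02T08:00:30Z fw01 ALLOW tcp 203.0.113.7:51015 -> 198.51.100.10:443
"""
VPN_LOG = """\
2021-03-02T08:00:02Z vpn01 user=jsmith src=203.0.113.7 result=FAIL reason=bad_password
2021-03-02T08:00:10Z vpn01 user=jsmith src=203.0.113.7 result=FAIL reason=bad_password
2021-03-02T08:00:18Z vpn01 user=jsmith src=203.0.113.7 result=FAIL reason=bad_password
2021-03-02T08:00:31Z vpn01 user=jsmith src=203.0.113.7 result=OK
2021-03-02T09:15:00Z vpn01 user=mlee src=192.0.2.44 result=OK
"""
ENDPOINT_LOG = """\
2021-03-02T08:02:05Z WS-1187 EventID=4732 Subject=jsmith Member=jsmith Group=Administrators
2021-03-02T09:16:40Z WS-0420 EventID=4624 Subject=mlee LogonType=10
"""
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _kv_events(text, source):
    """Parse 'ts host k=v k=v ...' lines (VPN and endpoint) into the common schema."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        kv = dict(re.findall(r"(\w+)=(\S+)", parts[2]))
        events.append({"ts": _ts(parts[0]), "source": source, "host": parts[1],
                       "user": kv.get("user") or kv.get("Subject"),
                       "src_ip": kv.get("src"), "detail": kv})
    return events

def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "source": "firewall", "host": m["host"],
                           "user": None, "src_ip": m["src"], "detail": m.groupdict()})
    return events

PARSERS = {"firewall": parse_firewall,
           "vpn": lambda text: _kv_events(text, "vpn"),
           "endpoint": lambda text: _kv_events(text, "endpoint")}

def ingest(sources):
    """sources: {source_name: raw log text} -> one time-ordered, normalised stream."""
    events = []
    for name, text in sources.items():
        events.extend(PARSERS[name](text))
    return sorted(events, key=lambda e: e["ts"])

def run_detection(events, fail_threshold=3, window=timedelta(minutes=5),
                  followup=timedelta(minutes=15)):
    """Rule 1: >= fail_threshold VPN failures from one IP inside `window`, then a
    success from that IP. Rule 2: that user is added to the local Administrators
    group on an endpoint within `followup` of the success. Firewall lines alone
    carry neither signal; they show only allowed TLS connections."""
    alerts, failures, suspect = [], {}, {}
    for e in events:
        if e["source"] == "vpn":
            recent = [t for t in failures.get(e["src_ip"], []) if e["ts"] - t <= window]
            result = e["detail"].get("result")
            if result == "FAIL":
                recent.append(e["ts"])
            elif result == "OK" and len(recent) >= fail_threshold:
                alerts.append({"rule": "vpn_bruteforce_then_success", "user": e["user"],
                               "src_ip": e["src_ip"], "ts": e["ts"]})
                suspect[e["user"]] = e["ts"]
                recent = []
            failures[e["src_ip"]] = recent
        elif (e["source"] == "endpoint" and e["detail"].get("EventID") == "4732"
              and e["detail"].get("Group") == "Administrators"):
            member = e["detail"].get("Member")
            if member in suspect and e["ts"] - suspect[member] <= followup:
                alerts.append({"rule": "admin_grant_after_suspect_login", "user": member,
                               "host": e["host"], "ts": e["ts"]})
    return alerts

def alerts_for(sources):
    return run_detection(ingest(sources))

if __name__ == "__main__":
    print("firewall only:", alerts_for({"firewall": FIREWALL_LOG}))
    print("all sources:", alerts_for({"firewall": FIREWALL_LOG, "vpn": VPN_LOG,
                                      "endpoint": ENDPOINT_LOG}))
```

The firewall sees four allowed HTTPS connections from the same address and nothing more; only the VPN log exposes the three failures followed by a success, and only the endpoint log shows the same account being added to Administrators ninety seconds later. A real SIEM does the same job with far more sources and rule types, but the dependency is identical: a rule can only fire on data that was actually delivered.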

Why prioritize your network’s security?
Cybercriminals are becoming more creative and methodical with their attacks, especially now that remote work is the new normal. The frequency and potential impact of data breaches and cyberattacks are at an all-time high, and Security Ventures projects cybercrime damage to total $6 trillion by 2021.

It’s unrealistic to expect your bank’s IT department to quickly and efficiently monitor and solve every problem as demand increases. Your team should feel like they can do their job without continuously worrying about capacity concerns. By implementing a SOC service into your cybersecurity roadmap, your organization can expand its security capabilities, without breaking the bank, for years to come.

Embracing a Challenging Environment to Evolve

New York University economist Paul Romer once said, “A crisis is a terrible thing to waste.”

With a nod to Dr. Romer, we believe banks have an extraordinary opportunity to embrace the challenging environment created by the Covid-19 pandemic to enhance critical housekeeping matters. Here are five areas where banks may find opportunities to declutter or reengineer policies, procedures and best practices.

Culture
One of the most obvious opportunities for banks is to focus on culture. Employees working from home has eliminated the ability to have typical office parties, barbecues and other events to build camaraderie. Remote and semi-remote working environments are challenging employees in many difficult ways. Fortunately, banks are finding simple, yet creative, ways to stay in contact with their employees and build culture through additional correspondence and feedback — electronic happy hours, car parades, and socially distant visits, for example. Creatively maintaining high engagement in challenging times will serve to improve communication and culture over the long term. As management consultant Peter Drucker once said, “Culture eats strategy for breakfast.”

Cybersecurity
Cybersecurity risk continues to be top of mind for bankers and regulators given the remote work brought on by Covid. Certainly, most banks’ cybersecurity risk management planning did not contemplate the immediate scale of remote work, but the extreme experience is an opportunity to drill down on underlying policies and procedures. Banking agencies have provided the general blueprint on sound risk management for cybersecurity.

This heightened risk environment provides executives with a perfect opportunity to note where their vulnerabilities may exist or be discovered, where cyberattacks focus and what works — or doesn’t — for your bank. Use the guidance provided to assess your bank’s response and resilience capabilities. Consider the overall map and configuration of your cyber architecture. Consider authentication requirements and permissions to protect against unauthorized access. Take the time to work with information technology experts to clean up access controls and response plans. This is an active situation that provides bankers the unique opportunity to learn and adapt in real time.

Compliance
Banks also face enhanced compliance originating from federal programs aimed at keeping businesses afloat. A worthy endeavor to be sure, but the rollout of some federal programs such as the Small Business Administration’s Paycheck Protection Program has far outpaced the guidance for banks tasked with implementation. The trickle of (often inconsistent) guidance on the documentation, eligibility and certification adds compliance challenges in reporting under the Bank Secrecy Act, fair lending under the Equal Credit Opportunity Act and unfair or deceptive acts and practices under the Federal Trade Commission Act, for example.

Compliance teams have an opportunity to shine at something they are already extraordinarily good at: documentation. They should document the processes and practices they deploy to demonstrate compliance, despite the uncertainty and pace at which they are expected to operate. This documentation can support real-time decision-making that may come up with regulators in the future, and can serve as a basis for improvement on future best practices and training. Compliance teams will discover new questions to ask, novel scenarios to address and gaps to fill.

Operational Planning
The best time to consider the impacts of Covid on your bank’s operations is while events and memories are fresh. Banks all over the country are experiencing what a handful of institutions may go through in the wake of a natural disaster: devastation, uncertainty and a need for banking support. This is the time to review your bank’s disaster recovery and business continuity plans, specifically including pandemic planning, to assess the plans against reality.

To help, the Federal Financial Institutions Examination Council released an updated statement on pandemic planning suggesting actions that banks can take to potentially minimize a pandemic’s adverse effects. This is a chance to improve business continuity planning for similar future events, understanding that they may not be as deep or prolonged as the coronavirus. Exercising the plans in real time, compared to a scheduled test, can reveal helpful improvements that will only strengthen the bank.

Customer Experience
Coping with remote work and providing banking services outside of a branch provides the opportunity for banks to consider strategies around technology and financial technology partnerships. Customers have been rerouted to electronic avenues, and many seem to have embraced technology to deposit checks, access accounts online and transact business.

This evolution offers banks the opportunity to adapt and recognize the use of financial technologies. Many customers will understandably return to branches to conduct some of their business when they reopen, but may require them less. Banks may want to consider how they can satisfy future customer demand and improve the customer experience more broadly. These are just five areas where we see opportunities for banks of all levels and complexity to enhance their policies, procedures and best practices as they prepare to move forward.

Risk, Business Continuity Planning: Trends and Lessons from Covid-19

The Covid-19 pandemic has introduced unprecedented strains to the economy, enhancing concerns about credit risk and pressuring lenders’ ability to serve their borrowers.

Cybersecurity and other risk environments have also evolved, following government-mandated work-from-home models. These shifts are prompting bank leaders to evaluate their business continuity plans and pandemic planning initiatives to ensure they’re putting safety and efficiency first.

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, was conducted in January before the U.S. economy felt the full effect of the coronavirus. Yet, insights derived from this annual survey of bank executives and board members help paint a picture of how the industry will move forward in a challenging operating environment.

Credit Risk
Most community banks have issued loans through the Paycheck Protection Program (PPP), the Small Business Administration loan program created under the Coronavirus Aid, Relief and Economic Security (CARES) Act passed in late March. These loans, which may be forgiven if borrowers meet specified conditions, allowed small businesses to retain staff, pay rent and cover identified operating expenses.

However, it’s likely that businesses will seek additional credit sources as the economy restarts. The lapse in business revenue generation will pose significant underwriting challenges for banks.

More than half of respondents in the 2020 Risk Survey revealed enhanced concerns around credit risk over the past year, while 67% believed that competing banks and credit unions had eased underwriting standards.

While there’s no way to determine what the future holds, near-term lending decisions will likely occur amid an uncertain economic recovery. There are some important questions institutions should consider when determining their lending approach:

  • How will our organization evaluate lending to businesses that have been closed due to the coronavirus?
  • Should a pandemic-related operational gap be treated as an anomaly, or should lenders consider this as they underwrite commercial loans?
  • What other factors should be considered in the current environment?
  • How much bank capital are we willing to put at risk?

Cybersecurity
Directors and executives who responded to the survey consistently indicate that cybersecurity is a key risk concern. In this year’s survey, 77% revealed their bank had placed significant emphasis on increasing cybersecurity and data privacy in the wake of cyberattacks targeting financial institutions, such as Capital One Financial Corp.

With more bank staff working remotely, cyber risks are even greater now. Employees are also emotionally taxed with concerns about their health, family and jobs, increasing the risk for errors and oversights. Unfortunately, the Covid-19 pandemic presents cybercriminals with a ripe opportunity to prey on individuals.

Business Continuity
In the survey, respondents whose bank had weathered a natural disaster within the last two years were asked if they were satisfied with their institution’s business continuity plan. The majority, or 79%, indicated they were.

However, the Covid-19 pandemic isn’t a typical natural disaster. Although buildings haven’t been destroyed, companies are still experiencing significant disruption to their normal operations — if they’re able to operate at all.

These circumstances, coupled with expanding technology and bank operations increasingly moving to the cloud, will likely lead to further changes in business continuity planning.

Remain Flexible
In an interagency statement released a week before the World Health Organization declared the Covid-19 outbreak a pandemic, federal regulators reminded depository institutions of their duty to “periodically review related risk management plans, including continuity plans, to ensure their ability to continue to deliver their products and services in a wide range of scenarios and with minimal disruption.”

The Federal Financial Institutions Examination Council also updated its pandemic guidance, noting the need for a preventative program and documented strategy to continue critical operations throughout a pandemic.

Since that time, banks have encouraged customers to broadly adopt digital platforms and, when necessary, serve customers in person through drive-through lines or by appointment to reduce face-to-face contact. Bank employees wear masks and gloves, branches are cleaned frequently and, where possible, staff work remotely.

Gain Insights
The pandemic is a real-world tabletop exercise that can provide important takeaways about the effectiveness of an organization’s business continuity plan. It’s important for organizations to take advantage of this opportunity.

For example, there could be another wave of Covid-19 later this year; alternately, it could be years before we see an event similar to what we’re experiencing. Either way, your bank must consider the potential consequences of each outcome and have a plan ready. Reviewing your organization’s business continuity plans and initiatives can help reveal opportunities to move forward with confidence, despite challenging operating environments.

How One Bank Flattened Fraud

Protecting the bank and its customers — through cybersecurity measures, identity verification, fraud detection and the like — is vital in ensuring a financial institution’s safety and soundness, as well as its reputation in the marketplace. These investments typically represent significant cost centers, but fraud prevention tools can be an exception to the rule if they’re able to pay for themselves by preventing losses.

“The idea is, when you put in a fraud system — and this is where some folks lose it — you want to make sure to catch more fraud than the system costs,” says Ronald Zimmerman, vice president in the operations department at $32.2 billion IBERIABANK Corp., based in Lafayette, Louisiana. “You always have to make sure that the cost doesn’t supersede your savings.”

Zimmerman implemented ARGO OASIS about a year ago. OASIS, which stands for Optimized Assessment of Suspicious Items, uses neural networks and image analytics to detect and prevent fraud. Modeled after the human brain, neural networks are a form of artificial intelligence designed to recognize patterns, making them well suited to identify check alterations, forgeries and other forms of transaction fraud. The solution then provides bank employees with detailed information to enable them to further investigate the activity.

Bank Director’s 2020 Risk Survey found that just 8% of executives and directors report that their bank uses AI technology to improve compliance. One-third are exploring these types of solutions.

IBERIA brought in OASIS to identify fraud in its “two-signature accounts” — customer accounts that require two signatures on a high-dollar check. “We have a queue set up in OASIS to monitor these checks as they come in through clearing. If a signature is missing or is in question, OASIS flags it for review,” Zimmerman says.

One thing about the technology that sets it apart is its check stock validation tool. “You have an overlay button where you can place a questioned check on top of a good check, and you have a little slide bar [so you] can see the small differences,” he says.

That tool alone has helped the bank stop roughly $300,000 in check fraud over the first eight months of use — meaning ARGO has already paid for itself. “We’ve caught a ton of fraud through this product,” says Zimmerman.

And $300,000 is a conservative estimate of the bank’s savings, Zimmerman says, because fraudsters have learned not to target his bank. “Check fraud flattened out, because the fraudsters have probably moved on, knowing that we’ve covered up a hole that was there before.”

ARGO OASIS was recognized as the Best Solution for Protecting the Bank at the 2020 Best of FinXTech Awards in May. ALTR, a blockchain-based security solution, and IDology, which uses big data for identity verification and fraud detection, were also finalists in the category.

Importantly, ARGO helps IBERIA stop fraud efficiently. A task that used to occupy three full-time employees’ time now takes two employees just a couple of hours.

IBERIA will soon merge with Memphis, Tennessee-based First Horizon National Corp. to form a $75 billion company. The deal was driven in part by the pursuit of scale.

Generating efficiencies is essential to better compete with big banks, said First Horizon CEO Bryan Jordan in a 2017 presentation. “We’ve got to be invested in technologies in such a way that we’re at or above table stakes,” he said. “The trick for us will be to … create efficiency in other parts of the business to create money that we can invest in leading-edge technologies and processes that really allow us to be competitive.”

Leveraging AI to reduce compliance busywork is a great place to start.

Guarding Against Virtual Viruses in a Pandemic

As healthcare experts work to mitigate the Covid-19 pandemic, the banking industry is faced with fighting other viruses.

Cyber attackers are known to be opportunistic, pouncing during times of anxiety and uncertainty. Rest assured, they won’t let up once the coronavirus has run its course. While information technology directors are focusing their attention on processing huge volumes of Small Business Administration loans and assisting bankers working remotely for the first time, computer virus and malware threats continue to rise. If not handled effectively, this could threaten the security of the financial system.

Dr. Anthony Fauci, head of the National Institute of Allergy and Infectious Diseases, cautions that Americans need to prepare for the possibility that Covid-19 could return — or even become a seasonal disease. With such prospects, savvy bank directors should familiarize themselves with their institutions’ data security and technology infrastructure. Here are six points to consider when assessing the future of their bank’s information security system:

Look again at business continuity plans. While your bank may have one, it likely did not consider the immediate worldwide demands for laptops and network hardware needed to configure remote work capabilities. Nor did these plans likely consider supply chain interruptions when factories shut down in Asia, where the virus was first detected. The lesson: If you wait until the next global emergency occurs, you might be too late. Plan now.

Consider the increased risk with more employees working remotely. The larger the inventory — coupled with less control of who uses the computer — the tougher it is to protect. An even more concerning practice is allowing bank employees to use personal computers to access bank networks. Firewalls, spam filters, anti-virus software and other security measures should not be determined by individual employees.

The Cybersecurity and Infrastructure Security Agency has issued guidance related to remote work and defending against Covid-19 scams. One of their tips is to ensure virtual private networks, or VPNs, have the latest software package and configurations, and that current anti-virus software is installed and up-to-date. Multi-factor authentication is another must-have for protecting your bank’s network.

Make sure you have enough IT support. Even before Covid-19, there were not enough qualified technical staff to fill available positions. The increased demand for remote connectivity has further stretched IT departments. Make sure your technology departments are fully staffed, or have access to qualified outside help.

Be sure employees are hyper-vigilant. Attackers hope that more distance between coworkers will equate to guards being lowered. Ensure that employees are regularly reminded of social engineering, email and other current threats to increase top-of-mind awareness of cybersecurity.

Be aware that some attacks are physical. We typically think of cyberattacks occurring “invisibly,” through system networks and software. But at least one entity is now mass-mailing infected “free” USB drives to financial institutions. Remind employees to discard any hardware that comes from unknown sources.

Consider the benefits of cloud technology. A recent article in The Wall Street Journal described how remote-work capabilities could become more common as money tightens and daily operations need more flexibility. Cloud computing is both more efficient and flexible, and is easily scalable. Bank regulators have taken notice, saying that outsourcing such technologies gives banks more options.

Time will tell, but this may be a turning point for American business. As more workers have established a routine for working from home — and have found surprising levels of efficiency and productivity — it’s expected that this could become more of the norm, at least in the near term.

Some in the financial services industry have been slow to change; they may now be forced to out of necessity. It’s incumbent upon directors to champion for this flexibility and resiliency by ensuring their data security and information infrastructure is ready to handle it.

Cybersecurity Practices for the Board

Several high-profile data breaches in 2019 assured that cybersecurity remains a top concern for bank boards and executive teams. Capital One Financial Corp. and Facebook revealed significant breaches last year — 106 million and over 500 million, respectively — so it’s no wonder that 87% say their anxiety over the issue has increased, according to Bank Director’s 2020 Risk Survey.

In response, more than three-quarters of directors and executives say they’ve increased oversight of cybersecurity and data privacy.

It’s a thorny issue for banks to manage. This isn’t a typical risk like credit that leverages bank leaders’ expertise and knowledge to ensure their practices are safe and sound. With cybersecurity, the threat level changes almost constantly, and the hacker trying to infiltrate your organization could be a world away.

Yet, the buck stops with the board. While management is charged with the implementation of the bank’s cyber risk program, it’s the board’s duty to ensure the bank is protected.

Unfortunately, board oversight is too often taken seriously only after an incident occurs, rather than before.

Basic Responsibilities
In its IT Examination Handbook, the Federal Financial Institutions Examination Council outlines responsibilities for bank boards. They include:

  • Overseeing the development, implementation and maintenance of the information security program
  • Communicating expectations to management and holding them accountable
  • Approving policies, plans and programs
  • Ensuring the program’s effectiveness by reviewing assessments and reports, and discussing management’s recommendations for improvement

How boards fulfill these duties varies. Most oversee cybersecurity within a committee; 19% as a full board.

Further, the frequency with which the board as a whole reviews cybersecurity can be as often as every meeting or as infrequently as annually (or less). The size of the bank appears to have little bearing on how often boards address this issue.

Regulators expect, at minimum, an annual review. But given the pace of change in the cyber threat landscape, meeting the minimal standard isn’t adequate. Bank boards need to take cybersecurity more seriously.

“If you’re talking cybersecurity less frequently than quarterly, I don’t think you can truly manage that risk to your institution,” says Craig Sanders, a partner at survey sponsor Moss Adams. “You can’t get enough data points to really understand what the risk profile is or isn’t doing in your institution in terms of [protecting the bank].”

At a minimum, the FFIEC says management should report to the board annually on the risk assessment process, risk management and control decisions, third-party arrangements, testing results, security breaches and management response, and recommendations for updates to the program. A designated information security officer should report directly to the board, as well.

In the survey, 76% indicate that the bank’s chief information security officer meets regularly with the board.

Next-Level Oversight
The FFIEC, an interagency body, makes its Cybersecurity Assessment Tool (CAT) available to evaluate all facets of a bank’s cybersecurity program, including the activities the board engages in as part of its oversight capacity.

Annie Goodwin, the risk oversight chair at $13.7 billion Glacier Bancorp, says the CAT is among the tools in the Kalispell, Montana-based bank’s cybersecurity arsenal. “It’s valuable in assessing cybersecurity preparedness,” she says. “During the safety and soundness exam, the CAT tool is often reviewed, and our board is very familiar with it.”

The CAT provides a list of attributes that indicates a bank’s maturity within each domain: threat intelligence and collaboration, cybersecurity controls, external dependency management, cyber incident management and resilience, and cyber risk management and oversight, including the board’s role. Maturity levels are rated from baseline — a bare-minimum standard indicating the lowest level of maturity, intended for banks exhibiting minimal inherent risk — to advanced and innovative, the two highest levels.

Given the continued prominence of cybersecurity as a threat to the industry, the survey asked directors and executives about some of the advanced and innovative activities for board oversight. The results confirm that some practices are more common than others.

Almost three-quarters of respondents indicate their board participates in training to better understand the cyber threats facing the bank.

Cybersecurity has become a more frequent topic of discussion for the board at Cross Plains, Wisconsin-based SBCP Bancorp. “Rightly so,” says CEO Jim Tubbs, given increased threats to the $1.3 billion bank and its customers. “The first step is informing and educating [the board],” he says. “The second step is having them understand from us — senior management — or from our external auditors, to be able to provide them appropriate reports or knowledge in regards to how we are handling cyber risk, and how [we are] testing our own systems and how our audit function is working.”

Using data to facilitate strategic decisions and monitor cyber risk (27%) is one of the least common practices reported by respondents, along with benchmarking cybersecurity staffing against peer institutions (10%).

Sanders says more progressive organizations are asking for benchmarking metrics to better budget for cybersecurity and technology, to gauge whether they’re spending enough to protect their institution.  “What are peer banks spending, and where are they [in terms of] maturity?” he says.

Incorporating more of the practices outlined in the CAT promises to augment the board’s ability to oversee cybersecurity as a risk.

“When you look at the intent of the [regulatory] guidance, and as you move from baseline maturity level to advanced, evolving, innovative — as you move up that chain, the governance piece becomes more heavily focused. They expect more participation” on the part of the board, says Sanders. “A small percentage of banks [say], ‘We want to move to evolving, or we want to move to advanced.’ Those are the ones that are spending more money and committing more to it, [and] their board and management team have a better harmony about what that program should look like and see the value in it.”

Bank Director’s 2020 Risk Survey, sponsored by Moss Adams, surveyed 217 independent directors, CEOs, chief risk officers and other senior executives of U.S. banks under $50 billion in assets. The survey was conducted in January 2020 and focused on the top risks facing financial institutions at that time, including cybersecurity, credit and interest rate risks, and emerging issues.

You can read more about the “Cyber War” facing the banking industry in the second quarter issue of Bank Director magazine. Additionally, Bank Director’s Online Training Series contains information on the board’s role in overseeing cybersecurity. Unit 11 covers best practices for the board. Unit 21 addresses further responsibilities, as well as the importance of an incident response plan and employee training.

COVID-19 Poses New Cybersecurity Challenges for Banks

The COVID-19 pandemic has turned the banking world upside down, not the least by requiring a significant number of employees to work remotely.

Social distancing requirements have forced many companies, banks included, to have large numbers of their employees work from home. Not only is this a stark departure from how most banks have traditionally operated, it happened very quickly; the new coronavirus swept across the country like a derecho, giving them little time to prepare.

And while social distancing will hopefully “flatten the curve” of the pandemic’s infection rate, to use a now common expression, it has had the unintended consequence of increasing the industry’s cyber risk by opening banks up to new attacks.

The “core threat,” according to Ron Buchanan, the chief information security officer at $17.6 billion Atlantic Union Bankshares Corp. in Richmond, Virginia, involves remote access platforms like virtual private networks (VPNs) and video conferencing platforms. This would include companies using VPNs for the first time, or companies that risk exposing services and sensitive or internal communications online.

“There are plenty of companies out there that aren’t used to working remote and are in a rush to enable remote access services and doing that without the knowledge and proper protections,” Buchanan says. “That creates the vulnerable environment for the attackers to go after. And that’s what they’re focused on.”

In some instances, employees who are working remotely are forced to use their home computers because they don’t have a company laptop. “[With s]ome clients of ours, not [every employee] has a company-issued laptop to take home,” says Shawn Connors, a principal in PwC’s cybersecurity and privacy practice.

In that scenario, the employee may have to use a home computer that is operating outside of the bank’s security framework. The bank’s challenge is to understand “what information is potentially leaving the confines of the organization, where is it going and do those machines that are accessing or manipulating that data, are they at the corporate standard of what one would expect to put into appropriately managed cyber risk?” Connors says.

Larger banks generally have had less trouble meeting the demands of a distributed workforce because they have a more robust technology infrastructure to begin with, as well as more employees working from remote locations. Many smaller banks, on the other hand, have been challenged by the sudden shift to a work-from-home policy.

“We have definitely had a number of clients where, not only is the capacity not there, but they have a security concern on top of it because they don’t have control of the device that’s actually going to be accessing data in these corporate environments,” Connors says. “Overnight, some really bad hygiene practices have been put back in place, just because they got caught flat-footed.”

For its part, Atlantic Union has been able to handle the sudden shift to a distributed workforce in stride. “It hasn’t had too much of an impact on us because we already had a large number of laptop users with the right security protections on those laptops,” says Buchanan. “So really, it was just a slight tuning adjustment to scale up that coverage and keeping a close eye on the increased load on the VPN infrastructure.”

Buchanan has sent out communications reminding employees who are working from home that they are required to use the bank’s VPN and must abide by restrictions such as a prohibition against printing out documents at home.

There has also been a surge in video conferencing, which may not be the most secure communications platform for sensitive meetings. “The biggest risk is if you’re having a confidential conversation and someone eavesdrops on that call, and they’re eavesdropping on that confidential conversation,” Buchanan says. “If you’ve turned on the security settings, which means turning on the password and all the encryption settings, it increases the security of the call. And if you don’t recognize someone and you can’t figure out who it is, then you should assume the call has been compromised and either kick that connection off or change calls.”

The Financial Services Information Sharing and Analysis Center, an industry consortium focused on cybersecurity, offers home security resources for institutions that are managing a distributed workforce.

Small Changes Lead To Big Payoffs In Reducing Fraud

Banks can leverage their relationships with clients and empower them to better control fraud.

Many financial institutions find themselves in difficult positions as a growing number of their customers are targeted for business takeover attacks. Hackers gain access to company funds through a variety of manipulations, often tricking an internal employee into sending a wire transfer. Some corporates have ineffective controls around their bank accounts or make poor decisions when sharing banking information. Banks are often stuck in the middle. Regardless of its lack of involvement in a fraudulent transaction, the bank will likely receive the first call when money goes missing.

Organizations are increasingly concerned about these business takeover threats, according to RSM’s recent Middle Market Business Index Cybersecurity Special Report. The survey found that 64% of middle market executives believe their businesses are at risk of attempted employee manipulation in the coming year, up 9% from the previous year. They are right to be worried: These attacks are growing in popularity with criminals because of their low-tech and low-risk nature, combined with the potential of significant rewards.

Business takeover cases are simple on the surface, but can have complex details. In one recent example, a portfolio company from a private equity company sent an email to the PE firm’s chief financial officer seeking additional funds. A hacker who took control of the portfolio company’s email sent a follow-up email with the hacker’s bank account information to receive the fraudulent wire transfer. The CFO quickly recognized that something was wrong and called the bank. The company and the hacker used the same bank, which froze the funds. But the hacker successfully convinced the institution to release the funds and wired them out of the country.

While banks are not required to encourage customers to adopt stronger protections against takeover threats or modify their own internal processes to identify fraud, some small adjustments can make a big difference to help deter criminals.

Many banks still do not coach customers on how they can discourage takeover threats, or help them understand the tools at their disposal. For example, many banks offer two-factor authentication for wire transfers, but customers choose to disable it, creating unnecessary vulnerabilities. When customers elect to turn off security controls, banks can intervene and help them understand why those controls exist. Coaching can help clients avoid painful experiences.

In addition, banks should offer security information and training to their clients on a regular basis to help them understand threats and the role the bank plays. Institutions need more visibility into emerging risks and the behavior and activity that clients need to avoid. They can use these touchpoints to check on their customers’ status, improve business relationships and discuss any additional necessary services.

Many banks utilize flexible core banking systems that can identify high-risk transactions. These platforms feature extensive functionality, but banks often do not use all of the built-in capabilities and sometimes miss questionable transactions in real time. In many cases, they can establish controls to flag suspicious activity. 

For example, if a middle market company that traditionally only does domestic wire transfers sends funds to Romania, that transaction should stick out like a sore thumb. Perhaps a company that usually sends wire transfers under $20,000 suddenly sends one for $60,000. While large banks may not be able to pick up the phone to validate that transaction, community banks have an opportunity to reach out personally and provide more value than their larger counterparts.
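The two outlier checks described above (a first-ever destination country, and an amount far outside the customer’s usual range) are simple to encode as a per-customer screen that holds a wire for an out-of-band callback instead of releasing it. The following is an added example, not code from the article or from any core banking system; the customer name, the wire history and the thresholds are constructed for illustration, and a real deployment would read history from the core and tune thresholds per customer segment.

```python
"""Per-customer outlier screen for outgoing wires (added illustration).

Customer names, the transaction history and the thresholds below are
constructed for this example; they are not from any real institution.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Wire:
    customer: str
    amount: float
    dest_country: str   # ISO 3166-1 alpha-2 of the beneficiary bank
    beneficiary: str    # beneficiary account identifier (opaque string)


# Constructed history: a middle-market manufacturer that only pays domestic
# vendors, usually well under $20,000 per wire.
HISTORY = [
    Wire("acme-mfg", 12_400.00, "US", "US-ACCT-1001"),
    Wire("acme-mfg", 8_950.00, "US", "US-ACCT-1002"),
    Wire("acme-mfg", 15_200.00, "US", "US-ACCT-1001"),
    Wire("acme-mfg", 19_800.00, "US", "US-ACCT-1003"),
    Wire("acme-mfg", 11_075.00, "US", "US-ACCT-1002"),
    Wire("acme-mfg", 17_300.00, "US", "US-ACCT-1001"),
]

AMOUNT_MULTIPLIER = 2.0   # flag if the wire exceeds 2x the customer's prior max
MIN_HISTORY = 5           # fewer prior wires than this: profile is not trusted


def build_profiles(history):
    """Summarise each customer's past wires: countries, beneficiaries, amounts."""
    profiles = defaultdict(
        lambda: {"countries": set(), "beneficiaries": set(), "amounts": []}
    )
    for w in history:
        p = profiles[w.customer]
        p["countries"].add(w.dest_country)
        p["beneficiaries"].add(w.beneficiary)
        p["amounts"].append(w.amount)
    return profiles


def screen(wire, profiles):
    """Return the reasons a wire looks out of pattern; an empty list means clean."""
    p = profiles.get(wire.customer)   # .get() does not create a profile
    if p is None or len(p["amounts"]) < MIN_HISTORY:
        return ["insufficient history to profile this customer"]
    reasons = []
    if wire.dest_country not in p["countries"]:
        reasons.append(
            f"first wire to {wire.dest_country}; prior countries {sorted(p['countries'])}"
        )
    if wire.beneficiary not in p["beneficiaries"]:
        reasons.append(f"first wire to beneficiary {wire.beneficiary}")
    prior_max = max(p["amounts"])
    if wire.amount > AMOUNT_MULTIPLIER * prior_max:
        reasons.append(
            f"amount {wire.amount:,.2f} exceeds {AMOUNT_MULTIPLIER}x prior max {prior_max:,.2f}"
        )
    return reasons


def decide(wire, profiles):
    """'release' a clean wire; 'hold' one that needs a callback to the client.

    A new beneficiary on its own is routine for a growing business, so it is
    reported but does not hold the wire by itself; a new country, an outsized
    amount or an unprofiled customer is enough on its own.
    """
    reasons = screen(wire, profiles)
    serious = [r for r in reasons if not r.startswith("first wire to beneficiary")]
    return ("hold" if serious else "release"), reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed test wires: the Romania and $60,000 scenarios from the text,
    # plus a routine domestic payment that should pass.
    for w in [
        Wire("acme-mfg", 14_000.00, "RO", "RO-ACCT-7781"),
        Wire("acme-mfg", 60_000.00, "US", "US-ACCT-1001"),
        Wire("acme-mfg", 9_500.00, "US", "US-ACCT-1002"),
    ]:
        action, reasons = decide(w, profiles)
        print(action, w.amount, w.dest_country, reasons)
```

The callback that a “hold” triggers should go to a phone number already on file for the customer, never to a number or contact supplied in the email that requested the wire, since in the case described above the attacker was the one talking to the bank. Treating a new beneficiary alone as routine is a tuning choice; a bank that sees many beneficiary-swap frauds can simply drop that exemption.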

Obviously, detecting a fraudulent wire transfer from within the bank is not always this straightforward. But the institution is often the last point of resistance in these attacks. Individuals responsible for oversight should review suspicious activity reports and other notifications of wire transfer fraud regularly to identify criminal activity.         

Banks may be able to better control fraud in three ways: confirming transfers with clients through a channel other than the email or call that requested the wire, being more conservative with internal fraud detection processes and paying attention to any outlier transactions.

Most banks and many customers have taken steps to improve their internal cybersecurity following high-profile attacks and increased regulatory scrutiny. However, plans to reduce business takeover risks both inside the bank and when guiding customer activities must be adaptable to new threats. Criminals’ methods will constantly evolve to circumvent today’s detective controls and protective measures.

Educating clients about how to avoid and address risks while adjusting internal bank processes can improve operations for both your bank and your clients. A stronger risk environment can increase customer satisfaction, reduce the strain on internal employees tasked to track down lost funds and help you avoid having to guide your customers through the fallout of a criminal hacking.